CrowdStrike Update Causes BSOD Issues Globally – Audit Available 🛡️ Learn more

TRY NOW
Pro Tips

Discover Startup Applications

5 min. read
26/04/2024
By Esben Dochy
Discover Startup Applications

Pro Tips #53

Part of ensuring compliance, performance and security is checking for startup applications. Startup applications can slow down the login process for users, it can be a severe security problem when applications silently run in the background without your knowledge and can lead to breaches of your company policy.

Having all the detailed data about your startup applications can help you with many scenarios including optimizing performance by identifying and disabling unnecessary programs, managing system resources more effectively, enhancing security by detecting malware and potentially unwanted software, troubleshooting startup issues, protecting privacy by preventing unauthorized programs from running, and ultimately reducing boot times for a smoother user experience. But first, let’s dive into how to set it all up.

Autorun Scan Settings

Startup applications, or as they are branded in Lansweeper “Autorun” items, are automatically scanned every 30 days. Obviously, to ensure that your data is up-to-date, you might want to increase this interval. Especially if you want to keep a closer eye on these items.

In Lansweeper On-prem, you’ll find the Scanned item interval in the scanning menu. Here you can adjust how frequently Windows items are scanned and whether history is kept. Setting the Refresh to 0 means the item is rescanned with every scan. Any other value equals the number of days before the item is rescanned.

scanned item interval

Now every time your asset is scanned the startup applications will also be scanned, and you will have history on it as well which will let you report on new startup applications that have entered your environment.

Analyzing The Results

There are quite a few built-in reports about startup applications, you can find them easily by searching for “Autorun”. However, they are all for very specific startup applications.

Startup Applications Overview

First thing I created is a report that gives you a simple overview of all startup applications per device. Quite a simple report just to have all the data in one big list. You can also use this as a template should you want to create more specific reports yourself.

Startup Application Overview

Startup Applications per Asset

Second is a report that counts the number of startup applications per asset. In Lansweeper on-prem this can also be used in a dashboard chart widget, but I think it’s better as a regular report since it will have a lot of entries. It lets you easily find assets that have a large number of startup items.

Startup Applications per Asset

Startup Applications History

The main goal of keeping startup application history is to be able to see when new entries occurred. Generally speaking, you want to be aware when new startup applications are created, especially since those could be malicious. This report gives you all the changes in the last 7 days, but feel free to adjust it if you want.

Startup Application History

Startup Application Charts

I have created multiple charts for the on-premise dashboard widget. One that shows you the total number of times a specific startup application is present in your environment. Great to find the most popular startup applications.

One that shows the number of enabled startup applications per asset, further down you will see how we get the status of a startup application.

Lastly, the startup application per asset. As I mentioned above, this can also be used as a chart.

Startup Application Charts

Scanning Startup Application Status

Now comes the non-default, harder part. I’m using a similar trick I used when I created a Pro Tip to identify HDD vs SSDs. I create a PowerShell script that takes data from multiple registry keys and writes it to a single registry key. This lets us configure custom registry key scanning for a fixed registry key instead of dynamic ones.

Specifically: HKEY_LOCAL_MACHINE\SYSTEM\Startup

All you need to do is configure that registry key scan in Lansweeper, using the values 0 through 20. I stopped at 20 because I assume a single device won’t have more than 20 startup applications. You can go higher if you want.

registry key scanning example

How you deploy the script I will mostly leave up to you. But you can also use this deployment package in Lansweeper on-prem if you want.

Download PowerShell script and Lansweeper Deployment package

Scanned Registry Data

Once the script has run, the assets have been rescanned, you’ll notice that we’ve scanned the startup application name and status in number format.

registry key data example

Using some reporting magic, we’re able to pull this data apart, link it based on the application name and translate the value to statuses. Which after a longer than expected session of googling pointed to the fact that even numbers mean Enabled, while uneven mean Disabled.

That is how we get to our last report, a combination of the startup applications scanned via WMI and the status scanned via the registry. This is also how we’re able to create the chart I mentioned earlier that lists the number of enabled startup applications per device.

Startup Application Status Audit

All of the resources above should give you some nice tools to manage the startup applications a bit better. Specifically, the number of enabled startup applications and the historical audit have a lot of value when it comes to preventing user complains of slow or long booting processes and ensuring they don’t run any malicious software without your knowledge!

NO CREDIT CARD REQUIRED

Ready to get started?
You’ll be up and running in no time.

Explore all our features, free for 14 days.