Startup Applications List
Unfortunately, due to a change in my circumstances, the startup programs database here at Sysinfo.org will no longer be updated and the off-line downloads are no longer available. The version at Pacman's Portal will, however, continue to be updated and it's recommended that you refer to that site for more up to date information. The reason for this change in policy cannot be disclosed at this time but I hope you have enjoyed using the database here and thank you for your support and kind comments over the years.
If you're frustrated with the time it takes your Windows 7/Vista/XP PC to boot and then it seems to be running slowly you may have too many programs running at start-up - and you have come to the right place to identify them. This is the original startup programs (as opposed to processes/tasks) list - one of the most accurate and comprehensive. Services are not included - see below. The database is mirrored in a slightly different format at Pacman's Portal.
"Name or Startup Item" in the table below refers to how an entry is displayed in MSConfig, Windows Defender or the registry "Run" keys. "Command or Data" refers to the program the entry runs. For further information on this and how to identify and disable startup programs you may want to also visit this page.
For further information on random startup entries please visit the Startups Info page.
Last update :- 29th July, 2011
24133 items listed
|Name or Startup Item||Status||Command or Data||Description||Tested?|
|!NoLoad||N||winrecon.exe||WinRecon keystroke logger/monitoring program - remove unless you installed it yourself!||No|
|%Windir%\winnl.exe||X||winnl.exe||Added by the KIDKITI TROJAN!||No|
|%Windir%\winnm.exe||X||winnm.exe||Added by the KIDKITI TROJAN!||No|
|(*)API Machine||X||winSOCKS.exe||Homepage hijacker, see here (* = any digit)||No|
|(*)Run||X||win32API.exe||Homepage hijacker, see here (* = any digit)||No|
|(Default)||X||winhelp.exe||Added by the BLACKMAL.C WORM! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank||No|
|(Default)||X||winbas12.exe||Adware, CoolWebSearch parasite related - detected by Kaspersky as the VB.DU TROJAN! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank||No|
|(default)||X||winlog.exe||Added by the RBOT-CVY WORM! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run and HKLM\RunServices in order to force Windows to launch it at boot. The name field in MSConfig may be blank||No|
|(Default)||X||winligom.exe||Added by the RBOT-GAI WORM! Note - this malware actually changes the value data of the "(Default)" key in HKCU\Run, HKLM\Run and HKLM\RunServices in order to force Windows to launch it at boot. The name field in MSConfig may be blank||No|
|(default)||X||WINLOGON.EXE||Added by the DELF-LP TROJAN! Note - this malware actually changes the value data of the "(default)" key in HKCU\Policies\Explorer\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank||No|
|(Default)||X||winweng.exe||Added by the AGENT-SB MALWARE! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank||No|
|*Microsoft Update||X||wstcl.exe||Added by the STMU TROJAN!||No|
|*Microsoft Update||X||wucxt.exe||Added by the STMU TROJAN!||No|
|*Microsoft Update||X||wuytc.exe||Added by the STMU TROJAN!||No|
|*WerKernelReporting||N||WerFault.exe||Part of Windows Error Reporting technology (WER) for Vista. WER captures software crash and hang data from end-users who agree to report it - see here||No|
|*windows update||X||wrauclt.exe||Added by the RBOT-QU WORM!||No|
|*windows update||X||wuanclt.exe||Added by the RBOT-PG WORM!||No|
|*windows update||X||wuaucrlt.exe||Added by the SPYBOT.HUR WORM!||No|
|*windows update||X||wuraclt.exe||Added by the RBOT-PO WORM!||No|
|*windows update||X||wurauclt.exe||Added by the RBOT-SY WORM!||No|
|*windows update||X||wsctl.exe||Added by the SPYBOT.PR WORM!||No|
|*windows update||X||wkmst.exe||Added by the SDBOT.AVD WORM!||No|
|*windows update||X||wscxt.exe||Added by the RBOT.AOS WORM!||No|
|*windows update||X||waurclt.exe||Added by a variant of the RBOT WORM!||No|
|*windows update||X||wuaruclt.exe||Added by the RBOT-TF WORM!||No|
|*windows update||X||wruaclt.exe||Added by the RBOT-QP BACKDOOR!||No|
|*windows update||X||wruauclt.exe||Added by the RBOT-SF WORM!||No|
|*windows update||X||wuacrlt.exe||Added by the RBOT-QI WORM!||No|
|*windows update||X||wuruclt.exe||Added by the RBOT-TA WORM!||No|
|*winstats||X||winstats.exe||Added by the GARGAFX TROJAN!||No|
|*wmstu||X||wmstu.exe||Added by the RBOT-TV WORM!||No|
|*wuauclt.exe||X||w****.exe [* = random char]||Added by a variant of the RBOT-UG WORM! Note - * in the filename represents a random char; variants spotted: wxmct.exe, wtmsv.exe, wxmst.exe, wmsvc.exe and so on...||No|
|,main drive Loader||X||wininfo.exe||Suspected malware as it appears in 3 different registry locations - see here||No|
|.Prog||X||winlogon.exe||Added by the NEVEG.A WORM! Note - this is not the legitimate winlogon.exe process, which should not appear in Msconfig/Startup!||No|
|.service||X||winlgon.exe||Added by the BDOOR-BX BACKDOOR!||No|
|0190 Warner||U||WARN0190.EXE||German anti-dialer - see here||No|
|0900 Warner||U||WARN0900.EXE||German anti-dialer - see here||No|
|123||X||wintask.exe||Added by the LEGMIR-AY TROJAN!||No|
|252||X||winmgr.exe||Added by the LEGMIR-AT TROJAN!||No|
|9m||X||winlog0n.exe||Added by the LEGMIR-AQK TROJAN!||No|
|@||X||wincms.exe||Added by the RBOT.CBR WORM!||No|
|@||X||winsys32.exe||Added by the DELF.CP BACKDOOR! Note that the entry under the Startup Item/Name field my be blank||No|
|A New Windows Updater||X||w32NTupdt.exe||Added by the MYTOB.BM WORM!||No|
|a-winpoet-service||Y||winpppoverethernet.exe||WinPoET is the industry's first Windows-based PPP over Ethernet client. Developed by iVasion, WinPoET is attractive to equipment providers, modem suppliers, RBOCs and ISPs. For more info read here. It uses dial-up networking for new high-speed internet customers who are more familiar with analogue modems. If unchecked in MSCONFIG it reports Error 360 - Hardware Error in dial-up networking||No|
|Access Control App||X||winsto.exe||Added by the AGENT.DGO TROJAN!||No|
|ActiveSync||X||wcescom32.exe||Added by the MANCSYN-E TROJAN!||No|
|AdAware||X||wini.exe||Added by the RBOT-XN WORM!||No|
|Additional Guard||X||WI[random characters].exe||Additional Guard rogue security software - not recommended, removal instructions here||No|
|Administrator||X||winlogon.exe||Added by the RUBBLE-C WORM! Note - this is not the legitimate winlogon.exe process, which should not appear in Msconfig/Startup!||No|
Notes & Warnings
DISCLAIMER: It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. We will not be held responsible if changes you make cause a system failure.
WARNING: This is NOT a database of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a database of startup applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at startup. For a list of tasks/processes you should try the Process Library from Uniblue, the list at PC Pitstop or one of the many others now available. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSConfig or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.
To avoid the database becoming too large, all virus entries are only shown using the registry version which is common to all Windows versions. Otherwise there would be multiple entries for popular filenames that viruses often use - such as "svchost" above for example. Multiple viruses can also use the same startup entries, in this case only those with significant differences (such as file location) are repeated in this database.
NOTE: There are a number of virus and malware entries listed in this database where specific removal instructions haven't been given. If this is the case then you could try ComboFix, a program written by sUBs that can remove many different types of Trojans and Worms. See here for a tutorial on how to use the program
IMPORTANT: A number of entries are repeated due to the way that different operating systems display startup items. For example, WinMe lists "POPROXY.EXE" as "Norton eMail Protect" in both MSCONFIG and the registry whereas WinXP lists it as "Poproxy" in MSCONFIG and "Norton eMail Protect" in the registry.
SERVICES: "Services" from the NT/2K/XP/Vista/7 operating systems are not included. I fully understand that some programs with these OS's use "Services" as an alternative to load their component parts at startup but these are handled in a different way. We recommend you try BlackViper for information on services for the relevant operating systems.
If you're looking for a startup manager then why not try Spybot - Search & Destroy (by Safer Networking Ltd) as the startup programs section (select the Advanced mode) includes descriptions from this database. You might also want to try their RunAlyzer and FileAlyzer tools.As there are more than 10,000 entries in this database related to viruses, trojans, worms and other malware we recommend you use a quality internet security package. Which ever you choose, keep it updated.
Presentation, format & comments Copyright © 2001 - 2011 Pacman's Portal
Portions Copyright © Peter Forrest, Denny Denham, Sylvain Prevost, Tony Klein, CastleCops & Bleeping Computer
Database creation and support by Patrick Kolla
Software support by John Mayer
All rights reserved