Registry key StartupApproved ignored?

  • Question

  • Disabling/Enabling autoruns stored in the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key seems to have no effect as corresponding entries at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved remain unchanged.

    Is this a bug or expected behavior?

    Friday, May 22, 2020 11:37 AM

Answers

  • Not all entries in HKCU\Software\Microsoft\Windows\CurrentVersion\Run will necessarily have a corresponding entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved. Many of the programs Autoruns is designed to detect, for example, don't play by the rules. In addition, this behaviour varies between operating systems. Effectively removing the value from HKCU\Software\Microsoft\Windows\CurrentVersion\Run, however, will prevent execution irrespective of platform.

    That said, I have added an item to the Autoruns backlog to see how we might enhance Autoruns to take advantage of the information stored in StartupApproved - in addition to disabling the application via this value where it exists, for example, we might be able to highlight any applications that don't have a corresponding entry under StartupApproved.

    MarkC(MSFT)

    • Marked as answer by swust91413 Friday, May 29, 2020 11:46 AM
    Friday, May 29, 2020 7:11 AM

All replies

  • Not sure I understand the question. Are you talking about an application that is configured to launch via multiple ASEPs? Are both of these being discovered by Autoruns but have to be deleted individually?

    MarkC(MSFT)

    Tuesday, May 26, 2020 6:17 AM
  • As far as I can see, every value at HKCU\Software\Microsoft\Windows\CurrentVersion\Run is paired to a corresponding one at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved.

    Disabling an application via Autoruns moves the value to the subkey HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled but leaves the value at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved untouched.

    Disabling an application via the Task Manager's Startup tab works the other way round: The HKCU\Software\Microsoft\Windows\CurrentVersion\Run remains unchanged while the value at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved changes (specifically the first byte seems to indicate the status).

    Autoruns seems to ignore this. After disabling an application via the Task Manager, the corresponding checkbox in the HKCU\Software\Microsoft\Windows\CurrentVersion\Run section remains checked but the program isn't executed at startup.

    IMO the correct behavior for Autoruns would be not to move the value to a subkey but to change the corresponding value at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved to disabled.




    • Edited by swust91413 Wednesday, May 27, 2020 2:16 PM
    Wednesday, May 27, 2020 2:15 PM
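
The pairing discussed in this thread can be audited with a short script. This is an added example, not part of the original posts and not Autoruns code: it lists every HKCU Run value together with its StartupApproved flag and any value parked under AutorunsDisabled. The function names are hypothetical, and three things are assumptions based on commonly observed, undocumented behaviour: the flags for Run values sit in the `Run` subkey of StartupApproved, an odd first byte means disabled, and bytes 4 to 11 hold a FILETIME.

```powershell
# Added example: correlate HKCU Run values with StartupApproved and AutorunsDisabled.
$cv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'
$run = "$cv\Run"
# Assumption: flags for Run values live in the 'Run' subkey of StartupApproved.
$approved = "$cv\Explorer\StartupApproved\Run"

function Get-RegValues([string]$Path) {
    # Name -> data hashtable; empty when the key does not exist.
    $map = @{}
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { foreach ($n in $key.GetValueNames()) { $map[$n] = $key.GetValue($n) } }
    $map
}

function ConvertFrom-StartupApproved($Data) {
    # Assumption (commonly observed, undocumented): even first byte = enabled,
    # odd = disabled; bytes 4..11 are a FILETIME set when the entry was disabled.
    if ($Data -isnot [byte[]] -or $Data.Length -lt 1) {
        return [pscustomobject]@{ State = 'NoEntry'; Since = $null }
    }
    $since = $null
    if ($Data.Length -ge 12) {
        $ft = [BitConverter]::ToInt64($Data, 4)
        if ($ft -gt 0) { try { $since = [DateTime]::FromFileTimeUtc($ft) } catch { } }
    }
    $state = if ($Data[0] -band 1) { 'Disabled' } else { 'Enabled' }
    [pscustomobject]@{ State = $state; Since = $since }
}

$live   = Get-RegValues $run
$parked = Get-RegValues "$run\AutorunsDisabled"   # where Autoruns moves disabled values
$flags  = Get-RegValues $approved

$names = @($live.Keys) + @($parked.Keys) | Sort-Object -Unique
$rows = foreach ($name in $names) {
    $flag = ConvertFrom-StartupApproved -Data $flags[$name]
    # Expected outcome at logon, following the behaviour described in the thread.
    if (-not $live.ContainsKey($name)) { $expected = 'Off (moved by Autoruns)' }
    elseif ($flag.State -eq 'Disabled') { $expected = 'Off (StartupApproved)' }
    else { $expected = 'Runs at logon' }
    [pscustomobject]@{
        Name            = $name
        Command         = if ($live.ContainsKey($name)) { $live[$name] } else { $parked[$name] }
        StartupApproved = $flag.State      # NoEntry = no paired value at all
        DisabledSince   = $flag.Since
        Expected        = $expected
    }
}
$rows | Format-Table -AutoSize -Wrap
```

Rows showing `NoEntry` are the unpaired Run values mentioned in the answer, and rows where `Expected` is `Off (StartupApproved)` are the ones Autoruns would still display as checked.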