[Answer] Is there any cleanup software for Windows 10?
I came across the Autoruns tool while trying to remove Alibaba’s alipaladin64.sys file and service. Companies like Alibaba, Tencent, and 360 have long taken advantage of their technical edge by embedding background services in their software without users’ clear knowledge, and by making those programs deeply rooted in the system so that once installed, they are difficult or impossible to uninstall or delete. When installing Alibaba-related software, Alibaba may automatically install a so-called “security” program called Ali Protect. This software is not fully compatible with Windows security policies and may cause memory leaks or create possible avenues for intrusion, so I needed to remove it. During that difficult uninstall process, I found Autoruns.
At first glance, Microsoft’s official Autoruns tool is hard to understand from the name alone. A literal translation would be something like “automatic run,” which sounds like a utility for automating program launches. In reality, Windows Sysinternals Autoruns for Windows is one of the best tools available for viewing, monitoring, and disabling startup programs. Normally, you can use Task Manager or the msconfig command to see auto-starting programs in Windows, but msconfig only shows startup items and services, and it does not verify digital signatures, so malware can easily evade detection there.
Autoruns does more than show programs in the Startup folder. It also displays programs configured to start automatically through Run / RunOnce and other registry entries. It further shows File Explorer and Internet Explorer extensions, toolbars, context menu handlers, drivers, services, Winlogon items, codecs, Winsock providers, and more. In short, Autoruns monitors and exposes almost all startup-related programs and entries in Windows for management.
The specific categories Autoruns can display include:
- Logon: Scans standard auto-start locations such as the current user and all users’ Startup folders, Run registry entries, and standard application startup locations.
- Explorer: Shows Explorer shell extensions, Browser Helper Objects, Explorer toolbars, Active Setup executables, and shell execute hooks.
- Internet Explorer: Shows Browser Helper Objects (BHOs), Internet Explorer toolbars, and extensions.
- Services: Displays all Windows services configured to start automatically when the system boots.
- Drivers: Shows all registered kernel-mode drivers on the system, except disabled ones.
- Scheduled Tasks: Displays Task Scheduler tasks configured to start at boot or logon.
- AppInit DLLs: Shows DLLs registered as application initialization DLLs.
- Boot Execute: Shows native images that run early in the boot process, before normal Windows images.
- Image Hijacks: Shows Image File Execution Options and command prompt auto-start settings.
- Known DLLs: Reports the locations of DLLs that Windows loads into applications that reference them.
- Winlogon Notifications: Shows DLLs registered for Winlogon logon event notifications.
- Winsock Providers: Displays registered Winsock protocols, including Winsock service providers. Malware often installs itself as a Winsock provider because few tools can remove them. Autoruns can disable them, though not remove them.
- LSA Providers: Shows authentication packages, notification packages, and security packages registered with the Local Security Authority (LSA).
- Printer Monitor Drivers: Displays DLLs loaded into the print spooler service. Malware has used this mechanism to auto-start itself.
- Sidebar: Shows Windows Sidebar gadgets.
You can open the utility by clicking Autoruns.exe. Under Options > Filter, it is usually a good idea to first enable Verify Code Signatures and Hide Signed Microsoft Entries. Then click Rescan or press F5 to refresh the scan.
If you do not want an entry to be activated the next time the system boots or a user logs in, you can disable or delete it. To disable an entry, simply uncheck it. To delete it, right-click the entry and choose Delete.
The right-click menu also lets you jump directly to the related registry location in Registry Editor by choosing Jump to Entry, or to the corresponding file in File Explorer by choosing Jump to Image.
The download package also includes an equivalent command-line tool, Autorunsc.exe, which can export output in CSV format.
Autoruns not only verifies the authenticity of everything loaded into Windows through cryptographic signature checking, but can also identify files that have been tampered with. By using Hide all Microsoft entries, you can more easily discover unnecessary or potentially dangerous entries, crapware, and third-party auto-start images added to your system, and then disable them with this excellent tool.
The Hide Signed Microsoft Entries option is especially useful for highlighting third-party startup images added to the system. Autoruns also supports viewing startup images configured for other accounts on the machine.
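The CSV export and the signature check described above can be combined into a quick triage pass. The following is an added example, not part of the original post or of the Sysinternals tools: it reads an Autorunsc-style CSV and lists the enabled entries whose signature is not verified or whose image file is missing, with drivers and services first. The column names, the "(Verified)" / "(Not verified)" signer prefixes, the "File not found" marker and all sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample rows, not real scan output. Column names and the
# "(Verified)" / "(Not verified)" signer prefixes are assumptions about the
# Autorunsc CSV export when signature verification is enabled.
SAMPLE_CSV = r'''Entry Location,Entry,Enabled,Category,Signer,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ExampleUpdater,enabled,Logon,(Verified) Example Software Ltd,C:\Program Files\Example\updater.exe
HKLM\System\CurrentControlSet\Services,exampleprotect64,enabled,Drivers,(Not verified) Example Vendor,C:\Windows\System32\drivers\exampleprotect64.sys
HKLM\System\CurrentControlSet\Services,OldHelperSvc,enabled,Services,,File not found: C:\Program Files\OldHelper\svc.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,TrayTool,disabled,Logon,(Not verified) Unknown,C:\Users\demo\AppData\Roaming\traytool.exe
'''

# Categories that load into the kernel or into privileged processes are
# reviewed first; everything else gets the default priority of 2.
PRIORITY = {"Drivers": 0, "Services": 1, "Winsock Providers": 1, "LSA Providers": 1}


def triage(csv_text):
    """Return enabled entries that fail verification or point to a missing image."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Enabled"].strip().lower() != "enabled":
            continue  # already disabled: will not start at next boot or logon
        reasons = []
        if not row["Signer"].strip().lower().startswith("(verified)"):
            reasons.append("signature not verified")
        image = row["Image Path"].strip()
        if not image or image.lower().startswith("file not found"):
            reasons.append("image file missing")
        if reasons:
            findings.append({
                "entry": row["Entry"],
                "category": row["Category"],
                "location": row["Entry Location"],
                "reasons": reasons,
            })
    # Sort by category priority, then by entry name for a stable report.
    findings.sort(key=lambda f: (PRIORITY.get(f["category"], 2), f["entry"].lower()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV):
        print(f'{f["category"]:<10} {f["entry"]:<18} {", ".join(f["reasons"])}')
```

To run it on a real export, generate the CSV with signature verification turned on (for example `autorunsc -a * -c -s`) and pass the file's text to `triage`. The file may be UTF-16 encoded, so decode it accordingly when reading it.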
You can download this tool from Microsoft’s official download page.