Want to delay startup of program but can't find it in Task Scheduler

I'm trying to delay the startup of a specific program that loads at login. As per an answer in this question, I should be able to do it using Task Scheduler. The problem is, I can't find the program listed anywhere. Is there a particular pane I should be looking in? The program is Razer Synapse so I don't think it would be in the Microsoft or Western Digital folders.


If it's not in Task Scheduler, is there another way I can delay it at startup?

Out of curiosity how many ways are there for a program to be run at Startup in Windows?


Solution 1:

I can't find the program listed anywhere.

There are many locations that can be used to run programs on startup. You need to check them all until you find the program you are looking for.

There are a few programs that allow easy checking of the startup locations.

  1. msconfig (Startup tab):


  2. Autoruns from SysInternals:


  3. WhatInStartup from NirSoft:


  4. WinPatrol:


    Note:

    • WinPatrol allows you to move programs from "Startup Programs" to "Delayed Start"
    • You can specify the delay time if you do this.




How many ways are there for a program to be run at Startup in Windows?

There are at least 17 locations from where programs can be started. See below.


Windows Program Automatic Startup Locations

Upon turning on the computer the following autostart locations are processed in the following order:

  1. Windows Boot Device Drivers

    • These drivers are loaded first as they are required for the proper operation of hardware such as storage devices.
    • Boot device drivers will be located under the following key and have a Start value equal to 0.


    Registry Keys:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
    

    Windows will now perform various tasks and then start the Winlogon process. Winlogon eventually starts the service control manager that loads services and drivers that are set for auto-start.

  2. Windows Auto-start Services & Drivers

    • The Service Control Manager (SCM) process (\Windows\System32\services.exe), will now launch any services or drivers that are marked with a Start value of 2.


    Registry Keys:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
    
  3. RunServicesOnce

    • This key is designed to start services when a computer boots up.
    • These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...\RunOnce registry can start loading its programs.


    Registry Keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    
  4. RunServices

    • This key is designed to start services as well.
    • These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...\RunOnce registry can start loading its programs.


    Registry Keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
    

    The Windows logon prompt is shown on the Screen. After a user logs in the rest of the keys continue.

  5. Notify

    • This key is used to add a program that will run when a particular event occurs.
    • Events include logon, logoff, startup, shutdown, startscreensaver, and stopscreensaver.
    • When Winlogon.exe generates an event such as the ones listed, Windows will look in the Notify registry key for a DLL that will handle this event.
    • Malware has been known to use this method to load itself when a user logs on to their computer. Loading in such a way allows the malware program to load in such a way that it is not easy to stop.


    Registry Key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    
  6. UserInit Key

    • This key specifies what program should be launched right after a user logs into Windows.
    • The default program for this key is C:\windows\system32\userinit.exe. Userinit.exe is a program that restores your profile, fonts, colors, etc for your user name.
    • It is possible to add further programs that will launch from this key by separating the programs with a comma. For example:

      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit =C:\windows\system32\userinit.exe,c:\windows\badprogram.exe.

    This will make both programs launch when you log in and is a common place for trojans, hijackers, and spyware to launch from.

    Registry Key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    
  7. Shell Value

    • This value contains a list of comma separated values that Userinit.exe will launch.
    • The default shell for Windows is explorer.exe, though there are legitimate replacements that have been made. When userinit.exe starts the shell, it will first launch the Shell value found in HKEY_CURRENT_USER. If this value is not present, it will then launch the value found in HKEY_LOCAL_MACHINE.


    Registry Key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
    

    The rest of the Autostart locations will now be processed.

  8. RunOnce Local Machine Key

    • These keys are designed to be used primarily by Setup programs.
    • Entries in these keys are started once and then are deleted from the key.
    • If there is an exclamation point preceding the value of the key, the entry will not be deleted until after the program completes, otherwise it will be deleted before the program runs. This is important, because if the exclamation point is not used, and the program referenced in this key fails to complete, it will not run again as it will have already been deleted.
    • All entries in this key are started synchronously in an undefined order.
    • Due to this, all programs in this key must be finished before any entries in HKEY_LOCAL_MACHINE...\Run, HKEY_CURRENT_USER...\Run, HKEY_CURRENT_USER...\RunOnce, and Startup Folders can be loaded.
    • The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode. The RunOnce keys are not supported by Windows NT 3.51.


    Registry Keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    
  9. Run

    • These are the most common startup locations for programs to install auto start from.
    • By default these keys are not executed in Safe mode. If you prefix the value of these keys with an asterisk, *, it will run in Safe Mode.


    Registry Keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    
  10. All Users Startup Folder

    • For Windows XP, 2000, and NT, this folder is used for programs that should be auto started for all users who will login to this computer.


    It is generally found at:

    • Windows XP C:\Documents and Settings\All Users\Start Menu\Programs\Startup

    • Windows NT C:\winnt\Profiles\All Users\Start Menu\Programs\Startup

    • Windows 2000 C:\Documents and Settings\All Users\Start Menu\Programs\Startup

  11. User Profile Startup Folder

    • This folder will be executed for the particular user who logs in.


    This folder is usually found in:

    • Win 9X, ME c:\windows\start menu\programs\startup
    • Windows XP C:\Documents and Settings\LoginName\Start Menu\Programs\Startup

  12. RunOnce Current User Key

    • These keys are designed to be used primarily by Setup programs.
    • Entries in these keys are started once and then are deleted from the key.
    • If there is an exclamation point preceding the value of the key, the entry will not be deleted until after the program completes, otherwise it will be deleted before the program runs. This is important, because if the exclamation point is not used, and the program referenced in this key fails to complete, it will not run again as it will have already been deleted.
    • The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode.
    • The RunOnce keys are not supported by Windows NT 3.51.


    Registry Key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    
  13. Explorer Run

    • These keys are generally used to load programs as part of a policy set in place on the computer or user.


    Registry Keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    
  14. Load Key

    • This key is not commonly used anymore, but can be used to auto start programs.


    Registry Key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
    
  15. AppInit_DLLs

    • This value corresponds to files being loaded through the AppInit_DLLs Registry value.
    • The AppInit_DLLs registry value contains a list of dlls that will be loaded when user32.dll is loaded.
    • As most Windows executables use the user32.dll, that means that any DLL that is listed in the AppInit_DLLs registry key will be loaded also. This makes it very difficult to remove the DLL as it will be loaded within multiple processes, some of which can not be stopped without causing system instability.
    • The user32.dll file is also used by processes that are automatically started by the system when you log on. This means that the files loaded in the AppInit_DLLs value will be loaded very early in the Windows startup routine allowing the DLL to hide itself or protect itself before we have access to the system.


    Registry Key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
    
  16. ShellServiceObjectDelayLoad

    • This Registry value contains values in a similar way as the Run key does.
    • The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information about the particular DLL file that is being used.
    • The files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your computer, it will always start, thus always loading the files under this key. These files are therefore loaded early in the startup process before any human intervention occurs.


    Registry Key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    
  17. SharedTaskScheduler

    • This section corresponds to files being loaded through the SharedTaskScheduler registry value for XP, NT, 2000 machines.
    • The entries in this registry value run automatically when you start Windows.


    Registry Key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
    

The following are files that programs can autostart from on bootup:

  1. c:\autoexec.bat
  2. c:\config.sys
  3. windir\wininit.ini - Usually used by setup programs to have a file run once and then get deleted.
  4. windir\winstart.bat
  5. windir\win.ini - [windows] "load"
  6. windir\win.ini - [windows] "run"
  7. windir\system.ini - [boot] "shell"
  8. windir\system.ini - [boot] "scrnsave.exe"
  9. windir\dosstart.bat - Used in Win95 or 98 when you select the "Restart in MS-DOS mode" in the shutdown menu.
  10. windir\system\autoexec.nt
  11. windir\system\config.nt

Source: Windows Program Automatic Startup Locations


Disclaimer

I am not affiliated with SysInternals, Nirsoft or WinPatrol in any way, I am just an end user of the software.
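
The registry keys, startup folders, services and scheduled tasks named in the list above can be searched in one pass. This is an added example, not part of the original answer; the search text `Razer` and the `Wow6432Node` key are assumptions not taken from the list.

```powershell
# Added example: search common autostart locations for a program name.
$Pattern = 'Razer'   # assumption: text to look for in entry names and command lines

# Keys where every value is a command line (taken from the list above).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    # Not in the list above: 32-bit registry view used by 32-bit installers on 64-bit Windows.
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Keys where only one named value matters.
$singleValues = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit' }
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell' }
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'AppInit_DLLs' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'load' }
)

function New-Entry($Location, $Name, $Command) {
    [pscustomobject]@{ Location = $Location; Name = $Name; Command = [string]$Command }
}

$entries = @(
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) { New-Entry $key $name $item.GetValue($name) }
    }
    foreach ($v in $singleValues) {
        $p = Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
        if ($p) { New-Entry $v.Key $v.Name $p.($v.Name) }
    }
    # Startup folders: resolve .lnk shortcuts to the program they point at.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if (-not $dir) { continue }
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
            New-Entry $dir $_.Name $target
        }
    }
    # Auto-start services (Start value 2 in the list above).
    Get-CimInstance Win32_Service -Filter "StartMode = 'Auto'" |
        ForEach-Object { New-Entry 'Service (auto-start)' $_.Name $_.PathName }
    # Scheduled tasks that launch a program.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $task.Actions | Where-Object { $_.Execute } |
            ForEach-Object { New-Entry ('Task ' + $task.TaskPath) $task.TaskName "$($_.Execute) $($_.Arguments)" }
    }
)

$needle = [regex]::Escape($Pattern)
$entries | Where-Object { $_.Name -match $needle -or $_.Command -match $needle } | Format-List
```

Dropping the final `Where-Object` filter lists every entry, which is useful for comparing against a known-good machine when looking for an unexpected addition to `Userinit`, `Shell` or `AppInit_DLLs`.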

Solution 2:

If your program isn't available in Task Scheduler, then it could be residing in the Registry or in the startup folder, or running as a background service.

Startup folder's location for all users is as follows:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Startup folder's location for current user is as follows:
C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Startup registry's location for all users is as follows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Startup registry's location for current user is as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Once you find your program name, you can safely disable it, and make a new task in the Task Scheduler and delay it as you need.

If you are not able to find your program in the above locations, then it could be residing in the services console. Hit the Start button, type services.msc to open the services management console, and you'll find your program there.

You can download Autoruns from Microsoft's Sysinternals suite and check for yourself a whole bunch of startup programs.
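
One way to carry out the "disable it and make a delayed task" step from this answer, as an added example that is not part of the original answer. The value name `ExampleApp`, the task name and the two-minute delay are placeholders; use an elevated prompt if the entry lives under HKLM.

```powershell
# Added example: move one Run entry into a logon task that starts after a delay.
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'ExampleApp'   # placeholder: the value name found for the program
$delay     = 'PT2M'         # placeholder: ISO 8601 duration, here 2 minutes

# Read the existing command line; stop if the value does not exist.
$command = (Get-ItemProperty -LiteralPath $runKey -Name $valueName -ErrorAction Stop).$valueName
Write-Output "Original Run entry (keep this to restore it): $command"

# Split the command line into program and arguments.
if ($command -match '^\s*"([^"]+)"\s*(.*)$') {
    $exe, $arguments = $Matches[1], $Matches[2]      # "C:\path with spaces\app.exe" /args
} elseif (Test-Path -LiteralPath $command -PathType Leaf) {
    $exe, $arguments = $command, ''                  # bare path, no arguments
} else {
    $exe, $arguments = $command -split '\s+', 2      # ambiguous if the path is unquoted
}                                                    # and contains spaces: check $exe

# Refuse to register a task for a program that cannot be found.
if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
    throw "Could not resolve program path from: $command"
}

# -Argument rejects an empty string, so pass it only when there is something to pass.
$actionArgs = @{ Execute = $exe }
if ($arguments) { $actionArgs.Argument = $arguments }
$action = New-ScheduledTaskAction @actionArgs

# Logon trigger for the current user, with a fixed delay after logon.
$trigger = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME
$trigger.Delay = $delay

# Run in the user's interactive session with normal (non-elevated) rights.
$principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive

Register-ScheduledTask -TaskName "Delayed start - $valueName" `
    -Action $action -Trigger $trigger -Principal $principal | Out-Null

# Remove the original entry only after the task exists; -Confirm asks before deleting.
Remove-ItemProperty -LiteralPath $runKey -Name $valueName -Confirm
```

Some programs rewrite their Run entry on every launch or update, so check the key again after the next start.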

Solution 3:

I made a batch file in order to find the location of the vbs malware and get its source code from the startup folders:

Processes_Services_Tasks_Startup.bat

@echo off
cls & color 9E & Mode 95,5
Title Running Processes - Scheduled Tasks - Services - Startup items by Hackoo 2020
If [%1] NEQ [Admin] Goto RunAsAdmin

echo(
echo(                ===========================================================
echo(                    Please wait a while ... Working is in progress....
echo(                ===========================================================

Set "Filter_Ext=%Temp%\Filter_Ext"
Call :GetFileNameWithDateTime MyDate
Set "Log=%~dpn0_%Computername%_%MyDate%.txt"
Set "Lnk_Target_Path_Log=%~dp0Lnk_Target_Path_Log.txt"
Set "All_Users=%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup"
Set "Current_User=%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
set "Winlogonkey=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Set StartupFolders="%All_Users%" "%Current_User%"
If Exist "%Log%" Del "%Log%"
Set "VbsFile=%Tmp%\%~n0.vbs"
Call :Generate_VBS_File

  Powershell ^
  Get-WmiObject Win32_Process ^
| where commandline -NE $null ^
| Select-Object ProcessID,Name,CommandLine ^
| Out-String -Width 450 ^
| Findstr /I /V "Admin" ^
| Findstr /I /V "Get-WmiObject" ^
| Out-File "%Log%" -Encoding  ASCII 

  Powershell ^
  Get-CimInstance Win32_StartupCommand ^
| Select-Object Name,command,Location,user ^
| Format-List ^
| Out-File -Append "%Log%" -Encoding  ASCII

>"%Lnk_Target_Path_Log%" (
    @For %%A in (%StartupFolders%) Do (
        Call :Execute_VBS_File "%%~A"
    )
)

>> "%Log%" (Type "%Lnk_Target_Path_Log%")

> "%Filter_Ext%" (
    echo .vbs
    echo .vbe
    echo .js
    echo .jse
    echo .hta
    echo .bat
    echo .cmd
    echo .ps1
)

@for /f "delims=" %%a in ('Type "%Lnk_Target_Path_Log%" ^| Findstr /I /G:"%Filter_Ext%"') do (
    @for /f "tokens=2 delims==" %%b in ('echo %%a') do (
        >> "%Log%" 2>&1 (
            echo(
            echo ===================================================================================
            echo( Source code of TargetPath=%%b
            echo ===================================================================================
            Type %%b
        )
    )
)

Del "%Filter_Ext%" /F >nul 2>&1
Del "%Lnk_Target_Path_Log%" >nul 2>&1
SetLocal EnableDelayedExpansion
>> "%Log%" (
    echo(
    echo ****************************************************************************************************
    echo(                                 No Microsoft Scheduled Tasks List
    echo ****************************************************************************************************
    @For /F "tokens=2,9,17,19,20,21,22 delims=," %%a in ('SCHTASKS /Query /NH /FO CSV /V ^|find /I /V "Microsoft" ^|findstr /I /C:"VBS" /C:"EXE"') do (
        Set TaskName=%%~a
        Set TaskPath=%%~b
        Call :Trim_Dequote !TaskName! TaskName
        Call :Trim_Dequote !TaskPath! TaskPath
        echo "!TaskName!"
        echo "!TaskPath!"
        echo %%c;%%d;%%f;%%g
        echo( ---------------------------------------------------------------------------------------------------
    )
)

>> "%Log%" (
    echo(
    echo ****************************************************************************************************
    echo(                                 No Microsoft Services List
    echo ****************************************************************************************************
@for /f "tokens=*" %%a in (
    'WMIC service where "Not PathName like '%%Micro%%' AND Not PathName like '%%Windows%%'" get Name^,DisplayName^,PathName^,Status'
    ) do (
        @for /f "delims=" %%b in ("%%a") do (
            echo %%b
            )
    )
)

>> "%Log%" (
    echo(
    echo ****************************************************************************************************
    Reg Query "%Winlogonkey%" | find /I "userinit"
)

If Exist "%Log%" Start /MAX "Log" "%Log%" & Exit 
::-----------------------------------------------------------------------------------
:Trim_Dequote <Var> <NewVar>
(
    echo    Wscript.echo Trim_Dequote("%~1"^)
    echo    Function Trim_Dequote(S^)
    echo    If Left(S, 1^) = """" And Right(S, 1^) = """" Then Trim_Dequote = Trim(Mid(S, 2, Len(S^) - 2^)^) Else Trim_Dequote = Trim(S^)
    echo    End Function
)>"%VbsFile%"
for /f "delims=" %%a in ('Cscript //nologo "%VbsFile%"') do ( 
    set "%2=%%a" 
)
Del "%VbsFile%" /F >nul 2>&1
exit /b
REM ------------------------------------------------------------------------------
:GetFileNameWithDateTime <FileName>
for /f "skip=1" %%x in ('wmic os get localdatetime') do if not defined MyDate set "MyDate=%%x"
set "%1=%MyDate:~0,4%-%MyDate:~4,2%-%MyDate:~6,2%-%MyDate:~8,2%-%MyDate:~10,2%"
Exit /B
REM -----------------------------------------------------------------------------
:Generate_VBS_File
>"%VbsFile%" ( 
    echo    Option Explicit
    echo    Dim Ws,objStartFolder,objFSO,objFolder,colFiles
    echo    Dim objFile,strFilePath,Lnk,Title
    echo    Title = "Extracting Target Path from .lnk and .url files by Hackoo 2020"
    echo    Set Ws = CreateObject("Wscript.Shell"^)
    echo    If WSH.Arguments.Count = 0 Then MsgBox "Missing Arguments",vbExclamation,Title : Wscript.Quit(1^)
    echo    objStartFolder = WSH.Arguments(0^)
    echo    Set objFSO = CreateObject("Scripting.FileSystemObject"^)
    echo    Set objFolder = objFSO.GetFolder(objStartFolder^)
    echo    Set colFiles = objFolder.Files
    echo    For Each objFile in colFiles
    echo    strFilePath = objFile.Path
    echo      If Ucase(objFSO.GetExtensionName(strFilePath^)^) = "LNK"_
    echo       Or Ucase(objFSO.GetExtensionName(strFilePath^)^) = "URL" Then
    echo          Call ExtractTargetPath(strFilePath^)
    echo      End If
    echo    Next
    echo    '-------------------------------------------------------------
    echo    Sub ExtractTargetPath(Lnk^)
    echo    set Lnk = Ws.Createshortcut(Lnk^)
    echo    WScript.echo "Link="^& DblQuote(Lnk^) ^& vbcrlf ^&_
    echo    "Target="^& DblQuote(Lnk.TargetPath^) ^& vbcrlf ^&_
    echo    String(100,"-"^)
    echo    End Sub
    echo    '-------------------------------------------------------------
    echo    Function DblQuote(Str^)
    echo        DblQuote = Chr(34^) ^& Str ^& Chr(34^)
    echo    End Function
    echo    '-------------------------------------------------------------
)
Exit /B
REM -----------------------------------------------------------------------------
:Execute_VBS_File
cscript //nologo "%VbsFile%" "%~1"
Exit /B
REM -----------------------------------------------------------------------------
:RunAsAdmin
cls & color 9E & Mode 95,5
echo(
echo(               ===========================================================
echo(                    Please wait a while ... Running as Admin ....
echo(               ===========================================================
Powershell start -verb runas '%0' Admin & Exit
REM -----------------------------------------------------------------------------