This chapter covers Windows startup items and services, a core topic for the CompTIA A+ 220-1102 exam under Objective 1.2 (Operating Systems). Understanding how Windows manages programs that start automatically is essential for troubleshooting boot issues, optimizing performance, and securing systems. Approximately 10-15% of exam questions touch on startup configuration, services, and related tools like msconfig, Task Manager, and Services console.
Imagine a cruise ship preparing to depart. The crew must board passengers in a specific order: first, essential staff (engineers, captain) to get the ship operational; then, service staff to set up dining and entertainment; finally, guests with special requests. Each passenger has a boarding pass with a priority code and dependencies. The cruise director uses a master checklist (the registry) that lists every passenger and their boarding time. Some passengers are 'run once' (like the safety drill), while others run every voyage. If a passenger’s pass says 'requires previous passenger to be seated', that passenger waits. The director can also add or remove passengers from the list. In Windows, startup items and services are like these passengers: they have a defined order, dependencies, and run at boot. The registry and system folders hold the 'boarding list'. Services are like essential crew that run in the background, while startup applications are like guests that appear on the desktop. Managing this list is critical for boot performance and security.
What Are Startup Items and Services?
Startup items are programs or scripts configured to run automatically when Windows boots or when a user logs on. Services are background processes that run independently of user sessions, often starting before logon. Both are managed via the registry, system folders, and administrative tools.
Windows Startup Locations
Windows checks multiple locations for startup programs. The most common are:
- Startup Folder (per-user): %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
- Startup Folder (common): %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup
- Registry Run keys:
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- Registry RunOnce keys:
  - HKCU\...\RunOnce and HKLM\...\RunOnce – entries are executed once then deleted.
- Group Policy: Startup scripts via Computer Configuration\Windows Settings\Scripts (Startup/Shutdown).
- Scheduled Tasks: Tasks set to run at logon or system startup.
- Services: Many services are set to start automatically.
How Services Work
Services are managed by the Service Control Manager (SCM). Each service has a startup type:
- Automatic: Starts at boot.
- Automatic (Delayed Start): Starts shortly after boot to improve logon speed.
- Manual: Started on demand.
- Disabled: Cannot be started.
Services run under a security context (e.g., LocalSystem, NetworkService, LocalService). They can be configured via the Services console (services.msc), sc command, or PowerShell.
Key Tools for Managing Startup
- System Configuration (msconfig): Allows enabling/disabling startup items, services, and boot options. On Windows 8/10/11, the Startup tab redirects to Task Manager.
- Task Manager: On the Startup tab, you can see startup programs, their status, and impact (High, Medium, Low). Right-click to disable.
- Services Console (services.msc): Lists all services, status, startup type, and dependencies.
- Registry Editor (regedit): Directly manage Run keys.
- Group Policy Editor (gpedit.msc): For domain-joined or Pro/Enterprise editions.
- PowerShell: Cmdlets like Get-Service, Set-Service, Get-CimInstance Win32_StartupCommand.
Common Startup Items and Their Impact
Examples of startup items include antivirus software, cloud sync clients (Dropbox, OneDrive), hardware utilities (printer monitors), and instant messaging apps. Each adds to boot time. High impact items are those that perform network initialization or disk I/O.
Troubleshooting Startup Problems
- Safe Mode: Boots with minimal drivers and services. Use to isolate problematic startup items.
- Clean Boot: Using msconfig, disable all non-Microsoft services and startup items. Re-enable one by one.
- System Configuration: Use the Selective Startup option to load only basic services.
- Event Viewer: Check System and Application logs for service failures.
- Autoruns (Sysinternals): Comprehensive tool showing every startup location.
Security Considerations
Malware often installs itself as a startup item or service. Common persistence mechanisms:
- Adding to Run keys.
- Creating a service with 'Automatic' start.
- Using scheduled tasks.
- Modifying the Startup folder.
Use Autoruns to identify suspicious entries. Disable or delete unknown items.
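A scripted, read-only inventory of the four locations listed above can complement Autoruns during a review. This is an added example, not code from the original page; the `New-Finding` helper and the "user-writable path" pattern are assumptions chosen for triage, and a `Review` flag means "look closer", not "malicious".

```powershell
# Added example (not from the original page): read-only inventory of the auto-start
# locations listed above. The path pattern below is an assumed triage heuristic.
$reviewPattern = '\\Temp\\|\\Users\\Public\\|\\Downloads\\'

function New-Finding($Source, $Name, $Command) {
    $expanded = [Environment]::ExpandEnvironmentVariables([string]$Command)
    [pscustomobject]@{
        Review  = $expanded -match $reviewPattern   # True = runs from a user-writable path
        Source  = $Source
        Name    = $Name
        Command = $expanded
    }
}

$findings = @()

# 1. Run and RunOnce keys, per-user (HKCU) and machine-wide (HKLM)
foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($key in 'Run', 'RunOnce') {
        $path = "$hive\Software\Microsoft\Windows\CurrentVersion\$key"
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($valueName in $item.GetValueNames()) {
            $findings += New-Finding $path $valueName ($item.GetValue($valueName))
        }
    }
}

# 2. Per-user and common Startup folders; shortcuts are resolved to their targets
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup") {
    foreach ($file in Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue) {
        if ($file.Name -eq 'desktop.ini') { continue }
        $target = if ($file.Extension -eq '.lnk') { $shell.CreateShortcut($file.FullName).TargetPath } else { $file.FullName }
        $findings += New-Finding $dir $file.Name $target
    }
}

# 3. Services whose startup type is Automatic
foreach ($svc in Get-CimInstance Win32_Service -Filter "StartMode='Auto'") {
    $findings += New-Finding 'Service (Automatic)' $svc.Name $svc.PathName
}

# 4. Scheduled tasks with an 'At logon' or 'At startup' trigger
foreach ($task in Get-ScheduledTask) {
    $triggerTypes = $task.Triggers | ForEach-Object { $_.CimClass.CimClassName }
    if (-not ($triggerTypes -match 'LogonTrigger|BootTrigger')) { continue }
    foreach ($action in $task.Actions) {
        $findings += New-Finding "Task $($task.TaskPath)" $task.TaskName "$($action.Execute) $($action.Arguments)"
    }
}

$findings | Sort-Object Review -Descending | Format-Table Review, Source, Name, Command -Wrap
```

Run it from an elevated PowerShell session so that machine-wide keys and all scheduled tasks are readable; it changes nothing on the system.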
Best Practices
- Disable unnecessary startup programs to improve boot time.
- Change services that don't need to run always to Manual.
- For delayed start services, use 'Automatic (Delayed Start)'.
- Regularly review startup items with Task Manager or Autoruns.
Command-Line Examples
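```powershell
# List all services with status (state= all includes stopped services).
# sc.exe is spelled out because "sc" alone is an alias for Set-Content in Windows PowerShell.
sc.exe query state= all
# Start a service
sc.exe start Spooler
# Set service to disabled (the space after "start=" is required)
sc.exe config Spooler start= disabled
# Using PowerShell
Get-Service | Where-Object {$_.StartType -eq 'Automatic'}
Set-Service -Name Spooler -StartupType Disabled
# Get startup commands
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User
```
Registry Details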
The Run keys support REG_SZ or REG_EXPAND_SZ values containing the full path to the executable. The RunOnce keys are similar but the value is deleted after execution. On Windows 10/11, the RunOnce key can also be set for 'next boot' only.
Interaction with Group Policy
Group Policy can enforce startup scripts and disable specific startup items via Administrative Templates (e.g., 'Do not process the legacy run list'). This is common in corporate environments.
Performance Impact
Each startup item adds to the time before the desktop becomes responsive. The 'Startup impact' in Task Manager is based on historical data from the Windows Performance Recorder. High impact items can add 1-3 seconds each.
Exam Tips
- Know the difference between Startup folder and Run keys.
- Remember that msconfig's Startup tab redirects to Task Manager on Windows 8+.
- Understand that services can start before logon.
- Be able to identify the tool for disabling a service: services.msc.
- Recognize that Autoruns is the most comprehensive tool.
Boot Process Initiation
When the computer powers on, the BIOS/UEFI performs POST and loads the boot loader (bootmgr). The boot loader reads the Boot Configuration Data (BCD) and loads the Windows kernel (ntoskrnl.exe). The kernel initializes the Executive subsystem and the Service Control Manager (SCM) is started early in the boot process.
Service Control Manager Starts
The SCM (services.exe) reads the registry at `HKLM\SYSTEM\CurrentControlSet\Services` to enumerate all services. It determines the boot order based on the 'Start' value and 'Group' tags. Services with start type 'boot' (0) and 'system' (1) are loaded first, followed by 'auto' (2). The SCM also checks dependencies to ensure services start in the correct order.
Automatic Services Load
Services set to 'Automatic' start are loaded. For 'Automatic (Delayed Start)', the SCM sets a timer (typically 2 minutes after last automatic service start) before starting them. Each service runs in its own process (svchost.exe hosts many services) under a specific security context. If a service fails to start, the SCM may attempt to restart it based on recovery options.
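The registry values the SCM works from can be read directly, which helps when the Services console and the actual configuration seem to disagree. The following is an added example, not code from the original page: the function names `Get-ScmServiceEntry` and `Test-ServiceDependency` are illustrative, and `DelayedAutoStart`, `ObjectName` and `DependOnService` are the standard per-service registry values, which the page itself does not name.

```powershell
# Added example (not from the original page): decode the per-service values the SCM
# reads from HKLM\SYSTEM\CurrentControlSet\Services. Function names are illustrative.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ScmServiceEntry {
    param([Parameter(Mandatory)][string]$Name)
    $key = Get-Item -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" -ErrorAction SilentlyContinue
    if (-not $key) { return }
    $start = $key.GetValue('Start')
    if ($null -eq $start) { return }              # subkey without a Start value: not a service entry
    $startType = $startNames[[int]$start]
    if ($start -eq 2 -and $key.GetValue('DelayedAutoStart') -eq 1) {
        $startType = 'Automatic (Delayed Start)'  # auto-start service flagged for delayed start
    }
    [pscustomobject]@{
        Name      = $key.PSChildName
        Start     = $start
        StartType = $startType
        Group     = $key.GetValue('Group')
        Account   = $key.GetValue('ObjectName')   # security context, e.g. LocalSystem
        DependsOn = @($key.GetValue('DependOnService') | Where-Object { $_ })
    }
}

# For one service, list each dependency with its start type and current state.
# Review is True when the dependency is Disabled or is not currently running.
function Test-ServiceDependency {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-ScmServiceEntry -Name $Name
    if (-not $svc) { throw "No service entry named '$Name'" }
    foreach ($dep in $svc.DependsOn) {
        if ($dep.StartsWith('+')) { continue }    # '+' marks a load-order group, not a service
        $entry = Get-ScmServiceEntry -Name $dep
        # Win32_BaseService covers both services and drivers
        $state = (Get-CimInstance Win32_BaseService -Filter "Name='$dep'").State
        [pscustomobject]@{
            Service   = $svc.Name
            DependsOn = $dep
            StartType = $entry.StartType
            State     = $state
            Review    = ($entry.Start -eq 4) -or ($state -ne 'Running')
        }
    }
}

# Dependencies of the print spooler, then a count of services per start type
Test-ServiceDependency -Name Spooler | Format-Table -AutoSize
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    ForEach-Object { Get-ScmServiceEntry -Name $_.PSChildName } |
    Group-Object StartType | Select-Object Count, Name
```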
User Logon Initiation
Once the boot phase completes, the Winlogon process presents the logon screen. After user authentication, the User Profile Service loads the user's registry hive (ntuser.dat). The Windows Explorer shell starts, and the system reads per-user startup locations.
Startup Items Execute
The shell (Explorer.exe) processes startup items from the registry Run keys and the Startup folder. Entries in `HKCU\...\Run` run in the user's context. The Startup folder items are launched via Explorer. Each item is executed sequentially but not waited on; they all start quickly. The 'Startup impact' in Task Manager is calculated from historical performance data.
RunOnce and Scheduled Tasks
After Run keys, the system processes RunOnce keys. These entries are executed once and then deleted. Additionally, scheduled tasks set to run at logon are triggered. The Task Scheduler service checks its task list and runs any tasks with the trigger 'At logon' or 'At startup'. This is a common persistence mechanism for malware.
Desktop Ready and Post-Logon
After all startup items have been launched, the desktop becomes responsive. However, some items may still be initializing in the background (e.g., network drives, cloud sync). The user can now interact with the system. The boot is considered complete when the desktop is interactive and the CPU usage stabilizes.
In a corporate environment with hundreds of Windows 10/11 workstations, managing startup items is crucial for user productivity. For example, a company deploys antivirus software, a VPN client, and a backup agent that all set themselves to start automatically. Over time, boot times increase from 30 seconds to over 2 minutes. The IT team uses Group Policy to disable unnecessary startup items via Administrative Templates (e.g., 'Do not process the run list' or 'Remove the Run menu from Start Menu'). They also configure services like the print spooler to 'Automatic (Delayed Start)' to spread the load. Performance monitoring with Windows Performance Analyzer shows that the VPN client's network initialization is the main culprit. The team then works with the vendor to optimize the startup sequence.
Another scenario involves a healthcare provider using legacy applications that require specific services to run as 'LocalSystem'. A misconfigured service fails to start because its dependency (e.g., SQL Server) is set to 'Manual'. The helpdesk receives complaints that the application won't launch. Using services.msc, the technician checks the service status and sees it is stopped. The 'Dependencies' tab shows that the SQL Server service is not running. Starting it resolves the issue. To prevent recurrence, the technician sets the SQL Server service to 'Automatic'.
In a security incident, a user reports strange pop-ups. The security analyst runs Autoruns and finds an unknown entry in HKLM\...\Run pointing to a suspicious executable in %TEMP%. The entry is disabled, and the file is submitted for analysis. The analyst also checks scheduled tasks and finds a task set to run at logon that downloads additional payloads. This highlights the importance of regularly auditing startup locations, especially after a suspected compromise.
Performance considerations: On systems with SSDs, boot times are less impacted by disk I/O, but CPU and network initialization still matter. In virtual desktop infrastructure (VDI), startup items can cause 'boot storms' when many VMs start simultaneously. Administrators often use 'Automatic (Delayed Start)' and disable non-essential services to mitigate this.
The 220-1102 exam tests startup items and services under Objective 1.2 (Operating Systems). Expect questions that require you to identify the correct tool for a given task, understand the behavior of different startup types, and troubleshoot boot issues. Specific areas:
- Tools: Know that msconfig (System Configuration) is used for selective startup and disabling services, but on Windows 8/10/11, the Startup tab redirects to Task Manager. The Services console (services.msc) is for managing services. Autoruns (Sysinternals) is the most comprehensive for viewing all startup locations.
- Common Wrong Answers:
  1. 'Use Task Manager to disable a service' – Task Manager only shows startup programs, not services. Services are managed via services.msc.
  2. 'The RunOnce key runs every boot' – RunOnce runs only once and then the entry is deleted.
  3. 'Disabling a service in msconfig permanently removes it' – msconfig only disables it for the current boot configuration; it can be re-enabled.
  4. 'All startup items are in the Startup folder' – Many are in Run keys, scheduled tasks, etc.
- Specific Numbers/Values:
  - Default delay for 'Automatic (Delayed Start)' is 2 minutes.
  - Startup types: 0 (boot), 1 (system), 2 (auto), 3 (manual), 4 (disabled).
  - Registry paths: HKCU\...\Run and HKLM\...\Run.
- Edge Cases:
  - If a service fails to start and recovery options are not set, it remains stopped.
  - Group Policy can override local startup settings.
  - In Safe Mode, only essential drivers and services load; startup items in Run keys are ignored.
- Elimination Strategy: If the question asks about managing a background process that starts before logon, the answer must involve services.msc or sc command. If it's about a user-visible program that starts after logon, think Task Manager or msconfig.
Startup items can be configured via Startup folder, registry Run/RunOnce keys, Group Policy, and scheduled tasks.
Services are managed by the Service Control Manager and have startup types: Automatic, Automatic (Delayed Start), Manual, Disabled.
The default delay for Automatic (Delayed Start) services is 2 minutes.
Task Manager's Startup tab only shows programs from Run keys and Startup folder; it does not show services.
msconfig (System Configuration) is used for selective startup and disabling services temporarily; on Windows 8+ it redirects to Task Manager for startup items.
Autoruns (Sysinternals) is the most comprehensive tool to view all startup locations.
Services can start before user logon, while startup programs start after logon.
Safe Mode loads only essential services and drivers; startup items are not processed.
Group Policy can override local startup settings in domain environments.
Regular review of startup items is critical for performance and security.
These come up on the exam all the time. Here's how to tell them apart.
Startup Folder
Located in file system (per-user: %APPDATA%\...\Startup; common: %ProgramData%\...\Startup)
Items are shortcuts (.lnk) or executables
Easy for users to add/remove by dragging shortcuts
Visible in Start Menu under 'Startup' folder
Less commonly used by malware due to visibility
Registry Run Keys
Located in registry (HKCU\...\Run and HKLM\...\Run)
Items are REG_SZ or REG_EXPAND_SZ values with path to executable
Requires registry editing to modify
Not visible in Start Menu without tools
Commonly used by malware for persistence
Mistake
The Startup folder in the Start menu is the only place Windows checks for startup programs.
Correct
Windows checks multiple locations: registry Run keys, RunOnce, Group Policy, scheduled tasks, and the Startup folder. The Startup folder is just one of many.
Mistake
Disabling a startup program in Task Manager permanently removes it.
Correct
Disabling in Task Manager only prevents it from starting; the entry remains in the registry or folder and can be re-enabled. It does not delete the file or registry key.
Mistake
Services with 'Automatic' start type always start immediately at boot.
Correct
'Automatic' services start during boot, but 'Automatic (Delayed Start)' services start about 2 minutes after the last automatic service. Also, services may be delayed due to dependencies.
Mistake
msconfig can be used to disable any startup program or service permanently.
Correct
msconfig changes are temporary for troubleshooting; it modifies the boot configuration to selectively disable items. Permanent disabling should be done via Task Manager, services.msc, or registry.
Mistake
All startup items appear in Task Manager's Startup tab.
Correct
Task Manager's Startup tab only shows programs launched from the registry Run keys and Startup folder. It does not show services, scheduled tasks, or Group Policy scripts.
Open Task Manager (Ctrl+Shift+Esc), go to the Startup tab, right-click the program, and select Disable. This prevents it from running at next logon. The entry remains so you can re-enable it later. For more advanced control, use msconfig or Autoruns.
A service is a background process that runs independently of user sessions, often starting before logon, managed by the Service Control Manager. A startup program is a user-mode application that starts after logon, typically visible in the taskbar or system tray. Services are managed via services.msc, startup programs via Task Manager.
Open services.msc, find the service, right-click and select Properties. On the General tab, change Startup type to Disabled, click Apply, then OK. Alternatively, use the command: `sc config ServiceName start= disabled` (note the space after 'start=').
RunOnce keys cause a program to run once at next logon (or boot) and then the entry is automatically deleted. It is often used by installers to run configuration tasks after setup. The keys are located at HKCU\...\RunOnce and HKLM\...\RunOnce.
Use Microsoft Sysinternals Autoruns. It shows every location where a program can auto-start, including registry Run keys, Startup folders, services, scheduled tasks, drivers, and more. Download from Microsoft's website and run as administrator.
Antivirus often installs as a service with Automatic startup type, so it starts during boot before user logon. This ensures protection is active early. You can verify in services.msc – look for the antivirus service with Startup Type 'Automatic'.
Each startup program adds to the time before the desktop becomes responsive. High-impact items (e.g., those performing network or disk I/O) can add 1-3 seconds each. With many such items, boot time can increase from 30 seconds to several minutes. Disabling unnecessary ones improves performance.