How to Audit Drivers Loaded Before WinLogon Using Autoruns on Windows 11

Windows 11 loads many drivers and startup components before the WinLogon process starts. These early-loading drivers can slow boot times, cause system instability, or hide malware that activates before security software can detect it. Built-in tools such as Task Manager and MSConfig do not show these pre-WinLogon items. Autoruns, a free utility from Microsoft Sysinternals, provides a complete view of every driver and process that runs before the user logs on. This article explains how to use Autoruns to inspect, disable, and manage drivers loaded before WinLogon on Windows 11.

Key Takeaways: Auditing Pre-WinLogon Drivers on Windows 11

  • Autoruns > Drivers tab > Logon column: Filters all drivers that load before the WinLogon process, enabling targeted audit of early boot components.
  • Uncheck a driver entry in Autoruns: Disables the driver from loading without permanently deleting it, allowing safe testing of boot stability.
  • Autoruns > File > Save As .arn: Exports the full driver list to a text file for offline analysis, documentation, or comparison with a known-good baseline.


Understanding Pre-WinLogon Drivers and Autoruns

Windows 11 boots in stages. The kernel loads, then the Session Manager (smss.exe) starts, followed by the Windows subsystem and the WinLogon process. Drivers that load during these early stages are classified as boot-start drivers or system-start drivers. They are essential for disk access, file system operations, and hardware abstraction. However, third-party software such as antivirus tools, disk encryption utilities, and hardware monitoring programs also add drivers that start before WinLogon.

Autoruns is a portable executable that does not require installation. It scans the Windows Registry, file system, and scheduled tasks to list every autostarting component. The tool organizes entries into tabs: Everything, Logon, Explorer, Internet Explorer, Scheduled Tasks, Services, Drivers, Codecs, Boot Execute, Image Hijacks, AppInit, KnownDLLs, Winlogon, Winsock, LSA Providers, and Sidebar Gadgets. The Drivers tab shows kernel-mode drivers. The Logon column within that tab indicates when each driver loads relative to the WinLogon process.

What the Logon Column Means

The Logon column in Autoruns displays a status for each driver entry:

  • Blank: The driver loads before WinLogon. These are the focus of this audit.
  • WinLogon: The driver loads during or after WinLogon starts.
  • Not loaded: The driver is registered but not currently active.

Drivers with a blank Logon column are the ones that can impact boot speed and security. Autoruns does not modify these drivers; it only reads their configuration. To disable a driver, you uncheck its checkbox in the Drivers tab.

Steps to Audit Drivers Loaded Before WinLogon

The following steps guide you through downloading Autoruns, filtering for pre-WinLogon drivers, and analyzing or disabling specific entries.

  1. Download Autoruns from Microsoft Sysinternals
    Open a browser and go to the official Microsoft Sysinternals page for Autoruns at https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns. Click the Download Autoruns and Autorunsc link. Save the ZIP file to a folder such as C:\Tools. Right-click the ZIP file and select Extract All. Choose a destination folder and click Extract.
  2. Run Autoruns as Administrator
    Navigate to the extracted folder. Right-click Autoruns64.exe and select Run as administrator. If prompted by User Account Control, click Yes. Autoruns scans the system and displays all autostart entries. This scan may take 10 to 30 seconds depending on the number of installed drivers and services.
  3. Switch to the Drivers Tab
    In the Autoruns window, click the Drivers tab. This tab lists every kernel-mode driver that is configured to start automatically. The columns show: Driver Name, Description, Image Path, Publisher, Logon, and Entry. The list is sorted alphabetically by default.
  4. Filter for Pre-WinLogon Drivers
    Look at the Logon column. Click the column header to sort by Logon status. Scroll to the rows where the Logon column is blank. These are the drivers that load before WinLogon. Alternatively, use the Filter option in the Options menu. Click Options > Filter Options. In the dialog, check Hide Microsoft Entries and Hide Windows Entries. This hides drivers signed by Microsoft, leaving only third-party drivers. Click OK. Now the list shows only non-Microsoft drivers, and you can focus on those with a blank Logon column.
  5. Analyze Each Pre-WinLogon Driver
    For each driver with a blank Logon column, review the following details:
    Publisher: Verify the publisher is a known company. Unknown or suspicious publishers may indicate malware.
    Image Path: The full file path to the driver .sys file. Right-click the entry and select Properties to see the file version and digital signature details.
    Description: A brief description of what the driver does. If the description is generic or missing, investigate further.
    Entry: The Registry key or folder where the driver is registered. Common locations include HKLM\SYSTEM\CurrentControlSet\Services.
  6. Disable a Suspicious or Unnecessary Driver
    To prevent a driver from loading before WinLogon, uncheck the checkbox to the left of the driver name. A confirmation dialog asks if you want to proceed. Click Yes. The change takes effect immediately in the Registry. The driver will not load on the next boot. To re-enable it, check the box again. Do not disable drivers for essential hardware such as storage controllers or file system drivers unless you are certain of the consequences.
  7. Export the Driver List for Documentation
    Click File > Save or press Ctrl+S. Choose a location and file name. The default format is .arn (Autoruns data file). To export as a plain text file, select Text (txt) from the Save as type dropdown. This text file lists all drivers with their properties, including the Logon status. You can compare this file with a baseline taken after a clean Windows 11 installation to spot changes.
  8. Reboot and Verify Boot Performance
    After disabling any drivers, restart Windows 11. Monitor the boot time and check for errors in Event Viewer. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter. Go to Windows Logs > System. Look for events with Source Service Control Manager or Driver that indicate a driver failed to load. If a critical driver was disabled, the system may fail to boot. In that case, boot into Safe Mode, run Autoruns as administrator, and re-enable the driver.
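The registry data behind steps 4 and 5 can also be read directly. The following PowerShell script is an added example, not part of Autoruns or the original article: it lists the boot-start and system-start drivers registered under HKLM\SYSTEM\CurrentControlSet\Services and checks each driver file's signature. The function name Resolve-DriverPath and the output column names are assumptions chosen for this example.

```powershell
# Added example (read-only): list boot-start and system-start drivers from the
# Services key and check each driver image's Authenticode signature.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startNames  = @{ 0 = 'Boot'; 1 = 'System' }   # Start: 0 = boot-start, 1 = system-start

function Resolve-DriverPath {                  # hypothetical helper for this example
    param([string]$ImagePath, [string]$ServiceName)
    # With no ImagePath, Windows defaults to System32\drivers\<service name>.sys
    if ([string]::IsNullOrWhiteSpace($ImagePath)) {
        return Join-Path $env:SystemRoot "System32\drivers\$ServiceName.sys"
    }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    $p = $p -replace '^\\\?\?\\', ''                                  # strip NT prefix \??\
    if ($p -match '^\\SystemRoot\\') { $p = $env:SystemRoot + $p.Substring(11) }
    elseif ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # relative path
    return $p
}

$report = foreach ($key in Get-ChildItem -Path $servicesKey) {
    $svc = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    # Type 1 = kernel driver, Type 2 = file system driver; skip everything else
    if ($svc.Type -notin 1, 2 -or $svc.Start -notin 0, 1) { continue }

    $path = Resolve-DriverPath -ImagePath $svc.ImagePath -ServiceName $key.PSChildName
    $sig  = if (Test-Path -LiteralPath $path) {
                Get-AuthenticodeSignature -LiteralPath $path
            } else { $null }

    [pscustomobject]@{
        Name      = $key.PSChildName
        Start     = $startNames[[int]$svc.Start]
        ImagePath = $path
        SigStatus = if ($sig) { [string]$sig.Status } else { 'FileMissing' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# Review queue: not validly signed, file missing, or signed by a non-Microsoft publisher
$report |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation' } |
    Sort-Object Start, Name |
    Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell session so that every Services subkey and the real System32\drivers folder are readable.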


Common Issues When Auditing Pre-WinLogon Drivers

Autoruns Does Not Show Any Drivers in the Drivers Tab

This usually happens when Autoruns is not running as administrator. Close Autoruns, right-click the executable again, and select Run as administrator. The Drivers tab requires elevated privileges to read the Registry and driver store.

Disabling a Driver Causes Windows 11 to Fail to Boot

If the system becomes unbootable after disabling a driver, boot into Safe Mode. Press the power button and hold the Shift key while clicking Restart. Go to Troubleshoot > Advanced options > Startup Settings > Restart. Press 4 or F4 to enter Safe Mode. In Safe Mode, run Autoruns as administrator. Find the disabled driver (its checkbox is unchecked) and check it again. Restart normally.

Autoruns Shows Multiple Drivers with the Same Name but Different Paths

This indicates duplicate entries in the Registry. One entry may be from an old software installation that was not fully removed. Compare the Image Path column. The driver file may still exist on disk even if the software is uninstalled. Disable the duplicate entry by unchecking it. If the driver is not needed, you can delete the Registry key manually using Regedit. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\[DriverName] and delete the key. Export the key as a backup before deletion.

Autoruns Drivers Tab vs Device Manager: Driver Audit Comparison

| Item | Autoruns Drivers Tab | Device Manager |
|---|---|---|
| Scope | All kernel-mode drivers configured to start automatically, including non-PnP drivers | Only Plug and Play drivers for detected hardware devices |
| Pre-WinLogon visibility | Yes, via the Logon column (blank = before WinLogon) | No, Device Manager does not indicate load timing |
| Disable method | Uncheck the checkbox in Autoruns | Right-click device > Disable device |
| Registry view | Shows the exact Registry key path for each driver | Does not show Registry location |
| Export capability | Save as .arn or .txt file with full driver details | Export as .txt via command line only, limited information |

Autoruns provides a more comprehensive view for auditing drivers that load before WinLogon. Device Manager is better suited for troubleshooting hardware-specific driver issues after the system has booted.

The Autoruns Drivers tab is the most effective tool for auditing drivers loaded before WinLogon on Windows 11. You can now identify, disable, and document these early-loading drivers using the steps above. For ongoing monitoring, save a baseline export after a clean system state and compare it periodically. A useful advanced practice is to run Autoruns with the Verify code signatures option enabled under Options > Scan Options. This checks each driver file against its digital signature, helping you spot unsigned or tampered drivers that load before the login screen appears.
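The baseline comparison described above can be scripted. The following PowerShell is an added example, not part of Autoruns or the original article. It assumes each inventory is a CSV with the columns Name, Start, ImagePath and Signer; those column names, the function name Compare-DriverInventory, and all sample rows are constructed for illustration.

```powershell
# Added example: report drivers added, removed, or changed since a known-good baseline.
# Both inventories below are constructed sample data; in practice use Import-Csv.
$baseline = ConvertFrom-Csv @'
Name,Start,ImagePath,Signer
disk,Boot,C:\Windows\System32\drivers\disk.sys,Microsoft Windows
exampleav,Boot,C:\Windows\System32\drivers\exampleav.sys,Example AV Ltd
oldtool,System,C:\Windows\System32\drivers\oldtool.sys,Example Tools Inc
'@
$current = ConvertFrom-Csv @'
Name,Start,ImagePath,Signer
disk,Boot,C:\Windows\System32\drivers\disk.sys,Microsoft Windows
exampleav,Boot,C:\ProgramData\tmp\exampleav.sys,
newfilter,Boot,C:\Windows\System32\drivers\newfilter.sys,Unknown Publisher
'@

function Compare-DriverInventory {             # hypothetical helper for this example
    param([object[]]$Baseline, [object[]]$Current)
    # Index both inventories by driver name (PowerShell hashtables ignore case)
    $old = @{}; foreach ($d in $Baseline) { $old[$d.Name] = $d }
    $new = @{}; foreach ($d in $Current)  { $new[$d.Name] = $d }

    foreach ($name in $new.Keys) {
        if (-not $old.ContainsKey($name)) {
            [pscustomobject]@{ Change = 'Added'; Name = $name; Detail = $new[$name].ImagePath }
            continue
        }
        # Same driver name: a moved image, a new signer, or an earlier start type needs review
        foreach ($field in 'Start', 'ImagePath', 'Signer') {
            if ($old[$name].$field -ne $new[$name].$field) {
                [pscustomobject]@{
                    Change = "Changed:$field"
                    Name   = $name
                    Detail = "'$($old[$name].$field)' -> '$($new[$name].$field)'"
                }
            }
        }
    }
    foreach ($name in $old.Keys) {
        if (-not $new.ContainsKey($name)) {
            [pscustomobject]@{ Change = 'Removed'; Name = $name; Detail = $old[$name].ImagePath }
        }
    }
}

Compare-DriverInventory -Baseline $baseline -Current $current |
    Sort-Object Change, Name | Format-Table -AutoSize
```

With the sample data, the report shows newfilter as added, oldtool as removed, and exampleav with a changed image path and a changed signer.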
