Random Apps Start up at Restart

Have you had a look at the statup tab in task manager.

But also a not so new feature of Windows 10:
https://www.tenforums.com/tutorials/138685-turn-off-automatically-restart-apps-after-sign-windows-10-a.html

Download a copy of Microsoft Autoruns and review what it reports as running at startup/login.  There is a surprising amount of "stuff" in most systems.

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

Bembi:  The tenforums article was pretty interesting!  But no solution there.  In some cases, the settings of interest weren't even present although the Windows version met the requirement for it.  
Restart apps after signing in was missing on the start/power menu.

Dr. Klahn:  Autoruns didn't reveal the ncpa.cpl item...

So, it's still a mystery.

Accounts - Sign-in options ??
From an actual built...



or

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Reg DWORD RestartApps 0 or 1

You may also in the policiy hive, possibly ist set by a GPO.

Bembi:  Here is one version from the target computer OS Build 19042.1052.  It's on a domain and subject to GPOs which I control and know almost entirely.


Here is another from OS Build 19043.1110 in a WORKGROUP:

Select allOpen in new window

So, this last one has a 3rd entry that the first one lacks.

• Perhaps update Windows further
• What do Event Viewer logs  sections showcase pertaining to the time of this you last saw any error codes, or perhaps try ProcMon or Process Explorer to isolate the source of it if it and capture events happening
• Maybe try running from an elevated command prompt:  sfc /scannow to see if it finds any errors

Yes sure , which each built you may have new features or others are gone.
I was just asking for the settings. If these are the affected machines, we can exclude this option.

I just made even the experience yesterday that Win 10 not neccessarily shows all settings if they are set via Policy.
So, even a Policy is set, the option is avalablöe and can be changed but doesn't has an effect or is reset.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Reg DWORD RestartApps 0 or 1

and
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon

may be just worth to check.  

I'm in the midst of updating the OS version to 21H1.
We'll see if that changes anything.
In the process, I see that the program launch happens even when I log back in after a timeout.
As I recall, we have a GPO that forces a logoff after so much time of inactivity.  
I don't know that I can easily tell the difference between a passworded screen saver logon and a logoff/logon.  I should think that would be easy but I've not tried to see.
But, this tracks with other User accounts not having this issue.

The sceen save lock is not the same, here it was usual, that application stay open.
For a real logout is was definitely the default behaviour that all applications are closed until MS introduced this new feature. Admins used this to free up application, i.e. for updates.
As Microsoft is sometimes a bit far away from the real practise, its possible that the changed the default behaviour again.
Even if registry keys are not present, windows uses a default value.
This may also explain why not all users have this issue, depending from the question from which built they updated to a newer built. or which built they currently use. 

So interesting what happens after the update.  

OK.. I have it at 21H1 now.

Even if registry keys are not present, windows uses a default value.

OK.  So the "value" has to reside somewhere, eh?  I wouldn't know where to look.

The new version hasn't changed the behavior.

I posted the registry keys above..

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
look for Reg DWORD RestartApps 0 or 1

and
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon  

and for any case also
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon  

Definitely, try what Bembi suggested above first, examine the registry carefully.

Other thoughts:

Can you try AutoRuns? Or another tool to examine the startup further for investigating and scanning startup items. Or capture events with ProcMon to find other potential areas:

• https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
• https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

• Maybe the behavior is tied to a Shell Extension:

https://www.nirsoft.net/utils/shexview.html

• Is Fast startup enabled or disabled? And is there a difference when switched off?

• Maybe a fresh user profile won't encounter this issue when you test as a last resort, or perhaps try  sfc /scannow from an elevated command prompt as admin to see if it finds any errors.

• Did you run a full antivirus scan on your station also? I doubt it's malware or virus activity, but always a good idea to double-check when you see odd behavior.

• Do you see any error codes or anything else in Event Viewer file logs?

 

Bembi:  Yes, I looked at all those registry keys to no avail...

re: This may also explain why not all users have this issue, depending from the question from which built they updated to a newer built. or which built they currently use. 

There is only one machine with various Users here.... so the builds and build history are the same.  Or, did I misunderstand?

When you said: "Even if registry keys are not present, windows uses a default value."  I didn't know where to look for those default values.

Jazz Kaur:
Well I've done all those things and nothing seems to have changed.  
But, it turns out that there *are* interesting errors.
A script launched by GPO included a servername which had changed....so that threw errors

> When you said: "Even if registry keys are not present, windows uses a default value."  I didn't know where to look for those default values.
This means, that the default value is handled by the OS.
You can change the behaviour by creating the value, but if the value is not present, the OS takes a defualt value.

Interesting would be what happens, ist you set manually
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Reg DWORD RestartApps = 0 

Bembi:  Thank you!  Well I'd already had set that registry item as you suggested.....
Jazz Kaur:  I tried them all.  Nothing jumps out that's obvious to me!  :-)
The fast startup setting didn't change it.

Mmh, sounds curious,
Jazz gave you the links to all the other tools.
Means sysinternals shows everything what may be conneted to autostart locations...
Due to this I would exclude all such sources.

If you can identify the file for the process (you said i.e. ncpa.cpl)
Have you tried to search the registry for that file? I mean, it will be there, but should not in the context of an automatic startup.
Also what I have in my mind is the MS technology preview program. Was it enabled on such machines?   

Bembi:  No MS technology preview program....
Good idea re:searching the registry.  I hadn't done that yet.
ncpa.cpl, amongst many others is listed in both Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\don't load
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Control Panel\don't load
... and that's it...

So, just to clarify...
If you boot the machine...
ncpa.cpl comes up if it was open before...
or it comes up intepended if it was open or not?

At least my imagination is, that everything what loads should be written somewhere. So windows has to remember something and there are not so much places, where they can be stored...
registry, we didn't find anything.
Startup options (sysinternals) didn't show anything.
So, left over....
- a batch file (bat, vbs, ps1 ot whatever)
- a policy / startup script (can be found in the registry)
--> but they have also be connected to startup items...
- An AD startup script (this is the only one which doesn't leave settings on the client)
- task manager job...
- any other internal function driven by a registry key (sometimes the options are not written in clear text into the registry).
- for win 10 I can have also some apps in my mind, which are doing some unusual things. 

I tried the old trick of "do the opposite":
I added ncpa.cpl to the start at logon list.
It then opened at logon, but only one instance as before.
Then I disabled the added entry in the startup list.
It's still starting up at logon....
This is obviously not the end of the world but figuring things out is always useful.

I almost always close the window just because it's in the way.
So, no, it wasn't running each time there's been a restart.

If it wasn't running before a reboot, it can not have anything to do with the Win 10 feature from my ealier post.
This feature should just recreate the desktop as it looked before.
So if a single application starts independend from the fact that is was opened before or not, I would rather search the issue in the direction of statup scripts, policies, AD logon scripts etc.
As the content of such scripts is not directly searchable, possibly not easy to find, but at least connected to tha fact, that a startup script exists.

Have you checked if it is connected to the user or machine? What happens if a different user logs in? 
 

Vice versa, what happens, if a user, where is happens, logons on a different machine?

Bembi:  
Yes, as I mentioned, other users don't have this issue on this computer (or others).
The same user, on other computers, doesn't have this issue.
Just for context, in this domain, we have over 60 computers and 30 users.
I "touch" many of those computers AND logon to them in various ways, including THIS user and others with the issue on THIS one computer with this ONE user.

Can you describe the window a bit further that you're seeing what does it looks like a cmd window flash with some details or a particular message or bits of a message perhaps you catch?

The only thing I can think of as a last resort is to start fresh with a  new user profile on the station and migrate your data.

Jazz Kaur:  Good idea if I knew how to do it gracefully.  But then that would be a "fix" and I'm more interested in understanding this.  I'd not know what had been fixed.  So, yes, as you suggest: a last resort.

I guess, I never would have got an IT Expert, if I always would have choosen the fast path...
So, reinstalling something is very seldom for me.
I had the feeling that your question went into the direction to find the reason rather than to find a fast solution.

@Jazz, your "last resort" is absolute correct..., but it is the fast path :-)
According your other question, it is (lately) ncpa.cpl, so network connections.

Nevertheless there is always a reason why something happens, so the question is only, how much effort you want to put into a topic. And most of the solutions are simple, as far a you have found them...

So, to dig again into the topic...
What makes me a bit wondering is your descriptiption, that it happens only on one machine and only with one user account. And the negative test fails, it doesn't happen on other systems with the same user, nor with another user on the affected system.
So has to be a setting which happens in the user context and is limited to the local machine...
- local policies...
- task manager

Have you checked the policy result set? As it combines local policies with GPOs.
Also sheduled task can be triggered by logon events....

You said before
> In the process, I see that the program launch happens even when I log back in after a timeout.  
Does it happen always, when you relogon to this machine?
This would at least confirm, that is is triggered by the logon event.

Bembi:  Thanks!  Yes, I see the program launch when I log back in after a timeout.  I'm doing this remotely but the local timeout is shorter than any remote timeout.

I ran RSOP under this Standard User and found two GPO settings applied:
Password protect the screen saver
Screen saver timeout
They are supposed to be there (and should be) except for a few special computers that we don't want to log out.

I've looked at Task Manager startup and see nothing interesting in the short list of Enabled items.
Just to see, I disabled everything that can be disabled - leaving 4 items.
No change in doing that....

Jazz Kaur and Bembi:  Thank you both!

Jazz asked:

 "Yes, I see the program launch "

Are you seeing different program names each time or one, in particular, remerge each time? Are these W10-based apps or Microsoft Store popping up and windows or third-party program or a mix of apps\windows at random (both) overall?

No. W10:yes, Store:no, 3rdParty:no.  
If you run ncpa.cpl the result is always "Network Connections".  That's what I see consistently.
I only know how to launch it by running ncpa.cpl or going through Control Panel with mouse clicks.  The result in doing either one is always the same.  

I'm going to forego answering the other questions as we've found the problem!
1) There *was* a scheduled task set to run at startup.  It would run a .bat file in C:\Program Files\Npca:
CheckStatus.bat
There was just this one task set to run at startup.  I must say, finding it was most unexpected.
The .bat file was too complicated to quickly figure out.
2) I immediately suspected Wireshark w/ npcap. [which is NOT ncpa.cpl nor "ncpap" that's just a coincidence I believe]
3) First, I confirmed that Network Connections did not start using my admin account.  
4) Then, I removed Wireshark AND npcap but noticed an OEM NPCAP install which I left alone.
5) Booted to my Standard User "fred" - Network Connections opened again.
6) Checked the installs and OEM NPCAP was now gone.
7) Logged off and back on.  Network Connections did not open this time.
8) Rebooted and logged on Standard User "fred": Network Connections did not open this time.
So, the problem is solved it appears!!
Then, I reinstalled Wireshark 3.4.2 64-bit with npcap 1.00 from my download folder
Restarted the computer.
The problem didn't reappear.
Also, I believe this version of npcap installed with Wireshark is different than what I'd had; the list of installs shows NPCAP and not OEM NPCAP.
I believe the latter was installed with PRTG but I'm not going to test that idea right now.....
Also, I may well have renamed some network connections - which the .bat file may be sensitive to.

Thanks for sticking with this!!

Awesome! I am glad this one got isolated! 

Hi, perfect....
So, if you are interested in npcap OEM, than you may read this here...
https://nmap.org/npcap/oem/redist.html

npcap is needed by wireshark and bundled into the setup ( the free version).
The OEM version is a commercial variant....

Bembi:  Yes.  npcap was originally installed with Wireshark.  Then I installed a recent version of PRTG which brings OEM NPCAP with it.  I'll be doing that again one of these days so we'll see.  This looks like a bug in the .bat file they install that's scheduled to run at startup.
I sure didn't expect that scheduled task!  Good of you to suggest.

I finally found the cause but not the reason!
It started happening on another computer and the app opening at startup was a different one.
The first computer was opening ncpa.cpl.
The second computer began opening Event Viewer as Administrator so was asking for admin credentials first.
Each of these had a desktop shortcut icon.
I tend to use lots of desktop icons so these culprits are only examples of what could have been, but yet were unique in this startup behavior.

Deleting just those particular desktop icons solved the "problem".
WHY?  BUT WHY?  ARGHHH!!  Ha.  Really no need to satisfy my curiosity.....

New observation:
It seems that the app that starts at boot not only has a desktop shortcut icon but ALSO the location of the icon on the desktop is:
One over from the left column of icons and one down from the top row of icons.
So, if the icon locations were numbered like Excel cells, it would be in location B2.
- Removing that one shortcut icon seems to fix the problem....
- Sliding another shortcut icon into that position, causes *that one* to start shortly after logon.
- Logging on as another user doesn't seem to have this problem - even with a shortcut icon at "B2".
Still don't know why - but this might suggest something.