Use Msconfig to log which drivers get loaded during system boot

Nothing really beats the excellent Autoruns when it comes to analyzing the files that get loaded during a system's boot process. For some users, Autoruns with its 18 different tabs may look like overkill when it comes to that, and new users will certainly spend some time using the program before they really understand how they can utilize the program.

The system tool Msconfig on the other hand is different. First because it is very limited in comparison to Autoruns when it comes to functionality, and second because it is an internal tool that ships with Windows.

One of the things that Windows users can use Msconfig for is to log which drivers get loaded during system boot. The feature is disabled by default and needs to be activated first. Before I explain how this is done, I should probably first answer why someone would want to use Msconfig and not a program like Autoruns for that. There is not really a reason for using Msconfig if you also have access to Autoruns. If Autoruns is not on the PC yet and if you do not have an Internet connection to download it, or are not permitted to use third party software, then Msconfig may be the alternative that you may want to use.

Press Windows-r to bring up the run box in Windows, enter msconfig.exe and hit the return key to load the interface. Switch to the boot tab here and locate the boot log parameter here.

When you check the boot log box and hit apply or ok, you will receive a prompt that you can use to restart the PC right now or at a later time. No matter what you select, the boot process will be logged the next time the PC is started.

The protocol is saved in the ntbtlog.txt file in the Windows directory, which usually is located in c:\Windows\. Just open it in a text editor to see all drivers that get loaded.

Most of the drivers are found in the System32\drivers folder, and it is often a good idea to look at drivers not located here when you start your analysis. The analysis may help you find faulty drivers, malicious drivers, and drivers used by devices or programs that you may not be using anymore.

I'd suggest you save the data into a different location for safe keeping, even though additional log entries are usually added to the existing log.

Keep in mind that Windows will log each boot process from that moment on until you uncheck the boot log option again in the Msconfig program.

Advertisement