
I ran a full security audit on my Windows PC and found issues I never expected

The green checkmark on Windows Defender is often a reassuring sign to most people that their computer is safe. After all, Windows Security is packed with so many security features. However, realizing that most traditional antivirus programs only catch active threats changed how I consider system health. Forgotten services, orphaned registry keys, lingering startup entries, and permissive execution policies all accumulate over time, negatively impacting performance and security.


So, I decided to perform a full system security audit of my Windows PC. It revealed something a bit concerning: software that I no longer used remained active, listening, and retaining elevated permissions. It showed how my computer evolves, and brought clarity on how to manage and tighten security.

Startup persistence showed me what Windows never forgets

Autoruns exposed entry points Task Manager doesn’t acknowledge

Startup persistence is how software survives reboots. Windows' native Task Manager, while robust, shows only a fraction of the entries that actually launch at boot. For this part of the audit, I turned to Autoruns from the Sysinternals Suite. It instantly revealed hundreds of registry locations and filesystem hooks that Windows uses to start code silently. This tool is an excellent way of seeing what may be slowing down your PC.

One of the first things I noticed was the "File not found" items highlighted in yellow. These were registry hooks that pointed to files I had deleted years ago. Even though they were not active, they are residual registry entries that, in extreme cases, can be repurposed by malicious or other software. Your long-unused utilities can leave open doors that Windows considers safe, and the OS can silently trust these entries at each reboot.

Autoruns makes it easy to stabilize your system while removing unnecessary startup entries. But the main takeaway from this process was that a superficial glance at the Task Manager is not nearly enough for auditing registry-level autostart entries.
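
The "File not found" check can be approximated in PowerShell for the classic Run and RunOnce keys. This is an added example, not part of the original article and not how Autoruns itself works; it covers only a small subset of the locations Autoruns inspects, and the helper name Get-CommandTarget is hypothetical.

```powershell
# Added example: flag Run/RunOnce values whose target file is missing.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

# Hypothetical helper: pull the executable path out of an autostart command line.
function Get-CommandTarget {
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^(.+?\.(exe|com|bat|cmd|dll|vbs|ps1))(\s|,|$)') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name, $null, $noExpand)
        if ([string]::IsNullOrWhiteSpace($command)) { continue }
        $target = Get-CommandTarget -Command $command
        # Bare names such as rundll32.exe are resolved through PATH before testing.
        $exists = (Test-Path -LiteralPath $target -PathType Leaf) -or
                  [bool](Get-Command -Name $target -CommandType Application -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Key    = $key
            Name   = $name
            Target = $target
            Status = if ($exists) { 'OK' } else { 'File not found' }
        }
    }
}
$results | Sort-Object Status, Key | Format-Table -AutoSize -Wrap
```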

Services revealed how much software runs with permanent trust

Third-party services outlived the apps that created them

Windows services run continuously even when you are not logged in to your computer, and they sometimes run with SYSTEM privileges. I found numerous processes connected to software I thought I had deleted and hardware I no longer owned. To view running services, you may follow these steps:


  1. Open the Run command by pressing Win + R.
  2. Type "msconfig" and hit Enter.
  3. Navigate to the Services tab.
  4. (Optional) Check the Hide Microsoft services checkbox to see services connected with third-party tools.

An example was the Update Helper I found for a peripheral that I had not used in years. Even though this app was gone, this service kept listening for updates hourly. The worst part was that it had administrative privileges. On its own, the service wasn't harmful, but it ran continuously with elevated privileges and consumed system resources.

I also found services by opening Windows’ native Services app. Here, rather than removing services outright, I sometimes change their startup type to Manual, forcing them to only launch when they are genuinely needed. It also helps me reduce load and maintain system stability. This part of the audit showed me that installed services persist indefinitely until manually removed or changed.
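
The same review can be scripted. The following is an added example, not part of the original article: it lists auto-start services whose binary lives outside the Windows directory (a heuristic that only approximates the "Hide Microsoft services" checkbox) together with the account they run as. The service name ExampleUpdateHelper is a placeholder.

```powershell
# Added example: auto-start services installed outside the Windows directory,
# with the account each one runs as. Run from an elevated PowerShell prompt.
$windowsDir = [regex]::Escape($env:SystemRoot)

$thirdParty = Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.StartMode -eq 'Auto' -and
        $_.PathName -and
        # Heuristic: binaries under %SystemRoot% are treated as Windows components.
        $_.PathName -notmatch "^`"?$windowsDir\\"
    } |
    Select-Object Name, DisplayName, State, StartName, PathName

$thirdParty | Sort-Object StartName, Name | Format-Table -AutoSize -Wrap

# Services from that list running as LocalSystem deserve the closest look.
$thirdParty | Where-Object { $_.StartName -eq 'LocalSystem' } |
    Select-Object Name, State, PathName | Format-Table -AutoSize -Wrap

# Switch one service to Manual start instead of deleting it.
# 'ExampleUpdateHelper' is a placeholder, not a service named in the article.
$serviceName = 'ExampleUpdateHelper'
if (Get-Service -Name $serviceName -ErrorAction SilentlyContinue) {
    Set-Service -Name $serviceName -StartupType Manual
    Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'" |
        Select-Object Name, StartMode, State
}
```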


Scheduled tasks mapped the activity I never actively approved

PowerShell made hidden triggers obvious

Windows scheduled tasks are a blind spot to most users, mainly because the Task Scheduler GUI is cumbersome. For this part of the audit, I got a clear, parsable list of what ran and when, generated with PowerShell. These are the steps I used:

  1. Open PowerShell with admin rights.
  2. Run the command below to see a list of tasks generated by third-party sources:

     Get-ScheduledTask | Where-Object {$_.State -ne "Disabled" -and $_.TaskPath -notlike "\Microsoft*"} | Select-Object TaskName, TaskPath, State | Format-Table -AutoSize

  3. (Optional) Run the command below to see when a specific task last ran and what file triggered it:

     Get-ScheduledTask -TaskName "NAME_OF_TASK" | Get-ScheduledTaskInfo

Following these steps revealed several tasks created by browsers, telemetry tools, and game launchers. Many of them persist long after their software is closed. Some are triggered on logon, workstation unlock, or system idle, not needing active approval to execute. Even though they were not malware, they were all automated without my awareness. This audit provided clarity, helping me remove tasks that no longer had a purpose and clean up system activity.
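
To see the trigger type, the account, and the executable behind each task in one view, the two commands above can be combined. This is an added example, not part of the original article; it uses the same filter for enabled, non-Microsoft tasks.

```powershell
# Added example: one row per action of every enabled non-Microsoft task, with
# triggers and last-run data. Run from an elevated prompt to see all tasks.
$report = Get-ScheduledTask |
    Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft*' } |
    ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
        # Trigger class names look like MSFT_TaskLogonTrigger; keep the readable part.
        $triggers = ($task.Triggers | ForEach-Object {
            $_.CimClass.CimClassName -replace '^MSFT_Task', ''
        }) -join ', '
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                TaskName   = $task.TaskName
                TaskPath   = $task.TaskPath
                RunAs      = $task.Principal.UserId
                RunLevel   = $task.Principal.RunLevel
                Triggers   = $triggers
                Execute    = $action.Execute     # empty for COM handler actions
                Arguments  = $action.Arguments
                LastRun    = $info.LastRunTime
                LastResult = $info.LastTaskResult
            }
        }
    }

$report | Sort-Object TaskPath, TaskName | Format-List

# Tasks that run elevated or fire on logon, unlock, idle or boot come first in review.
$report |
    Where-Object {
        $_.RunLevel -eq 'Highest' -or
        $_.Triggers -match 'Logon|SessionStateChange|Idle|Boot'
    } |
    Select-Object TaskName, RunAs, Triggers, Execute |
    Format-Table -AutoSize -Wrap
```

Workstation unlock appears here as a SessionStateChangeTrigger.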


Network listeners showed which apps expected to be reachable

Local ports told a story the firewall never highlighted

Certain applications on your computer are listening for traffic, and using netstat -abno helps map active ports to associated executables. When I did this, I found surprises among peripheral utilities and media apps. Here are the exact steps I used:

  1. Open PowerShell with admin rights.
  2. Run the command below to see which apps are currently listening for a connection:

     netstat -abno | findstr LISTENING

  3. Look through the Local Address column for IPs like 127.0.0.1:XXXX or 0.0.0.0:XXXX. 127.0.0.1 (Localhost) shows that an app is listening for other software on your own PC, while 0.0.0.0 (Any IPv4) shows the app is listening for anything on your local network (increasing exposure if the service is unnecessary or outdated).
  4. Use the command below to match the PID to a real app:

     Get-Process -Id 1234 | Select-Object ProcessName, Path, Description

I found some programs that opened local web servers, accessible only on localhost. These listeners expand the attack surface because, while not being externally exposed, other software on the PC could interact with them unexpectedly.


Closing unnecessary apps and reviewing Windows Defender Firewall rules helped me address this issue. I found inbound exceptions from old games and utilities and removed them to ensure that even if a legacy app launched, it wouldn’t bypass the firewall. This part of the audit was an indication that, even though they are subtle, listening ports are an important area of exposure.
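
The listener-to-process mapping and the firewall review can both be done with the built-in networking cmdlets. This is an added example, not part of the original article: it uses Get-NetTCPConnection instead of netstat, labels each listener by exposure, and lists enabled inbound allow rules whose program path no longer exists on disk.

```powershell
# Added example: TCP listeners with owning process and exposure, plus inbound allow
# rules pointing at programs that are gone. Run from an elevated PowerShell prompt.
$listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
    $conn = $_
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $exposure = switch -Regex ($conn.LocalAddress) {
        '^(127\.|::1$)'     { 'Loopback only'; break }
        '^(0\.0\.0\.0|::)$' { 'All interfaces'; break }
        default             { 'Specific interface' }
    }
    [pscustomobject]@{
        LocalAddress = $conn.LocalAddress
        LocalPort    = $conn.LocalPort
        Exposure     = $exposure
        PID          = $conn.OwningProcess
        ProcessName  = $proc.ProcessName
        Path         = $proc.Path
    }
}
$listeners | Sort-Object Exposure, LocalPort | Format-Table -AutoSize -Wrap

# Inbound allow rules left behind by removed software: the rule names a program
# that is no longer on disk. This walks every rule, so it can take a while.
$staleRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $rule = $_
        $app  = ($rule | Get-NetFirewallApplicationFilter).Program
        if ($app -and $app -notin 'Any', 'System') {
            $path = [Environment]::ExpandEnvironmentVariables($app)
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
                [pscustomobject]@{
                    Rule    = $rule.DisplayName
                    Program = $path
                    Name    = $rule.Name
                }
            }
        }
    }
$staleRules | Format-Table -AutoSize -Wrap
# After reviewing the list, remove a rule with: Remove-NetFirewallRule -Name <Name>
```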

Permissions exposed the long-term cost of convenience

Privilege and execution policies linger after installation

Authority was the final vector I audited. The problem with authority is that installers accumulate administrative privileges, and Windows rarely revokes them automatically. In my review, I was surprised to see that my PowerShell execution policy was set to Bypass. This must have been modified by third-party apps months earlier.


I also downloaded the ShellExView app to review shell extensions and found several entries for cloud storage that I no longer used—another persistent, elevated process that runs invisibly.

As a security measure, I reset execution policies to RemoteSigned and removed administrative flags from non-essential binaries. In all, my biggest takeaway was that, other than removing dangerous files, real security is about managing what software is trusted to run.
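
Execution policy is set per scope, so a reset at one scope can be overridden by another. This added example, not part of the original article, shows every scope, reports which one is in effect, and resets only the two persistent scopes that Set-ExecutionPolicy can write.

```powershell
# Added example: show the execution policy at every scope and which one wins.
# Get-ExecutionPolicy -List returns scopes in precedence order, highest first:
# MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
$scopes = Get-ExecutionPolicy -List
$scopes | Format-Table -AutoSize

$winner = $scopes |
    Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
    Select-Object -First 1
if ($winner) {
    "Effective policy: $($winner.ExecutionPolicy) (set at scope $($winner.Scope))"
}

# MachinePolicy and UserPolicy come from Group Policy and cannot be changed here.
# Process scope lasts only for the current session. Changing LocalMachine
# requires an elevated prompt.
foreach ($scope in 'CurrentUser', 'LocalMachine') {
    $current = Get-ExecutionPolicy -Scope $scope
    if ($current -in 'Bypass', 'Unrestricted') {
        "Resetting $scope from $current to RemoteSigned"
        Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope $scope -Force
    }
}

# Effective policy after the change; if it is still Bypass, a higher-precedence
# scope in the table above is overriding the reset.
Get-ExecutionPolicy
```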

What this audit taught me about trust

The main thing I learned was that the green check mark from my native security is just half the security story. Knowing which software has authority is the second part.

I gained real control over my system by mapping startup entries, services, scheduled tasks, listeners, and execution policies. The deliberate, informed management helped me regain trust in my PC. Running this audit isn't a substitute for Windows Security and its several hidden features—it complements Windows' built-in protections.
