Tool: AutoRuns
Autoruns is a powerful utility from Microsoft Sysinternals that provides an exhaustive overview of all applications and scripts configured to run automatically on a Windows system. This tool is invaluable for system administrators and security professionals for diagnosing performance issues and detecting malware. Autoruns scans and displays the entries in the order in which they execute, from boot-up to user login, covering a wide range of autostart locations.
Key Features
Extensive Autostart Location Scanning: Autoruns is more comprehensive than the built-in Windows tools like MSConfig or Task Manager. It scans over a dozen places where autostart commands can be hidden, including but not limited to:
Run and RunOnce registry keys
Startup folders
Windows Services
Drivers
Winlogon notifications
Scheduled tasks
Browser helper objects (BHOs), toolbars, and extensions for Internet Explorer, Chrome, and Firefox
Filtering and Search: Users can filter out Microsoft and Windows entries to focus on third-party applications, making it easier to spot potentially unwanted programs or malware. A search function allows for quick filtering of results based on keywords.
Digital Signature Checks: Autoruns can verify digital signatures of auto-starting images to distinguish legitimate applications from potentially malicious ones. Unsigned or improperly signed files are flagged, drawing immediate attention.
Hide Safe Entries: An option to hide verified Microsoft services reduces clutter and helps users concentrate on third-party applications that are more likely to be malicious.
Command-line Version: Autoruns also includes Autorunsc, a command-line version that can be used for scripting or integration with other tools, enabling automated scans and reports.
How Autoruns Works
Autoruns operates by querying dozens of registry keys and folder paths where autostart commands can be stored, including:
HKLM and HKCU Software\Microsoft\Windows\CurrentVersion\Run keys for application startup commands.
The Start Menu\Programs\Startup folders for the current user and all users.
Services and drivers configured to start automatically.
Scheduled tasks with triggers set at logon or system startup.
Explorer shell extensions, browser helper objects, and other plugins that load with web browsers or the explorer process.
Using Autoruns for Malicious Activity Detection
Malware and Persistence Mechanisms: Malware often relies on autostart mechanisms to ensure it runs every time the system starts. Autoruns can uncover these persistence mechanisms by showing every application configured to start automatically, including those hidden from the user.
Analysis and Remediation: By identifying and examining suspicious or unknown entries, users can take steps to disable or remove unwanted applications. This is crucial in the process of malware removal and system clean-up.
System Auditing: Regular scans with Autoruns can serve as part of a routine security audit, ensuring that only authorized applications are configured to run at startup.
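The scripted workflow described above (Autorunsc exports feeding a routine audit) can be automated by comparing a baseline export with a current one. The following script is an added example, not part of the Sysinternals tooling; it assumes the column layout of an Autorunsc CSV export produced with signature verification enabled, and the two exports embedded below are constructed sample data.

```python
import csv
import io

# Constructed sample exports in the column layout assumed for
# "autorunsc.exe -a * -c -s" (real exports add hash columns when -h is used).
BASELINE_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
1/2/2024 9:00 AM,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.19041.1,%windir%\system32\SecurityHealthSystray.exe
1/2/2024 9:00 AM,Task Scheduler,\Backup\Nightly,enabled,Tasks,System-wide,Backup agent,(Verified) Example Backup Vendor,Example Backup Vendor,c:\program files\examplebackup\agent.exe,3.1.0.0,c:\program files\examplebackup\agent.exe /nightly
"""

# A later export: one new enabled, unverified Run key and one new disabled task.
CURRENT_CSV = BASELINE_CSV + r"""3/4/2024 8:15 AM,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,DESKTOP\alice,,(Not verified) Updater Ltd,,c:\users\alice\appdata\roaming\updater\upd.exe,,c:\users\alice\appdata\roaming\updater\upd.exe
3/4/2024 8:15 AM,Task Scheduler,\OldTool,disabled,Tasks,System-wide,Legacy helper,(Not verified) OldTool Inc,OldTool Inc,c:\tools\oldtool.exe,1.0.0.0,c:\tools\oldtool.exe
"""


def parse_autorunsc_csv(text):
    """Parse an Autorunsc CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def entry_key(row):
    """Identity of an autostart entry: where it lives, its name, and the image it launches."""
    return (row["Entry Location"], row["Entry"], row["Image Path"])


def suspicious_entries(rows):
    """Enabled entries whose image did not pass signature verification."""
    return [r for r in rows
            if r["Enabled"] == "enabled" and not r["Signer"].startswith("(Verified)")]


def diff_scans(baseline_rows, current_rows):
    """Entries present in the current scan but absent from the baseline (new persistence)."""
    known = {entry_key(r) for r in baseline_rows}
    return [r for r in current_rows if entry_key(r) not in known]


def report(baseline_csv, current_csv):
    """Summarise what changed since the baseline and what is enabled yet unverified."""
    baseline, current = parse_autorunsc_csv(baseline_csv), parse_autorunsc_csv(current_csv)
    return {"new": [entry_key(r) for r in diff_scans(baseline, current)],
            "unverified_enabled": [entry_key(r) for r in suspicious_entries(current)]}


if __name__ == "__main__":
    for kind, keys in report(BASELINE_CSV, CURRENT_CSV).items():
        print(kind)
        for location, entry, image in keys:
            print(f"  {location} :: {entry} -> {image}")
```

In practice the two exports come from a trusted-state scan kept as the baseline and a scheduled re-scan; any entry listed under "new" or "unverified_enabled" is the starting point for the manual review the page recommends before disabling anything.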
Security Considerations
Accurate Malware Identification: Users must exercise caution and conduct thorough research before deeming an autostart entry as malicious to avoid false positives.
Risk of System Instability: Disabling or removing legitimate system processes or applications can lead to system instability or failure. It's recommended to have a system restore point or backup before making changes.
Elevation of Privilege: Autoruns should be run with administrative privileges to ensure a complete scan of all locations, including those requiring elevated access to view or modify.