Autoruns

Master of Persistence Detection

Essential Tool · Beginner Friendly

Sysinternals tool that enumerates every program, driver, service, scheduled task, DLL and shell extension configured to start at boot or at user logon. Essential for spotting malware persistence and for hardening a system by removing autostart entries that nothing needs.

Key Features

Comprehensive Scanning

  • 300+ autostart locations
  • Registry run keys analysis
  • Startup folder inspection
  • Service & driver enumeration

Security Analysis

  • VirusTotal integration
  • Digital signature verification
  • File location validation
  • Publisher trust analysis

Practical Usage Examples

GUI Version Setup

# Launch Autoruns from an elevated prompt (Autoruns64.exe on 64-bit Windows); the tool does not elevate itself
autoruns.exe
# Enable signature verification and VirusTotal hash lookups
Options → Scan Options... → Verify Code Signatures, Check VirusTotal.com
# Optional: upload files VirusTotal has never seen (this sends the binary itself off-host, not just its hash)
Options → Scan Options... → Submit Unknown Images
# Hide Microsoft-signed entries for better visibility (only meaningful with Verify Code Signatures on)
Options → Hide Microsoft Entries

Command Line Usage

# Export every category for all user profiles to CSV, verifying signatures, hashing files and looking up the hashes on VirusTotal
# (-accepteula and -vt accept the Sysinternals EULA and the VirusTotal terms so the run is non-interactive; the redirected output is typically UTF-16)
autorunsc.exe -accepteula -nobanner -a * -s -h -c -v -vt * > autoruns_report.csv
# Show only unsigned entries across all categories (without -a * only the default logon category is scanned;
# when -v is also given, -u instead shows files VirusTotal does not know or flags)
autorunsc.exe -accepteula -a * -u -s -h -c
# Focus on specific autostart types
autorunsc.exe -accepteula -a l -s -h -c # Logon entries only (the default when -a is omitted)
autorunsc.exe -accepteula -a s -s -h -c # Services and non-disabled drivers
autorunsc.exe -accepteula -a t -s -h -c # Scheduled tasks

Malware Hunting Workflow

1. Launch Autoruns as Administrator (Autoruns64.exe on 64-bit Windows)
2. Options → Scan Options... → enable Verify Code Signatures and Check VirusTotal.com (add Submit Unknown Images only if uploading unknown binaries off-host is acceptable)
3. Options → Hide Microsoft Entries (with signatures verified, an entry that merely claims to be Microsoft but is unsigned stays visible)
4. Look for entries highlighted in:
- Pink: unsigned executables, or a signature that could not be verified
- Yellow: file not found (a stale uninstall leftover, or a payload that was removed while its launcher stayed behind)
5. Sort by the VirusTotal column, or use Options → Hide VirusTotal Clean Entries, to surface detections
6. Right-click suspicious entries → Properties, Jump to Entry (the registry key or folder) or Jump to Image (the file on disk)
7. Save the scan (File → Save) and record hashes and paths before acting, then delete confirmed malicious entries; deleting an entry removes only the autostart reference, the file itself must be quarantined or removed separately

Security Indicators & Color Codes

Pink Entries

Unsigned executables, or files whose signature could not be verified (highlighted only when Verify Code Signatures is enabled; without it every entry looks alike)

Action: High priority investigation - verify the file's origin before letting it keep running. Legitimate software is sometimes unsigned, so weigh the path and publisher rather than treating pink alone as malicious

Yellow Entries

The autostart entry points at a file that no longer exists on disk

Action: Often a leftover from an uninstall, but it can also mean a payload was removed while its launcher stayed behind - check the path and entry name, and investigate what removed the file

High VirusTotal Scores

Entries whose hash is flagged by multiple antivirus engines (for example 5 or more; the denominator varies with the number of engines). VirusTotal is a hash lookup, so a file it has never seen shows as unknown, not clean

Action: Immediate investigation and likely removal required; one or two detections on an unsigned file in an odd path also deserve a look

Suspicious Locations

Executables in unusual paths: temp folders, user profile directories, ProgramData, Users\Public, or files under System32 that are not signed by Microsoft

Examples: C:\Users\%USERNAME%\AppData\Local\Temp\, C:\Windows\Temp\, C:\ProgramData\, C:\Users\Public\
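The hunting workflow and the indicators above can be applied offline to an autorunsc CSV export. The following script is an added example, not Autoruns or Sysinternals code: it scores each row for VirusTotal detections, unverified signer, missing file and suspicious image path, the same signals the GUI colours. The column names (Entry Location, Entry, Signer, Image Path, VT detection) are assumed to match the header autorunsc writes with -c -s -h -v; the embedded sample rows, hosts and hashes are constructed.

```python
"""Offline triage of an autorunsc CSV export.

Added example, not part of Autoruns. Column names follow the header autorunsc
writes with -c -s -h -v; treat that as an assumption and adjust the names below
if your version's header differs.
"""
import csv
import io
import re

# Image paths a practitioner would look at twice, as case-insensitive regexes.
SUSPICIOUS_PATHS = [
    r"\\appdata\\",        # per-user profile data, including \AppData\Local\Temp
    r"\\programdata\\",
    r"\\users\\public\\",
    r"\\windows\\temp\\",
    r"^[a-z]:\\temp\\",
]
NOT_FOUND_PREFIX = "File not found:"   # how autorunsc marks a missing image in the Image Path column

# Constructed sample with a subset of autorunsc's columns; hosts, files and hashes are made up.
SAMPLE_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String,MD5,SHA-256,VT detection
20240102-090000,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.19041.1,%windir%\system32\SecurityHealthSystray.exe,,,0/72
20240102-090000,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,DESKTOP-01\alice,,(Not verified) Contoso Software,Contoso Software,c:\users\alice\appdata\local\temp\updater.exe,1.0.0.0,C:\Users\alice\AppData\Local\Temp\updater.exe /silent,,,17/72
20240102-090000,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OldAgent,enabled,Logon,System-wide,,,,File not found: C:\Program Files\OldAgent\agent.exe,,C:\Program Files\OldAgent\agent.exe,,,
20240102-090000,HKLM\System\CurrentControlSet\Services,svchelper,enabled,Services,System-wide,Service Helper,(Verified) Fabrikam Ltd,Fabrikam Ltd,c:\programdata\svchelper\svchelper.exe,2.1.0.0,C:\ProgramData\svchelper\svchelper.exe,,,0/72
20240102-090000,Task Scheduler,\Microsoft\Windows\Defrag\ScheduledDefrag,enabled,Tasks,System-wide,Microsoft Drive Optimizer,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\defrag.exe,10.0.19041.1,%windir%\system32\defrag.exe -c -h -o -$,,,0/72
"""


def parse_vt(value):
    """'17/72' -> (17, 72); empty, 'Unknown' or anything else -> None (never seen is not clean)."""
    m = re.fullmatch(r"\s*(\d+)\s*/\s*(\d+)\s*", value or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def read_export(path):
    """Read a redirected autorunsc export; it is usually UTF-16 with a BOM, so check the BOM instead of guessing."""
    with open(path, "rb") as fh:
        raw = fh.read()
    encoding = "utf-16" if raw.startswith((b"\xff\xfe", b"\xfe\xff")) else "utf-8-sig"
    return raw.decode(encoding)


def triage(csv_text, vt_threshold=5):
    """Return the suspicious rows, highest score first.

    Scoring: VT detections >= threshold 3, unsigned/unverifiable 2, file missing 1, odd path 1.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        image = (row.get("Image Path") or "").strip()
        missing = image.startswith(NOT_FOUND_PREFIX)
        path = image[len(NOT_FOUND_PREFIX):].strip() if missing else image
        reasons, score = [], 0

        vt = parse_vt(row.get("VT detection"))
        if vt and vt[0] >= vt_threshold:
            reasons.append(f"VT detections {vt[0]}/{vt[1]}")
            score += 3
        if missing:
            reasons.append("file not found (yellow in the GUI)")
            score += 1
        elif not (row.get("Signer") or "").startswith("(Verified)"):
            # autorunsc prefixes verified signers with "(Verified)"; anything else is unsigned or unverifiable
            reasons.append("unsigned or unverifiable signer (pink in the GUI)")
            score += 2
        if any(re.search(p, path, re.IGNORECASE) for p in SUSPICIOUS_PATHS):
            reasons.append(f"suspicious image path {path}")
            score += 1

        if reasons:
            findings.append({"location": row.get("Entry Location", ""), "entry": row.get("Entry", ""),
                             "image": path, "score": score, "reasons": reasons})
    findings.sort(key=lambda f: (-f["score"], f["entry"]))
    return findings


if __name__ == "__main__":
    import sys
    text = read_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CSV
    for f in triage(text):
        print(f"[{f['score']}] {f['location']} :: {f['entry']}")
        for r in f["reasons"]:
            print("      -", r)
```

Run it with the path of an autorunsc export as the first argument, or with no argument to process the constructed sample, where the unsigned, VirusTotal-flagged Temp-folder entry sorts to the top while the Microsoft-signed System32 entries produce nothing. Raise vt_threshold if your environment tolerates a few noisy engines, and extend SUSPICIOUS_PATHS with paths that are normal for your fleet.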

Common Malware Persistence Mechanisms

Registry Run Keys

Most common persistence mechanism - Run entries execute at every logon, RunOnce entries are deleted before they run (malware simply re-creates them each time)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
The HKCU keys are writable without admin rights, which is why user-level malware lands there first

Startup Folder

Files and shortcuts in the startup folders run at logon; the per-user folder is writable without admin rights, the all-users folder applies to every account
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\

Services

Malicious services start at boot before any user logs on and usually run as LocalSystem; creating one requires admin rights, so a new service is a sign the attacker already has them
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\

Scheduled Tasks

Tasks run at specific times or on events (logon, startup, idle); definitions are stored under C:\Windows\System32\Tasks\ and Autoruns lists them on the Scheduled Tasks tab
Look for suspicious task names (misspelled Microsoft names, random strings), unusual triggers or execution times, and actions that run from user-writable paths

Quick Info

GUI File: autoruns.exe (Autoruns64.exe on 64-bit Windows)
CLI File: autorunsc.exe
Size: ~1.2 MB
Requires Admin: Yes
Locations Scanned: 300+

Key Parameters

-a *   All categories (-a l logon, -a s services and drivers, -a t scheduled tasks, and so on)
-s     Verify digital signatures
-h     Show file hashes
-c     CSV output (-ct tab-delimited, -x XML)
-v     Look up file hashes on VirusTotal (-vr additionally opens reports for detections, -vs uploads unknown files); -vt accepts the VirusTotal terms
-u     Unsigned entries only (with -v: entries VirusTotal does not know or flags)
-m     Hide Microsoft entries
-z     Scan an offline Windows installation

Related Tools

→ Process Explorer
→ Sigcheck (Soon)
→ Process Monitor
→ AccessChk (Soon)

Pro Tips

  • 💡 Enable VirusTotal hash lookups on analysis hosts, but remember that hashes (and, with Submit Unknown Images, whole files) leave the machine; skip it on air-gapped or sensitive systems
  • 💡 Hide Microsoft entries to focus on third-party software, but only after enabling Verify Code Signatures
  • 💡 Export to CSV with autorunsc for offline analysis and diffing between hosts or points in time
  • 💡 Check file paths for unusual locations (Temp, AppData, ProgramData, Users\Public)
  • 💡 Save a clean baseline (File → Save, .arn) and use File → Compare after system changes; new entries are highlighted in green
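The baseline comparison tip can also be done on autorunsc CSV exports, which is handy when the baseline was taken on a golden image or another host. The script below is an added example and not Sysinternals code: it reports entries added, removed, and entries whose image, launch string, hash, signer or enabled state changed, which catches a binary swapped in place under an existing service. It assumes the column names autorunsc writes with -c -s -h; the two embedded exports are constructed, with made-up hashes.

```python
"""Diff two autorunsc CSV exports (baseline vs. current), a command-line
counterpart of the GUI's File → Compare. Added example, not Sysinternals code.
Column names are assumed to match autorunsc's -c -s -h header; the samples
below are constructed and keep only a subset of those columns.
"""
import csv
import io

# An entry is identified by where it lives, its name and the profile it applies to.
KEY_COLUMNS = ("Entry Location", "Entry", "Profile")
# Columns whose change on an existing entry is worth a look; Time is deliberately not compared.
WATCH_COLUMNS = ("Image Path", "Launch String", "SHA-256", "Signer", "Enabled")

BASELINE_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Signer,Image Path,Launch String,SHA-256
20240101-120000,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,1111aaaa
20240101-120000,HKLM\System\CurrentControlSet\Services,ContosoAgent,enabled,Services,System-wide,(Verified) Contoso Software,c:\program files\contoso\agent.exe,C:\Program Files\Contoso\agent.exe,2222bbbb
20240101-120000,Task Scheduler,\Maintenance\NightlyBackup,enabled,Tasks,System-wide,(Verified) Contoso Software,c:\program files\contoso\backup.exe,C:\Program Files\Contoso\backup.exe /full,3333cccc
"""

CURRENT_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Signer,Image Path,Launch String,SHA-256
20240115-083000,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,1111aaaa
20240115-083000,HKLM\System\CurrentControlSet\Services,ContosoAgent,enabled,Services,System-wide,(Not verified) Contoso Software,c:\program files\contoso\agent.exe,C:\Program Files\Contoso\agent.exe,4444dddd
20240115-083000,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,DESKTOP-01\alice,,c:\users\alice\appdata\local\temp\updater.exe,C:\Users\alice\AppData\Local\Temp\updater.exe /silent,5555eeee
"""


def load_export(text):
    """Index rows by KEY_COLUMNS so the same entry can be matched across runs."""
    return {tuple(row.get(c, "") for c in KEY_COLUMNS): row
            for row in csv.DictReader(io.StringIO(text))}


def compare_exports(baseline_text, current_text):
    """Return added and removed entry keys plus (key, {column: (old, new)}) for entries that changed."""
    before, after = load_export(baseline_text), load_export(current_text)
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    changed = []
    for key in sorted(before.keys() & after.keys()):
        diffs = {col: (before[key].get(col, ""), after[key].get(col, ""))
                 for col in WATCH_COLUMNS
                 if before[key].get(col, "") != after[key].get(col, "")}
        if diffs:
            changed.append((key, diffs))
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Redirected autorunsc output is normally UTF-16; change the encoding if yours is UTF-8.
        with open(sys.argv[1], encoding="utf-16") as a, open(sys.argv[2], encoding="utf-16") as b:
            result = compare_exports(a.read(), b.read())
    else:
        result = compare_exports(BASELINE_CSV, CURRENT_CSV)
    for key in result["added"]:
        print("ADDED   ", " :: ".join(key))
    for key in result["removed"]:
        print("REMOVED ", " :: ".join(key))
    for key, diffs in result["changed"]:
        print("CHANGED ", " :: ".join(key))
        for col, (old, new) in diffs.items():
            print(f"          {col}: {old!r} -> {new!r}")
```

With the constructed samples the new HKCU Run entry in a Temp folder shows up as added, the backup task as removed, and the ContosoAgent service as changed because its hash and signer differ while its path did not, which is exactly the case a path-only comparison would miss. The Time column is ignored on purpose, since it changes on every export.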