Autoruns (Sysinternals) and the Magic of Persistence

Autoruns, part of the Sysinternals suite, is a powerful tool that gives an in-depth view of every program configured to run automatically on your system: startup applications, background processes, services, drivers and more. Beyond its diagnostic value, Autoruns is an essential tool for understanding and managing persistence, the set of mechanisms by which software, legitimate or malicious, arranges to run again after a reboot or logon. That makes it relevant both to system optimization and to cybersecurity.

Download the Tool and Start Exploring

Downloading Autoruns is the first step toward gaining control over your system’s startup behavior. Simply head over to the official Sysinternals website, download the tool, and start exploring.

Multiple Execution Options

Once you’ve downloaded Autoruns, you have several execution options to choose from:

  • Graphical Interface: You can run the tool with a user-friendly GUI using autoruns.exe or its 64-bit version, autoruns64.exe. This option is perfect for those who prefer visual navigation and want to easily browse through various startup entries.

  • Command-Line Version: For advanced users or those who prefer scripting, Autoruns also offers a command-line version, autorunsc.exe, and its 64-bit counterpart, autorunsc64.exe. This is ideal for automating tasks, creating scripts for batch analysis, or integrating Autoruns functionality into other tools.

Both options provide comprehensive control over your system’s startup entries, so you can choose the one that best suits your needs.

Scripting Power!

In today’s post, we’ll be using autorunsc.exe through the command line, as it often becomes necessary to gather evidence remotely. Command-line usage not only allows for faster execution but also makes it easier to automate tasks and collect data across multiple systems.

To get started, open the Command Prompt or PowerShell and run autorunsc.exe. This command-line version gives you the flexibility to analyze systems remotely or over the network. In the screenshot below, you’ll see the different options that the tool provides.

autorunsc.exe -a

This will display a list of available commands and options, helping you customize the tool’s output according to your needs, whether you want to analyze specific sections, export data to a file, or even integrate it into a larger script for automation.

A Powerful Command for Deep Analysis

One particularly interesting command is:

autorunsc -a * -s -h -c -vr > output.csv

This command returns all autostart entries (-a *), verifies the digital signatures of the files (-s), displays their hashes (-h), formats the output as CSV (-c) and redirects it to a file. It’s a powerful way to gather extensive information about your system’s startup programs, allowing you to analyze them further or share the findings with your team.

Additionally, autorunsc can query VirusTotal for file reputations based on the collected hashes (the -vr switch in the command above). This is especially useful for quickly checking whether any of the startup files are flagged as malicious by the global security community. By integrating VirusTotal into your workflow, you can easily cross-reference file hashes and get a better understanding of potential threats.

Let's See an Example

First of all, we’ll run the command mentioned earlier, and keep in mind that this process can take some time depending on the system’s complexity and the number of autostart entries.

Since autorunsc.exe will be verifying digital signatures, generating file hashes, and querying VirusTotal, the command may take longer to complete on machines with a lot of startup entries. Be patient while the tool performs its analysis, and once it finishes, we’ll have a comprehensive CSV file ready for review.

Analyzing the results

After running the command, we get a detailed CSV file with the results. Here’s a quick interpretation of what we see in the screenshot:

  • Autostart Entries: The entries are organized by their location in the system, mostly under HKLM\System\CurrentControlSet\Services, which indicates they are associated with Windows system services.

  • Verified Digital Signatures: Most of the entries have verified digital signatures, as shown in the “Signer” column. Trusted sources like Microsoft Corporation and Google LLC have signed these files, meaning they are less likely to be malicious.

  • VirusTotal Detection: The “VT Detection” column reveals that most files have a clean score of 0/77 in VirusTotal, meaning they haven’t been flagged as malicious by any of the 77 antivirus engines. However, Google-related entries have a 1/77 score, which means one engine has flagged them. While a single detection doesn’t necessarily imply a threat, it’s something to investigate further.

  • Google Services: The highlighted entries correspond to Google Update (GoogleUpdateTaskMachineUA) and the Google Elevation Service. Both are signed by Google LLC, but the 1/77 VirusTotal detection score suggests one antivirus flagged them, even though this could be a false positive.

  • Hash and Digital Signature: Hashes are generated for each file, allowing further analysis, such as looking them up in other reputation sources or matching them across systems. Files with verified signatures from trusted companies like Microsoft and Google are generally safe, although a valid signature on its own is not proof that a file is benign.
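To turn the CSV into a short triage list, here is an example script added for this post (it is not part of Autoruns or Sysinternals) that reads the export and flags enabled entries whose signature is not verified or whose VT detection is non-zero or missing. The column names mirror the ones discussed above (Signer, VT detection, hashes), the rows are constructed sample data, and read_export assumes, as is typical, that redirected autorunsc output is UTF-16.

```python
import csv
import io

# Header mirrors the columns discussed above; the three rows are constructed sample data.
SAMPLE_CSV = """\
Entry Location,Entry,Enabled,Category,Description,Signer,Image Path,VT detection,SHA-256
HKLM\\System\\CurrentControlSet\\Services,WinDefend,enabled,Services,Microsoft Defender Antivirus Service,(Verified) Microsoft Windows,c:\\program files\\windows defender\\msmpeng.exe,0/77,sha256-placeholder-1
Task Scheduler,\\GoogleUpdateTaskMachineUA,enabled,Tasks,Google Update,(Verified) Google LLC,c:\\program files (x86)\\google\\update\\googleupdate.exe,1/77,sha256-placeholder-2
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,Updater,enabled,Logon,,(Not verified) Example Co,c:\\users\\public\\updater.exe,Unknown,sha256-placeholder-3
"""

def parse_vt(value):
    """Turn a 'hits/engines' string such as '1/77' into (1, 77); 'Unknown' or blank gives None."""
    try:
        hits, engines = value.split("/")
        return int(hits), int(engines)
    except (ValueError, AttributeError):
        return None

def load_rows(text):
    """Parse CSV text (the format produced by the -c switch) into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def read_export(path):
    """Read a redirected autorunsc export; assumes UTF-16, which is how autorunsc normally writes it."""
    with open(path, encoding="utf-16") as fh:
        return load_rows(fh.read())

def triage(rows):
    """Return [(entry, [reasons])] for enabled entries that deserve a closer look."""
    findings = []
    for row in rows:
        if (row.get("Enabled") or "").lower() != "enabled":
            continue  # disabled entries do not run, so they are lower priority
        reasons = []
        if not (row.get("Signer") or "").startswith("(Verified)"):
            reasons.append("signature not verified")
        vt = parse_vt(row.get("VT detection"))
        if vt is None:
            reasons.append("no VirusTotal result")
        elif vt[0] > 0:
            reasons.append(f"VirusTotal {vt[0]}/{vt[1]}")
        if reasons:
            findings.append((row["Entry"], reasons))
    return findings

if __name__ == "__main__":
    for entry, reasons in triage(load_rows(SAMPLE_CSV)):
        print(f"{entry}: {'; '.join(reasons)}")
```

When automating the collection itself, adding -accepteula and -vt to the autorunsc command line suppresses the interactive Sysinternals and VirusTotal terms prompts that would otherwise stall an unattended run.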

Overall Summary:

  • No major signs of malware are present, but the 1/77 VirusTotal detection for Google services is worth looking into, as it could be a false positive. Legitimate services from Microsoft and Google dominate the autostart entries, ensuring proper system functionality such as automatic updates and key system services.
  • The tool we’ve discussed allows us to identify processes, services, drivers, and anything that runs when the computer starts up. It’s often important to check whether the executables are signed, among other details.

This analysis shows that the system appears clean and free from any immediate threats.

Thanks for Reading!

Thank you for following along with this analysis! In the future, we’ll dive deeper into these types of artifacts and explore how we can collect them without relying on specific tools like Autoruns.

Stay tuned for more insights and practical techniques!

06/11/2024