Overview
Autoruns is a Sysinternals utility that gives the most comprehensive view available of the programs configured to start automatically on Windows. It enumerates auto-start locations far beyond what the built-in msconfig tool or Task Manager's Startup tab covers: Run and RunOnce keys, Explorer shell extensions, browser helper objects, Winlogon notification packages, services, drivers, scheduled tasks, Winsock providers, WMI event subscriptions, print monitors, LSA providers, boot-execute entries, image hijacks (IFEO), AppInit DLLs, KnownDLLs overrides and more. Covering over a hundred locations, it is the standard starting point for discovering persistence mechanisms.
For security professionals, Autoruns is essential for identifying malware persistence, rootkit installation, unwanted software and unauthorized system modifications. It can verify the Authenticode signatures of auto-start entries, look up file hashes on VirusTotal, compare a current scan against a saved baseline to show what changed, analyze an offline Windows installation (for example a mounted forensic image), and export results for offline analysis. The command-line version (autorunsc.exe) enables scripted collection across an enterprise. In incident response, Autoruns is frequently the first tool used to establish how an attacker maintains access to a compromised system.
Installation
Download
# Download from Sysinternals
# https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
# Or via Sysinternals Live (UNC access needs the WebClient/WebDAV service; the same files are also served at https://live.sysinternals.com/)
\\live.sysinternals.com\tools\autoruns64.exe
\\live.sysinternals.com\tools\autorunsc64.exe
# Or via Chocolatey
choco install autoruns
# Or via winget
winget install --id Microsoft.Sysinternals.Autoruns
Files
| File | Description |
|---|---|
| autoruns64.exe | GUI version (64-bit) |
| autoruns.exe | GUI version (32-bit) |
| autorunsc64.exe | Command-line version (64-bit) |
| autorunsc.exe | Command-line version (32-bit) |
GUI Usage
Tab Categories
| Tab | Description |
|---|---|
| Everything | All auto-start entries combined |
| Logon | Run/RunOnce registry keys, Startup folder entries |
| Explorer | Shell extensions, browser helper objects, toolbar DLLs |
| Internet Explorer | IE add-ons, toolbars, browser extensions |
| Scheduled Tasks | Task Scheduler entries |
| Services | Services configured to start automatically |
| Drivers | Kernel and file-system drivers that are not disabled |
| Codecs | Audio/video codecs |
| Boot Execute | Native images run during boot |
| Image Hijacks | IFEO debugger attachments, command processor AutoRun |
| AppInit | AppInit_DLLs entries |
| Known DLLs | Known DLLs overrides |
| Winlogon | Winlogon notification packages |
| Winsock Providers | LSP (Layered Service Provider) chains |
| Print Monitors | Print spooler monitors |
| LSA Providers | Local Security Authority providers |
| Network Providers | Network provider entries |
| WMI | WMI event subscriptions |
| Office | Microsoft Office add-ins |
| Sidebar Gadgets | Windows Sidebar gadgets |
Key GUI Features
# Options menu
Options:
  ☑ Hide Empty Locations            # Collapse locations with no entries
  ☑ Hide Microsoft Entries          # Hide Microsoft-signed entries (meaningful only with signature verification on)
  ☑ Hide Windows Entries            # Hide entries that ship with Windows
  ☑ Hide VirusTotal Clean Entries   # Hide entries with 0 detections
Options > Scan Options...:
  ☑ Verify code signatures          # Check Authenticode signatures (slower, but needed for the pink highlight to mean anything)
  ☑ Check VirusTotal.com            # Look up file hashes on VirusTotal (sends hashes, not files)
  ☑ Submit Unknown Images           # Upload files VirusTotal has not seen (do not enable on a host holding sensitive binaries)
# Color coding:
# Pink   = no publisher verified: unsigned, or the signature could not be validated
# Yellow = file not found (entry exists but its target is missing)
# Green  = entry that is new compared to the loaded baseline (File > Compare)
# No highlight = nothing flagged (signed and verified, or verification not enabled)
Command-Line Usage
autorunsc.exe
Flags below follow the current autorunsc syntax (v13 and later). Releases before the VirusTotal integration used -v to verify signatures; today -s verifies signatures and -v queries VirusTotal.
| Command | Description |
|---|---|
| autorunsc64.exe -a * | Show all auto-start entries |
| autorunsc64.exe -a b | Boot execute entries |
| autorunsc64.exe -a l | Logon entries (the default when -a is omitted) |
| autorunsc64.exe -a s | Auto-start services and non-disabled drivers |
| autorunsc64.exe -a d | AppInit DLLs |
| autorunsc64.exe -a t | Scheduled tasks |
| autorunsc64.exe -a m | WMI entries |
| autorunsc64.exe -a w | Winlogon entries |
| autorunsc64.exe -s | Verify digital signatures |
| autorunsc64.exe -v | Query VirusTotal by file hash (add -vt to accept the VirusTotal terms without an interactive prompt) |
| autorunsc64.exe -c | CSV output |
| autorunsc64.exe -ct | Tab-delimited output |
| autorunsc64.exe -x | XML output |
| autorunsc64.exe -h | Show file hashes |
| autorunsc64.exe -m | Hide Microsoft entries (Microsoft-signed entries when combined with -s) |
| autorunsc64.exe -t | Timestamps in normalized UTC (YYYYMMDD-hhmmss) |
| autorunsc64.exe -u | With VirusTotal enabled, show only files unknown to VT or with detections; otherwise show only unsigned files |
| autorunsc64.exe -z | Scan an offline Windows system instead of the running one |
# Full enumeration with hashes and signature verification
autorunsc64.exe -accepteula -nobanner -a * -c -h -s -t > autoruns_output.csv
# Quick persistence check (non-Microsoft entries only; -m hides Microsoft-signed entries when -s is on)
autorunsc64.exe -accepteula -a * -m -c -h -s
# Services and drivers only (one -a argument; "s" already covers both)
autorunsc64.exe -accepteula -a s -c -h -s
# Logon items with VirusTotal check (-v queries VT by hash, -vt accepts the VT terms so the run does not prompt)
autorunsc64.exe -accepteula -a l -c -h -s -v -vt
# Scheduled tasks with hashes
autorunsc64.exe -accepteula -a t -c -h
# WMI persistence (m, not w; w is Winlogon)
autorunsc64.exe -accepteula -a m -c
# Export for offline analysis (from cmd.exe; %COMPUTERNAME% is a cmd variable, PowerShell uses $env:COMPUTERNAME)
autorunsc64.exe -accepteula -a * -c -h -s -t > "C:\IR\%COMPUTERNAME%_autoruns.csv"
# Filter unsigned entries (findstr /C: matches the whole phrase; without it "not" and "verified" are two separate search terms)
autorunsc64.exe -accepteula -a * -c -h -s | findstr /i /C:"(Not verified)"
Category Flags
| Flag | Category |
|---|---|
| * | All categories (including ones with no letter of their own, such as Office add-ins) |
| b | Boot execute |
| d | AppInit DLLs |
| e | Explorer add-ons |
| g | Sidebar gadgets |
| h | Image hijacks |
| i | Internet Explorer add-ons |
| k | Known DLLs |
| l | Logon startups (default) |
| m | WMI entries |
| n | Winsock protocol and network providers |
| o | Codecs |
| p | Printer monitor DLLs |
| r | LSA security providers |
| s | Auto-start services and non-disabled drivers |
| t | Scheduled tasks |
| w | Winlogon entries |
Configuration
Automated Collection Script
# collect_autoruns.ps1
#Requires -RunAsAdministrator
$outputDir  = "C:\IR\Autoruns"
$hostname   = $env:COMPUTERNAME
$timestamp  = Get-Date -Format "yyyyMMdd_HHmmss"
$outputFile = "$outputDir\${hostname}_${timestamp}_autoruns.csv"
# Create output directory
New-Item -ItemType Directory -Force -Path $outputDir | Out-Null
# Collect all autoruns with hashes and signature verification.
# -s verifies Authenticode signatures offline; -v would query VirusTotal and needs network access, so it is left out here.
# -t writes timestamps as normalized UTC so snapshots from hosts in different time zones compare cleanly.
& autorunsc64.exe -accepteula -nobanner -a * -c -h -s -t > $outputFile
if ($LASTEXITCODE -ne 0) { Write-Warning "autorunsc64.exe exited with code $LASTEXITCODE; output may be incomplete" }
Write-Host "Autoruns collected: $outputFile"
Write-Host "Entries: $((Get-Content $outputFile | Measure-Object).Count - 1)"
Baseline Comparison
# Take baseline (-t gives normalized UTC timestamps; -s records the signer so a later signature change is visible)
autorunsc64.exe -accepteula -nobanner -a * -c -h -s -t > "C:\Baselines\autoruns_baseline.csv"
# Take current snapshot with the same flags, otherwise the column sets will not line up
autorunsc64.exe -accepteula -nobanner -a * -c -h -s -t > "C:\Baselines\autoruns_current.csv"
# Compare using PowerShell
$baseline = Import-Csv "C:\Baselines\autoruns_baseline.csv"
$current  = Import-Csv "C:\Baselines\autoruns_current.csv"
# Compare on entry name and image path only; add 'SHA-256' to -Property to also surface a binary
# replaced under an unchanged entry (it then shows up as one removed and one new row)
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property "Image Path","Entry" -PassThru
# Find new entries
$new = $diff | Where-Object { $_.SideIndicator -eq "=>" }
if ($new) {
    Write-Host "NEW auto-start entries detected:"
    $new | Format-Table "Entry Location","Entry","Image Path","Signer" -AutoSize
}
# Find removed entries
$removed = $diff | Where-Object { $_.SideIndicator -eq "<=" }
if ($removed) {
    Write-Host "REMOVED auto-start entries:"
    $removed | Format-Table "Entry Location","Entry","Image Path" -AutoSize
}
# The GUI does the same: File > Save writes a baseline (.arn), File > Compare loads it and highlights new entries in green
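The comparison above only answers "which entries appeared or disappeared". The case it misses is the one attackers prefer: an entry that already existed, whose target binary was quietly swapped. The function below is an added example (not part of the original page or of the Sysinternals tools) that classifies the difference between two snapshots as New, Removed or Modified, where Modified means the same entry now points at a different path or a different SHA-256. It keys on "Entry Location" plus "Entry" and deliberately ignores the Time column. The column names match the autorunsc -c -h -s CSV header; the two snapshots embedded below are constructed sample data, and the hashes in them are placeholders.

```powershell
# Added example, not from the original page or from Sysinternals: classify the differences
# between two autorunsc snapshots as New, Removed or Modified.
# Column names match the autorunsc -c -h -s CSV header ("Entry Location", "Entry",
# "Image Path", "SHA-256", "Signer"); the Time column is deliberately not part of the key.

function Compare-AutorunsSnapshot {
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,   # rows from Import-Csv / ConvertFrom-Csv
        [Parameter(Mandatory)] [object[]] $Current
    )
    # Key on location + entry name, so a swapped binary under an unchanged entry is still caught
    $baseMap = @{}
    foreach ($row in $Baseline) { $baseMap["$($row.'Entry Location')|$($row.Entry)"] = $row }
    $curMap = @{}
    foreach ($row in $Current)  { $curMap["$($row.'Entry Location')|$($row.Entry)"] = $row }

    $new = @(); $removed = @(); $modified = @()
    foreach ($key in $curMap.Keys) {
        if (-not $baseMap.ContainsKey($key)) { $new += $curMap[$key]; continue }
        $old = $baseMap[$key]; $cur = $curMap[$key]
        # Same entry, but the target moved or the file content changed: treat as a tamper candidate
        if ($old.'Image Path' -ne $cur.'Image Path' -or $old.'SHA-256' -ne $cur.'SHA-256') {
            $modified += [pscustomobject]@{
                Entry     = $key
                OldPath   = $old.'Image Path'
                NewPath   = $cur.'Image Path'
                OldSHA256 = $old.'SHA-256'
                NewSHA256 = $cur.'SHA-256'
                NewSigner = $cur.Signer
            }
        }
    }
    foreach ($key in $baseMap.Keys) {
        if (-not $curMap.ContainsKey($key)) { $removed += $baseMap[$key] }
    }
    [pscustomobject]@{ New = $new; Removed = $removed; Modified = $modified }
}

# Constructed sample snapshots (not real collection output), trimmed to the columns used.
# Real use: -Baseline (Import-Csv C:\Baselines\autoruns_baseline.csv) -Current (Import-Csv C:\Baselines\autoruns_current.csv)
$baselineCsv = @'
"Entry Location","Entry","Image Path","SHA-256","Signer"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","C:\Windows\System32\SecurityHealthSystray.exe","1111AAAA","(Verified) Microsoft Windows"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","VendorAgent","C:\Program Files\Vendor\agent.exe","2222BBBB","(Verified) Vendor Inc"
"Task Scheduler","\Backup\Nightly","C:\Program Files\Backup\backup.exe","3333CCCC","(Verified) Backup Co"
'@
$currentCsv = @'
"Entry Location","Entry","Image Path","SHA-256","Signer"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","C:\Windows\System32\SecurityHealthSystray.exe","1111AAAA","(Verified) Microsoft Windows"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","VendorAgent","C:\Program Files\Vendor\agent.exe","9999DDDD","(Not verified) Vendor Inc"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","OneDriveUpdate","C:\Users\alice\AppData\Roaming\update.exe","5555EEEE","(Not verified)"
'@

$diff = Compare-AutorunsSnapshot -Baseline (ConvertFrom-Csv $baselineCsv) -Current (ConvertFrom-Csv $currentCsv)
"NEW:";      $diff.New      | Format-Table 'Entry Location', Entry, 'Image Path', Signer -AutoSize
"REMOVED:";  $diff.Removed  | Format-Table 'Entry Location', Entry, 'Image Path' -AutoSize
"MODIFIED:"; $diff.Modified | Format-Table Entry, OldSHA256, NewSHA256, NewSigner -AutoSize
```

On the sample data this reports OneDriveUpdate as new, \Backup\Nightly as removed, and VendorAgent as modified: same registry value, same path, but the hash changed and the file is no longer verified, which is exactly the pattern a Compare-Object keyed on path and name alone never surfaces. Both snapshots must be collected with the same flags, including -h, or the SHA-256 column will be missing from one side and every entry will look modified.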
Advanced Usage
Threat Hunting Queries
# Load autoruns CSV (collected with -c -h -s; add -v -vt for the VirusTotal columns)
$autoruns = Import-Csv "autoruns_output.csv"
# Find unsigned entries: Signer reads "(Verified) <publisher>" or "(Not verified) <publisher>", or is empty
$unsigned = $autoruns | Where-Object { -not $_.Signer -or $_.Signer -like '(Not verified)*' }
$unsigned | Select-Object 'Entry Location','Entry','Image Path','Signer' | Format-Table
# Find entries in user-writable locations
$suspicious = $autoruns | Where-Object {
    $_.'Image Path' -match '(\\Temp\\|\\AppData\\|\\Users\\Public\\|\\ProgramData\\)'
}
$suspicious | Format-Table 'Entry','Image Path','Signer'
# Find entries with VirusTotal detections. Current autorunsc versions name the column "VT detection",
# formatted "<hits>/<engines>" (check the header of your file); files VirusTotal has not seen read "Unknown"
# and deserve a look of their own
$detected = $autoruns | Where-Object {
    $_.'VT detection' -match '^(\d+)/\d+' -and [int]$Matches[1] -gt 0
}
$detected | Select-Object 'Entry','Image Path','VT detection' | Format-Table
# Find entries with a timestamp in the last 7 days. Time is the entry's last-write/image timestamp
# (an attacker can backdate it), not when Autoruns first saw the entry. With -t it is "yyyyMMdd-HHmmss" in UTC,
# otherwise a locale-formatted local time, so parse both forms.
function ConvertFrom-AutorunsTime([string]$t) {
    if ($t -match '^\d{8}-\d{6}$') {
        return [datetime]::ParseExact($t, 'yyyyMMdd-HHmmss', [Globalization.CultureInfo]::InvariantCulture, [Globalization.DateTimeStyles]::AssumeUniversal)
    }
    $t -as [datetime]
}
$cutoff = (Get-Date).AddDays(-7)
$recent = $autoruns | Where-Object {
    $ts = ConvertFrom-AutorunsTime $_.Time
    $ts -and $ts -gt $cutoff
}
$recent | Format-Table 'Entry Location','Entry','Image Path','Time'
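All of the queries above look at where the image sits or whether it is signed. Persistence that runs through a signed Windows binary (rundll32, regsvr32, mshta, powershell) passes every one of those filters, because the Image Path is a verified Microsoft file and the payload lives in the arguments. The block below is an added example, not from the original page or from Sysinternals, that scores each row on its "Launch String" column as well: proxy and script hosts, encoded or hidden PowerShell, a user-writable path that appears only in the arguments, an unverified signer, and a dangling target. It assumes the autorunsc -c -h -s column names and that a missing target is written as "File not found: <path>" in Image Path, which is how the tool reports it. The sample rows are constructed, including the Base64 fragment.

```powershell
# Added example, not from the original page or from Sysinternals: score each autorunsc row
# by how the entry is launched, not only by where its image sits.
# Column names match the autorunsc -c -h -s CSV header. Sample rows below are constructed.

$userWritable = '(\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\)'
$proxyHosts   = '\b(rundll32|regsvr32|mshta|wscript|cscript|powershell|pwsh|cmd|certutil|msiexec)(\.exe)?\b'

function Get-AutorunsLaunchScore {
    param([Parameter(Mandatory)] [object] $Row)
    $reasons = @()
    $launch = [string]$Row.'Launch String'
    $image  = [string]$Row.'Image Path'
    $signer = [string]$Row.Signer

    # 1. Script host or proxy-execution binary: the real payload is in the arguments, not the image
    if ($launch -match $proxyHosts) { $reasons += 'proxy/script host' }
    # 2. Encoded or window-hidden PowerShell (-match is case-insensitive by default)
    if ($launch -match '-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}') { $reasons += 'encoded command' }
    if ($launch -match '-w(indowstyle)?\s+hidden') { $reasons += 'hidden window' }
    # 3. A user-writable path appears only in the arguments, so filters on Image Path never see it
    if ($launch -match $userWritable -and $image -notmatch $userWritable) { $reasons += 'user-writable path in arguments' }
    # 4. No verifiable publisher (Signer is empty or starts with "(Not verified)")
    if (-not $signer -or $signer -like '(Not verified)*') { $reasons += 'image not verified' }
    # 5. Dangling entry: the target is gone, or a hijack is waiting for a file to be dropped there
    if ($image -like 'File not found:*') { $reasons += 'image file not found' }

    [pscustomobject]@{
        Entry   = $Row.Entry
        Launch  = $launch
        Score   = $reasons.Count
        Reasons = ($reasons -join '; ')
    }
}

# Constructed sample rows (not real collection output). Real use: Import-Csv autoruns_output.csv
$sampleCsv = @'
"Entry Location","Entry","Image Path","Launch String","Signer"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","C:\Windows\System32\SecurityHealthSystray.exe","%windir%\system32\SecurityHealthSystray.exe","(Verified) Microsoft Windows"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","Updater","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA","(Verified) Microsoft Windows"
"Task Scheduler","\Microsoft\Windows\Sync","C:\Windows\System32\rundll32.exe","rundll32.exe C:\Users\Public\sync.dll,Start","(Verified) Microsoft Windows"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","OldAgent","File not found: C:\Program Files\Old\agent.exe","C:\Program Files\Old\agent.exe","(Not verified)"
'@

ConvertFrom-Csv $sampleCsv |
    ForEach-Object { Get-AutorunsLaunchScore -Row $_ } |
    Where-Object { $_.Score -gt 0 } |
    Sort-Object Score -Descending |
    Format-Table Entry, Score, Reasons -AutoSize
```

On the sample rows, Updater scores 3 (proxy host, encoded command, hidden window) even though its image is a verified Microsoft binary, the Sync task scores 2 (rundll32 loading a DLL from C:\Users\Public), OldAgent scores 2 (unverified and missing), and SecurityHealth scores 0 and is dropped. The score is a triage order, not a verdict: plenty of legitimate entries launch through rundll32 or cmd, so the point is to rank rows for a human, and the reasons column tells the analyst why each one floated up.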
Remote Collection
# Collect autoruns from remote systems over WinRM. Copy-Item -ToSession needs PowerShell 5.0+ on both ends,
# and the connecting account must be a local administrator on each target for a complete enumeration.
$computers = @("SERVER01", "SERVER02", "WORKSTATION01")
$tool = "C:\Tools\autorunsc64.exe"
foreach ($computer in $computers) {
    $session = $null
    try {
        $session = New-PSSession -ComputerName $computer -ErrorAction Stop
        Invoke-Command -Session $session -ScriptBlock { New-Item -ItemType Directory -Force -Path "C:\Temp" | Out-Null }
        Copy-Item $tool -Destination "C:\Temp\" -ToSession $session -ErrorAction Stop
        Invoke-Command -Session $session -ScriptBlock {
            & C:\Temp\autorunsc64.exe -accepteula -nobanner -a * -c -h -s -t
        } | Out-File "C:\IR\${computer}_autoruns.csv"
    } catch {
        Write-Warning "${computer}: $($_.Exception.Message)"
    } finally {
        if ($session) { Remove-PSSession $session }
    }
}
Integration with SIEM
# Convert autoruns to JSON for SIEM ingestion: one object per entry, tagged with host and collection time
$hostname  = $env:COMPUTERNAME
$collected = Get-Date -Format o
$autoruns = Import-Csv "autoruns_output.csv" | ForEach-Object {
    # Add-Member emits nothing unless -PassThru is given; without it the pipeline is empty and the JSON file too
    $_ | Add-Member -NotePropertyName "Hostname" -NotePropertyValue $hostname -PassThru |
         Add-Member -NotePropertyName "CollectionTime" -NotePropertyValue $collected -PassThru
}
$autoruns | ConvertTo-Json -Depth 3 | Out-File "autoruns.json" -Encoding UTF8
# Send to Splunk HTTP Event Collector. HEC accepts several JSON event objects concatenated in one request body,
# so each auto-start entry becomes its own searchable event instead of one event holding the whole CSV as a string
$hecUri   = "https://splunk:8088/services/collector"
$hecToken = "your-token"   # placeholder; read a real HEC token from a vault or secure string, never from the script
$batch = ($autoruns | ForEach-Object {
    @{ host = $hostname; sourcetype = "autoruns"; event = $_ } | ConvertTo-Json -Depth 3 -Compress
}) -join "`n"
Invoke-RestMethod -Uri $hecUri -Method Post -Body $batch -ContentType "application/json" `
    -Headers @{ Authorization = "Splunk $hecToken" }
Troubleshooting
| Issue | Solution |
|---|---|
| Access denied / incomplete results | Run from an elevated prompt; a non-admin run cannot read all services, drivers and other users' hives |
| VirusTotal check slow or prompting | -v needs internet access; pass -vt to accept the VirusTotal terms non-interactively, and only use -v when needed |
| Missing entries | Use -a * to enumerate all categories; without -a only logon entries are shown |
| CSV parsing issues | Use -ct (tab-delimited) or -x (XML) if commas in paths or launch strings break the parser |
| Entries showing as unsigned | Signatures are only checked with -s (GUI: Scan Options > Verify code signatures); some legitimate entries genuinely lack Authenticode signatures, verify those manually |
| High CPU during scan | Normal during enumeration; -s and -h add signature-chain checks and hashing on every image |
| Remote collection fails | Ensure WinRM is enabled, the firewall allows it, and the account is a local administrator on the target |
| Cannot disable entry | Some protected entries require editing the registry key or scheduled task directly |