2/17/2017

Saving and comparing results

Autoruns results can be saved to disk in two different file formats: tab-delimited text, or a binary format that preserves all the data captured. The binary format can be loaded into Autoruns for viewing at a later time or on a different system, and it can be compared against another set of Autoruns results.

In both cases, the results are read-only: they can’t be used to roll back a system to an earlier state or configuration, and after they have been captured, you cannot add or remove options to modify the saved results. You can apply or remove the filters described in the “Hiding entries” section earlier in this chapter to control which entries Autoruns displays.

Saving as tab-delimited text

Click the Save button on the toolbar; in the Save dialog box, change the Save As Type to Text (*.txt), and specify a file in which to save the current results. The data displayed on the Everything tab is written to the file in five-column or six-column tab-delimited format, depending on whether the Check option is enabled. The rows identifying the ASEP locations (the gray-shaded rows in the Autoruns display) include the location in the first column, the location’s last-modification timestamp in the fifth column, and empty strings in the remaining columns. The rows identifying Autorun Entries that are enabled (the check boxes are selected) are written to the file prepended with a plus sign (+); those that are disabled are prepended with an X.

The text file can be imported into Microsoft Office Excel. You should specify the first column as Text instead of General so that the leading plus signs do not get interpreted as an instruction or other special character.

The tab-delimited format respects the selections on the Options menu. If Hide Empty Locations is not enabled, the file will include all ASEPs, including those that have no entries. If Hide Microsoft Entries, Hide Windows Entries, or Hide VirusTotal Clean Entries is selected, those entries will be omitted from the output. If Verify Code Signatures is selected, the Publisher column will include Verified or Not Verified, as appropriate. If Check is selected, the output adds a sixth column with the VirusTotal column’s results.

Note that Autoruns results saved in text format cannot be read back in to Autoruns.

See the section on AutorunsC later in this chapter for a scriptable way to capture Autoruns data to other text file formats.

Saving in binary (.arn) format

The Autoruns binary file format with its default .arn file extension is the Autoruns “native” file format. Click the Save icon on the toolbar, and specify a file in which to save the results, leaving the Save As Type option as Autoruns Data (*.arn). All information captured in the most recent scan is preserved, including signature verification and VirusTotal results, even for entries that are filtered from the display.

You can automate the capture of Autoruns data and save it to a .arn file with the -a command-line option. The following command captures the state of autostart entries on the system to outputfile.arn, using default Autoruns options:

Autoruns -a outputfile.arn

To add signature verification, include the -v option as shown in the following example. Make sure not to put it between the -a and the file name: the file name must immediately follow the -a parameter.

Autoruns -v -a outputfile.arn

Viewing and comparing saved results

To view the .arn file on the same or another system, choose Open from the File menu and select the saved file. When Autoruns starts, it creates a file association for .arn, so you can also open a .arn file simply by double-clicking it in Explorer. You can also open a saved file from the Autoruns command line by specifying the file path without any other switches:

Autoruns C:\Users\Mark\Desktop\outputfile.arn

To compare the results displayed in Autoruns—whether it’s a fresh capture or from a saved file—choose Compare from the File menu and select the saved file to compare the displayed results against. Autoruns shows only the entries that have changed between the two sets, with the ones that are present only in the original set highlighted in green, and entries that are only in the “compare” file highlighted in red. Because the content of the Publisher column depends on whether signature verification is enabled, you should compare only captures that have the same signature verification selection.
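As an added example (not code from the book or from the Sysinternals tools), the following Python parses the tab-delimited text export described earlier in this section, using only the structure the text states (location rows with the ASEP path in column 1 and its timestamp in column 5, entry rows flagged with + or X, five or six columns), and then reports differences between two captures the way File > Compare does for .arn files, refusing to compare captures made with different Verify Code Signatures settings. The column order after the entry name (Description, Publisher, Image Path, Launch String) and the two sample exports are assumptions constructed for this example.

```python
from collections import namedtuple

# The page fixes only column 1 and the column-5 timestamp; the other entry columns are
# assumed to be Description, Publisher, Image Path, Launch String (a sixth VirusTotal
# column, present when Check is enabled, is simply kept verbatim).
PUBLISHER = 1  # index into .columns of the assumed Publisher column
# location, entry name with the "+"/"X" flag stripped, enabled flag, other columns
AutorunEntry = namedtuple("AutorunEntry", "location name enabled columns")

def parse_autoruns_txt(text):
    """Parse a tab-delimited export; plain split, since launch strings hold quotes."""
    entries, location = [], ""
    for line in text.splitlines():
        row = line.split("\t")
        if not any(row):
            continue
        # Entry rows start with "+" (enabled) or "X" (disabled); "X:\..." is a path.
        if row[0][:1] in ("+", "X") and row[0][1:2] != ":":
            entries.append(AutorunEntry(location, row[0][1:].strip(),
                                        row[0][0] == "+", tuple(row[1:])))
        else:
            location = row[0]  # gray row: ASEP path, last-modified time in column 5
    return entries

def signature_verified(entries):
    """True when Publisher carries (Verified)/(Not verified), i.e. Verify Code
    Signatures was on; captures made with different settings are not comparable."""
    return any("verified" in e.columns[PUBLISHER].lower()
               for e in entries if len(e.columns) > PUBLISHER)

def compare_captures(original_text, compare_text):
    """Mirror File > Compare: entries only in the original (green in Autoruns),
    entries only in the compare file (red), plus entries whose enabled flag flipped."""
    orig = {(e.location, e.name, e.columns): e for e in parse_autoruns_txt(original_text)}
    comp = {(e.location, e.name, e.columns): e for e in parse_autoruns_txt(compare_text)}
    if signature_verified(orig.values()) != signature_verified(comp.values()):
        raise ValueError("captures differ in the Verify Code Signatures setting")
    return {"original_only": sorted(k for k in orig if k not in comp),
            "compare_only": sorted(k for k in comp if k not in orig),
            "toggled": sorted(k for k in orig.keys() & comp.keys()
                              if orig[k].enabled != comp[k].enabled)}
# Constructed sample exports (not real Autoruns output): one ASEP, 5 columns.
RUN = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
ORIGINAL = "\n".join([RUN + "\t\t\t\t2/14/2017 9:12 AM",
    "+ ExampleTray\tExample tray app\t(Verified) Example Corp\tc:\\program files\\example\\tray.exe\t\"C:\\Program Files\\Example\\tray.exe\" /min",
    "X LegacyAgent\tLegacy agent\t(Not verified) Example Corp\tc:\\program files\\example\\agent.exe\tC:\\Program Files\\Example\\agent.exe"])
UPDATED = "\n".join([RUN + "\t\t\t\t2/17/2017 8:03 AM",
    "+ ExampleTray\tExample tray app\t(Verified) Example Corp\tc:\\program files\\example\\tray.exe\t\"C:\\Program Files\\Example\\tray.exe\" /min",
    "+ LegacyAgent\tLegacy agent\t(Not verified) Example Corp\tc:\\program files\\example\\agent.exe\tC:\\Program Files\\Example\\agent.exe",
    "+ NewUpdater\t\t(Not verified) Unknown\tc:\\users\\public\\updater.exe\tC:\\Users\\Public\\updater.exe"])
```

Because Autoruns cannot reload a text export, a script like this is the way to diff two text captures; for .arn files use File > Compare as described above.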