
Autoruns

AutorunsC

AutorunsC is a console-mode version of Autoruns that outputs results to its standard output. It is designed primarily for use in scripts. Its purpose is data collection only: it cannot disable or delete any autostart entries.

The command-line options are listed in Table 4-1. They let you capture all autostarts or just specific categories, verify digital signatures, query VirusTotal, omit Microsoft entries, specify a user account for which to capture autostarts or capture all user accounts' autostarts, and output results as comma-separated values (CSV), tab-separated values, or XML. If you don't specify any options, AutorunsC outputs just the Logon entries, without signature verification, in an indented list format designed for human reading. To capture other ASEPs, add the -a option followed by one or more letters indicating the ASEP categories of interest, or * to capture all ASEP categories. In scripts, also pass -accepteula so that the first run on a machine is not blocked by the license-agreement prompt.

TABLE 4-1 AutorunsC command-line options

Autostart types: [-a *|bcdeghiklmnoprstw]

  *    Shows all autostart entries
  b    Shows boot execute entries
  c    Shows codecs
  d    Shows AppInit DLLs
  e    Shows Explorer add-ons
  g    Shows Sidebar gadgets (Windows Vista and Windows 7)
  h    Shows image hijacks
  i    Shows Internet Explorer add-ons
  k    Shows known DLLs
  l    Shows logon autostart entries (this is the default)
  m    Shows WMI entries
  n    Shows Winsock protocol and network providers
  o    Shows Office add-ins
  p    Shows printer monitor DLLs
  r    Shows LSA security providers
  s    Shows services and non-disabled drivers
  t    Shows scheduled tasks
  w    Shows Winlogon entries

What to scan

  user                        Specifies the name of the user account for which autostart entries will be shown. Use DOMAIN\User format for domain accounts. Specify * to scan all user profiles. This option requires administrative rights.
  -z systemroot userprofile   Scans an offline Windows system, specifying the file-system paths to the target system's Windows directory and to the target user-profile directory.

File information

  -h        Shows file hashes
  -s        Verifies digital signatures
  -u        If VirusTotal checking is enabled (-v), shows only files that are unknown to VirusTotal or that have a non-zero detection count. If VirusTotal checking is not enabled, shows only unsigned files.
  -v[rs]    Queries VirusTotal for malware based on file hashes. With "r" added, opens the web browser to the VirusTotal report for each file with non-zero detection. With "s" added, uploads files that VirusTotal reports as "unknown" (not previously scanned). Note the meaning of -u when used with -v[rs].
  -vt       Accepts the VirusTotal terms of service (TOS) without opening the TOS webpage.

Output format

  -c        Prints output as comma-separated values (CSV)
  -ct       Prints output as tab-delimited values
  -x        Prints output as XML
  -m        Hides Microsoft entries. If used with -s, hides only Microsoft entries whose signature verifies.
  -t        Shows timestamps in normalized UTC: YYYYMMDD-hhmmss. Sorting normalized UTC timestamps alphabetically also sorts them chronologically.

Whether in the default list format, CSV, or XML, AutorunsC’s output always includes the ASEP location, entry name, description, version, publisher, image path, command line, whether the entry is disabled, and the date and time the target file was last modified, according to the file system. CSV output also includes a row for each ASEP location and when it was last modified. Note that because Windows tracks the last write time for registry keys but not for individual registry values, the “last modified” time for a registry ASEP location will be for the key and might not reflect when a specific entry was changed. When signature verification is enabled, CSV output includes both the signing name as well as the Company Name attribute from the file’s version resource.

When file hashes are requested with the -h option, AutorunsC outputs MD5, SHA-1, SHA-256, and IMPHASH (import hash) values for the target file, as well as PESHA-1 and PESHA-256 hashes. The PESHA hashes are the ones used for Authenticode signatures: they cover only the content areas of a Portable Executable (PE) file and not its padding or the signature block itself, so they stay stable when a file is re-signed and can be compared directly against the hash embedded in the file's signature.

CSV and XML output also explicitly name the user profile to which each entry belongs, or “System-wide” for entries that apply to the entire system.

The CSV format includes column headers, and it imports easily into Excel or relational databases. The XML format is easily consumed by Windows PowerShell or any other XML consumer. For example, the following lines of PowerShell run AutorunsC, read the XML, and then display disabled items:

# Run AutorunsC for every ASEP category with XML output, and cast the captured
# text to an XmlDocument. -accepteula keeps the first run from blocking on the EULA prompt.
$arcx = [xml]$(autorunsc -a * -x -accepteula)

# Each <item> element is one autostart entry; its <enabled> child holds "Enabled"
# or "Disabled", so this keeps only the disabled entries.
$arcx.SelectNodes("/autoruns/item") | ?{ $_.enabled -ne "Enabled" }
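The XML example above answers one question (which entries are disabled). The following PowerShell is an added example, not code from the book or from Sysinternals, that covers the two things a practitioner usually scripts with the options in Table 4-1 and the CSV fields described above: a collection function that builds the full-coverage command line (all ASEP categories, all profiles or an offline image, signature verification, hashes, normalized UTC timestamps, CSV), and two analysis functions that flag entries whose signature did not verify and diff a run against a saved baseline, keying on location, entry name and profile and comparing SHA-256 so that a binary swapped at the same path is caught. The CSV column names (Time, Entry Location, Entry, Enabled, Category, Profile, Signer, Image Path, Launch String, SHA-256) and the "(Verified)" prefix in the Signer column are assumptions taken from Autoruns v13-era output; check them against the header your version writes. The sample CSV text is constructed with a reduced column set and placeholder hashes so the analysis runs offline; autorunsc.exe is assumed to be on the PATH.

```powershell
# Added example; not from the book or Sysinternals. Column names and the
# "(Verified)" Signer prefix are assumptions about AutorunsC's CSV header.

function Invoke-AutorunsCollection {
    # All ASEP categories, signatures verified, hashes, normalized UTC times, CSV;
    # either every profile on the live system or an offline image via -z.
    param(
        [string]$AutorunsC = 'autorunsc.exe',
        [string]$OutFile = ('autoruns-{0}.csv' -f (Get-Date).ToUniversalTime().ToString('yyyyMMdd-HHmmss')),
        [string]$OfflineSystemRoot,     # e.g. E:\Windows on a mounted image
        [string]$OfflineUserProfile     # e.g. E:\Users\alice
    )
    $argList = @('-accepteula', '-a', '*', '-c', '-s', '-h', '-t')
    if ($OfflineSystemRoot) {
        $argList += @('-z', $OfflineSystemRoot, $OfflineUserProfile)
    } else {
        $argList += '*'    # all user profiles; requires administrative rights
    }
    & $AutorunsC @argList | Out-File -FilePath $OutFile -Encoding utf8
    return $OutFile
}

function Get-EntryKey {
    # One logical entry: where it lives, what it is called, and whose profile.
    # Rows with an empty Entry are the per-location "last modified" rows.
    param($Row)
    '{0}|{1}|{2}' -f $Row.'Entry Location', $Row.Entry, $Row.Profile
}

function Select-UnverifiedEntries {
    # Entries whose Authenticode signature AutorunsC could not verify (assumed
    # Signer format: "(Verified) <name>" when verification succeeded).
    param([object[]]$Rows)
    $Rows | Where-Object { $_.Entry -and $_.Signer -notlike '(Verified)*' }
}

function Compare-AutorunsRuns {
    # Reports entries new since the baseline, and entries whose image hash,
    # launch string or enabled state changed. Hash comparison catches a
    # replaced binary at an unchanged path.
    param([object[]]$Baseline, [object[]]$Current)
    $known = @{}
    foreach ($row in $Baseline) { if ($row.Entry) { $known[(Get-EntryKey $row)] = $row } }
    foreach ($row in $Current) {
        if (-not $row.Entry) { continue }
        $k = Get-EntryKey $row
        if (-not $known.ContainsKey($k)) {
            $change = 'Added'
        } else {
            $old = $known[$k]
            $changed = @()
            if ($old.'SHA-256' -ne $row.'SHA-256')             { $changed += 'hash' }
            if ($old.'Launch String' -ne $row.'Launch String') { $changed += 'launch string' }
            if ($old.Enabled -ne $row.Enabled)                 { $changed += 'enabled' }
            if (-not $changed) { continue }
            $change = 'Modified (' + ($changed -join ', ') + ')'
        }
        [pscustomobject]@{
            Change = $change; Key = $k; Signer = $row.Signer
            ImagePath = $row.'Image Path'; Time = $row.Time
        }
    }
}

# Constructed sample data (reduced column set, placeholder hashes), standing in
# for two real runs: $current = Import-Csv (Invoke-AutorunsCollection)
$baselineCsv = @'
Time,Entry Location,Entry,Enabled,Category,Profile,Signer,Image Path,Launch String,SHA-256
20240105-093000,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,,,Logon,System-wide,,,,
20231212-110000,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,1111
20231201-081500,HKCU\Software\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,CORP\alice,(Verified) Microsoft Corporation,c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe,"""C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"" /background",2222
'@
$currentCsv = @'
Time,Entry Location,Entry,Enabled,Category,Profile,Signer,Image Path,Launch String,SHA-256
20240301-174500,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,,,Logon,System-wide,,,,
20231212-110000,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,1111
20240301-174400,HKCU\Software\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,CORP\alice,(Not verified) Microsoft Corporation,c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe,"""C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"" /background",3333
20240301-174500,HKCU\Software\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,CORP\alice,,c:\users\alice\appdata\roaming\updater.exe,C:\Users\alice\AppData\Roaming\updater.exe,4444
'@
$baseline = $baselineCsv | ConvertFrom-Csv
$current  = $currentCsv  | ConvertFrom-Csv

# Unverified entries in the current run: the replaced OneDrive.exe and the
# new, unsigned Updater entry in alice's profile.
Select-UnverifiedEntries $current | Format-Table Profile, Entry, Signer, 'Image Path' -AutoSize

# Changes since the baseline: OneDrive (hash), Updater (Added). SecurityHealth
# is unchanged and is not reported.
Compare-AutorunsRuns -Baseline $baseline -Current $current | Format-Table -AutoSize
```

Two design points. The key deliberately includes the profile, because the same HKCU Run value can legitimately exist in several user hives and a hit in one profile must not be masked by a baseline row from another. And the location-only rows are skipped in the diff but kept in the data: their Time column is the registry key's last-write time described above, which tells you that something under that key changed even when the changed value itself was deleted before the current run.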