• 2/17/2017


AutorunsC is a console-mode version of Autoruns that outputs results to its standard output. It is designed primarily for use in scripts. Its purpose is data collection only: it cannot disable or delete any autostart entries.

The command-line options are listed in Table 4-1.6 They let you capture all autostarts or just specific categories, verify digital signatures, query VirusTotal, omit Microsoft entries, specify a user account for which to capture autostarts or capture all user accounts’ autostarts, and output results as comma-separated or tab-separated values (CSV) or as XML. If you don’t specify any options, AutorunsC outputs just the Logon entries without signature verification and in an indented list format designed for human reading. To capture other ASEPs, add the –a option followed by one or more letters indicating the ASEP categories of interest, or * to capture all ASEP categories.

TABLE 4-1 AutorunsC command-line options

Autostart types: [-a *|bcdeghiklmoprsw]


Shows all autostart entries


Shows boot execute entries


Shows codecs


Shows AppInit DLLs


Shows Explorer add-ons


Shows Sidebar gadgets (Windows Vista and Windows 7)


Shows image hijacks


Shows Internet Explorer add-ons


Shows known DLLs


Shows logon autostart entries (this is the default)


Shows WMI entries

Autostart types: [-a *|bcdeghiklmoprsw]


Shows Winsock protocol and network providers


Shows Office addins


Shows printer monitor DLLs


Shows LSA security providers


Shows services and non-disabled drivers


Shows scheduled tasks


Shows Winlogon entries

What to scan


Specifies the name of the user account for which autostart entries will be shown. Use DOMAIN\User format for domain accounts. Specify * to scan all user profiles. This option requires administrative rights.

–z systemroot userprofile

Scans an offline Windows system, specifying the file-system paths to the target system’s Windows directory and to the target user-profile directory.

File information


Shows file hashes


Verifies digital signatures


If VirusTotal check is enabled, –u shows only files that are unknown by VirusTotal or that have non-zero detection.

If VirusTotal check is not enabled, –u shows only unsigned files.


Queries VirusTotal for malware based on file hashes.

With “r” added, it opens the web browser to VirusTotal report for files with non-zero detection.

With “s” added, it uploads files that report as “unknown”—that is, not previously scanned by VirusTotal.

(Also, note the meaning of –u when used with the –v[rs] option.)


Accepts the VirusTotal terms of service (TOS) without opening the TOS webpage.

Output format


Prints output as comma-separated values (CSV)


Prints output as tab-delimited values


Prints output as XML


Hides Microsoft entries. If used with –s, hides signed Microsoft entries.


Shows timestamps in normalized UTC: YYYYMMDD-hhmmss. Alphabetically sorting normalized UTC also produces a chronological sort.

Whether in the default list format, CSV, or XML, AutorunsC’s output always includes the ASEP location, entry name, description, version, publisher, image path, command line, whether the entry is disabled, and the date and time the target file was last modified, according to the file system. CSV output also includes a row for each ASEP location and when it was last modified. Note that because Windows tracks the last write time for registry keys but not for individual registry values, the “last modified” time for a registry ASEP location will be for the key and might not reflect when a specific entry was changed. When signature verification is enabled, CSV output includes both the signing name as well as the Company Name attribute from the file’s version resource.

When file hashes are requested with the –h option, AutorunsC outputs MD5, SHA-1, SHA-256, and IMPHASH7 hashes of the target file, as well as PESHA-1 and PESHA-256 hashes that are used for Authenticode signatures and that cover only the content areas and not the filler of Portable Executable (PE) files.

CSV and XML output also explicitly name the user profile to which each entry belongs, or “System-wide” for entries that apply to the entire system.

The CSV format includes column headers, and it imports easily into Excel or relational databases. The XML format is easily consumed by Windows PowerShell or any other XML consumer. For example, the following lines of PowerShell run AutorunsC, read the XML, and then display disabled items:

$arcx = [xml]$(autorunsc -a * -x -accepteula)

$arcx.SelectNodes("/autoruns/item") | ?{ $_.enabled -ne "Enabled" }