Wednesday, May 1, 2019

AutoStart and the AutoRun tool

There are locations that can shed light on which software, tasks, or configurations are set to run every time a user logs in or when the Operating System boots up.

These locations are worth knowing for a few different reasons.
One is personal configuration: maybe we want a tool or task to run every time we start up a computer, perhaps for updates or for logging information.

Secondly, the autostart locations can be used by potentially malicious programs to remain installed and/or run at startup.

Below is a list of locations that can be configured for autostart:

Autostart folder of the current user
  • shell:startup
  • %appdata%\Microsoft\Windows\Start Menu\Programs\Startup
  • C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Autostart folder of all users
  • shell:common startup
  • %programdata%\Microsoft\Windows\Start Menu\Programs\Startup
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

REGISTRY
Run keys (individual user)
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (only on 64-bit systems)
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce (runs the program/command only once, clears it as soon as it is run)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (runs the program/command only once, clears it as soon as execution completes)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Run keys (machine, all users)
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (only on 64-bit systems)
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce (runs the program/command only once, clears it as soon as it is run)
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (runs the program/command only once, clears it as soon as execution completes)
  • HKLM\System\CurrentControlSet\Services
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Other autostart keys

Active Setup has been designed to execute commands once per user during logon.
  • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components

Undocumented autostart feature.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

Shell-related autostart entries, e.g. items displayed when you right-click on files or folders.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
  • HKLM\Software\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers
  • HKCU\Software\Classes\Drive\ShellEx\ContextMenuHandlers
  • HKLM\Software\Wow6432Node\Classes\Drive\ShellEx\ContextMenuHandlers
  • HKLM\Software\Classes\*\ShellEx\PropertySheetHandlers
  • HKLM\Software\Wow6432Node\Classes\*\ShellEx\PropertySheetHandlers
  • HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers
  • HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
  • HKLM\Software\Wow6432Node\Classes\Directory\ShellEx\ContextMenuHandlers
  • HKCU\Software\Classes\Directory\Shellex\DragDropHandlers
  • HKLM\Software\Classes\Directory\Shellex\DragDropHandlers
  • HKLM\Software\Wow6432Node\Classes\Directory\Shellex\DragDropHandlers
  • HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers
  • HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
  • HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
  • HKLM\Software\Wow6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers
  • HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
  • HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\ContextMenuHandlers
  • HKLM\Software\Classes\Folder\ShellEx\DragDropHandlers
  • HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\DragDropHandlers
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
  • HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers

The following keys specify drivers that get loaded during startup.
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  • HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32

Misc startup keys
  • HKLM\Software\Classes\Filter
  • HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
  • HKLM\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
  • HKLM\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
  • HKLM\Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
  • HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  • HKCU\Control Panel\Desktop\Scrnsave.exe
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
  • HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64

TASKS
  • C:\Windows\Tasks
  • C:\Windows\System32\Tasks

FILES
The following files can be used to autostart programs on Windows start:
  • c:\autoexec.bat
  • c:\config.sys
  • c:\windows\winstart.bat
  • c:\windows\wininit.ini
  • c:\windows\dosstart.bat
  • c:\windows\system.ini
  • c:\windows\win.ini
  • c:\windows\system\autoexec.nt
  • c:\windows\system\config.nt
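As an added example that is not part of the original post, this PowerShell script walks the Run/RunOnce keys and both Startup folders from the lists above and reports the Authenticode status of every image it finds, which is the manual version of the signed/unsigned check described in the Autoruns section. Following .lnk shortcuts through WScript.Shell, the CreateProcess-style prefix search for unquoted paths with spaces, and the PATH lookup for bare names are my assumptions about how launch strings resolve, not something the post states.

```powershell
# Added example, not from the original post: walk the Run/RunOnce keys and the
# Startup folders listed above and flag every image that is not validly signed.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 64-bit only; skipped if absent
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # shell:startup (current user)
    [Environment]::GetFolderPath('CommonStartup')   # shell:common startup (all users)
)
# Reduce a launch string ("C:\x y\a.exe" /q, C:\x y\a.exe, foo.lnk, rundll32.exe ...) to its image path.
function Get-ImagePath([string]$launch) {
    $launch = [Environment]::ExpandEnvironmentVariables($launch.Trim())
    if ($launch -match '^"([^"]+)"') { return $Matches[1] }       # quoted path: take it verbatim
    if ($launch -like '*.lnk') {                                  # Startup-folder shortcut: follow it (assumption)
        return (New-Object -ComObject WScript.Shell).CreateShortcut($launch).TargetPath
    }
    $tokens = $launch -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {                    # unquoted path with spaces: try prefixes like CreateProcess
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    $cmd = Get-Command $tokens[0] -ErrorAction SilentlyContinue  # bare name: resolve through PATH
    if ($cmd) { return $cmd.Path } else { return $tokens[0] }
}
function Test-AutostartEntry($location, $name, $launch) {
    $image = Get-ImagePath $launch
    $status = if ($image -and (Test-Path -LiteralPath $image -PathType Leaf)) {
        (Get-AuthenticodeSignature -LiteralPath $image).Status   # Valid, NotSigned, HashMismatch, ...
    } else { 'ImageMissing' }
    [pscustomobject]@{ Location = $location; Entry = $name; Image = $image; Signature = $status }
}
$findings = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider noise, not Run values
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notin $meta) { Test-AutostartEntry $key $p.Name ([string]$p.Value) }
    }
})
$findings += @(foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
        ForEach-Object { Test-AutostartEntry $dir $_.Name $_.FullName }
})
# Anything other than 'Valid' (unsigned, tampered, or a missing image) deserves a second look.
$findings | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys and the all-users Startup folder are readable; an unsigned file dropped into the per-user Startup folder, like the one in the screenshot below, shows up as NotSigned.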



_________________________________________________________________________________

Autoruns for Windows


The Autoruns tool is part of the Sysinternals Suite by Mark Russinovich, CTO of Microsoft and software engineer.  This tool is great for a one-stop check of all the autostart locations mentioned above.

It shows which programs are configured to run during system boot or login.  The tool also reports whether each entry is signed or is unsigned third-party software.

Autoruns GUI


In the screenshot, "badthing.exe" sits in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" and is unsigned, with no publisher.




In conclusion, knowing the autostart locations, or where to reference them, is valuable for answering what starts up at boot and login time.  For assistance there is the Autoruns tool, which I recommend be brought along with the Sysinternals Suite.



--Bryan