AutoRuns PowerShell Module
AutoRuns module was designed to help do live incident response and enumerate autoruns artifacts that may be used by legitimate programs as well as malware to achieve persistence.
Table of Contents
Usage
Install the module
The module is located on the PowerShellGallery
# Check the module on powershellgallery.com using PowerShellGet cmdlets
Find-Module -Name Autoruns -Repository PSGallery
Version Name Repository Description
------- ---- ---------- -----------
14.0.2 AutoRuns PSGallery AutoRuns is a module ...
# Save the module locally in Downloads folder
Save-Module -Name AutoRuns -Repository PSGallery -Path ~/Downloads
Stop and please review the content of the module, I mean the code to make sure it's trustworthy :-)
You can also verify that the SHA256 hashes of downloaded files match those stored in the catalog file
$HT = @{
CatalogFilePath = "~/Downloads/AutoRuns/14.0.2/AutoRuns.cat"
Path = "~/Downloads/AutoRuns/14.0.2"
Detailed = $true
FilesToSkip = 'PSGetModuleInfo.xml'
}
Test-FileCatalog @HT
# Import the module
Import-Module ~/Downloads/AutoRuns/14.0.2/AutoRuns.psd1 -Force -Verbose
Check the command available
Get-Command -Module AutoRuns
CommandType Name Version Source
----------- ---- ------- ------
Function Compare-AutoRunsBaseLine 14.0.2 AutoRuns
Function Get-PSAutorun 14.0.2 AutoRuns
Function New-AutoRunsBaseLine 14.0.2 AutoRuns
Find the syntax
Get-PSAutorun
# View the syntax of Get-PSAutorun
Get-Command Get-PSAutorun -Syntax
Get-PSAutorun [-All] [-BootExecute] [-AppinitDLLs] [-ExplorerAddons] [-ImageHijacks] [-InternetExplorerAddons] [-KnownDLLs] [-Logon] [-Winsock] [-Codecs] [-OfficeAddins] [-PrintMonitorDLLs] [-LSAsecurityProviders] [-ServicesAndDrivers] [-ScheduledTasks] [-Winlogon] [-WMI] [-PSProfiles] [-ShowFileHash] [-VerifyDigitalSignature] [-User <string>] [<CommonParameters>]
Get-PSAutorun [-All] [-BootExecute] [-AppinitDLLs] [-ExplorerAddons] [-ImageHijacks] [-InternetExplorerAddons] [-KnownDLLs] [-Logon] [-Winsock] [-Codecs] [-OfficeAddins] [-PrintMonitorDLLs] [-LSAsecurityProviders] [-ServicesAndDrivers] [-ScheduledTasks] [-Winlogon] [-WMI] [-PSProfiles] [-Raw] [-User <string>] [<CommonParameters>]
New-AutoRunsBaseLine
# View the syntax of New-AutoRunsBaseLine
Get-Command New-AutoRunsBaseLine -Syntax
New-AutoRunsBaseLine [-InputObject] <Object[]> [[-FilePath] <string>] [-WhatIf] [-Confirm] [<CommonParameters>]
Compare-AutoRunsBaseLine
# View the syntax of Compare-AutoRunsBaseLine
Get-Command Compare-AutoRunsBaseLine -Syntax
Compare-AutoRunsBaseLine [[-ReferenceBaseLineFile] <string>] [[-DifferenceBaseLineFile] <string>] [<CommonParameters>]
View examples provided in the help
Get-PSAutorun
# Get examples from the help
Get-Help Get-PSAutorun -Examples
NAME
Get-PSAutorun
SYNOPSIS
Get Autorun entries.
-------------------------- EXAMPLE 1 --------------------------
PS C:\>Get-PSAutorun -BootExecute -AppinitDLLs
-------------------------- EXAMPLE 2 --------------------------
PS C:\>Get-PSAutorun -KnownDLLs -LSAsecurityProviders -ShowFileHash
-------------------------- EXAMPLE 3 --------------------------
PS C:\>Get-PSAutorun -All -ShowFileHash -VerifyDigitalSignature
-------------------------- EXAMPLE 4 --------------------------
PS C:\>Get-PSAutorun -All -User * -ShowFileHash -VerifyDigitalSignature
New-AutoRunsBaseLine
# Piping the filtered output of the Get-PSAutorun to the New-AutoRunsBaseLine function will create a .ps1 file in ~/Documents
Get-PSAutorun -VerifyDigitalSignature |
Where { -not($_.isOSbinary)} |
New-AutoRunsBaseLine -Verbose
# On Windows PowerShell, you can use the Out-GridView cmdlet to run and view the content of the file created
~\Documents\PSAutoRunsBaseLine-20201102214715.ps1 |
Out-GridView -PassThru
Compare-AutoRunsBaseLine
# You need two files in ~/Documents generated by the New-AutoRunsBaseLine function
Compare-AutoRunsBaseLine -Verbose
Issues
-
What are registrations in the WMI\Default namespace introduced in Autoruns v13.7? see c7eab48c77f578e0dcff61d2b46a479b28225a56
-
If you run PowerShell 5.1 and Applocker in allow mode, you need to add a local appplocker rule that allows the module to be loaded. The module files aren't signed anymore with a DigiCert certificate.
If your corporate admin has turned off local group policy objects processing on a domain joined device, you'll need to add the trusted publisher rule in a Domain group policy.
gp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Name DisableLGPOProcessing -EA 0
Todo
Coding best practices
- Use PSScriptAnalyzer module to validate the code follows best practices
- Write Pester tests for this module
OS and Software compatibility
- Test the module in PowerShell Core 7.x (latest)
- Test the module on Nano and get rid of Add-Member cmdlet
- Test the module on various versions of Windows 10
- 20H2
- 21H1
- 21H2
- 22H2
- Test the module on various versions of Windows 11
- 21H2
- 22H2
- Test the module on Windows RT
- Review Office Add-ins code with Office x86 and x64 versions
General improvements
- Write a better implementation of the internal Get-RegValue function
- Review and improve regex used by the internal Get-PSPrettyAutorun function (ex: external paths)
New features
- Replace HKCU and add an option to specify what user hive is being investigated
- Add timestamps on registry keys
- Analyze an offline image of Windows
- Create a baseline of artifacts
- Compare two baselines of artifacts
Help
- More examples
- Use external help?
- Internationalization?
- Copy the changelog at the end of the module in README.md
- Document issues and write a pester tests to validate the module behavior if fixed
Credits
Thanks go to:
- @LeeHolmes:
- Improving common parameters 7fe8e7ea983325b5543da1300cb8a4636c7062ef
- Filtering OS binaries 8efb0fad4585ecd4517b55ff5b5cec91f7dd364a
Get-PSAutorun -VerifyDigitalSignature | ? { -not $_.IsOSBinary }
Other links
- https://live.sysinternals.com
- https://docs.microsoft.com/en-us/sysinternals
- https://docs.microsoft.com/en-us/archive/blogs/sysinternals
Autoruns.exe from Mark Russinovich
OriginalThis Autoruns update fixes a bug preventing the enabling/disabling of startup folder items.
This Autoruns update fixes a series of application crashes, now correctly parses paths with spaces passed as command line arguments and improves .arn import functionality.
This Autoruns update can open .arn files from the command line, fixes RunDll32 parameter handling in some cases, supports toggling Active Setup entries, fixes a crash when no ProcExp can be found in the path and improves 32/64 bit redirection.
This Autoruns release fixes a crash happening for scheduled tasks containing spaces.
This update for Autoruns addresses a bug preventing opening and comparing .arn files.
This update for Autoruns adds a series of display/theme fixes, restores autorunsc, fixes a regression for rundll32 entries, limits per-user scans to the user locations, fixes Microsoft entry hiding and adds a high DPI application icon.
This update for Autoruns restores entries previously shown in v13.100, improves Wow64 redirection handling and entry name resolution.
Autoruns, a utility for monitoring startup items, receives a series of UI improvements related to the dark theme and general Windows 10 tweaks, VirusTotal and signed files regressions fixes.
This update for Autoruns fixes a regression with VirusTotal submissions introduced in v14.0.
Autoruns, a utility for monitoring startup items, is the latest Sysinternals tool to receive a UI overhaul including a dark theme.
This update to Autoruns fixes a crash reported in v13.99.
This update to Autoruns fixes a bug that resulted in some empty locations being hidden when the Include Empty Locations option is selected.
This release of Autoruns resolves an issue where Microsoft Defender binaries were being flagged as unsigned.
This Autoruns update adds support for user Shell folders redirections.
This Autoruns update fixes a bug that prevented the correct display of the target of image hosts such as svchost.exe, rundll32.exe, and cmd.exe.
This Autoruns update fixes a bug that prevented UserInitMprLogonScript from being scanned and by-default enables HCKU scanning for the console version.
Autoruns, a comprehensive Windows autostart entry point (ASEP) manager, now includes Runonce*\Depend keys and GPO logon and logoff locations, as well as fixes a bug in WMI path parsing.
This Autoruns release shows Onenote addins and fixes several bugs.
This update to Autoruns fixes a Wow64 bug in Autorunsc that could cause 32-bit paths to result in 'file not found' errors, and expands the set of images not considered part of Windows for the Windows filter in order to reveal malicious files masquerading as Windows images
This release of Autoruns, a utility for viewing and managing autostart execution points (ASEPs), adds additional autostart entry points, has asynchronous file saving, fixes a bug parsing 32-bit paths on 64-bit Windows, shows the display name for drivers and services, and fixes a bug in offline Virus Total scanning.
This update to Autoruns, a comprehensive autostart execution point manager, adds Microsoft HTML Application Host (mshta.exe) as hosting image so it displays the hosted image details, and now doesn’t apply filters to hosting images.
Autoruns, an autostart entry point management utility, now reports print providers, registrations in the WMI\Default namespace, fixes a KnownDLLs enumeration bug, and has improved toolbar usability on high-DPI displays.
This release of Autoruns, a comprehensive autostart entry manager, fixes a WMI command-line parsing bug, emits a UNICODE BOM in the file generated when saving results to a text file, and adds back the ability to selectively verify the signing status of individual entries.
This update to Autoruns, the most comprehensive autostart viewer and manager available for Windows, now shows 32-bit Office addins and font drivers, and enables resubmission of known images to Virus Total for a new scan.
Autoruns, the most comprehensive utility available for showing what executables, DLLs, and drivers are configured to automatically start and load, now reports Office addins, adds several additional autostart locations, and no longer hides hosting executables like cmd.exe, powershell.exe and others when Windows and Microsoft filters are in effect.
Autoruns, a utility that shows what processes, DLLs, and drivers are configured to automatically load, adds reporting of GP extension DLLs and now shows the target of hosting processes like cmd.exe and rundll32.exe.
In addition to bug fixes to CSV and XML output, Autorunsc introduces import-hash reporting, and Autoruns now excludes command-line and other host processes from the Microsoft and Windows filters.
This release fixes a bug in v13 that caused autostart entry lines not to show when you enter a filter string into the toolbar's filter control
This major update to Autoruns, an autostart execution point (ASEP) manager, now has integration with Virustotal.com to show the status of entries with respect to scans by over four dozen antimalware engines. It also includes a revamped scanning architecture that supports dynamic filters, including a free-form text filter, a greatly improved compare feature that highlights not just new items but deleted ones as well, and file saving and loading that preserves all the information of a scan
This update to Autoruns adds the registered HTML file extension, fixes a bug that could cause disabling of specific entry types to fail with a “path not found” error, and addresses another that could prevent the Jump-to-image function from opening the selected image on 64-bit Windows.
This fixes a bug that could cause Autoruns to crash on startup, updates the image path parsing for Installed Components to remove false positive file-not-found entries, and correctly reports image entry timestamps in local time instead of UTC.
This update to Autoruns, a utility that comes in Windows application and command-line forms, has numerous bug fixes, adds a profile attribute/column to CSV and XML output, and interprets the CodeBase value for COM object registrations.
This release of Autoruns, a Windows application and command-line utility for viewing autostart entries, now reports the presence of batch file and executable image entries in the WMI database, a vector used by some types of malware.
This release of Autoruns, a powerful utility for scanning and disabling autostart code, adds a new option to have it show only per-user locations, something that is useful when analyzing the autostarts of different accounts than the one that Autoruns is running under.
This release fixes a bug in version 11.61’s jump-to-image functionality.