And here we are on the 3rd post: Introduction to Autoruns and ProcDump
The Sysinternals suite of tools is a collection of over 70 utilities that can be used to troubleshoot and diagnose a wide range of issues on a Windows system.
In this blog post we’ll focus on ProcDump and Autoruns.
Let’s start with a short instruction about these tools.
Autoruns allows you to view all the programs that are configured to run automatically when the system starts up. This is helpful when trying to identify malware or other unwanted software that has established persistence on the system.
As we’ve done for previous tools, let’s start with the main interface:
The software starts on the Everything tab, which includes all the records it has identified in the locations it scans (the full list of scanned locations can be found in the book recommended at the end), and as you can see there is a lot, even on a recently created VM with only basic applications installed.
The entries are grouped by the Location in which they are defined, and additional information is organized by column:
- Autoruns Entry shows either the name of the application being run (taken from the file's metadata) or the executable itself.
- Description is taken from the Description version resource of the file.
- Publisher is likewise taken from the file's version resource, unless the file has a valid code-signing certificate, in which case the name shown is taken directly from the certificate's Subject Name.
- Image Path is the full path to the file to be executed.
- Timestamp displays the creation date and time of Portable Executable (PE) files in the local time zone. For non-PE files, such as script files, it shows the last-write time of the file. For shaded ASEP entries, it reflects the last modification time of the registry key or directory.
Note: Autoruns highlights an entry in pink if its image has no Description or Publisher information, or if its code-signing certificate is missing or cannot be verified.
Additional information can be gleaned from the file by clicking on it:
If you want to see further file information you can double-click an entry:
And if you want to go to the location where the entry is configured you can right-click -> Jump to Image, same as in Process Monitor:
Additional options will be discussed a bit later in the article, for now let’s continue on the tabs:
The Logon tab lists the standard autostart entries processed during Windows start and user logon, including popular ASEPs like the registry Run and RunOnce keys, the Start menu Startup directories, computer scripts, and user session processes like Userinit and the desktop shell. These entries cover both per-user and system-wide locations, and are controllable through Group Policy. Additionally, the tab lists the Active Setup\Installed Components keys, which are used in the wild despite never having been documented or supported.
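To make the column semantics and the pink-highlight rule concrete, here is an added PowerShell example (not code from the blog post or from Sysinternals) that enumerates a subset of the Logon ASEPs Autoruns shows (the Run/RunOnce keys and the Startup folders), derives Description and Publisher from the version resource or the Authenticode signer, picks the timestamp the same way Autoruns does (creation time for PE files, last-write time otherwise), and flags the entries Autoruns would shade pink. The key list, the `Suspicious` flag name and the simplified command-line parsing are my own assumptions; Autoruns scans many more locations than these.

```powershell
# Added example, not part of the original post or the Sysinternals suite.
# Enumerates common Logon ASEPs and reproduces the Autoruns "pink" rule:
# missing Description/Publisher, or no valid code-signing signature.

# Assumed subset of Logon locations (Autoruns checks far more).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),       # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')  # all-users Startup folder
)

# Extract the image path from a Run-key command line (quoted, or unquoted
# with spaces, which is resolved token by token until a file exists).
function Get-ImagePath([string]$command) {
    $cmd = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($cmd.StartsWith('"')) { return $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1) }
    $parts = $cmd.Split(' ')
    for ($i = 0; $i -lt $parts.Length; $i++) {
        $candidate = ($parts[0..$i] -join ' ')
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $parts[0]
}

# Startup folders usually hold .lnk shortcuts; resolve them to their target.
function Resolve-Shortcut([string]$path) {
    if ([IO.Path]::GetExtension($path) -ne '.lnk') { return $path }
    $target = (New-Object -ComObject WScript.Shell).CreateShortcut($path).TargetPath
    if ($target) { return $target } else { return $path }
}

# PE files begin with the 'MZ' signature; Autoruns shows creation time for
# these and last-write time for everything else (scripts, data files).
function Test-PeFile([string]$path) {
    $fs = [IO.File]::OpenRead($path)
    try {
        $b = New-Object byte[] 2
        $n = $fs.Read($b, 0, 2)
        return ($n -eq 2 -and $b[0] -eq 0x4D -and $b[1] -eq 0x5A)
    } finally { $fs.Close() }
}

function Get-AutorunInfo([string]$location, [string]$entry, [string]$image) {
    $desc = $null; $publisher = $null; $sig = 'FileNotFound'; $ts = $null
    if (Test-Path -LiteralPath $image) {
        $item = Get-Item -LiteralPath $image
        $desc = $item.VersionInfo.FileDescription
        $publisher = $item.VersionInfo.CompanyName
        $auth = Get-AuthenticodeSignature -LiteralPath $image
        $sig = $auth.Status.ToString()
        if ($sig -eq 'Valid') {
            # Signed file: Autoruns shows the certificate Subject name instead.
            $publisher = $auth.SignerCertificate.GetNameInfo('SimpleName', $false)
        }
        $ts = if (Test-PeFile $image) { $item.CreationTime } else { $item.LastWriteTime }
    }
    [pscustomobject]@{
        Location    = $location
        Entry       = $entry
        Description = $desc
        Publisher   = $publisher
        ImagePath   = $image
        Timestamp   = $ts
        Signature   = $sig
        # Mirrors the pink highlight: no description/publisher or unverifiable signature.
        Suspicious  = [string]::IsNullOrWhiteSpace($desc) -or
                      [string]::IsNullOrWhiteSpace($publisher) -or
                      ($sig -ne 'Valid')
    }
}

$results = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath etc.
        Get-AutorunInfo $key $p.Name (Get-ImagePath ([string]$p.Value))
    }
})
$results += @(foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        Get-AutorunInfo $dir $_.Name (Resolve-Shortcut $_.FullName)
    }
})

$results | Sort-Object Location, Entry |
    Format-Table Location, Entry, Publisher, Signature, Timestamp, Suspicious -AutoSize
```

Run it in an elevated prompt so the HKLM keys and the all-users Startup folder are readable. Entries marked `Suspicious` are the ones to look at first, but as with the pink rows in Autoruns they are only a triage hint: plenty of legitimate software ships unsigned or without version resources, and an attacker can just as easily sign a binary or fill in a plausible CompanyName, so the flag is a starting point for inspecting the image and its location, not a verdict. RunOnce values are deleted by Windows after they execute, so capturing this output on a schedule gives you a record of transient entries Autoruns alone would miss.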
The Explorer tab in Autoruns lists common autostart entries that hook into Windows Explorer and run in-process with Explorer.exe. There are both system-wide and per-user entries, including Shell Extensions (context menus, property pages, folder and window displays, etc.), Namespace Extensions (Desktop, Control Panel, Recycle Bin and third-party), Pluggable Namespace Handlers, which handle protocols (http/https, ftp, mailto, etc.) or Microsoft and third-party extensions (about, mk, res), and Pluggable MIME filters.
Note: a DLL can only be loaded into a process of the same architecture, so a 32-bit DLL can only be loaded into a 32-bit process. Since explorer.exe runs as a 64-bit process on 64-bit Windows, only 64-bit DLL extensions can be loaded into it.