Autoruns¶
From https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns:
This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players. These programs and drivers include ones in your startup folder, Run, RunOnce, and other Registry keys. Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond other autostart utilities.
Integration¶
Pertinax¶
Josh Brower developed a great project called Pertinax to normalize autoruns data and integrate it into Security Onion:
Execute autoruns and ar-normalize.ps1 as shown here:
AutorunsToWinEventLog¶
Another method for integrating Autoruns into your logging infrastructure is AutorunsToWinEventLog:
Downloads¶
Download Autoruns here:
Download ar-normalize.ps1 here:
More Information¶
Note
For more information about Autoruns, please see: