Windows Autorun Part-1

Published: 2013-12-27
Last Updated: 2013-12-27 14:26:05 UTC
by Basil Alawi S.Taher (Version: 1)
3 comment(s)

When someone suspecting that a malware activity that may exist in a system or a compromised systemone of the most obvious places to check is the startup locations .In this diary I am going to discuss some of the startup locations in Windows Systems:
1-Startup Folders:
On Windows XP systems:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\%UserName%\Start Menu\Programs\Startup
On Windows Vista/7/8
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\%UserName%\Appdata\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Windows Startup
 

When an executable file (application or batch file) is located in the All Users folder will run for any user when he/she logon, while when it's located in particular user’s folder it will run only for that  user when he/she logon.
Please note that the above locations are the default and it can be changed, I will suggest first to check the following registry keys:
On Windows XP /Windows Vista/7/8 (See figure 2):
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


 

Keywords:
3 comment(s)

Comments

Tedious and incomplete. Why not just run the Autoruns utility? http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
It is just Part-1. I'm betting he'll get to autoruns.
I found a good way is to run autorunsC.exe with -c -a and filter out the ASEPs.

Speaking of which, a while ago I read some stats on how common various persistence mechanisms were used by malware. Does anyone know where that was or know of similar stats?

Diary Archives