Figure 1
At first glance, you can see that the interface has 18 different tabs across the top. The first tab, labeled 'Everything', shows every program, driver, service and other component configured to run at startup or logon; most people are surprised by how many there are. Unlike MSConfig, Autoruns does not require administrator rights to display the entries it can see (some locations, and other users' profiles, do require them).
Other tabs show the same information grouped by type, including:
Most of the above items are fairly familiar, but AppInit probably looks strange. The AppInit_DLLs value (under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows) lists DLLs that are loaded into every process that loads the window manager library User32.dll. Because almost every program with a graphical interface (as opposed to a command-line one) loads User32.dll, a DLL listed here ends up inside nearly every GUI process, which is why AppInit_DLLs is a favourite persistence mechanism for malware. Note that on Windows 8 and later with Secure Boot enabled, Windows ignores this value.
Another tab you might not recognise is Image Hijacks. This tab covers the Image File Execution Options key in the Windows registry (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options). A subkey named after an executable with a Debugger value causes Windows to start the program named in that value, with the original command line, whenever the named executable is launched; the 'debugger' can simply be a completely different program, so the original one never runs at all.
Note that the entries you see in Autoruns are not necessarily running programs; they are programs configured to run automatically. To check whether an item is actually running, right-click it and select Process Explorer. Assuming Process Explorer is installed, this opens the process's Properties dialog there. Note that if Process Explorer is running with administrator rights while Autoruns is running as a standard user, this action fails, because Autoruns cannot communicate with the elevated Process Explorer.
One of the most useful features is the 'Jump to' option. If you right-click an entry and select 'Jump to', as shown in Figure 2, the Registry Editor (or Explorer, for file-based entries) opens at the location of that item.
Figure 2
There will certainly be entries whose name, description and publisher you do not recognise. Right-click such an entry and choose 'Search online' to look it up in your browser. This is a quick way to find out whether a startup item is associated with known malware, although an entry that nobody has written about yet will not turn up anything, so it is a hint rather than a verdict.
Another extremely useful feature is found in the File menu: an option called 'Compare...'. Using it takes some preparation, because you need to have used File | Save to save an Autoruns file (.arn extension) from the machine while it was still known to be clean, before the problem started. If you have such a baseline, Compare marks the entries that were not present in the saved file, which narrows the search for malware down to what has changed.
For easier management you can select Hide Microsoft entries in the Options menu. By itself this is not a good idea, because it is trivial for malware authors to label their files as created by Microsoft; only a verified digital signature proves who published a file. Enable Verify Code Signatures (also in the Options menu) first, so that the filter is based on signatures that actually verify rather than on the claimed company name, or verify a single entry by selecting Verify from the Entry menu (or pressing CTRL + V).
Another advantage of Autoruns over MSConfig is that it shows autostart entries per user. More and more malware runs under standard user accounts and persists by writing to HKEY_CURRENT_USER (for example HKCU\Software\Microsoft\Windows\CurrentVersion\Run), which needs no administrator rights at all. With Autoruns you can choose the account to inspect from the User menu (viewing another account's hive requires administrator rights). This lets you find malware that is hiding in the registry of other user accounts.
Autoruns can also analyze an offline system, which helps when hunting for rootkits that hide their entries from tools running on the live system. You will find this option in the File menu; you supply the Windows system root directory of the offline installation and the user profile you want to check. Note that Autorunsc (the command-line version of Autoruns) can be combined with the Sysinternals PsExec tool to list autostart entries on a remote computer, and its output can be redirected to a file for later comparison.
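The Compare workflow above can be scripted over Autorunsc CSV exports, which is handy when you collect baselines from many machines. The following is an added example, not code from the article or from Sysinternals: it diffs a constructed baseline export against a constructed later export from the same machine, keeps only the new entries, and flags the points made above (an Image File Execution Options redirect, an entry whose signature does not verify even though its Company column says Microsoft, and a per-user HKCU entry). The column names are assumed to match the header that Autorunsc writes for CSV output; the parser reads the header line, so only the columns used below matter. All hosts, users, paths and entries are made up.

```python
"""Added example: baseline-versus-current comparison of Autorunsc CSV exports,
the scripted equivalent of Autoruns' File | Compare (not Sysinternals code)."""
import csv
import io

# Constructed sample data. The column names are assumed to match the header
# that Autorunsc writes for CSV output; the parser keys on the header line,
# so a differing column set only matters for the columns used below.
BASELINE_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
20230302-091000,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.19041.1,%windir%\system32\SecurityHealthSystray.exe
20230302-091000,HKLM\System\CurrentControlSet\Services,Spooler,enabled,Services,System-wide,Print Spooler,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\spoolsv.exe,10.0.19041.1,C:\Windows\System32\spoolsv.exe
20230302-091000,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,CONTOSO\alice,Microsoft OneDrive,(Verified) Microsoft Corporation,Microsoft Corporation,c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe,23.3.0.0,C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
"""

# Same machine two weeks later: the three baseline rows plus two new ones.
CURRENT_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
20230302-091000,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.19041.1,%windir%\system32\SecurityHealthSystray.exe
20230302-091000,HKLM\System\CurrentControlSet\Services,Spooler,enabled,Services,System-wide,Print Spooler,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\spoolsv.exe,10.0.19041.1,C:\Windows\System32\spoolsv.exe
20230302-091000,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,CONTOSO\alice,Microsoft OneDrive,(Verified) Microsoft Corporation,Microsoft Corporation,c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe,23.3.0.0,C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
20230315-221400,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe,sethc.exe,enabled,Image Hijacks,System-wide,Windows Command Processor,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\cmd.exe,10.0.19041.1,cmd.exe
20230315-221400,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDriveUpdate,enabled,Logon,CONTOSO\alice,,(Not verified) Microsoft Corporation,Microsoft Corporation,c:\users\alice\appdata\roaming\onedriveupdate.exe,n/a,C:\Users\alice\AppData\Roaming\onedriveupdate.exe /silent
"""


def parse_autoruns_csv(text):
    """Key each row by (location, entry name, image path), so an existing
    entry that was repointed at a different binary also shows up as new."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["Entry Location"], r["Entry"], r["Image Path"].lower()): r
            for r in rows}


def is_verified(row):
    """Trust the verified signature, never the self-declared Company column.
    Assumes the Signer column starts with '(Verified)' for verified files."""
    return row["Signer"].startswith("(Verified)")


def compare_exports(baseline_text, current_text):
    """Return (new_rows, removed_rows) relative to the baseline."""
    base = parse_autoruns_csv(baseline_text)
    cur = parse_autoruns_csv(current_text)
    new = [cur[k] for k in cur if k not in base]
    removed = [base[k] for k in base if k not in cur]
    return new, removed


def triage(rows):
    """Attach the review points from the article to each new entry."""
    findings = []
    for r in rows:
        flags = []
        if not is_verified(r):
            flags.append("signature not verified (Company column is self-declared)")
        if r["Category"] == "Image Hijacks":
            # An IFEO Debugger value: launching the entry name runs the image path.
            flags.append("IFEO redirect: launching %s actually runs %s"
                         % (r["Entry"], r["Image Path"]))
        if r["Category"] == "AppInit":
            flags.append("AppInit_DLLs entry: loaded into every process that loads user32.dll")
        if r["Entry Location"].upper().startswith("HKCU\\"):
            flags.append("per-user autostart for profile %s" % r["Profile"])
        findings.append({"entry": r["Entry"], "location": r["Entry Location"],
                         "image": r["Image Path"], "flags": flags})
    return findings


if __name__ == "__main__":
    new, removed = compare_exports(BASELINE_CSV, CURRENT_CSV)
    for f in triage(new):
        print("NEW:", f["entry"], "@", f["location"])
        for flag in f["flags"]:
            print("     -", flag)
    for r in removed:
        print("REMOVED:", r["Entry"], "@", r["Entry Location"])
```

Two things the output makes visible that a "hide Microsoft entries" filter would not: the sethc.exe hijack points at cmd.exe, which carries a perfectly valid Microsoft signature, so only the Image Hijacks category gives it away; and the OneDriveUpdate entry claims Microsoft as its company but its signature does not verify, which is exactly the fake-publisher trick the article warns about.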
Finally, you need to know how to remove the items you find in Autoruns. There are two ways to do that within Autoruns:
Note that in some cases you may have to end the process, log out and log back in, or even restart the computer for the change to take effect.
This second article has covered only Autoruns. In the next part of this series, I will show you how to use Process Monitor to track what malware does, how to remove malware from the system once it has been detected, and what to do if the Sysinternals tools do not help.