{
	"id": "db3d5c2e-7411-48f3-b536-f387f7895bae",
	"created_at": "2026-04-06T02:11:03.892745Z",
	"updated_at": "2026-04-10T03:21:46.930318Z",
	"deleted_at": null,
	"sha1_hash": "f2e8705a7de81e44d548e8bc45862a1e952965a4",
	"title": "Autoruns - Sysinternals",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53044,
	"plain_text": "Autoruns - Sysinternals\r\nBy markruss\r\nArchived: 2026-04-06 01:56:49 UTC\r\nBy Mark Russinovich\r\nPublished: February 6, 2024\r\nCreated with ZoomIt\r\nThis utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows\r\nyou what programs are configured to run during system bootup or login, and when you start various built-in\r\nWindows applications like Internet Explorer, Explorer and media players. These programs and drivers include\r\nones in your startup folder, Run, RunOnce, and other Registry keys. Autoruns reports Explorer shell extensions,\r\ntoolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way\r\nbeyond other autostart utilities.\r\nAutoruns' Hide Signed Microsoft Entries option helps you to zoom in on third-party auto-starting images that\r\nhave been added to your system and it has support for looking at the auto-starting images configured for other\r\naccounts configured on a system. Also included in the download package is a command-line equivalent that can\r\noutput in CSV format, Autorunsc.\r\nYou'll probably be surprised at how many executables are launched automatically!\r\nSimply run Autoruns and it shows you the currently configured auto-start applications as well as the full list of\r\nRegistry and file system locations available for auto-start configuration. Autostart locations displayed by Autoruns\r\ninclude logon entries, Explorer add-ons, Internet Explorer add-ons including Browser Helper Objects (BHOs),\r\nAppinit DLLs, image hijacks, boot execute images, Winlogon notification DLLs, Windows Services and Winsock\r\nLayered Service Providers, media codecs, and more. Switch tabs to view autostarts from different categories.\r\nTo view the properties of an executable configured to run automatically, select it and use the Properties menu\r\nitem or toolbar button. 
If Process Explorer is running and there is an active process executing the selected\r\nexecutable then the Process Explorer menu item in the Entry menu will open the process properties dialog box\r\nfor the process executing the selected image.\r\nNavigate to the Registry or file system location displayed or the configuration of an auto-start item by selecting\r\nthe item and using the Jump to Entry menu item or toolbar button, and navigate to the location of an autostart\r\nimage.\r\nTo disable an auto-start entry uncheck its check box. To delete an auto-start configuration entry use\r\nthe Delete menu item or toolbar button.\r\nhttps://technet.microsoft.com/en-us/sysinternals/bb963902\r\nPage 1 of 3\n\nThe Options menu includes several display filtering options, such as only showing non-Windows entries, as well\r\nas access to a scan options dialog from where you can enable signature verification and Virus Total hash and file\r\nsubmission.\r\nSelect entries in the User menu to view auto-starting images for different user accounts.\r\nMore information on display options and additional information is available in the on-line help.\r\nAutorunsc is the command-line version of Autoruns. 
Its usage syntax is:\r\nUsage: autorunsc [-a \u003c*|bdeghiklmoprsw\u003e] [-c|-ct] [-h] [-m] [-s] [-u] [-vt] [[-z ] | [user]]]\r\nParameter Description\r\n-a Autostart entry selection:\r\n* All.\r\nb Boot execute.\r\nd Appinit DLLs.\r\ne Explorer addons.\r\ng Sidebar gadgets (Vista and higher)\r\nh Image hijacks.\r\ni Internet Explorer addons.\r\nk Known DLLs.\r\nl Logon startups (this is the default).\r\nm WMI entries.\r\nn Winsock protocol and network providers.\r\no Codecs.\r\np Printer monitor DLLs.\r\nr LSA security providers.\r\ns Autostart services and non-disabled drivers.\r\nt Scheduled tasks.\r\nw Winlogon entries.\r\n-c Print output as CSV.\r\n-ct Print output as tab-delimited values.\r\n-h Show file hashes.\r\n-m Hide Microsoft entries (signed entries if used with -v).\r\n-s Verify digital signatures.\r\n-t Show timestamps in normalized UTC (YYYYMMDD-hhmmss).\r\n-u\r\nIf VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero\r\ndetection, otherwise show only unsigned files.\r\n-x Print output as XML.\r\n-v[rs]\r\nQuery VirusTotal for malware based on file hash. Add 'r' to open reports for files with non-zero\r\ndetection. Files reported as not previously scanned will be uploaded to VirusTotal if the 's'\r\noption is specified. Note scan results may not be available for five or more minutes.\r\n-vt\r\nBefore using VirusTotal features, you must accept the VirusTotal terms of service. If you\r\nhaven't accepted the terms and you omit this option, you will be interactively prompted.\r\n-z Specifies the offline Windows system to scan.\r\nuser\r\nSpecifies the name of the user account for which autorun items will be shown. 
Specify '*' to\r\nscan all user profiles.\r\nWindows Internals Book The official updates and errata page for the definitive book on Windows\r\ninternals, by Mark Russinovich and David Solomon.\r\nWindows Sysinternals Administrator's Reference The official guide to the Sysinternals utilities by Mark\r\nRussinovich and Aaron Margosis, including descriptions of all the tools, their features, how to use them for\r\ntroubleshooting, and example real-world cases of their use.\r\nDownload Download Autoruns and Autorunsc (2.8 MB)\r\nRun now from Sysinternals Live.\r\nSource: https://technet.microsoft.com/en-us/sysinternals/bb963902",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://technet.microsoft.com/en-us/sysinternals/bb963902"
	],
	"report_names": [
		"bb963902"
	],
	"threat_actors": [],
	"ts_created_at": 1775441463,
	"ts_updated_at": 1775791306,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f2e8705a7de81e44d548e8bc45862a1e952965a4.pdf",
		"text": "https://archive.orkl.eu/f2e8705a7de81e44d548e8bc45862a1e952965a4.txt",
		"img": "https://archive.orkl.eu/f2e8705a7de81e44d548e8bc45862a1e952965a4.jpg"
	}
}