SANS Digital Forensics and Incident Response Blog

Autoruns and Dead Computer Forensics

Autoruns from Sysinternals is one of my favorite (free) tools. It has a myriad of uses, from optimizing the boot process to rooting out persistence mechanisms commonly used by malware. It is essentially a targeted registry dump, peering into at least a hundred different Windows Registry keys that the boot and logon processes rely upon. It very quickly shows what executables are set to run during boot or login, as well as enumerating many other interesting locations like Explorer shell extensions, browser helper objects, and toolbars. Over the years it has added some very useful features, including digital signature checks and the ability to ignore signed (and verified) Microsoft executables.

Until recently Autoruns had one big limitation: it had to be run on a live system. This is perfectly fine in a live response scenario when you are primarily working with systems that are up and running. However, in a dead computer forensics environment, its usefulness was hampered by this limitation. The painful workaround was to boot the forensic image using something like Live View or Guidance's Physical Disk Emulator, and run Autoruns on the booted system.

Autoruns Analyze Offline System Option

In version 10 of Autoruns, there is now an option to "Analyze Offline System". This is exactly the feature needed to leverage Autoruns with forensic images. It also provides a better ability to detect rootkits since the target system is offline and hence not protected by any malware hiding mechanisms.

Setting System Root and User Profile

The first step is to mount your drive or image on your local system. This is trivial if you are lucky enough to be working with Microsoft VHD files; more commonly you will use a third-party tool like IMDisk to mount a forensic image. Once you have a drive letter for your image, you simply point Autoruns to the System Root and User Profile (the location of NTUSER.DAT) that you wish to interrogate. All of the existing Autoruns functionality that you know and love will now work on the mounted image.

Honey, did you install a keylogger on our system?

As excited as I am with this new addition, I unfortunately uncovered several significant issues during testing of the Autoruns v10.01 release:

  1. Autorunsc.exe, the command line version, appears to have a bug which precludes its offline capability. The switch should be '-z <systemroot> <userprofile>', but I have had no luck in getting it to work. This is a bit unfortunate, because I prefer the .csv output and scripting capabilities.
  2. Regardless of the mount point your image is using, the tool reports the Image Path using C:\. Not a huge problem, but it tends to exacerbate some of the other issues documented below.
  3. I found several instances when Autoruns would fail to run on a particular mounted image. I eventually was able to get all of my test images to be recognized using the offline feature, but it required multiple tries and reloads of the application. Be careful here, because Autoruns will sometimes silently fail and load the results from your local forensic workstation instead.
  4. In addition to outright failures, I also encountered partial loads, sometimes seeing results intermingled between the offline image and the local system values. A good indicator that something may be amiss is if you see large numbers of "File not found" entries in the Image Path column (see screenshot below). In these instances, I was also able to determine that some of the digital signature verification was taking place on the similarly named dlls and executables on the local system as opposed to the offline system image. Needless to say, this is a big problem.

    Autoruns Offline Retrieval Error
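To make the offline checks concrete, here is an added PowerShell example (written for this post's discussion, not code from the post or from Sysinternals) that performs the mount-then-interrogate step by hand for the classic Run/RunOnce keys: it loads the image's SOFTWARE and NTUSER.DAT hives from the mount point, re-roots each Image Path from C:\ to the mount drive (issue 2 above), flags entries whose file is missing on the image (the "File not found" indicator from issue 4), and runs the Authenticode check against the file on the mounted image rather than the similarly named file on the workstation. The mount drive G:\ and the profile path G:\Users\victim are assumptions; change them to match your mount. It must run from an elevated prompt because reg.exe load requires it, and it copies the hives to a scratch folder first so that a read-only mount does not get in the way.

```powershell
# Added example (not from the post or Sysinternals): enumerate Run/RunOnce entries from an
# offline image mounted at $MountRoot, resolve paths against the image instead of the
# examiner's C:\, and verify Authenticode signatures on the image's own files.
# Requires an elevated prompt (reg.exe load needs it).
param(
    [string]$MountRoot   = 'G:\',              # drive letter of the mounted image (assumption)
    [string]$UserProfile = 'G:\Users\victim'   # profile directory holding NTUSER.DAT (assumption)
)

$systemHive = Join-Path $MountRoot 'Windows\System32\config\SOFTWARE'
$userHive   = Join-Path $UserProfile 'NTUSER.DAT'

# Work on copies so a read-only forensic mount is never written to and never blocks the load.
$scratch = Join-Path $env:TEMP ('offline_' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $scratch | Out-Null
Copy-Item -LiteralPath $systemHive -Destination (Join-Path $scratch 'SOFTWARE')
Copy-Item -LiteralPath $userHive   -Destination (Join-Path $scratch 'NTUSER.DAT')

reg.exe load 'HKLM\OffSoftware' (Join-Path $scratch 'SOFTWARE')   | Out-Null
reg.exe load 'HKLM\OffUser'     (Join-Path $scratch 'NTUSER.DAT') | Out-Null

# A small subset of the locations Autoruns covers: machine and per-user Run/RunOnce.
$keys = @(
    @{ Label = 'HKLM\SOFTWARE'; Path = 'HKLM:\OffSoftware\Microsoft\Windows\CurrentVersion\Run' },
    @{ Label = 'HKLM\SOFTWARE'; Path = 'HKLM:\OffSoftware\Microsoft\Windows\CurrentVersion\RunOnce' },
    @{ Label = 'HKCU';          Path = 'HKLM:\OffUser\Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Label = 'HKCU';          Path = 'HKLM:\OffUser\Software\Microsoft\Windows\CurrentVersion\RunOnce' }
)

function Resolve-ImagePath {
    param([string]$Command, [string]$Root)
    # Drop arguments: keep the quoted token, otherwise the first whitespace-delimited token.
    if ($Command -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($Command -split '\s+')[0] }
    # Expand the variables the offline system would have used, then re-root C:\ onto the mount.
    $exe = $exe -replace '%SystemRoot%', 'C:\Windows' -replace '%windir%', 'C:\Windows'
    if ($exe -match '^[A-Za-z]:\\') { $exe = Join-Path $Root $exe.Substring(3) }
    return $exe
}

$results = foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key.Path)) { continue }
    # Note: Get-ItemProperty expands REG_EXPAND_SZ with the *examiner's* environment,
    # which is the same class of pitfall the post describes; Resolve-ImagePath re-roots it.
    $props = Get-ItemProperty -LiteralPath $key.Path
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $cmd = [string]$prop.Value
        if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
        $path   = Resolve-ImagePath -Command $cmd -Root $MountRoot
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        # Signature check runs against the file on the image, never the workstation's copy.
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'File not found' }
        [pscustomobject]@{
            Hive      = $key.Label
            Entry     = $prop.Name
            Command   = $cmd
            ImagePath = $path
            Signature = $sig
        }
    }
}

$results | Format-Table -AutoSize

reg.exe unload 'HKLM\OffSoftware' | Out-Null
reg.exe unload 'HKLM\OffUser'     | Out-Null
Remove-Item -LiteralPath $scratch -Recurse -Force
```

Any row whose Signature column reads "File not found" deserves a second look: either the entry points at something that was deleted (a common sign of removed malware) or, as in the post, the path was resolved against the wrong volume.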

While Autoruns has made a big step forward as a dead forensics tool, I encountered too many problems to recommend it as anything other than a "beta" product. That being said, I have the utmost respect for the Sysinternals Team and I am confident that these bugs will be fixed in an upcoming release. Maybe they will even add column sorting for the GUI interface (hint-hint). I'll make a point to update this post when the bug fixes occur.

Chad Tilbury, GCFA, has spent over ten years conducting computer crime investigations ranging from hacking to espionage to multi-million dollar fraud cases. He teaches FOR408 Windows Forensics and FOR508 Advanced Computer Forensic Analysis and Incident Response for the SANS Institute. Find him on Twitter @chadtilbury or at http://ForensicMethods.com.

16 Comments

Posted June 29, 2010 at 3:03 PM

Rob Lee

Great post! I was wondering as well about the command line side and thought I was doing something wrong. Have you sent in any emails to MS and Sysinternals to report the problems? Seriously a worthwhile post you just wrote. Thanks for doing so.

Posted July 1, 2010 at 12:08 AM

Bryce Cogswell

Hi Chad, thanks for the review of the offline feature of Autoruns. This support was kind of hacked into it and it isn't surprising you found some edge cases that weren't picked up in our testing. It would be great if you could get in touch with me to help us isolate the source of the issues you saw.
Bryce Cogswell (Sysinternals)

Posted July 5, 2010 at 4:56 PM

Wayne Dawson

IMDisk sounds great. Probably Paraben's freeware P2 eXplorer diskmounter would work too, if one has it.
IMDisk is open source with code available for review, so I'd probably prefer it, but if someone already has paraben's tool, it sounds like it will work too.

Posted July 14, 2010 at 2:51 AM

Rob Cole

Good post, always nice to have another tool in the toolbox.

Posted July 27, 2010 at 8:03 PM

Clint Hastings

I'm running into issues with Autoruns 10.02 "Analyze Offline System" function as well. I'm running Vista and in my use case I have a remote drive that I've mounted locally on my machine as a local drive letter via Guidance PDE. Whenever I point Autoruns (which I've "Run as Administrator") to the PDE mounted drive for offline analysis, Autoruns just immediately crashes. Also, I've been unable to get the command-line program to work as well. For some reason, even if I open up a command prompt with "Run as Administrator", autorunsc -z complains that it requires Admin privs to run an offline analysis.

Posted July 28, 2010 at 3:59 PM

Clint Hastings

FYI. On Vista, Autoruns 10.02 also immediately crashes when trying to run "Analyze Offline System" against a "locally stored" drive image that has been mounted as a drive letter via Guidance PDE. The app crash generates the following problem details:
Problem signature:
Problem Event Name:BEX
Application Name:autoruns.exe
Application Version:10.2.0.0
Application Timestamp:4c431b1f
Fault Module Name:autoruns.exe
Fault Module Version:10.2.0.0
Fault Module Timestamp:4c431b1f
Exception Offset:0004841f
Exception Code:c0000417
Exception Data:00000000
OS Version:6.0.6002.2.2.0.256.6
Locale ID:1033
Additional Information 1:f2b2
Additional Information 2:afefafa8f472280afb45c06cd754c2f0
Additional Information 3:7881
Additional Information 4:f1e1b1ebadc82b03989e14973ad3089a

Posted July 29, 2010 at 5:27 PM

Chad Tilbury

Clint, thanks for the update on the newest version of Autoruns (10.02). I had a good conversation with Bryce Cogswell from SysInternals and we talked about the forensic use cases of the tool. I didn't see any mention of changes to the offline option in the 10.02 release, so I'm guessing they have not yet had time to fix some of the issues we are seeing.
Apparently the tool was designed with mounted VHD files in mind, so that would be a good first test, followed by some of our forensic mounting tools like IMdisk and PDE.
Please keep us updated if you have any luck!

Posted August 2, 2010 at 8:15 PM

Kai Sumann

Hi Chad, thanks for your article. And a big thank you to Sysinternals for the great tools.
I found two other bugs in version 10.02 when doing an offline analysis:
1. Scheduled tasks are not listed
2. RegKey HKLM\System\Classes and subkeys are not scanned (in normal mode, they are)
Is there a way to show autoruns of all users instead of one?

Posted October 28, 2010 at 5:23 PM

Rob Lee

Have the bugs been fixed yet in autoruns? Do they need additional testers? I think this capability is an enormous advantage to helping identify malware on a machine and how it is maintaining persistence.
Chad, can you ping your contact on it?

Posted October 28, 2010 at 5:55 PM

Dave Hull

I just tried it with the latest version of Autoruns. I'm logged into a system as the local administrator. I have a Windows XP image mounted using the latest FTK Imager (sweet). I'm running: "autorunsc -a -z g:\[root]\Windows useracct" and am getting the following message: "Autoruns requires Administrator privilege to analyze an offline system"
Maybe it's wanting me to use an account that matches the administrator account for the system I have mounted. If I get time, I'll try to dig into it further.

Posted April 3, 2011 at 8:05 PM

Chad Tilbury

Just a quick update. The SysInternals team has confirmed that the problems many of us have encountered with this new feature result from the read-only nature of our mounted forensic images. Apparently the current version of the tool requires write access to operate correctly.

Posted May 6, 2011 at 1:00 PM

Cedric Pernet

Thank you very much for this excellent post. It really will help me speed up some malware analysis ;-)

Posted July 22, 2011 at 4:07 PM

Brian Perkins

Gents, can any of you recommend a disk mounting tool that will run on Win7 to mount the image so it has write access to allow autoruns to work correctly?

Posted September 25, 2011 at 11:25 PM

James

Most of these posts are now a bit old but I am curious how many have had luck using the Offline Autoruns option in a WinPE based environment? It would be more ideal to boot via cd/dvd or USB and run this when the system in question fails to boot rather than needing to create an image then proceed to use Autoruns.

Posted October 7, 2011 at 9:41 AM

Kai Sumann

Hi James,
If you use BartPE (I know it is old), I can remember that there was an additional plugin which loads the offline registry into the PE environment. Then you can use Autoruns in the normal way. The plugin is called RunScanner and is provided by a guy named paraglider.
I can remember that Autoruns crashed if started with RunScanner AND when you use the mouse wheel. But it works.

Posted March 8, 2013 at 9:53 PM

Mattias Baecklund

Brian Perkins,
I use FTK Imager to mount evidence files as writeable. You have to use the install version. I have tried it on E01 files but I think it also works on raw files. It will store the changes in a separate file, at least in the case of an E01, so that the evidence won't be changed.