Analyzing Malware Persistence with Autoruns

Overview

Sysinternals Autoruns extracts data from hundreds of Auto-Start Extensibility Points (ASEPs) on Windows, scanning 18+ categories including Run/RunOnce keys, services, scheduled tasks, drivers, Winlogon entries, LSA providers, print monitors, WMI subscriptions, and AppInit DLLs. Digital signature verification filters Microsoft-signed entries. The compare function identifies newly added persistence via baseline diffing. VirusTotal integration checks hash reputation. Offline analysis via -z flag enables forensic disk image examination.

When to Use

• When investigating security incidents that require analyzing malware persistence with autoruns
• When building detection rules or threat hunting queries for this domain
• When SOC analysts need structured procedures for this analysis type
• When validating security monitoring coverage for related attack techniques

Prerequisites

• Sysinternals Autoruns (GUI) and Autorunsc (CLI)
• Administrative privileges on target system
• Python 3.9+ for automated analysis
• VirusTotal API key for reputation checks