AUTORUNS — PERSISTENCE & AUTOSTART REFERENCE
PERSISTENCE HUNTING
// OVERVIEW
Autoruns lists everything configured to launch automatically on Windows (executables, DLLs, drivers, tasks) whatever the trigger: boot, logon, service start, or a host process such as Explorer or a browser loading an add-in. It enumerates well over a hundred autostart locations (Run keys, startup folders, services and drivers, scheduled tasks, Winlogon, LSA and Winsock providers, WMI subscriptions, Explorer/Office/IE add-ins, codecs, known DLLs, image hijacks and more), where the built-in Task Manager Startup tab and msconfig show only Run keys and startup folders. Created by Mark Russinovich and Bryce Cogswell; now part of the official Microsoft Sysinternals suite.

Why it matters: malware, RATs and rootkits need a persistence mechanism to survive a reboot, and every persistence mechanism is by definition an autostart location. Autoruns exposes them in a single view. Blue teamers use it to baseline hosts and diff that baseline after an incident; red teamers study the same view to learn which locations it shows, and how prominently, before choosing a less-visible one.
// EXECUTABLES
Binary | Description | Typical use
Autoruns.exe / Autoruns64.exe | GUI: full visual view of all autostart locations, colour highlighting, VirusTotal integration | Interactive investigation
autorunsc.exe / autorunsc64.exe | Command-line version: scriptable, CSV/XML output, no GUI required | Automated baselining, scripting, remote runs (e.g. via PsExec)
Autoruns64a.exe / autorunsc64a.exe | ARM64 builds for Surface and other ARM Windows devices | ARM architecture systems
// COMMAND SYNTAX (autorunsc)
autorunsc64.exe -accepteula -nobanner -a * -c -h -s -v -vt
Full scan of every category, CSV output, file hashes, signature verification, VirusTotal hash lookup. -v performs the lookup; -vt accepts the VirusTotal terms so the run does not prompt.

Common flags:
-a *          Scan all autostart categories
-a b          Boot execute
-a d          AppInit DLLs
-a e          Explorer add-ons
-a g          Sidebar gadgets
-a h          Image hijacks (IFEO)
-a i          Internet Explorer add-ons
-a k          Known DLLs
-a l          Logon entries (Run keys, startup folders); the default when -a is omitted
-a m          WMI entries (event subscriptions)
-a n          Winsock protocol and network providers
-a o          Codecs
-a p          Printer monitor DLLs
-a r          LSA providers
-a s          Autostart services and non-disabled drivers
-a t          Scheduled tasks
-a w          Winlogon entries
              (Office add-ins have no letter of their own in autorunsc; -a * covers them)
-c            Output as CSV (-ct for tab-delimited)
-x            Output as XML
-h            Show file hashes (MD5, SHA-1, SHA-256, plus PE and import hashes)
-s            Verify digital signatures
-m            Hide Microsoft-signed entries (only meaningful together with -s)
-t            Show timestamps as normalised UTC (YYYYMMDD-hhmmss)
-u            Show only unsigned entries; when -v is also given, show entries VirusTotal does not know or has flagged
-v            Query VirusTotal by file hash (-vr also opens reports for hits, -vs uploads files VirusTotal has never seen)
-vt           Accept the VirusTotal terms of service (without it, -v prompts interactively)
-z <systemroot> <userprofile>
              Scan an offline Windows installation (mounted image or dead disk) instead of the live system
user          Positional argument: scan that user's profile; '*' scans all user profiles
-accepteula   Accept the Sysinternals EULA without a dialog
-nobanner     Suppress the banner (for scripting)

There is no switch that skips signature checks; verification runs only when -s is given, so leave -s off for a faster pass.

Baseline comparison workflow:
autorunsc64.exe -accepteula -nobanner -a * -c -h -s -t > baseline.csv
Run the same command after the incident, then diff the two CSVs. Diff on entry location + entry name + hash rather than on whole lines, so a binary replaced behind an unchanged Run value still shows up.
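The baseline workflow above as an added PowerShell example (not from the Sysinternals documentation or this page). It assumes autorunsc64.exe is on PATH and that its CSV header contains the columns Entry Location, Entry, Image Path, Signer and SHA-256; confirm the header of your version's output before relying on those names. The two embedded snapshots are constructed sample data, not captured output, so the comparison itself can be run on a machine without the tool.

```powershell
# Added example: autorunsc snapshot and diff. Not Sysinternals code. The column
# names ("Entry Location", "Entry", "Image Path", "Signer", "SHA-256") are taken
# from autorunsc's CSV header; confirm them against your build's output.

function New-AutorunsSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # -t: UTC timestamps so snapshots from different hosts line up.
    # Round-tripping through ConvertFrom-Csv/Export-Csv normalises the file
    # encoding; Import-Csv reads it back without guessing at a BOM.
    & autorunsc64.exe -accepteula -nobanner -a * -c -h -s -t | ConvertFrom-Csv |
        Export-Csv -Path $Path -NoTypeInformation
    if ($LASTEXITCODE -ne 0) { throw "autorunsc64.exe exited with code $LASTEXITCODE" }
}

function Get-AutorunsKey {
    param([Parameter(Mandatory)]$Row)
    # Location + entry name + image hash: a binary swapped behind an unchanged
    # Run value still surfaces, which a diff on the name alone would miss.
    '{0}|{1}|{2}' -f $Row.'Entry Location', $Row.Entry, $Row.'SHA-256'
}

function Compare-AutorunsSnapshot {
    param(
        [Parameter(Mandatory)][object[]]$Baseline,
        [Parameter(Mandatory)][object[]]$Current
    )
    $known = @{}
    foreach ($row in $Baseline) { $known[(Get-AutorunsKey $row)] = $true }
    foreach ($row in $Current) {
        if ($known.ContainsKey((Get-AutorunsKey $row))) { continue }
        [pscustomobject]@{
            Location = $row.'Entry Location'
            Entry    = $row.Entry
            Image    = $row.'Image Path'
            Signer   = $row.Signer
            Sha256   = $row.'SHA-256'
        }
    }
}

# Constructed sample snapshots (not real autorunsc output; hashes are placeholders).
$baselineCsv = @'
"Entry Location","Entry","Image Path","Signer","SHA-256"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","c:\windows\system32\securityhealthsystray.exe","(Verified) Microsoft Windows","A1A1"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","OneDrive","c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe","(Verified) Microsoft Corporation","B2B2"
'@
$currentCsv = @'
"Entry Location","Entry","Image Path","Signer","SHA-256"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","c:\windows\system32\securityhealthsystray.exe","(Verified) Microsoft Windows","A1A1"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","OneDrive","c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe","(Verified) Microsoft Corporation","C3C3"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","{8f1c2d3e-4a5b-4c6d-8e9f-0a1b2c3d4e5f}","c:\users\alice\appdata\local\temp\svchost.exe","(Not verified)","D4D4"
'@

$delta = Compare-AutorunsSnapshot -Baseline ($baselineCsv | ConvertFrom-Csv) `
                                  -Current  ($currentCsv  | ConvertFrom-Csv)
$delta | Format-Table -AutoSize

# Live use:
#   New-AutorunsSnapshot -Path C:\baseline\HOST01.csv    # on the known-good host
#   New-AutorunsSnapshot -Path C:\ir\HOST01.csv          # after the incident
#   Compare-AutorunsSnapshot -Baseline (Import-Csv C:\baseline\HOST01.csv) `
#                            -Current  (Import-Csv C:\ir\HOST01.csv)
```

On the constructed data two rows come back: OneDrive, because its hash changed behind an unchanged name (an update or a replaced binary; the Signer column tells you which), and the unsigned Temp entry, because it did not exist in the baseline. Keying on the hash is the design choice that matters; a plain line diff would still catch both here, but only because the sample is small.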
// KEY PERSISTENCE LOCATIONS
Registry Run keys: the most common malware persistence, and the first place every tool looks.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
RunOnce values are deleted after they execute, so a RunOnce entry present at scan time has not fired yet.
Scheduled tasks: stealthy, granular triggers (boot, logon, idle, event, calendar).
C:\Windows\System32\Tasks\                                                       task definition XML, one file per task
C:\Windows\SysWOW64\Tasks\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks       per-task GUID keys (actions, triggers)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree        task name to GUID mapping
A task "removed" by deleting only its XML still has its TaskCache keys; compare the two when a task looks tampered with.
Services: start without any user logon, typically as LocalSystem (or LocalService/NetworkService). A service DLL hosted by svchost.exe has no process of its own, so check Parameters\ServiceDll as well as ImagePath.
HKLM\SYSTEM\CurrentControlSet\Services\<name>     (ImagePath, or Parameters\ServiceDll for svchost-hosted services)
Startup folders (per-user and all-users):
C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
Winlogon / Image File Execution Options (IFEO): debugger hijack.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell should be explorer.exe and Userinit should be C:\Windows\system32\userinit.exe, (trailing comma); anything appended to either runs at every logon.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[exe]
    Debugger = C:\evil\backdoor.exe
The Debugger program is started in place of [exe], with [exe]'s command line appended as its argument; the original binary runs only if the "debugger" chooses to launch it. Both keys are HKLM only, so writing them needs admin.
AppInit_DLLs: every process that loads User32.dll also loads the DLLs listed here.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs            (Wow6432Node equivalent for 32-bit processes)
Only honoured while LoadAppInit_DLLs in the same key is 1, and on Windows 8 and later the mechanism is disabled entirely when Secure Boot is on, so an entry here on a modern machine is either inert or evidence of a deliberately downgraded configuration.
COM object hijacking: for a non-elevated process, a per-user CLSID registration under HKCU is consulted before the machine-wide one under HKLM.
HKCU\Software\Classes\CLSID\{GUID}\InprocServer32     (default value = path of the DLL that replaces the real server)
Elevated (high-integrity) processes ignore HKCU\Software\Classes, so the hijack reaches only processes running as that user.
// RED TEAM USE
Run key persistence: the most common and the most watched. HKCU needs no admin but fires only when that user logs on; HKLM needs admin and fires for every user. Autoruns lists both under Logon, so neither hive is hidden from it.
Scheduled task persistence: task names blend in when they copy the naming and XML structure of legitimate Microsoft tasks. A boot trigger (runs as SYSTEM before any logon) needs admin; a logon trigger in the current user's context does not.
IFEO Debugger hijack: set the Debugger value for a legitimate binary so your payload is launched with the target's command line as its argument. The classic target is sethc.exe (sticky keys), reachable from the logon screen. HKLM only, so admin is required, and Autoruns shows it under Image Hijacks.
COM hijacking: per-user CLSID override under HKCU\Software\Classes, no admin required. The payload DLL runs inside a legitimate host process rather than as a process of its own, so process-based allowlisting sees only the host, and installers that write HKLM do not overwrite the HKCU entry. Autoruns checks HKCU\Software\Classes\CLSID for the COM objects it already enumerates, so a hijack of an autostarted object appears; a hijack of some other object does not.
WMI event subscriptions: event-based trigger with no Run key or task. Autoruns covers them under its WMI tab (autorunsc -a m), so they are not invisible to it; they are missed only by scans that omit the category.
Fileless persistence: a Run value or task that launches powershell.exe with a Base64-encoded command held in the registry. The launcher is still visible to Autoruns; what it defeats is hash-based detection, because the payload never exists as a file to hash.
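An added, lab-only PowerShell example (not from this page or from Sysinternals) that plants benign versions of the first two techniques above, an HKCU Run value and a logon-triggered scheduled task, confirms that a full autorunsc scan reports both, and then removes them. Its use is to prove that a baseline diff and the matching SIEM rules actually fire before you need them. The entry and task names are invented for the test, and the "payload" is notepad.exe.

```powershell
# Added lab-only example, not from this page or Sysinternals. Plants two benign
# autostart entries (HKCU Run value, logon-triggered task; neither needs admin),
# shows what autorunsc reports for them, then removes them.
# Names are invented for the test; the payload is notepad.exe.

$RunKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunName  = 'AutorunsLabTest'
$TaskName = 'AutorunsLabTest'
$Payload  = Join-Path $env:SystemRoot 'System32\notepad.exe'

function Install-LabPersistence {
    # Technique 1: per-user Run value. Fires at this user's next logon only.
    New-ItemProperty -Path $RunKey -Name $RunName -Value $Payload -PropertyType String -Force | Out-Null

    # Technique 2: logon-triggered task in the current user's context.
    # Register-ScheduledTask writes the task XML under System32\Tasks and the
    # TaskCache registry keys, both of which Autoruns enumerates.
    $action  = New-ScheduledTaskAction -Execute $Payload
    $trigger = New-ScheduledTaskTrigger -AtLogOn -User "$env:USERDOMAIN\$env:USERNAME"
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Force | Out-Null
}

function Get-LabPersistence {
    # What a defender's full scan returns for the two planted entries.
    # Assumes autorunsc64.exe is on PATH and emits CSV with an "Entry" column.
    & autorunsc64.exe -accepteula -nobanner -a * -c -s | ConvertFrom-Csv |
        Where-Object { $_.Entry -eq $RunName -or $_.Entry -like "*$TaskName*" }
}

function Remove-LabPersistence {
    Remove-ItemProperty -Path $RunKey -Name $RunName -ErrorAction SilentlyContinue
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction SilentlyContinue
}

try {
    Install-LabPersistence
    Get-LabPersistence | Format-Table 'Entry Location', Entry, 'Image Path', Signer -AutoSize
}
finally {
    Remove-LabPersistence   # never leave test persistence behind, even on error
}
```

While the two entries exist, the Security log should carry a 4698 for the task and Sysmon (if installed) a 13 for the Run value; if either is missing, the gap is in collection, not in Autoruns. The try/finally matters: test persistence that survives a failed run is indistinguishable from the real thing to the next analyst.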
// BLUE TEAM INDICATORS
Unsigned entries: autorunsc -s -u lists only entries whose image has no verifiable signature. Most commercial software is signed; the usual legitimate exceptions are in-house tools and scripts, so treat an unsigned entry as a triage candidate rather than a verdict.
Entries in TEMP / AppData: legitimate software rarely persists from %TEMP%, AppData\Local\Temp or Downloads. Per-user installs under AppData\Local\<Vendor> (OneDrive, Teams, browsers) are common and signed; an unsigned image in a temp path is the combination to chase.
Random-looking names: GUIDs, hex strings or garbled names as Run value names or task names are suspicious. So is a familiar name (svchost.exe, OneDrive) whose image path does not match the real product.
VirusTotal hits: the GUI and autorunsc -v submit hashes. Any non-zero detection count warrants immediate investigation; the denominator varies with the number of engines, so key on "non-zero", not on a particular ratio. Combined with -v, -u narrows output to entries VirusTotal has never seen or has flagged.
Baseline delta: diff today's autorunsc CSV against a clean baseline. Entries present now but absent then are candidates, as are entries whose hash changed behind an unchanged name.
Yellow highlighting: the GUI highlights in yellow any entry whose image file cannot be found: dead persistence left behind by deleted malware, or by an uninstaller that did not clean up. Record the launch string before removing the entry; it tells you where the payload lived. Pink highlighting means a missing or unverifiable publisher signature, not a missing file.
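The indicators above applied to an autorunsc CSV, as an added PowerShell example (not part of Autoruns or this page). It assumes the CSV carries Entry Location, Entry, Image Path, Signer and Launch String columns, that verified signers appear as "(Verified) <name>", and that a missing image is written as "File not found: <path>"; check all three against your version's output. The sample rows are constructed, and the encoded-command blob is a placeholder, not a real payload.

```powershell
# Added example: scores an autorunsc CSV against the blue-team indicators.
# Not part of Autoruns. Column names, the "(Verified) " signer prefix and the
# "File not found: " image prefix are assumptions about autorunsc's output.

function Get-AutorunsTriage {
    param([Parameter(Mandatory)][object[]]$Rows)
    foreach ($row in $Rows) {
        $reasons = [System.Collections.Generic.List[string]]::new()
        $image   = [string]$row.'Image Path'
        $launch  = [string]$row.'Launch String'
        $signer  = [string]$row.Signer

        if ($image -like 'File not found*') {
            $reasons.Add('image missing (dead persistence; keep the launch string)')
        }
        elseif ($signer -notlike '(Verified)*') {
            $reasons.Add('no verified signature')
        }
        # Temp and download locations; AppData\Local\<Vendor> on its own is normal.
        if ($image -match '\\(temp|downloads)\\') {
            $reasons.Add('runs from a temp/download directory')
        }
        # GUID-shaped or long hex entry names.
        if ($row.Entry -match '^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$' -or
            $row.Entry -match '^[0-9a-f]{16,}$') {
            $reasons.Add('random-looking entry name')
        }
        # Familiar name, wrong path. Assumes Windows lives in C:\Windows.
        if ($image -match '\\svchost\.exe$' -and
            $image -notmatch '^c:\\windows\\(system32|syswow64)\\') {
            $reasons.Add('svchost.exe outside System32/SysWOW64')
        }
        # Launcher for a fileless payload: encoded PowerShell in the autostart value.
        if ($launch -match 'powershell.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}') {
            $reasons.Add('encoded PowerShell in launch string')
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Score    = $reasons.Count
                Location = $row.'Entry Location'
                Entry    = $row.Entry
                Image    = $image
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample rows (not captured output). The -enc blob is twelve 'A's in
# UTF-16LE Base64, a placeholder that only exercises the regex.
$sampleCsv = @'
"Entry Location","Entry","Image Path","Signer","Launch String"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","c:\windows\system32\securityhealthsystray.exe","(Verified) Microsoft Windows","%windir%\system32\SecurityHealthSystray.exe"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","OneDrive","c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe","(Verified) Microsoft Corporation","""C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"" /background"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","{8f1c2d3e-4a5b-4c6d-8e9f-0a1b2c3d4e5f}","c:\users\alice\appdata\local\temp\svchost.exe","(Not verified)","C:\Users\alice\AppData\Local\Temp\svchost.exe"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","Updater","File not found: C:\Users\alice\AppData\Roaming\upd.exe","","C:\Users\alice\AppData\Roaming\upd.exe"
"Task Scheduler","\Sync","c:\windows\system32\windowspowershell\v1.0\powershell.exe","(Verified) Microsoft Windows","powershell.exe -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"
'@

$sampleCsv | ConvertFrom-Csv | Get-AutorunsTriage |
    Sort-Object Score -Descending | Format-Table -AutoSize -Wrap

# Live use: Get-AutorunsTriage -Rows (Import-Csv C:\ir\HOST01.csv)
```

The score is a sort key, not a verdict: the GUID-named Temp entry collects four reasons and floats to the top, the signed powershell.exe task is flagged purely on its launch string (the image itself is Microsoft's), and the two genuine Microsoft entries produce nothing. Tune the path and name patterns to your estate rather than treating them as universal.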
// GUI COLOUR GUIDE
Highlight | Meaning | Action
Pink row | No publisher information, or the digital signature is absent or does not verify (shown once signature verification is enabled in Options) | Investigate: unsigned, self-signed or tampered image
Yellow row | File not found: the entry references an image that no longer exists | Record the launch string as evidence, then delete the entry; the file is already gone
Green row | New entry relative to a saved scan (File > Compare) | Explain every green row against the known change history
Red text in the VirusTotal column | Non-zero VirusTotal detection count | Treat as a hit: pull the file and the launch string
Unchecked entry | Disabled through Autoruns; the value is moved to an AutorunsDisabled subkey beside its original location | Not active, but still present and trivially re-enabled; note it
Autoruns does not use grey, blue or purple rows; those are Process Explorer's conventions, not this tool's.
// SIEM / DETECTION RULES
Key Windows event IDs to monitor for autostart-related persistence:
Event ID | Source | Meaning
4697 | Security | A service was installed (needs Audit Security System Extension)
4698 | Security | Scheduled task created (needs Audit Other Object Access Events)
4699 | Security | Scheduled task deleted
4700 / 4701 | Security | Scheduled task enabled / disabled
4702 | Security | Scheduled task updated
7045 | System | Service Control Manager: a new service was installed (logged without any audit policy)
12 | Sysmon | Registry key created or deleted
13 | Sysmon | Registry value set (monitor the Run key and the other paths below)
11 | Sysmon | File created (Startup folders, System32\Tasks)
19 / 20 / 21 | Sysmon | WMI event filter / consumer / filter-to-consumer binding created (WMI subscription persistence)

Sysmon registry filter (sigma-style target), TargetObject contains:
\CurrentVersion\Run
\CurrentVersion\RunOnce
\Winlogon\Shell
\Winlogon\Userinit
\Image File Execution Options
\AppInit_DLLs
\Classes\CLSID\ together with \InprocServer32 (per-user COM hijack)
Sysmon writes per-user keys as HKU\<SID>\..., not HKCU\..., so match on the path fragment rather than on the hive prefix.
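The watchlist above applied to Sysmon Event ID 13 records, as an added PowerShell example (not a rule from this page or from Sysmon). Field names follow Sysmon's RegistryEvent (SetValue) schema (Image, TargetObject, Details); the Get-WinEvent path reads the live operational log, and the sample events at the bottom are constructed so the filter can run on a host without Sysmon.

```powershell
# Added example: applies the TargetObject watchlist to Sysmon Event ID 13.
# Not a rule from this page or from Sysmon. Field names (Image, TargetObject,
# Details) follow Sysmon's RegistryEvent (SetValue) schema.

$PersistenceTargets = @(
    '\CurrentVersion\Run'            # also matches RunOnce
    '\Winlogon\Shell'
    '\Winlogon\Userinit'
    '\Image File Execution Options'
    '\AppInit_DLLs'
    '\Classes\CLSID\'                # per-user COM hijack; paired with the server value below
)

function Test-PersistenceTarget {
    param([Parameter(Mandatory)][string]$TargetObject)
    foreach ($fragment in $PersistenceTargets) {
        if ($TargetObject.IndexOf($fragment, [System.StringComparison]::OrdinalIgnoreCase) -lt 0) { continue }
        # A CLSID write only matters when it points the object at a new server.
        if ($fragment -eq '\Classes\CLSID\' -and $TargetObject -notmatch 'InprocServer32|LocalServer32') { continue }
        return $fragment
    }
    return $null
}

function ConvertFrom-SysmonEvent {
    # Flattens an EventRecord from Get-WinEvent into the fields the filter needs.
    param([Parameter(Mandatory)]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time         = $Record.TimeCreated
        EventId      = $Record.Id
        Image        = $data['Image']
        TargetObject = $data['TargetObject']
        Details      = $data['Details']
    }
}

function Find-RegistryPersistence {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        if ($e.EventId -ne 13) { continue }
        $hit = Test-PersistenceTarget -TargetObject $e.TargetObject
        if ($null -eq $hit) { continue }
        # Image is the process that wrote the value, not the persisted binary;
        # Details carries the value data, which is where the payload path lives.
        [pscustomobject]@{
            Time    = $e.Time
            Rule    = $hit
            Writer  = $e.Image
            Target  = $e.TargetObject
            Details = $e.Details
        }
    }
}

# Live use (Sysmon installed, run elevated):
#   $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 } -MaxEvents 5000 |
#           ForEach-Object { ConvertFrom-SysmonEvent $_ }
#   Find-RegistryPersistence -Events $live

# Constructed sample events (not captured from a real host). Sysmon reports
# per-user keys as HKU\<SID>\..., which is why the watchlist carries no hive.
$sample = @(
    [pscustomobject]@{ Time = '2024-01-01 10:00:00'; EventId = 13; Image = 'C:\Windows\System32\reg.exe'
        TargetObject = 'HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater'
        Details = 'C:\Users\alice\AppData\Local\Temp\svchost.exe' }
    [pscustomobject]@{ Time = '2024-01-01 10:00:05'; EventId = 13; Image = 'C:\Windows\regedit.exe'
        TargetObject = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
        Details = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ Time = '2024-01-01 10:00:09'; EventId = 13; Image = 'C:\Windows\System32\svchost.exe'
        TargetObject = 'HKLM\System\CurrentControlSet\Services\Schedule\Start'
        Details = 'DWORD (0x00000002)' }
    [pscustomobject]@{ Time = '2024-01-01 10:00:12'; EventId = 12; Image = 'C:\Windows\System32\reg.exe'
        TargetObject = 'HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run'
        Details = '' }
)
Find-RegistryPersistence -Events $sample | Format-Table -AutoSize -Wrap
```

Of the four sample events, the Run value and the IFEO Debugger write match; the Services\Start change is outside the watchlist, and the Event ID 12 key creation is ignored by design (add a second branch if you want key creations under the same paths). Note that the writer of both hits is a Microsoft-signed tool (reg.exe, regedit.exe), which is exactly why the rule keys on the target path and value data rather than on the writing process.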