AutoRuns PowerShell Module

AutoRuns module was designed to help do live incident response and enumerate autoruns artifacts that may be used by legitimate programs as well as malware to achieve persistence.

Table of Contents

• Usage
  • Install the module
  • Functions
  • Help
• Issues
• Todo
• Credits
• Original Autoruns doc
• Original Autoruns.exe release history

<a name="Usage"/>

Usage

<a name="Install"/>

Install the module

The module is located on the PowerShellGallery

# Check the module on powershellgallery.com using PowerShellGet cmdlets
Find-Module -Name Autoruns -Repository PSGallery

Version    Name                                Repository           Description
-------    ----                                ----------           -----------                                   
14.0.2     AutoRuns                            PSGallery            AutoRuns is a module ...

# Save the module locally in Downloads folder
Save-Module -Name AutoRuns -Repository PSGallery -Path ~/Downloads

Stop and please review the content of the module, I mean the code to make sure it's trustworthy :-)

You can also verify that the SHA256 hashes of downloaded files match those stored in the catalog file

$HT = @{
    CatalogFilePath = "~/Downloads/AutoRuns/14.0.2/AutoRuns.cat"
    Path = "~/Downloads/AutoRuns/14.0.2"
    Detailed = $true
    FilesToSkip = 'PSGetModuleInfo.xml'
}
Test-FileCatalog @HT

# Import the module
Import-Module ~/Downloads/AutoRuns/14.0.2/AutoRuns.psd1 -Force -Verbose

<a name="Functions"/>

Check the command available

Get-Command -Module AutoRuns

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Compare-AutoRunsBaseLine                           14.0.2     AutoRuns
Function        Get-PSAutorun                                      14.0.2     AutoRuns
Function        New-AutoRunsBaseLine                               14.0.2     AutoRuns

<a name="Help"/>

Find the syntax

Get-PSAutorun

# View the syntax of Get-PSAutorun
Get-Command Get-PSAutorun -Syntax

Get-PSAutorun [-All] [-BootExecute] [-AppinitDLLs] [-ExplorerAddons] [-ImageHijacks] [-InternetExplorerAddons] [-KnownDLLs] [-Logon] [-Winsock] [-Codecs] [-OfficeAddins] [-PrintMonitorDLLs] [-LSAsecurityProviders] [-ServicesAndDrivers] [-ScheduledTasks] [-Winlogon] [-WMI] [-PSProfiles] [-ShowFileHash] [-VerifyDigitalSignature] [-User <string>] [<CommonParameters>]

Get-PSAutorun [-All] [-BootExecute] [-AppinitDLLs] [-ExplorerAddons] [-ImageHijacks] [-InternetExplorerAddons] [-KnownDLLs] [-Logon] [-Winsock] [-Codecs] [-OfficeAddins] [-PrintMonitorDLLs] [-LSAsecurityProviders] [-ServicesAndDrivers] [-ScheduledTasks] [-Winlogon] [-WMI] [-PSProfiles] [-Raw] [-User <string>] [<CommonParameters>]

New-AutoRunsBaseLine

# View the syntax of New-AutoRunsBaseLine
Get-Command New-AutoRunsBaseLine -Syntax

New-AutoRunsBaseLine [-InputObject] <Object[]> [[-FilePath] <string>] [-WhatIf] [-Confirm] [<CommonParameters>]

Compare-AutoRunsBaseLine

# View the syntax of Compare-AutoRunsBaseLine
Get-Command Compare-AutoRunsBaseLine -Syntax

Compare-AutoRunsBaseLine [[-ReferenceBaseLineFile] <string>] [[-DifferenceBaseLineFile] <string>] [<CommonParameters>]

View examples provided in the help

Get-PSAutorun

# Get examples from the help
 Get-Help Get-PSAutorun  -Examples

NAME
    Get-PSAutorun

SYNOPSIS
    Get Autorun entries.

    -------------------------- EXAMPLE 1 --------------------------

    PS C:\>Get-PSAutorun -BootExecute -AppinitDLLs

    -------------------------- EXAMPLE 2 --------------------------

    PS C:\>Get-PSAutorun -KnownDLLs -LSAsecurityProviders -ShowFileHash

    -------------------------- EXAMPLE 3 --------------------------

    PS C:\>Get-PSAutorun -All -ShowFileHash -VerifyDigitalSignature

    -------------------------- EXAMPLE 4 --------------------------

    PS C:\>Get-PSAutorun -All -User * -ShowFileHash -VerifyDigitalSignature

New-AutoRunsBaseLine

# Piping the filtered output of the Get-PSAutorun to the New-AutoRunsBaseLine function will create a .ps1 file in ~/Documents
Get-PSAutorun -VerifyDigitalSignature |
Where { -not($_.isOSbinary)} |
New-AutoRunsBaseLine -Verbose

# On Windows PowerShell, you can use the Out-GridView cmdlet to run and view the content of the file created
~\Documents\PSAutoRunsBaseLine-20201102214715.ps1 |
Out-GridView -PassThru

Compare-AutoRunsBaseLine

# You need two files in ~/Documents generated by the New-AutoRunsBaseLine function
Compare-AutoRunsBaseLine -Verbose

<a name="Issues"/>

Issues

• What are registrations in the WMI\Default namespace introduced in Autoruns v13.7? see c7eab48c77f578e0dcff61d2b46a479b28225a56

• If you run PowerShell 5.1 and Applocker in allow mode, you need to add a local appplocker rule that allows the module to be loaded. The module files aren't signed anymore with a DigiCert certificate.

If your corporate admin has turned off local group policy objects processing on a domain joined device, you'll need to add the trusted publisher rule in a Domain group policy.

gp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Name DisableLGPOProcessing -EA 0

<a name="Todo"/>

Todo

Coding best practices

• [x] Use PSScriptAnalyzer module to validate the code follows best practices
• [x] Write Pester tests for this module

OS and Software compatibility

• [x] Test the module in PowerShell Core 7.x (latest)
• [ ] Test the module on various versions of Windows 10
  • [x] 21H2
  • [x] 22H2
• [x] Test the module on various versions of Windows 11
  • [x] 21H2
  • [x] 22H2
• [ ] Review Office Add-ins code with Office x86 and x64 versions

General improvements

• [ ] Write a better implementation of the internal Get-RegValue function
• [ ] Review and improve regex used by the internal Get-PSPrettyAutorun function (ex: external paths)

New features

• [x] Replace HKCU and add an option to specify what user hive is being investigated
• [ ] Add timestamps on registry keys
• [ ] Analyze an offline image of Windows
• [x] Create a baseline of artifacts
• [x] Compare two baselines of artifacts

Help

• [ ] More examples
• [ ] Use external help?
• [ ] Internationalization?
• [ ] Copy the changelog at the end of the module in README.md
• [x] Document issues and write a pester tests to validate the module behavior if fixed

<a name="Credits"/>

Credits

Thanks go to:

• @LeeHolmes:
  • Improving common parameters 7fe8e7ea983325b5543da1300cb8a4636c7062ef
  • Filtering OS binaries 8efb0fad4585ecd4517b55ff5b5cec91f7dd364a

Get-PSAutorun -VerifyDigitalSignature | ? { -not $_.IsOSBinary }

<a name="AutorunsDoc"/>

Other links

• https://live.sysinternals.com
• https://docs.microsoft.com/en-us/sysinternals
• https://docs.microsoft.com/en-us/archive/blogs/sysinternals

<a name="AutorunsHistory"/>

Original Autoruns.exe from Mark Russinovich

Autoruns v14.1

This update to Autoruns, a utility for monitoring startup items, fixes a bug with detecting non-shortcut files in startup folders, fixes a bug with handling non-UNC, non-absolute paths, and improves theming support.

Autoruns v14.09

This Autoruns update fixes a bug preventing the enabling/disabling of startup folder items.

Autoruns v14.08

This Autoruns update fixes a series of application crashes, now correctly parses paths with spaces passed as command line arguments and improves .arn import functionality.

Autoruns v14.07

This Autoruns update can open .arn files from the command line, fixes RunDll32 parameter handling in some cases, supports toggling Active Setup entries, fixes a crash when no ProcExp can be found in the path and improves 32/64 bit redirection.

Autoruns v14.06

This Autoruns release fixes a crash happening for scheduled tasks containing spaces.

Autoruns v14.05

This update for Autoruns addresses a bug preventing opening and comparing .arn files.

Autoruns v14.04

This update for Autoruns adds a series of display/theme fixes, restores autorunsc, fixes a regression for rundll32 entries, limits p