- Understand what Sysinternals Autoruns is, what it analyzes, and why it offers the most complete view of what runs at Windows startup.
- Learn how to use Autoruns and Autorunsc to review startup locations, filter suspicious entries, and cross-check file hashes against VirusTotal.
- Apply Autoruns together with other Sysinternals tools in forensic analysis, persistence detection, and the review of suspicious processes.
- Learn best practices for downloading it safely, verifying its signature, and handling false positives when working with Autoruns.
Sysinternals Autoruns has become one of the essential tools for anyone who wants to know exactly what is loading on their Windows machine at startup, whether out of curiosity, for performance reasons, or to hunt malware that has slipped in without asking permission. It is not another "magic cleaner" but a powerful forensic utility that shows you every corner where a program can hook in to run automatically.
If you are concerned that your machine has unusual processes, suspicious scheduled tasks, or unsigned binaries that start automatically, Autoruns and its command-line counterpart, Autorunsc, let you review every known startup location, use VirusTotal to check file hashes, and distinguish fairly accurately between legitimate and potentially malicious software, including the Registry- and WMI-based persistence used by fileless malware. All of this comes in an official Microsoft Sysinternals tool that is lightweight and portable, designed for professionals and advanced users alike.
What is Sysinternals Autoruns and why is it key to detecting malware?
Autoruns is a utility originally created by Mark Russinovich and Bryce Cogswell that offers the most complete inventory of startup locations in Windows. Unlike the "Startup" tab of Task Manager or basic startup managers, Autoruns inspects a very large number of persistence points used by legitimate software and malware alike.
The tool lists the programs, services, drivers, and extensions that start with the system or at logon, together with those activated when built-in components such as Windows Explorer, Internet Explorer, or certain media players are opened. This covers both the common paths and the more obscure ones where malware likes to hide.
Among the locations Autoruns checks are the Startup folders, the Run and RunOnce Registry keys (machine-wide and per user), numerous additional persistence keys, and a long list of less obvious items: Explorer shell extensions, toolbars, Browser Helper Objects (BHOs), AppInit DLLs, image hijacks (Image File Execution Options), boot execute images, Winlogon notification packages, autostart services, Winsock Layered Service Providers (LSPs), multimedia codecs, WMI event subscriptions, and more.
In practice, this means Autoruns goes far beyond any typical startup manager: it offers a complete forensic view of every persistence mechanism configured on the system. That makes it ideal for diagnosing malware that launches at boot and for regular audits of corporate systems.
Alongside the graphical interface, the download package includes Autorunsc, the command-line version, which exports the same data as plain text, CSV, tab-delimited values, or XML. That makes it easy to automate, produce reports, and integrate into analysis or incident-response scripts.
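To make the list above concrete, here is an added example (not from the original article) that enumerates a few of those persistence locations directly from PowerShell and verifies the Authenticode signature of each launched binary: the Run/RunOnce keys for the machine and every user hive currently loaded under HKEY_USERS, the machine-wide and per-profile Startup folders, and the Winlogon Shell/Userinit values compared against their stock defaults. It is useful for cross-checking what Autoruns reports, or on a host where no tools may be copied. The function names are this example's own, the Winlogon defaults it compares against are the standard ones, and it should be run from an elevated session for full access.

```powershell
# Added example (not from the original article): enumerate a few of the persistence
# locations Autoruns covers directly from PowerShell and verify the signature of each
# launched binary. ASSUMPTIONS: the function names are this example's own; only user
# hives currently loaded under HKEY_USERS are seen; run elevated for full access.

# Extract the executable from a launch string such as  "C:\Program Files\V\app.exe" --tray
# or  C:\Windows\system32\userinit.exe,  (Winlogon values carry a trailing comma).
function Get-ImagePathFromCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return '' }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    $parts = $c -split ' '
    # Unquoted: the longest leading prefix that exists on disk wins (handles spaces in
    # the path as well as trailing arguments).
    for ($i = $parts.Count; $i -ge 1; $i--) {
        $candidate = (($parts[0..($i - 1)]) -join ' ') -replace ',.*$', ''
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    $first = $parts[0] -replace ',.*$', ''
    $app = Get-Command $first -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($app) { return $app.Source }   # bare names such as explorer.exe resolve via PATH
    return $first
}

function Get-PersistenceEntries {
    $runKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
               'Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    $roots = @('HKLM:') + @(Get-ChildItem Registry::HKEY_USERS | ForEach-Object { "Registry::$($_.Name)" })
    $psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $entries = @(foreach ($root in $roots) {
        foreach ($k in $runKeys) {
            $path = "$root\$k"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            foreach ($p in (Get-ItemProperty -LiteralPath $path).PSObject.Properties) {
                if ($p.Name -in $psNoise) { continue }
                [pscustomobject]@{ Location = $path; Name = $p.Name; Command = [string]$p.Value }
            }
        }
    })
    # Startup folders: machine-wide plus every profile directory (.lnk targets resolved).
    $startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp") +
        @(Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
            "$($_.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" })
    $wsh = New-Object -ComObject WScript.Shell
    $entries += @(foreach ($d in $startupDirs) {
        if (-not (Test-Path -LiteralPath $d)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $d -File -Force | Where-Object Name -ne 'desktop.ini') {
            $cmd = if ($f.Extension -eq '.lnk') { $wsh.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
            [pscustomobject]@{ Location = $d; Name = $f.Name; Command = $cmd }
        }
    })
    # Winlogon Shell / Userinit: classic hijack targets, compared against the stock values.
    $wl = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = @{ Shell = 'explorer.exe'; Userinit = "$env:SystemRoot\system32\userinit.exe," }
    foreach ($name in $expected.Keys) {
        $value = [string]$wl.$name
        if ($value -ne $expected[$name]) { Write-Warning "Winlogon $name is '$value', expected '$($expected[$name])'" }
        $entries += [pscustomobject]@{ Location = 'Winlogon'; Name = $name; Command = $value }
    }
    return $entries
}

# Resolve every entry to its binary and check the Authenticode status.
$report = foreach ($e in Get-PersistenceEntries) {
    $img = Get-ImagePathFromCommand $e.Command
    $status = if ($img -and (Test-Path -LiteralPath $img -PathType Leaf)) {
        (Get-AuthenticodeSignature -FilePath $img).Status
    } else { 'FileMissing' }
    [pscustomobject]@{ Location = $e.Location; Name = $e.Name; Image = $img; Signature = $status }
}
$report | Sort-Object Signature, Location | Format-Table -AutoSize -Wrap
```

Entries that come back as NotSigned or FileMissing, or a Winlogon warning, are exactly the rows to compare against what Autoruns shows for the same locations. Note that this only scratches a handful of the dozens of locations Autoruns covers (no services, drivers, scheduled tasks, WMI subscriptions, shell extensions or LSPs), which is the whole reason to use the tool rather than hand-rolled scripts.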

Safe download of Autoruns and concerns about false positives
Autoruns is an official Microsoft Sysinternals tool, and the right way to obtain it is to download it only from the official Microsoft site or from the Sysinternals site itself. The download is a small ZIP file of around 2.8 to 3 MB that contains both the 32-bit and 64-bit versions as well as Autorunsc.
It is not unusual for an isolated false positive to appear in services such as VirusTotal. When the ZIP downloaded from the official site was submitted, for example, there have been cases where a single antivirus engine, Zillya, labelled it as a Trojan ("Trojan.Rozena.Win32") while the rest of the engines (more than 70) rated it clean. Given that it is a well-known tool used widely in professional environments, isolated results like this are normally treated as false positives.
When deciding whether the file is safe to run, what matters is to confirm that the download came from the official Microsoft Sysinternals URL, validate the Authenticode signature of the executables, and, if you wish, check the hashes on VirusTotal. The signature check is the decisive one: a tampered or trojanized copy would not carry a valid Microsoft signature. One engine flagging a file while dozens rate it clean, particularly for a well-known Microsoft utility, points clearly to a misdetection.
In terms of security, Autoruns is used every day by administrators, forensic analysts, and cybersecurity professionals precisely because it helps find malware rather than introduce it. The key is to download it from the legitimate source and not from dubious third-party repositories.
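The verification steps just described, as an added example that is not part of the original article: fetch the ZIP, extract it, confirm that every executable and DLL carries a valid Authenticode signature whose leaf certificate is issued to Microsoft Corporation, record SHA-256 hashes for your notes, and optionally look each hash up on VirusTotal. The download URL is the documented Sysinternals location (https://download.sysinternals.com/files/Autoruns.zip); the `$VtApiKey` variable and the `Test-SysinternalsBinary` function name are this example's own, and the VirusTotal lookup uses the public v3 `files/{hash}` endpoint, which requires an API key you supply.

```powershell
# Added example (not from the original article or from Sysinternals): download the
# official Autoruns ZIP and verify it before anything is executed.
# ASSUMPTIONS: $DownloadUrl is the documented Sysinternals location; $VtApiKey is a
# hypothetical variable holding your own VirusTotal API key (leave $null to skip).
$DownloadUrl = 'https://download.sysinternals.com/files/Autoruns.zip'
$ZipPath     = Join-Path $env:TEMP 'Autoruns.zip'
$ToolDir     = Join-Path $env:TEMP 'Autoruns'
$VtApiKey    = $null

Invoke-WebRequest -Uri $DownloadUrl -OutFile $ZipPath -UseBasicParsing
Expand-Archive -Path $ZipPath -DestinationPath $ToolDir -Force

# A file passes only if the signature chains to a trusted root (Status = Valid) AND
# the signing certificate belongs to Microsoft Corporation. A copy re-signed by
# someone else, or with its signature stripped, fails here regardless of what VT says.
function Test-SysinternalsBinary {
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $isMicrosoft = ($sig.Status -eq 'Valid') -and
                   ($sig.SignerCertificate.Subject -match 'CN=Microsoft Corporation')
    [pscustomobject]@{
        File    = Split-Path $Path -Leaf
        Status  = $sig.Status
        Signer  = $sig.SignerCertificate.Subject
        SHA256  = $hash
        Trusted = $isMicrosoft
    }
}

$results = Get-ChildItem -Path $ToolDir -Include *.exe, *.dll -Recurse |
           ForEach-Object { Test-SysinternalsBinary -Path $_.FullName }
$results | Format-Table File, Status, Trusted, SHA256 -AutoSize

# Refuse to go further if anything is unsigned or not signed by Microsoft.
$bad = @($results | Where-Object { -not $_.Trusted })
if ($bad.Count -gt 0) {
    Write-Warning 'Do not run these files; their signatures did not verify as Microsoft:'
    $bad | Format-Table File, Status, Signer -AutoSize
    return
}

# Optional VirusTotal hash lookup. One "malicious" verdict among ~70 engines on a
# validly signed Microsoft binary is the false-positive pattern described above.
if ($VtApiKey) {
    foreach ($r in $results) {
        $uri = "https://www.virustotal.com/api/v3/files/$($r.SHA256)"
        try {
            $report = Invoke-RestMethod -Uri $uri -Headers @{ 'x-apikey' = $VtApiKey }
            $stats  = $report.data.attributes.last_analysis_stats
            $total  = $stats.malicious + $stats.suspicious + $stats.undetected + $stats.harmless
            '{0,-18} VT: {1}/{2} engines flag it' -f $r.File, $stats.malicious, $total
        } catch {
            '{0,-18} VT: not found or lookup failed ({1})' -f $r.File, $_.Exception.Message
        }
    }
}
```

Keep the printed SHA-256 values with your case notes; if a later copy of the same filename produces a different hash, you know it is a different build (or a different file) and can repeat the signature check before trusting it.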
Key features of Autoruns geared towards malware detection
The main Autoruns window is organized into tabs by category (Everything, Logon, Services, Scheduled Tasks, Drivers, Internet Explorer, and so on), which lets you quickly isolate the type of startup entry you want to review. The "Everything" tab acts as an overview containing all the entries found in startup folders, shortcuts, Registry keys, and the other automatic loading points.
Each entry comes with key information: the item name, the full path to the executable or DLL, the publisher (taken from the digital signature), its location in the Registry or file system, and its status (enabled or disabled). This transparency is very useful for locating both unwanted programs that slow down startup and suspicious binaries that could be malware.
Enabling or disabling items is as simple as checking or unchecking the box next to each entry. Unchecking an item stops it from running automatically when Windows starts; checking it again restores it. Autoruns implements this by moving the entry to an "AutorunsDisabled" subkey or folder rather than deleting it, which is why the change is reversible and safe to experiment with: if disabling something breaks a feature, simply re-enable it.
To completely remove a startup entry (for example, one belonging to confirmed malware), select it and press the Delete key or use the "Delete" button on the toolbar. This removes the reference at the persistence location (for example, the corresponding Run value) and, unless another component of the malware recreates it, prevents it from running again. The binary itself stays on disk and has to be removed separately.
A key feature for malware hunting is the "Hide Microsoft entries" option, which filters out all entries signed by Microsoft, leaving only third-party software visible. Enabling it removes a great deal of noise and makes it far easier to spot unusual items you do not remember installing or that come from unknown or unsigned publishers. Combine it with "Verify code signatures" so that the filter hides only entries whose Microsoft signature actually verifies, not anything that merely claims Microsoft as its publisher.
How to download, prepare, and start Autoruns correctly
Setting up Autoruns is very simple and needs no traditional installation. After downloading the ZIP file from the official site, save it in a folder of your choice (for example, Downloads) and extract its contents with the built-in Windows extractor or any similar tool.
When you extract the ZIP you will see several executables, typically Autoruns.exe (32-bit), Autoruns64.exe (64-bit), and Autorunsc.exe and Autorunsc64.exe for the command-line version. On modern 64-bit systems use Autoruns64.exe to get a complete view of all the entries.
Autoruns is fully portable: it does not install persistent components or services; it simply runs from the folder you extracted it to. You can carry it on a USB drive and use it on different computers for spot checks without leaving a trace beyond the changes you make to startup entries (plus the EULA-acceptance and settings values it stores under HKCU\Software\Sysinternals, which is worth knowing when the host is itself under forensic examination).
When Autoruns starts, Windows may show a User Account Control (UAC) prompt requesting administrator rights. Grant them: many persistence locations (services and system keys in particular) can only be viewed and modified with elevated privileges. Run it without them and visibility will be limited.
Once the interface opens, Autoruns automatically begins scanning the system and within a few seconds fills the tabs with the entries it has found. There are no installation wizards or complicated initial setup: you can start reviewing items immediately.

Practical use of Autoruns to locate and analyze malware
To investigate possible malware, start with the key tabs. "Logon" shows the programs that start when you log in; "Services" shows the services configured to start with the system; "Scheduled Tasks" lists scheduled tasks, a very common persistence mechanism; "Drivers" details the installed drivers; and tabs such as "Explorer" or "Internet Explorer" reveal the extensions loaded by those components.
A good initial strategy is to enable "Hide Microsoft entries" together with "Verify code signatures", both under the Options menu, where VirusTotal checking can also be switched on. Once signatures are being verified, concentrate on entries whose publisher is shown as "(Not verified)". Narrowing the view to third-party software brings out binaries of dubious origin that would otherwise stay buried among dozens of legitimate Windows components.
If you spot a suspicious entry, you can inspect it thoroughly from Autoruns itself. Select the line and use "Properties" in the Entry menu or the toolbar button to see the file details: path, version, publisher, size, dates, and so on. If Process Explorer is running, Autoruns can hand the entry over to it to display the properties of the live process that uses that binary.
Another very useful feature is "Jump to Entry", which takes you directly to the Registry key or folder where the persistence of the selected item is defined, while "Jump to Image" opens the folder containing the binary itself. You can see with your own eyes the key the malware created or the exact path where the binary was dropped, and act more precisely in coordination with other tools (for example, deleting suspicious files from an offline session).
VirusTotal integration adds another layer of verification. From the scan options you can tell Autoruns to send the hashes of the listed files to VirusTotal and show the result (the number of engines that flag the file out of the total) in an extra column. You can also ask it to upload files VirusTotal has never seen, but bear in mind that results may take several minutes to appear and that uploading sends the file itself to a third party, which may not be acceptable for confidential or internal binaries.

Autorunsc: Persistence analysis from the command line
Autorunsc is the console version of Autoruns, aimed at advanced users, scripting, server automation, and report generation. It offers the same enumeration capabilities as the graphical tool, but in text form, with the ability to filter by category, export results, and run additional checks.
The basic Autorunsc syntax lets you select which types of autostart entries to list with the -a parameter followed by a set of letters, one per category: b for boot execute images, d for AppInit DLLs, e for Explorer add-ons, g for sidebar gadgets, h for image hijacks, i for Internet Explorer add-ons, k for known DLLs, l for logon entries (the default), m for WMI entries, n for Winsock protocols and network providers, o for codecs, p for printer monitor DLLs, r for LSA security providers, s for autostart services and non-disabled drivers, t for scheduled tasks, and w for Winlogon entries. Using * selects all categories.
The output modifiers adapt the format to your needs: -c produces CSV, -ct tab-delimited values, -x XML, and -t adds normalized timestamps in YYYYMMDD-HHMMSS (UTC) format. These options are handy for feeding spreadsheets, correlation systems, or a SIEM.
For security verification, Autorunsc supports parameters for signature checking and VirusTotal: -s validates digital signatures, -m hides Microsoft entries (the equivalent of the GUI filter), -h prints file hashes, and -v queries VirusTotal by hash, with the variants -vr to open reports for files with detections and -vs to submit files VirusTotal has never seen. With -u the output is limited to files VirusTotal does not know or that have non-zero detections, or, if VirusTotal is not used, to unsigned binaries.
Before using VirusTotal from the command line you must accept its terms of service with -vt; if you omit it, you will be prompted interactively the first time. In the same way, -accepteula accepts the Sysinternals licence so the tool can run unattended. You can also point Autorunsc at an offline Windows installation (for example, a system volume mounted from another partition or a forensic image) with -z, which takes the offline system root and user profile directory, and you can name a particular user account, or *, to scan every profile, which is very useful on corporate machines with several users.
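Putting the switches above together, here is an added example (not from the original article or from Sysinternals) of how a responder would collect a complete Autorunsc inventory from an elevated PowerShell session and triage it. It captures the tool's standard output as raw bytes so the CSV keeps whatever encoding Autorunsc emits, picks the import encoding from the byte-order mark, and then flags entries whose signature did not verify, whose image lives in a user-writable directory, whose image is missing from disk, or that have VirusTotal detections. The paths, the `-QueryVirusTotal` switch and the triage heuristics are this example's own; the column names it reads ("Entry Location", "Image Path", "Signer", "SHA-256", "VT detection") are those Autorunsc prints with -c -h -s -t -v.

```powershell
# Added example (not from the original article or from Sysinternals): collect a full
# Autorunsc inventory into a CSV and triage it. Run from an elevated PowerShell.
# ASSUMPTIONS: autorunsc64.exe is in $ToolDir; column names are those Autorunsc
# prints with -c -h -s -t -v; the triage rules below are this example's heuristics.
param(
    [string]$ToolDir = 'C:\Tools\Autoruns',
    [string]$OutDir  = 'C:\Triage',
    [switch]$QueryVirusTotal      # needs network access; -vt accepts VirusTotal's terms
)
$exe = Join-Path $ToolDir 'autorunsc64.exe'
$csv = Join-Path $OutDir ('autoruns_{0}_{1:yyyyMMdd-HHmmss}.csv' -f $env:COMPUTERNAME, (Get-Date).ToUniversalTime())
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# -a * every category, -c CSV, -h hashes, -s verify signatures, -t UTC timestamps,
# trailing * scans every user profile. -m is deliberately omitted: keep the full
# inventory for the record and filter afterwards.
$argList = '-accepteula -nobanner -a * -c -h -s -t'
if ($QueryVirusTotal) { $argList += ' -v -vt' }
$argList += ' *'

# Copy stdout to disk as raw bytes so the file keeps the encoding Autorunsc emits
# (like other Sysinternals console tools it writes UTF-16LE with a BOM when redirected)
# instead of letting the shell re-decode it with the console code page.
$psi = New-Object System.Diagnostics.ProcessStartInfo
$psi.FileName = $exe; $psi.Arguments = $argList
$psi.UseShellExecute = $false; $psi.RedirectStandardOutput = $true
$proc = [System.Diagnostics.Process]::Start($psi)
$out  = [System.IO.File]::Create($csv)
$proc.StandardOutput.BaseStream.CopyTo($out)
$out.Dispose(); $proc.WaitForExit()

# Choose the import encoding from the BOM so this also works if a build emits UTF-8.
$in = [System.IO.File]::OpenRead($csv); $bom = New-Object byte[] 2
[void]$in.Read($bom, 0, 2); $in.Dispose()
$encoding = if ($bom[0] -eq 0xFF -and $bom[1] -eq 0xFE) { 'Unicode' } else { 'UTF8' }
$rows = Import-Csv -Path $csv -Encoding $encoding

# Triage: anything without a verified signature, living in a user-writable directory,
# pointing at a missing file, or with VirusTotal hits deserves a closer look.
$userWritable = '\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\'
$findings = foreach ($r in $rows) {
    $why = @()
    if ($r.Signer -notmatch '^\(Verified\)')      { $why += 'signature not verified' }
    if ($r.'Image Path' -match $userWritable)       { $why += 'image in user-writable path' }
    if ($r.'Image Path' -like 'File not found*')    { $why += 'image missing on disk' }
    if ($r.'VT detection' -match '^(\d+)\|\d+$' -and [int]$Matches[1] -gt 0) {
        $why += "VirusTotal $($r.'VT detection')"
    }
    if ($why.Count -gt 0) {
        [pscustomobject]@{
            Category = $r.Category; Entry = $r.Entry; Location = $r.'Entry Location'
            Image = $r.'Image Path'; Signer = $r.Signer; SHA256 = $r.'SHA-256'
            Why = $why -join '; '
        }
    }
}
$findings | Export-Csv -Path ($csv -replace '\.csv$', '_findings.csv') -NoTypeInformation
$findings | Sort-Object Category, Entry | Format-Table Category, Entry, Image, Why -AutoSize -Wrap
'{0} entries inventoried, {1} flagged; raw CSV kept at {2}' -f @($rows).Count, @($findings).Count, $csv
```

Run the same script on a known-clean reference build and keep its findings file: on a suspect machine, the entries that appear in the new findings but not in the reference are the ones to investigate first. The raw CSV is kept untouched so the full inventory, including the Microsoft-signed entries the triage ignores, remains available as evidence.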
