If you would like to read the other parts in this article series please go to:
- Hunt Down and Kill Malware with Sysinternals Tools (Part 1)
- Hunt Down and Kill Malware with Sysinternals Tools (Part 3)
In part 1 of this series, I recapped some of what I learned from Mark Russinovich at this year’s MVP Summit, in regard to using Process Explorer to find suspicious processes that might indicate malware running on your system. This month in Part 2, I will talk about how you can use the Autoruns tool to find malware that boots at startup.
The next tool we’re going to look at is Autoruns, which shows you what programs are set up to run during the system bootup and login process. It’s very configurable, allowing you to display not only the programs in the startup folder and registry keys Run and RunOnce, but also Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, autostart services and a lot more. And it shows them in the order in which they’re processed by Windows. You can also disable startup programs directly from within Autoruns. The current version is 10.07. It runs on Windows XP/Server 2003 and above, and you can download it here.
The command line version is autorunsc, which is also included in the download. Both are downloaded as executables in a zipped file, along with a help file (autoruns.chm). As you can see in Figure 1, the program is much more comprehensive than the built-in Windows tool MSConfig.
At first glance, you might find the interface a little overwhelming. There are 18 different tabs across the top.The first tab, appropriately labeled “Everything,” shows you all of the types of programs and services that are configured to run at startup. You’ll probably be amazed (and a little appalled) at the number you see here. Unlike MSConfig, Autoruns doesn’t require administrative privileges.
The additional tabs let you view the information sorted into categories, including:
- Explorer (context menus, shell extensions, etc.)
- Internet Explorer (toolbars, browser helper objects)
- Scheduled Tasks (processes that run in the background based on triggered events)
- Services (Windows entries are hidden by default)
- Print Monitors
- LSA Providers
- Network Providers
- Sidebar Gadgets
- Boot Execute
- Image Hijacks
- Winsock Providers
Most of the above are probably pretty familiar to you. One you might not recognize off the bat is AppInit. The AppInit_DLLs value is used when the main window manager DDL (User32.dll) loads into a process. Because all graphical (not command line) Windows programs load the DLL that’s listed in this value, AppInit_DLLs are often targeted by malware writers, as Mark explains in his blog post, The Case of the Malicious Autostart.
Another tab that might need a bit of explanation is Image Hijacks. This refers to using Image File Execution options in the Windows registry to redirect a process loading by mapping the executable name and thus load a completely different process. Dana Epps wrote about this way back in 2005 in his blog post Using Image File Execution options as an Attack Vector on Windows.
What you can do with Autoruns
Note that all of the entries you see in Autoruns are not necessarily programs that are running at the time – they’re the programs that are configured to run automatically. To find out whether an item is currently running, you can right click it and select Process Explorer. Assuming you have Process Explorer installed, this will open it so you can view the properties dialog box for the process there. Also note that if Process Explorer is running with admin privileges and you’re running Autoruns with standard user privileges, this action will fail because Autoruns won’t be able to communicate with Process Explorer.
One of my favorite features of Autoruns is the “Jump to” option. If you right click on an entry, you can select “Jump to” as shown in Figure 2 and the registry editor will open up to the location of that item.
You’re likely to run across some entries that you can’t readily identify from the name/description/publisher information. You can use the “Search online” option to automatically open up your web browser to your search engine page with the entries for that search term. This is one way to help determine whether one of these startup items is associated with malicious software.
Another extremely useful feature is found in the File menu. Here you’ll see an option for “Compare…”. Using it effectively takes some forethought, because you need to have used the File | Save option to save an Autoruns file (.ARN file extension) before you started having problems. If you did that, you can use the Compare option to highlight new entries on the Autoruns list, to help you narrow down the malware suspects.
To make things more manageable, you can select to Hide entries that are identified as Microsoft software (this selection is in the Options menu). However, it’s not necessarily a good idea to do so, as it’s easy for Malware authors to mislabel their code as originating from Microsoft. So you need to verify the digital signature in order to know for sure that it’s really from Microsoft. To do that for a specific entry, select Verify from the Entry menu (or press CTRL + V). There is also an option to Verify Code Signatures in the Options menu.
Another advantage of Autoruns in comparison to MSConfig is that it will show you the autostart entries per user. More and malware these days is exploiting standard user accounts by writing to HKEY_CURRENT_USER locations. With Autoruns, you can pick the username of the account you want to view from the User menu. This will allow you to find malware that is in the registry under the other user’s account.
Autoruns can even analyze offline systems, which will aid in detecting rootkits. You’ll find this option in the File menu. You enter the system root directory of the system that’s offline, as well as the user profile that you want to examine. Note that you can use Autorunsc (the command line version of Autoruns) along with another Sysinternals tool, psexec, to view the autostart entries on a remote machine.
Removing Autoruns entries
It’s important to understand the options for removing items that you find in Autoruns. You have two ways to do this within Autoruns:
- Select the item in the list and click the Delete button (red X) in the toolbar, or press the Delete key on the keyboard. This does not delete the associated files and it does not stop the process if it’s currently running. It only modifies the registry value that instructs Windows to run it automatically.
- You can also temporarily remove an item from startup by unchecking the checkbox next to it. When you do this, it is removed from the Run key in the registry, and stored in a subkey “AutorunsDisabled” so that you can enable it again by checking the checkbox.
Note that in some cases, you might need to restart the process, log out and log back in, or even reboot the computer in order for the change to take effect.
The free Sysinternals tools are invaluable aids for anyone who wants to delve deeply into the hunt for malicious code and eliminate it from your systems. You can download them free from the Microsoft TechNet web site, and if you really want to ramp up on how to use them most effectively, check out Mark’s book (with Aaron Margosis), Windows Sysinternals Administrator’s Reference, which is published by O’Reilly and came out in June 2011.
This month, we focused on Autoruns, which makes it easy for you to find out just about anything you could want to know about the programs and services that are configured to start automatically, and helps you to detect whether those processes are legitimate or may be malware. Next month in Part 3, we’ll take a look at how to use Process Monitor to trace malware activity and how you can remove malware from your system once you’ve tracked it down, as well as what to do if the Sysinternals tools won’t run.
If you would like to read the other parts in this article series please go to: