Autoruns offline analysis and other resources

Discussion in 'other anti-malware software' started by MrBrian, Feb 17, 2014.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From IAmA a malware coder and botnet operator, AMA:
    ---------

    Autoruns Analyze Offline System Option

    ---------

    From ASEPMonitor (free):
    ---------

    From hxxp://idsmonitor.narod.ru/indexen.html (free):
    ---------

    Paper "Utilizing AutoRuns To Catch Malware": direct pdf download hxxps://www.sans.org/reading-room/whitepapers/malicious/utilizing-autoruns-catch-malware-33383 (contains a script for comparison)
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Hiren's BootCD has Autoruns and thus can be used to analyze a non-booted operating system.

    I tried using Autoruns to compare the autostarts of the same system when booted vs. non-booted, but it didn't work well; same with Autorunsc.

    Autorunsc has an option to list file hashes of autostart entries :thumb:.
     
  5. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    I did that as well on my XP, and using a custom made BartPE CD and everything was fine. What went wrong for you?
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Autoruns: everything shows as "different"
    Autorunsc: one output file has about 1000 lines, while the other has about 775 lines (for the same account); also, there are some intra-line format differences as well.

    Are you using Autoruns or Autorunsc? Which version? If Autorunsc, what parameters do you use?
     
    Last edited: Feb 18, 2014
  7. guest

    guest Guest

    This is more or less what WinPatrol does, right?
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Yes, but Autoruns also has the ability to do offline system analysis (handy for rootkit-hidden autostart entries).

    I have been doing periodic Autoruns snapshot comparisons (non-offline) for years. I also do snapshot comparisons with What's Running.
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I tried online vs offline again. Autoruns 11.70 shows every item as a difference, while 11.42 and 11.34 show some items as differences.
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Comodo Autorun Analyzer (part of Comodo Cleaning Essentials) also has an option to analyze offline systems. It doesn't have snapshot comparison, but it does check autostart entries with its cloud database.

    Any other similar programs with offline analysis ability?
     
  11. guest

    guest Guest

    HiJackFree is similar to Comodo CE.
     
  12. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    You made me curious. I will try it again and post the results. Stay tuned :)

    Later edit: I checked on a VM using Autoruns 11.70, and you are right; Autoruns cannot be used reliably as a comparison tool because it says that every item counts as a difference. By looking at the text list that it exports, I was able to see what is the problem: for some reason (bug?) Autoruns reads each registry entry's time stamp wrongly in the offline analysis. This makes it believe that every entry is different, even if in reality they are not.
    In conclusion, Autoruns remains a good offline inspection tool, but only if you are willing to check the results yourself.
     
    Last edited: Feb 20, 2014
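    The timestamp problem above suggests comparing exports on the stable columns (entry location, entry name, image path, hash) and ignoring the time column. The script below is an added illustration, not code from any poster or from Sysinternals; the CSV samples are constructed, and the column names are assumed rather than taken from a real Autorunsc export (the script keys on whatever header row the file actually has).

```python
import csv
import io

# Constructed Autorunsc-style exports (column names assumed). Every "Time" value in the
# second snapshot differs, mimicking the offline-mode timestamp problem seen in the thread.
BASELINE_CSV = r"""Time,Entry Location,Entry,Enabled,Image Path,SHA-256
2014-02-10 08:00,HKLM\Software\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,c:\windows\system32\sechealth.exe,aaaa1111
2014-02-10 08:00,HKLM\Software\Microsoft\Windows\CurrentVersion\Run,VideoDriver,enabled,c:\program files\gpu\tray.exe,bbbb2222
2014-02-10 08:00,Task Scheduler,\Backup\Nightly,enabled,c:\tools\backup.exe,cccc3333
"""
SNAPSHOT_CSV = r"""Time,Entry Location,Entry,Enabled,Image Path,SHA-256
1601-01-01 00:00,HKLM\Software\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,c:\windows\system32\sechealth.exe,aaaa1111
1601-01-01 00:00,HKLM\Software\Microsoft\Windows\CurrentVersion\Run,VideoDriver,enabled,c:\program files\gpu\tray.exe,dddd4444
1601-01-01 00:00,Task Scheduler,\Backup\Nightly,enabled,c:\tools\backup.exe,cccc3333
1601-01-01 00:00,HKLM\Software\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,c:\users\public\upd.exe,eeee5555
"""

KEY_FIELDS = ("Entry Location", "Entry")   # identity of an autostart entry
VOLATILE_FIELDS = ("Time",)                # unreliable offline, so excluded from the diff


def parse_snapshot(text):
    """Map (entry location, entry name) -> row dict for one CSV export."""
    rows = csv.DictReader(io.StringIO(text))
    return {tuple(r[f] for f in KEY_FIELDS): r for r in rows}


def naive_diff_count(old, new):
    """Entries whose whole row (Time included) differs: reproduces 'everything is different'."""
    return sum(1 for k in old if k in new and old[k] != new[k])


def diff_snapshots(old, new, ignore=VOLATILE_FIELDS):
    """Return (added keys, removed keys, {key: changed fields}), skipping volatile columns."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for k in set(old) & set(new):
        fields = [f for f in old[k] if f not in ignore and old[k][f] != new[k].get(f)]
        if fields:
            changed[k] = fields
    return added, removed, changed


if __name__ == "__main__":
    old, new = parse_snapshot(BASELINE_CSV), parse_snapshot(SNAPSHOT_CSV)
    print("rows flagged when Time is compared:", naive_diff_count(old, new))
    added, removed, changed = diff_snapshots(old, new)
    for k in added:
        print("NEW    ", k, new[k]["Image Path"])
    for k in removed:
        print("GONE   ", k)
    for k, fields in changed.items():
        print("CHANGED", k, fields)
```

    With Time excluded, only the new Updater entry and the VideoDriver hash change are reported, while the naive full-row comparison flags all three original rows. Real exports from Autorunsc are written as Unicode text, so read the files with an explicit encoding (for example utf-16) before passing their contents to parse_snapshot.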
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  14. tom1876

    tom1876 Registered Member

    Joined:
    Jan 4, 2014
    Posts:
    15
    Location:
    England
    Did anyone try this app, ASEPMonitor?

    It doesn't seem to work for me. I ran it with "run as administrator" and it displays "Please wait. WinBatch Processing Window..." for some time and then exits without any message or error. Sometimes this "Please wait. WinBatch Processing Window..." will stay for a very long time and I have to kill it from Task Manager.

    I am using Windows 7 64-bit.
    Does anyone know any other app or way which can do automatic analysis of all startup items at regular intervals and display alert if some extra items are found?
     
  15. tom1876

    tom1876 Registered Member

    Joined:
    Jan 4, 2014
    Posts:
    15
    Location:
    England
    Do these have an automatic compare-and-alert feature, or are they like the Sysinternals Autoruns tool only?
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    WinPatrol.

    WhatInStartup and ServiWin are manually-run tools.
     
  17. tom1876

    tom1876 Registered Member

    Joined:
    Jan 4, 2014
    Posts:
    15
    Location:
    England
    Thanks MrBrian :)

    WinPatrol looks like a nice tool to have on a system :)
     
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    I periodically manually compare Autoruns snapshots (of the computer currently running, unlike this thread topic) to spot new such items.
     