
Understanding AutoStart Persistence in Windows: Key Locations and Detection Methods

  • Jan 19, 2024
  • 3 min read

Updated: Feb 12, 2025

Windows provides numerous ways for applications—and unfortunately, malware—to persist on a system. These persistence mechanisms, officially known as AutoStart Extension Points (ASEPs), allow programs to execute automatically when a system boots or when a user logs in. While these features are essential for legitimate software, they are also frequently exploited by attackers to maintain access to compromised machines.


Why Are ASEPs Important?

The sheer number of ASEPs in Windows makes securing the system a challenge. Malicious programs can place references to themselves in various locations to ensure they run persistently. Many of these locations are found within the Windows Registry, offering a somewhat centralized place for forensic investigators to check. However, with hundreds of thousands of registry keys on a typical system, identifying malicious persistence is no small task.



Common Registry-Based AutoStart Locations

Among the many ASEPs available, the "Run" keys in the Windows Registry are the most commonly abused by attackers. These keys execute listed applications when a user logs into their system:


  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run


When an attacker inserts a reference to a malicious executable in one of these keys, it will launch every time the user logs in, providing persistent access.



The Userinit Key: A Lesser-Known but Dangerous ASEP

Another powerful ASEP is the Userinit key, located at:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

This value normally holds a single reference to userinit.exe, which is responsible for launching explorer.exe after a user logs in. However, an attacker can append a second, comma-separated command so that a malicious executable runs alongside it:


C:\Windows\system32\userinit.exe, C:\Temp\winsvchost.exe

By adding their payload here, attackers ensure that their malware is executed as soon as a user logs in, even before the desktop fully loads.
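The two registry checks above (the Run/RunOnce keys and the Winlogon Userinit value) can be triaged from an exported list of entries. The following Python is an added example, not code from the original post: it assumes records as (key, value name, data) tuples, such as one would build from a registry export or an Autoruns/RECmd CSV, and the sample records are constructed for illustration.

```python
"""Triage of the Windows ASEP entries covered in the post. Records are (key, value_name, data)
tuples as obtained from a registry export or Autoruns/RECmd CSV; the samples below are constructed."""
RUN_KEYS = {k.lower() for k in (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
)}
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon".lower()
# Locations an unprivileged user can write to; a Run entry launching from here deserves review.
USER_WRITABLE = ("c:\\temp\\", "c:\\users\\", "\\appdata\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def first_executable(command):
    """Extract the executable path from a command line, handling quoted paths."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)].lower()
    return command.split()[0].lower() if command else ""

def check_userinit(data):
    """Userinit must hold exactly one command: the system32 userinit.exe."""
    parts = [p.strip() for p in data.split(",") if p.strip()]
    findings = []
    if len(parts) != 1:
        findings.append(f"Userinit lists {len(parts)} commands, expected 1: {data!r}")
    for part in parts:
        if not first_executable(part).endswith("\\system32\\userinit.exe"):
            findings.append(f"Userinit references an unexpected binary: {part!r}")
    return findings

def triage(records):
    """Return human-readable findings for suspicious ASEP records."""
    findings = []
    for key, name, data in records:
        if key.lower() == WINLOGON_KEY and name.lower() == "userinit":
            findings.extend(check_userinit(data))
        elif key.lower() in RUN_KEYS:
            exe = first_executable(data)
            if any(d in exe for d in USER_WRITABLE):
                findings.append(f"{key}\\{name} launches from a user-writable path: {exe}")
    return findings

# Constructed sample export (not data from a real system).
SAMPLE = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r"C:\Windows\system32\userinit.exe, C:\Temp\winsvchost.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Users\alice\AppData\Roaming\updater.exe"),
]
```

Running `triage(SAMPLE)` reports the appended Userinit command twice (count and unexpected binary) and the Run entry under a user profile, while the quoted Program Files entry passes.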


File System-Based AutoStart Locations

Attackers often abuse locations within the file system that do not require administrative privileges. One of the most effective and widely used methods is placing malicious shortcuts in the Startup folder:


%AppData%\Microsoft\Windows\Start Menu\Programs\Startup


Any executable or shortcut placed in this folder will launch automatically upon user login. This technique is commonly used in phishing attacks where a malicious file is dropped into this directory, ensuring execution without the need for elevated permissions.



Detecting and Analyzing AutoStart Entries

Given the wide range of ASEPs, forensic analysts and incident responders rely on specialized tools to detect and analyze suspicious entries.


Some of the best tools for this task include:

  • Registry Explorer – Allows deep exploration and analysis of Windows Registry hives, making it easier to locate malicious entries.

  • RegRipper – A powerful tool with plugins designed to extract known ASEPs quickly.

  • Autoruns – A Microsoft Sysinternals tool that provides a comprehensive view of all AutoStart locations on a system.

  • Kansa – A PowerShell framework useful for collecting registry and filesystem persistence indicators across multiple systems, enabling large-scale detection.


As for tools:

Kansa is out of date and very few people still use it. If you ask me what the best tool is, and whether I have written an article on parsing these locations automatically and analysing them, my answer is: hell yeah!


A tool called RECmd is the best at automating the process.
Check out the article link below!



Conclusion

AutoStart Extension Points are a double-edged sword: they enable seamless operation of legitimate applications but also provide an easy way for malware to persist. Understanding the most commonly exploited ASEPs and utilizing forensic tools to monitor them can significantly improve security posture. Whether you're an incident responder, a forensic analyst, or an enthusiast looking to improve your cybersecurity knowledge, mastering ASEP analysis is a crucial skill in defending against persistent threats.



------------------------------------------Dean-------------------------------------------------------------
