How to Use Autoruns to Detect and Remove Malware on Windows

This article acts as a tutorial on how to use Sysinternals Autoruns to detect potentially unwanted software that is installed and running automatically on your device.
Neil Fox
6 min read
Last updated August 25, 2022

Understanding how to use Autoruns means you may be able to detect if your home PC is infected with unwanted software.

Note: This article is intended to illustrate how malware can be identified on a home laptop or PC. For identifying and removing malware within an organization your Incident Response plan should be followed.

What is Autoruns?

Autoruns is a Microsoft Sysinternals tool that lists software configured to run when a device boots or a user logs in. Legitimate software often launches at logon; Outlook is a prime example, since checking email is often the first thing people do after logging on.

If a device has been compromised, any installed malware also needs to survive a reboot: once the machine is powered down, the malware needs a mechanism that starts it again when the machine comes back up. To do this, it can abuse any of the many legitimate Windows features that allow software to launch at boot or logon, and those features are exactly the locations Autoruns enumerates.


Autoruns: The Basics

Autoruns is made up of multiple tabs, each listing the entries found in one category of autostart location.

The Logon tab displays the standard startup locations for all users on the device. This includes the Startup folders and the relevant Run keys. A Run key is a registry key such as HKLM\Software\Microsoft\Windows\CurrentVersion\Run or its HKCU equivalent; each value under it names a program to launch at logon, and malware will often add a value there so that it is relaunched every time the device starts.

The Explorer tab displays information on the following items:

  • Shell extensions – These are individual plugins for Windows Explorer, one example of this is being able to preview a PDF file.
  • Browser Helper Objects – DLL modules that act as plugins for Internet Explorer.
  • Explorer Toolbars – Third-party toolbars for Internet Explorer that give quick access to the third party's platform.
  • Active Setup Executions – A mechanism for executing commands once per user during login.

[Image: Explorer tab]

The Internet Explorer tab displays Browser Helper Objects, Internet Explorer toolbars, and extensions.

[Image: Internet Explorer tab]

The Scheduled Tasks tab displays tasks configured to run at boot or logon. Creating a scheduled task is a common persistence technique used by many malware families.

[Image: Scheduled Tasks tab]

The Services tab displays all Windows services that are scheduled to run automatically when a device boots.

[Image: Services tab]

Drivers allow a piece of hardware to communicate with the device’s operating system. The Drivers tab in Autoruns displays all registered drivers on the device except the ones which have been disabled.

[Image: Drivers tab]

Image Hijacks are quite sneaky: the registry (the Image File Execution Options key) lets you attach a debugger to a named executable, so that asking Windows to launch that executable actually launches a different program. Malware can use this to run a malicious process in place of a legitimate one while the legitimate name is what gets invoked.

[Image: Image Hijacks tab]

AppInit DLLs shows DLLs registered as application initialization DLLs; these are loaded into every process that loads user32.dll, which makes the list a powerful injection point.

The Boot Execute tab displays native programs run by the Session Manager (smss.exe) early in the boot process, before the rest of Windows has started.

Known DLLs are system DLLs such as kernel32.dll and ntdll.dll that Windows lists in the registry and always loads from the system directory, so that software importing their functionality gets the genuine copy. Some malware installs malicious DLLs crafted by the malware author; these may be located where you wouldn't expect to find legitimate Windows DLLs, such as temp folders.

Winlogon is used when a user logs into a Windows device. This tab displays DLLs that register for notifications of Winlogon events.

The Winsock Providers tab shows registered Winsock protocols and layered service providers. Winsock, or Windows Sockets, is the API programs use for network communication. Malware may install itself as a Winsock provider because such entries can be difficult to remove; Autoruns can disable them but not delete them.

[Image: Winsock Providers tab]

Print Monitors displays DLLs that load into the print spooling service. Malware could leverage this by installing a malicious DLL.

Windows Local Security Authority (LSA) Providers support processes related to security and authentication, so a malicious DLL registered here runs inside the authentication subsystem itself.

How to Use Autoruns to Identify Suspicious Software

We now have a good understanding of what Autoruns can detect, however, the screenshots we have seen so far only contain entries for legitimate software. How do we know if a program listed in Autoruns is a trusted piece of software or if it’s something that warrants further investigation such as a piece of malware?

[Image: Logon tab on an infected machine]

In the above image, under the 'Logon' tab, the entry highlighted in red is a Run value named 'ARP Service', which can be found under the following registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

This is a common persistence mechanism used by malware to survive a reboot. We can also see that the 'Description' and 'Publisher' columns are empty. The lack of a description alone does not mean a file is malicious, but the fact that it is unsigned and has no publisher means it is certainly worth investigating.

From looking at the ‘Image Path’ column, we can see where the software is installed. In this instance, the file is located in ‘program files\arp service\arpsv.exe’.

A quick search in Google only returns two results for this file path, which doesn't give me a lot of confidence that it is legitimate software.

[Image: Google search results]

Under the scheduled tasks tab we can also see two listings that relate to the ARP Service software we have identified.

By right-clicking on an entry of interest and selecting 'Check VirusTotal', we can look the file up on virustotal.com. VirusTotal scans files with many antivirus engines and reports how many of them recognize a file as malicious. By default Autoruns submits only the file's hash; uploading the file itself is a separate option under Options > Scan Options, so the default lookup does not send the binary anywhere.

[Image: Check VirusTotal context menu]

Once the file has been submitted, the ‘Virus Total’ column will then display how many antivirus vendors have categorized the file as malicious. In the image below we can see that 55/76 vendors have a signature in place that detects this file as malicious.

[Image: Scheduled Tasks tab with VirusTotal results]

When trying to identify malware using Autoruns here are some key tips to consider:

  • Google is your friend! If you’re unsure, search for the filename and location. Ask yourself: is this a recognized piece of software and is it running from an expected location?
  • Check the description for tell-tale signs such as incorrect grammar or seemingly randomly generated descriptions — this could indicate that Autoruns has located software that you may want to take a closer look at.
  • Look for temporary directories. Malware will often install itself to temporary folders on the filesystem. If you have a piece of software that is set to launch when a device boots then why is it in a temporary folder?
  • Hash the file and check virustotal.com. If malware has been installed with Admin privileges then it could be stored anywhere on disk. Confirm if a file is malicious by checking on virustotal.
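The tips above can be applied in bulk to an export from the command-line version of Autoruns. The script below is an added example, not code from the article or from Sysinternals. It assumes the export was produced with `autorunsc.exe -a * -c -h -s -nobanner > autoruns.csv` and that the CSV carries the column names recent autorunsc versions emit (Entry Location, Entry, Description, Signer, Image Path, Launch String, MD5, SHA-256); the sample rows, the thresholds and the folder and binary lists are constructed for illustration, with the 'ARP Service' row mirroring the entry discussed above. It flags entries that are unsigned, lack a description, run from a temporary folder, or are launched through a script host, and prints the hash-lookup URL to check on VirusTotal, which is the same check the removal section below performs by hand.

```python
"""Triage an autorunsc CSV export for autostart entries worth a closer look.

Assumed input (not from the article):
    autorunsc.exe -a * -c -h -s -nobanner > autoruns.csv
with the column names recent autorunsc versions emit. The sample data and
the heuristics are constructed for this example.
"""
import csv
import hashlib
import io
import re

# Folders a boot-time program has no business living in (assumed list).
TEMP_DIR = re.compile(r"\\(temp|tmp|users\\public|downloads|\$recycle\.bin)\\", re.I)
# Script hosts and proxy binaries malware uses to launch without its own EXE (assumed list).
LOLBIN = re.compile(
    r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|msiexec|certutil|bitsadmin)(\.exe)?\b",
    re.I,
)
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
STRONG = ("runs from a temporary", "launched through")  # one of these alone is enough to flag

# Constructed sample resembling autorunsc output. Real exports carry more hash
# columns (SHA-1, PESHA-1, PESHA-256, IMP); only the ones used here are kept.
# The "ARP Service" row mirrors the article's entry and its reported MD5; the
# other rows and all other hash values are made up.
SAMPLE_CSV = r"""
Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String,MD5,SHA-256
1/1/2022 9:00 AM,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.19041.1,%windir%\system32\SecurityHealthSystray.exe,11111111111111111111111111111111,aaaa
1/1/2022 9:00 AM,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ARP Service,enabled,Logon,System-wide,,,,c:\program files\arp service\arpsv.exe,,c:\program files\arp service\arpsv.exe,bf48a5558c8d2b44a37e66390494d08e,bbbb
1/1/2022 9:05 AM,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,DESKTOP\alice,,(Not verified) Contoso Ltd,Contoso Ltd,c:\users\alice\appdata\local\temp\upd.exe,1.0,c:\users\alice\appdata\local\temp\upd.exe,22222222222222222222222222222222,cccc
1/1/2022 9:07 AM,Task Scheduler,\OneDriveSync,enabled,Tasks,System-wide,Windows PowerShell,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\windowspowershell\v1.0\powershell.exe,10.0.19041.1,powershell.exe -w hidden -enc SQBFAFgAIAAo,33333333333333333333333333333333,dddd
""".strip()


def parse_entries(csv_text):
    """Turn autorunsc CSV text into one dict per autostart entry."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def read_export(path):
    """Load a real export from disk (autorunsc writes UTF-16 text; assumed)."""
    with open(path, encoding="utf-16") as fh:
        return parse_entries(fh.read())


def triage_entry(row):
    """Return the reasons an entry deserves a closer look (empty list if none)."""
    reasons = []
    image = (row.get("Image Path") or "").strip().lower()
    launch = (row.get("Launch String") or "").strip().lower()
    signer = (row.get("Signer") or "").strip()
    if not signer or signer.lower().startswith("(not verified)"):
        reasons.append("unsigned or signature not verified")
    if not (row.get("Description") or "").strip():
        reasons.append("empty description")
    if TEMP_DIR.search(image) or TEMP_DIR.search(launch):
        reasons.append("runs from a temporary or user-writable folder")
    if LOLBIN.search(launch or image):
        reasons.append("launched through a script host or proxy binary")
    if image and not image.startswith(EXPECTED_ROOTS):
        reasons.append("image outside Windows and Program Files")
    return reasons


def triage(csv_text):
    """Return the entries to investigate, each with its reasons and hashes."""
    flagged = []
    for row in parse_entries(csv_text):
        reasons = triage_entry(row)
        # A strong indicator alone, or two weak ones together, gets the entry flagged.
        if any(r.startswith(STRONG) for r in reasons) or len(reasons) >= 2:
            flagged.append({
                "location": row["Entry Location"],
                "entry": row["Entry"],
                "image": row["Image Path"],
                "md5": row.get("MD5", ""),
                "sha256": row.get("SHA-256", ""),
                "reasons": reasons,
            })
    return flagged


def hash_bytes(data):
    """MD5 and SHA-256 of a file's contents, for a VirusTotal hash lookup."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_bytes(fh.read())


def virustotal_url(file_hash):
    """VirusTotal search page for a hash; looking it up does not upload the file."""
    return f"https://www.virustotal.com/gui/file/{file_hash}"


if __name__ == "__main__":
    for hit in triage(SAMPLE_CSV):
        print(f"{hit['entry']!r} at {hit['image']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
        print(f"    VT: {virustotal_url(hit['md5'] or hit['sha256'])}")
```

On the sample, the signed Microsoft entry in System32 produces no reasons, the 'ARP Service' entry is flagged for being unsigned with no description, the temp-folder updater collects four reasons, and the scheduled task is flagged purely because its action is an encoded PowerShell command even though powershell.exe itself is signed. Treat the output as a worklist, not a verdict: legitimate third-party software is often unsigned, which is why a single weak reason is not enough on its own.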

How to Use Autoruns to Remove Malware

First, confirm the malware is running on your device. Task Manager will do, but I recommend Process Hacker, one of my go-to tools for analyzing malware. Once downloaded, right-click on the desktop icon and select 'Run as Administrator'.

[Image: Process Hacker]

Once Process Hacker is running, we can now locate the malware that is running on the device.

[Image: Process Hacker showing the malicious process]

By right-clicking on the malware we have the option to locate the file on disk by selecting ‘Open file location’.

[Image: Process Hacker context menu]

This then opens the file path in Windows Explorer.

[Image: file location in Windows Explorer]

By dragging this file into a tool such as PeStudio we can grab the hash of the file.

MD5: Bf48a5558c8d2b44a37e66390494d08e

Navigating to virustotal and performing a search of the hash will show that this is a RAT (Remote Access Trojan) known as Nanocore.

[Image: VirusTotal result]

To stop the malware from running, right click on the process name and select ‘Terminate’.

[Image: Process Hacker Terminate option]

Then confirm the termination of the process by selecting ‘Terminate’.

[Image: terminate confirmation]

In Autoruns, the persistence mechanisms used to start the malware can then be deleted by right-clicking and selecting ‘Delete’.

[Image: Autoruns Delete option]

Confirm the deletion by selecting ‘Yes’. Repeat this process for any additional persistence mechanisms that have been identified.

[Image: confirm delete]

The file itself can now be deleted from Windows Explorer. If you intend to analyze it later, copy it into a password-protected archive first rather than deleting it outright.

Tips for Using Sysinternals Autoruns

I strongly advise against using Autoruns as your only means of detecting and removing malicious software. If you have detected and removed a piece of malware using these techniques, consider the following points:

Do you have backups of your files and data? If a device has been compromised, there is a strong possibility that other malware is on the device. Having backups in place means your device can be rebuilt, giving you confidence the threat has been fully remediated.

What Antivirus software do you have in place if any? If you have some form of AV in place and you have still been infected, then your security controls have failed and it may be a good time to reconsider investing in something that will give you confidence your data is protected.

Use Autoruns' compare function to make it easy to check for unwanted software persisting on your device. Run Autoruns on a clean device, then select 'File' and 'Save'.

[Image: File > Save]

The output is saved as an 'AutoRuns Data' file with the '.arn' extension. In the example below I have saved the output as 'clean'.

[Image: saving the output as 'clean']

You can now compare this output to any future scans you perform with Autoruns. To do this select ‘File’ and then ‘Compare’.
[Image: File > Compare]

In the example below I am selecting the output that I named ‘Clean’.

[Image: selecting the 'Clean' file]

Autoruns will then only display any new software that has created a persistence mechanism. This is handy for filtering out legitimate software from a clean install.

[Image: compare results]
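The same baseline-and-compare workflow can be scripted against two exports from the command-line Autoruns, which is useful when you want to keep a baseline per machine build and diff it on a schedule. The script below is an added example, not code from the article or from Sysinternals. It assumes both files were produced with `autorunsc.exe -a * -c -h -s -nobanner` and carry the column names recent autorunsc versions emit (Entry Location, Entry, Image Path, SHA-256); the two sample exports are constructed, with the 'ARP Service' entries mirroring the infection discussed above and all hash values made up. It goes one step beyond the GUI compare: besides entries that are new since the baseline, it also reports entries whose binary changed on disk, since swapping the file behind an existing, trusted-looking entry is another way malware hides.

```python
"""Diff two autorunsc CSV exports: a clean baseline against a later scan.

Assumed input (not from the article), run on the clean build and again later:
    autorunsc.exe -a * -c -h -s -nobanner > clean.csv
    autorunsc.exe -a * -c -h -s -nobanner > today.csv
Sample exports below are constructed for this example.
"""
import csv
import io

HEADER = ("Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,"
          "Company,Image Path,Version,Launch String,MD5,SHA-256")

# Baseline taken from the clean device (constructed; hashes are made up).
BASELINE_CSV = HEADER + r"""
1/1/2022 9:00 AM,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.19041.1,%windir%\system32\SecurityHealthSystray.exe,1111,aaaa
1/1/2022 9:00 AM,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,DESKTOP\alice,Microsoft OneDrive,(Verified) Microsoft Corporation,Microsoft Corporation,c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe,22.1,c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe /background,2222,bbbb
"""

# Later scan: two new "ARP Service" entries, and OneDrive's binary replaced in place.
CURRENT_CSV = HEADER + r"""
2/1/2022 9:00 AM,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.19041.1,%windir%\system32\SecurityHealthSystray.exe,1111,aaaa
2/1/2022 9:00 AM,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,DESKTOP\alice,Microsoft OneDrive,,,c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe,22.1,c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe /background,9999,ffff
2/1/2022 9:01 AM,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ARP Service,enabled,Logon,System-wide,,,,c:\program files\arp service\arpsv.exe,,c:\program files\arp service\arpsv.exe,bf48a5558c8d2b44a37e66390494d08e,cccc
2/1/2022 9:01 AM,Task Scheduler,\ARP Service Update,enabled,Tasks,System-wide,,,,c:\program files\arp service\arpsv.exe,,c:\program files\arp service\arpsv.exe /update,bf48a5558c8d2b44a37e66390494d08e,cccc
"""


def parse_entries(csv_text):
    """Turn autorunsc CSV text into one dict per autostart entry."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def entry_key(row):
    """Identity of an autostart entry: where it is registered plus its name."""
    return (row["Entry Location"].lower(), row["Entry"].lower())


def compare_exports(baseline_text, current_text):
    """Return (new, removed, changed) relative to the baseline.

    new and removed are rows; changed is a list of (baseline_row, current_row)
    where the image path or the image's SHA-256 differs, i.e. the same entry
    now launches a different binary.
    """
    base = {entry_key(r): r for r in parse_entries(baseline_text)}
    cur = {entry_key(r): r for r in parse_entries(current_text)}
    new = [cur[k] for k in cur if k not in base]
    removed = [base[k] for k in base if k not in cur]
    changed = []
    for k in cur.keys() & base.keys():
        b, c = base[k], cur[k]
        if (b["Image Path"], b.get("SHA-256")) != (c["Image Path"], c.get("SHA-256")):
            changed.append((b, c))
    return new, removed, changed


def report(baseline_text, current_text):
    """Human-readable summary lines in a stable order: new, changed, removed."""
    new, removed, changed = compare_exports(baseline_text, current_text)
    lines = []
    for r in sorted(new, key=entry_key):
        lines.append(f"NEW      {r['Entry Location']} :: {r['Entry']} -> {r['Image Path']}")
    for b, c in sorted(changed, key=lambda pair: entry_key(pair[0])):
        lines.append(f"CHANGED  {c['Entry Location']} :: {c['Entry']} "
                     f"sha256 {b.get('SHA-256')} -> {c.get('SHA-256')}")
    for r in sorted(removed, key=entry_key):
        lines.append(f"REMOVED  {r['Entry Location']} :: {r['Entry']}")
    return lines


if __name__ == "__main__":
    for line in report(BASELINE_CSV, CURRENT_CSV):
        print(line)
```

Entries are matched on their location plus name rather than on the Time column, because autorunsc stamps every row with the scan time and the same entry would otherwise never match across exports. On the sample, the two 'ARP Service' entries come out as NEW and the OneDrive entry as CHANGED, which the GUI compare alone would not have pointed at since the entry itself already existed in the baseline.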

I mainly use Autoruns for analyzing malware, however, within this article we have demonstrated how it can detect multiple ways that malicious software will try and persist on your device.

What I also really like about Autoruns is the price! There is a wealth of free tools out there that can help not only with malware analysis but also with day-to-day system administration, so be sure to check out this article which covers 21 free tools every sysadmin should know.

If the threat of malware going undetected in your organization is a concern then head over to the Varonis website to see how we stop a live attack and also see a demo of our Threat Detection Response.
