Showing results for tags 'autorun'.

Found 2 results

  1. Auto(it)Runs

     This script utilizes the Sysinternals autorunsc command-line tool to scan and analyze autorun entries on a Windows system. https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns

     The script's primary function is to extract information from the autorunsc.exe scan results to AutoIt, which can be used for various purposes and understanding system startup behavior.

     Using the $STDOUT stream and not the -c switch (Print output as CSV), so that you don't have to export the data to disk every time.

     I explored it experimentally, and these are the results.

     ```autoit
     ; https://www.autoitscript.com/forum/topic/213070-autoitruns/
     ;----------------------------------------------------------------------------------------
     ; Title...........: Auto(it)Runs.au3
     ; Description.....: This script utilizes the sysinternals `autorunsc` command-line tool
     ;                   to scan and analyze autorun entries on a Windows system.
     ;                   The script's primary function is to extract information from the autorun scan results,
     ;                   which can be used for various purposes and understanding system startup behavior.
     ; AutoIt Version..: 3.3.16.1   Author: ioa747   Script Version: 0.9
     ; Note............: Tested in Win10 22H2         Date:10/08/2025
     ;----------------------------------------------------------------------------------------
     #AutoIt3Wrapper_Au3Check_Parameters=-d -w 1 -w 2 -w 3 -w 4 -w 5 -w 6 -w 7
     #RequireAdmin

     #include <GUIConstantsEx.au3>
     #include <EditConstants.au3>
     #include <StaticConstants.au3>
     #include <WindowsConstants.au3>
     #include <AutoItConstants.au3>
     #include <StringConstants.au3>
     #include <ListViewConstants.au3>
     #include <GuiListView.au3>

     Example()

     ;---------------------------------------------------------------------------------------
     Func Example()
         Local $sCMD = CreateCmdGUI()
         ConsoleWrite("$sCMD=" & $sCMD & @CRLF)

         Local $aEntries = AutorunSnapshot($sCMD)
         If @error Then ConsoleWrite("! @error:" & @error & " " & $aEntries & @CRLF)

         Local $iPos = StringInStr($sCMD, '-o "')

         ; check if -o Switch in $sCMD then execute the output file
         If $iPos > 1 Then
             ShellExecute(StringLeft(StringTrimLeft($sCMD, $iPos + 3), StringInStr(StringTrimLeft($sCMD, $iPos + 3), '"') - 1))
         Else
             DisplayGUI($aEntries, "Autorun Entries")
         EndIf
     EndFunc   ;==>Example
     ;---------------------------------------------------------------------------------------
     Func CreateCmdGUI() ; Optional GUI to build the autorunsc cmdline
         ; Switches for the "-a" group (Group A)
         Local $aGroupA[18][3] = [ _
                 [0, "*", "All"], [0, "b", "Boot execute"], [0, "c", "Codecs"], _
                 [0, "d", "Appinit DLLs"], [0, "e", "Explorer addons"], [0, "g", "Sidebar gadgets"], _
                 [0, "h", "Image hijacks"], [0, "i", "Internet Explorer addons"], [0, "k", "Known DLLs"], _
                 [0, "l", "Logon startups (default)"], [0, "m", "WMI entries"], [0, "n", "Winsock protocol"], _
                 [0, "o", "Office addins"], [0, "p", "Printer monitor DLLs"], [0, "r", "LSA security providers"], _
                 [0, "s", "Services & non-disabled drivers"], [0, "t", "Scheduled tasks"], [0, "w", "Winlogon entries"] _
                 ]

         ; Switches for other parameters (Group B)
         Local $aGroupB[12][3] = [ _
                 [0, "-ct", "Print as tab-delimited"], [0, "-c", "Print as CSV"], [0, "-x", "Print output as XML"], _
                 [0, "-o", "Write output to the file."], [0, "-h", "Show file hashes."], [0, "-m", "Hide Microsoft entries"], _
                 [0, "-t", "Show timestamps in normalized UTC."], [0, "-s", "Verify digital signatures"], _
                 [0, "-u", "Show unsigned/unknown files"], [0, "-vrs", "VirusTotal check & upload"], _
                 [0, "-nobanner", "Do not show startup banner"], [0, "*", "Scan all user profiles"] _
                 ]

         ; Create the Autorunsc GUI
         GUICreate("Autorunsc GUI", 600, 560)
         GUISetFont(9, 400, 0, "Tahoma")

         ; Create the input box for the command
         GUICtrlCreateLabel("Generated Command:", 10, 10, 200, 20)
         Local $idInputbox = GUICtrlCreateInput("", 10, 30, 580, 25, $ES_AUTOHSCROLL)
         GUICtrlSetState($idInputbox, $GUI_DISABLE)

         ; Create the input box for the output file
         Local $idLblOutFile = GUICtrlCreateLabel("Output file:", 310, 420, 200, 20)
         GUICtrlSetState(-1, $GUI_HIDE)
         Local $idOutFile = GUICtrlCreateInput("output.txt", 310, 440, 260, 20)
         GUICtrlSetState(-1, $GUI_HIDE)

         Local $idExecuteButton = GUICtrlCreateButton("Execute", 420, 500, 140, 25)

         ; Create Group 1 for "-a" switches on the left
         GUICtrlCreateGroup("Autostart Entry Selection (-a)", 10, 70, 280, 480)
         Local $iX = 20, $iY = 90
         For $i = 0 To UBound($aGroupA) - 1
             $aGroupA[$i][0] = GUICtrlCreateCheckbox($aGroupA[$i][1] & " (" & $aGroupA[$i][2] & ")", $iX, $iY, 260, 20)
             $iY += 25
         Next

         ; Set default selections in (Group A)
         GUICtrlSetState($aGroupA[1][0], $GUI_CHECKED) ; -a b
         GUICtrlSetState($aGroupA[9][0], $GUI_CHECKED) ; -a l
         GUICtrlCreateGroup("", -99, -99, 1, 1) ; Close the group

         ; Create Group 2 for other switches on the right
         GUICtrlCreateGroup("Other Options", 300, 70, 290, 330)
         $iX = 310
         $iY = 90
         For $i = 0 To UBound($aGroupB) - 1
             $aGroupB[$i][0] = GUICtrlCreateCheckbox($aGroupB[$i][1] & " (" & $aGroupB[$i][2] & ")", $iX, $iY, 260, 20)
             $iY += 25
         Next

         ; Set default selections in (Group B)
         GUICtrlSetState($aGroupB[11][0], $GUI_CHECKED) ; * user profiles
         GUICtrlCreateGroup("", -99, -99, 1, 1) ; Close the group

         GUISetState(@SW_SHOW)

         Local $nMsg, $bNeedUpdate = True

         While 1
             $nMsg = GUIGetMsg()
             Switch $nMsg
                 Case $GUI_EVENT_CLOSE
                     ExitLoop

                 Case $aGroupA[0][0] ; Handle the "All" checkbox logic
                     If GUICtrlRead($aGroupA[0][0]) = $GUI_CHECKED Then
                         For $i = 1 To UBound($aGroupA) - 1
                             GUICtrlSetState($aGroupA[$i][0], $GUI_DISABLE)
                             GUICtrlSetState($aGroupA[$i][0], $GUI_UNCHECKED)
                         Next
                     Else
                         For $i = 1 To UBound($aGroupA) - 1
                             GUICtrlSetState($aGroupA[$i][0], $GUI_ENABLE)
                         Next
                     EndIf
                     $bNeedUpdate = True

                 Case $aGroupA[1][0] To $aGroupA[17][0] ; Handle other "-a" checkboxes
                     If GUICtrlRead($nMsg) = $GUI_CHECKED Then
                         GUICtrlSetState($aGroupA[0][0], $GUI_DISABLE)
                     Else
                         Local $bAnyChecked = False
                         For $i = 1 To UBound($aGroupA) - 1
                             If GUICtrlRead($aGroupA[$i][0]) = $GUI_CHECKED Then
                                 $bAnyChecked = True
                                 ExitLoop
                             EndIf
                         Next
                         If Not $bAnyChecked Then
                             GUICtrlSetState($aGroupA[0][0], $GUI_ENABLE)
                         EndIf
                     EndIf
                     $bNeedUpdate = True

                 Case $idOutFile
                     $bNeedUpdate = True

                 Case $idExecuteButton
                     Return GUICtrlRead($idInputbox)

                 Case $aGroupB[0][0] To $aGroupB[11][0]
                     $bNeedUpdate = True

             EndSwitch

             If $bNeedUpdate Then
                 Local $sCommand = ""
                 Local $sAGroupSwitches = ""

                 ; Build the string for "-a" switches
                 For $i = 0 To UBound($aGroupA) - 1
                     If GUICtrlRead($aGroupA[$i][0]) = $GUI_CHECKED Then
                         $sAGroupSwitches &= $aGroupA[$i][1]
                     EndIf
                 Next

                 ; Add the "-a" switch only once if any option is selected
                 If StringLen($sAGroupSwitches) > 0 Then $sCommand &= " -a " & $sAGroupSwitches

                 ; Add switches from Group B
                 For $i = 0 To UBound($aGroupB) - 1
                     If GUICtrlRead($aGroupB[$i][0]) = $GUI_CHECKED Then
                         $sCommand &= " " & $aGroupB[$i][1]
                     EndIf
                 Next

                 ; if Output file is checked
                 If GUICtrlRead($aGroupB[3][0]) = $GUI_CHECKED Then
                     GUICtrlSetState($idLblOutFile, $GUI_SHOW)
                     GUICtrlSetState($idOutFile, $GUI_SHOW)
                     Local $sOutFile = @ScriptDir & "\" & GUICtrlRead($idOutFile)
                     $sCommand = StringReplace($sCommand, "-o", '-o "' & $sOutFile & '"')

                     ; Set default selections in (Group B)
                     GUICtrlSetState($aGroupB[0][0], $GUI_ENABLE) ; -ct
                     GUICtrlSetState($aGroupB[1][0], $GUI_ENABLE) ; -c
                     GUICtrlSetState($aGroupB[2][0], $GUI_ENABLE) ; -x
                     GUICtrlSetState($aGroupB[4][0], $GUI_ENABLE) ; -h
                     GUICtrlSetState($aGroupB[6][0], $GUI_ENABLE) ; -t
                     GUICtrlSetState($aGroupB[7][0], $GUI_ENABLE) ; -s
                     GUICtrlSetState($aGroupB[8][0], $GUI_ENABLE) ; -u
                     GUICtrlSetState($aGroupB[9][0], $GUI_ENABLE) ; -vrs
                     GUICtrlSetState($aGroupB[10][0], $GUI_ENABLE) ; -nobanner
                 Else
                     GUICtrlSetState($idLblOutFile, $GUI_HIDE)
                     GUICtrlSetState($idOutFile, $GUI_HIDE)

                     ; Set default selections in (Group B)
                     GUICtrlSetState($aGroupB[0][0], $GUI_CHECKED) ; -ct
                     GUICtrlSetState($aGroupB[0][0], $GUI_DISABLE)
                     GUICtrlSetState($aGroupB[1][0], $GUI_UNCHECKED) ; -c
                     GUICtrlSetState($aGroupB[1][0], $GUI_DISABLE)
                     GUICtrlSetState($aGroupB[2][0], $GUI_UNCHECKED) ; -x
                     GUICtrlSetState($aGroupB[2][0], $GUI_DISABLE)
                     GUICtrlSetState($aGroupB[4][0], $GUI_UNCHECKED) ; -h
                     GUICtrlSetState($aGroupB[4][0], $GUI_DISABLE)
                     GUICtrlSetState($aGroupB[6][0], $GUI_CHECKED) ; -t
                     GUICtrlSetState($aGroupB[6][0], $GUI_DISABLE)
                     GUICtrlSetState($aGroupB[7][0], $GUI_UNCHECKED) ; -s
                     GUICtrlSetState($aGroupB[7][0], $GUI_DISABLE)
                     GUICtrlSetState($aGroupB[8][0], $GUI_UNCHECKED) ; -u
                     GUICtrlSetState($aGroupB[8][0], $GUI_DISABLE)
                     GUICtrlSetState($aGroupB[9][0], $GUI_UNCHECKED) ; -vrs
                     GUICtrlSetState($aGroupB[9][0], $GUI_DISABLE)
                     GUICtrlSetState($aGroupB[10][0], $GUI_CHECKED) ; -nobanner
                     GUICtrlSetState($aGroupB[10][0], $GUI_DISABLE)
                 EndIf

                 GUICtrlSetData($idInputbox, $sCommand)
                 $bNeedUpdate = False
             EndIf
         WEnd

         Exit
         ;Return SetError(1, 0, "")
     EndFunc   ;==>CreateCmdGUI
     ;---------------------------------------------------------------------------------------
     Func AutorunSnapshot($sCmdSwitches = '-a bl -t -ct -nobanner *') ; Extract Entries to array
         ; https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns

         ; Make sure autorunsc.exe is located in a subfolder named "Autoruns" in @ScriptDir
         Local Const $sAutorunscPath = @ScriptDir & "\Autoruns\autorunsc64.exe"

         ; Verify that autorunsc.exe exists.
         If Not FileExists($sAutorunscPath) Then Return SetError(1, 0, "! Error: The autorunsc.exe file was not found")

         ; Usage: autorunsc [-a <*|bdeghiklmoprsw>] [-c|-ct] [-h] [-m] [-s] [-u] [-vt] [-o <output file>] [[-z <systemroot> <userprofile>] | [user]]]
         ;   -a   Autostart entry selection:
         ;      *    All.
         ;      b    Boot execute.
         ;      c    Codecs.
         ;      d    Appinit DLLs.
         ;      e    Explorer addons.
         ;      g    Sidebar gadgets (Vista and higher)
         ;      h    Image hijacks.
         ;      i    Internet Explorer addons.
         ;      k    Known DLLs.
         ;      l    Logon startups (this is the default).
         ;      m    WMI entries.
         ;      n    Winsock protocol and network providers.
         ;      o    Office addins.
         ;      p    Printer monitor DLLs.
         ;      r    LSA security providers.
         ;      s    Autostart services and non-disabled drivers.
         ;      t    Scheduled tasks.
         ;      w    Winlogon entries.
         ;   -c     Print output as CSV.
         ;   -ct    Print output as tab-delimited values.
         ;   -h     Show file hashes.
         ;   -m     Hide Microsoft entries (signed entries if used with -s).
         ;   -o     Write output to the specified file.
         ;   -s     Verify digital signatures.
         ;   -t     Show timestamps in normalized UTC (YYYYMMDD-hhmmss).
         ;   -u     If VirusTotal check is enabled, show files that are unknown
         ;          by VirusTotal or have non-zero detection, otherwise show only
         ;          unsigned files.
         ;   -x     Print output as XML.
         ;   -v[rs] Query VirusTotal (www.virustotal.com) for malware based on file hash.
         ;          Add 'r' to open reports for files with non-zero detection. Files
         ;          reported as not previously scanned will be uploaded to VirusTotal
         ;          if the 's' option is specified. Note scan results may not be
         ;          available for five or more minutes.
         ;   -vt    Before using VirusTotal features, you must accept
         ;          VirusTotal terms of service. See: https://www.virustotal.com/en/about/terms-of-service/
         ;          If you haven't accepted the terms and you omit this
         ;          option, you will be interactively prompted.
         ;   -z     Specifies the offline Windows system to scan.
         ;   user   Specifies the name of the user account for which
         ;          autorun items will be shown. Specify '*' to scan
         ;          all user profiles.
         ;   -nobanner Do not display the startup banner and copyright message.

         ; Construct the command to run autorunsc.exe
         ; Local $sCommand = '"' & $sAutorunscPath & '" -a bl -m -t -ct -nobanner *'  <<- Default -<<
         Local $sCommand = '"' & $sAutorunscPath & '" ' & $sCmdSwitches ; $sCmdSwitches = '-a bl -t -ct -nobanner *'

         ; Run autorunsc.exe
         Local $iPID = Run($sCommand, "", @SW_HIDE, $STDOUT_CHILD)

         ; Wait until the process has closed
         ProcessWaitClose($iPID)

         ; Read the Stdout stream of the PID
         Local $sOutput = StdoutRead($iPID)

         ; Possible ANSI to UTF16 conversion
         $sOutput = BinaryToString(StringToBinary($sOutput, $SB_ANSI), $SB_UTF16LE) ; <<- important -<<
         ;ConsoleWrite("$sOutput=" & $sOutput & @CRLF)

         ; Use StringSplit to split the output of StdoutRead to an array.
         ; All carriage returns (@CR) are stripped and @LF is used as the delimiter.
         Local $aDataArray = StringSplit(StringTrimRight(StringStripCR($sOutput), 1), @LF)
         If @error Then Return SetError(2, 0, "! Error: It appears there was an error trying to get the STDOUT.")
         ;_ArrayDisplay($aDataArray)

         Local $aPart, $aData[UBound($aDataArray)][12], $idx = 0

         ; Skip 1st line with header
         For $i = 2 To UBound($aDataArray) - 1
             $aPart = StringSplit($aDataArray[$i], @TAB)
             If $aPart[0] = 11 Then
                 $idx += 1
                 $aData[$idx][0] = $idx
                 $aData[$idx][1] = $aPart[1]
                 $aData[$idx][2] = $aPart[2]
                 $aData[$idx][3] = $aPart[3]
                 $aData[$idx][4] = $aPart[4]
                 $aData[$idx][5] = $aPart[5]
                 $aData[$idx][6] = $aPart[6]
                 $aData[$idx][7] = $aPart[7]
                 $aData[$idx][8] = $aPart[8]
                 $aData[$idx][9] = $aPart[9]
                 $aData[$idx][10] = $aPart[10]
                 $aData[$idx][11] = $aPart[11]
             EndIf
         Next
         ;_ArrayDisplay($aData)

         ReDim $aData[$idx + 1][12]
         $aData[0][0] = $idx
         $aData[0][1] = "Time"
         $aData[0][2] = "EntryLocation"
         $aData[0][3] = "Entry"
         $aData[0][4] = "Enabled"
         $aData[0][5] = "Category"
         $aData[0][6] = "Profile"
         $aData[0][7] = "Description"
         $aData[0][8] = "Company"
         $aData[0][9] = "ImagePath"
         $aData[0][10] = "Version"
         $aData[0][11] = "LaunchString"

         Return $aData
     EndFunc   ;==>AutorunSnapshot
     ;---------------------------------------------------------------------------------------
     Func DisplayGUI($aItems, $sTitle = "") ; Optional GUI to Display the extracted Entries
         ; Create GUI
         GUICreate($sTitle, 1600, 600)
         Local $idListview = GUICtrlCreateListView("", 2, 2, 1600, 600, -1, BitOR($LVS_EX_FULLROWSELECT, $LVS_EX_CHECKBOXES))
         GUISetState(@SW_SHOW)

         ; ["idx", "Time", "EntryLocation", "Entry", "Enabled", "Category", "Profile", "Description", "Company", "ImagePath", "Version", "LaunchString"]

         ; Add columns
         _GUICtrlListView_AddColumn($idListview, "idx", 30)
         _GUICtrlListView_AddColumn($idListview, "Time", 100)
         _GUICtrlListView_AddColumn($idListview, "EntryLocation", 450)
         _GUICtrlListView_AddColumn($idListview, "Entry", 150)
         _GUICtrlListView_AddColumn($idListview, "Enabled", 60)
         _GUICtrlListView_AddColumn($idListview, "Category", 60)
         _GUICtrlListView_AddColumn($idListview, "Profile", 60)
         _GUICtrlListView_AddColumn($idListview, "Description", 100)
         _GUICtrlListView_AddColumn($idListview, "Company", 100)
         _GUICtrlListView_AddColumn($idListview, "ImagePath", 300)
         _GUICtrlListView_AddColumn($idListview, "Version", 40)
         _GUICtrlListView_AddColumn($idListview, "LaunchString", 300)

         _GUICtrlListView_SetItemCount($idListview, $aItems[0][0])

         ; remove $aItems header
         _ArrayDelete($aItems, 0)

         _GUICtrlListView_AddArray($idListview, $aItems)

         Do
         Until GUIGetMsg() = $GUI_EVENT_CLOSE

         GUIDelete()
     EndFunc   ;==>DisplayGUI
     ;---------------------------------------------------------------------------------------
     ```

     Please, every comment is appreciated! Leave your comments and experiences here! Thank you very much.
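
Added example, not part of the post above or of ioa747's script: a defensive use of the array that `AutorunSnapshot()` returns is to compare a saved baseline against a later scan and list only the entries that are new. `_AutorunKey`, `_AutorunDiff` and the two sample snapshots are hypothetical and constructed for illustration; the column positions are the ones the script's header row defines.

```autoit
; Added example (not from the original script). Entries are matched on
; EntryLocation, Entry, ImagePath and LaunchString (columns 2, 3, 9, 11),
; lower-cased because registry names and Windows paths are case-insensitive.
Func _AutorunKey(ByRef $aSnap, $iRow)
    Return StringLower($aSnap[$iRow][2] & "|" & $aSnap[$iRow][3] & "|" & _
            $aSnap[$iRow][9] & "|" & $aSnap[$iRow][11])
EndFunc   ;==>_AutorunKey

; Returns the rows of $aCurrent that are absent from $aBaseline, in the same
; layout AutorunSnapshot() uses: row 0 is the header and [0][0] is the count.
Func _AutorunDiff(ByRef $aBaseline, ByRef $aCurrent)
    Local $oSeen = ObjCreate("Scripting.Dictionary"), $sKey
    For $i = 1 To $aBaseline[0][0]
        $sKey = _AutorunKey($aBaseline, $i)
        If Not $oSeen.Exists($sKey) Then $oSeen.Add($sKey, 1)
    Next
    Local $iMax = $aCurrent[0][0], $iNew = 0
    Local $aNew[$iMax + 1][12]
    For $c = 1 To 11 ; keep the column names from the current snapshot
        $aNew[0][$c] = $aCurrent[0][$c]
    Next
    For $i = 1 To $iMax
        If $oSeen.Exists(_AutorunKey($aCurrent, $i)) Then ContinueLoop
        $iNew += 1
        $aNew[$iNew][0] = $iNew
        For $c = 1 To 11
            $aNew[$iNew][$c] = $aCurrent[$i][$c]
        Next
    Next
    ReDim $aNew[$iNew + 1][12]
    $aNew[0][0] = $iNew
    Return $aNew
EndFunc   ;==>_AutorunDiff

; Constructed sample snapshots (not real scan output); header names left empty.
Local $sRun = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Local $aBase[2][12] = [[1], [1, "20250101-000000", $sRun, "ExampleUpdater", "enabled", "Logon", _
        "System-wide", "", "Example Corp", "c:\example\updater.exe", "1.0", "c:\example\updater.exe /bg"]]
Local $aCur[3][12] = [[2], [1, "20250101-000000", $sRun, "ExampleUpdater", "enabled", "Logon", _
        "System-wide", "", "Example Corp", "c:\example\updater.exe", "1.0", "c:\example\updater.exe /bg"], _
        [2, "20250810-101500", $sRun, "helper", "enabled", "Logon", _
        "System-wide", "", "", "c:\users\public\helper.exe", "", "c:\users\public\helper.exe"]]

Local $aNew = _AutorunDiff($aBase, $aCur)
ConsoleWrite("New autorun entries: " & $aNew[0][0] & @CRLF)
For $i = 1 To $aNew[0][0]
    ConsoleWrite($aNew[$i][2] & " | " & $aNew[$i][3] & " | " & $aNew[$i][11] & @CRLF)
Next
```

With real data, pass two arrays returned by `AutorunSnapshot()` for the same switch set; the returned array can go straight to `DisplayGUI()`.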
  2. Any command that is placed in the key below ("pause" in the example) is executed normally in a manually opened console, but it does not execute in a console opened by a script in Autoit, through the command: Run ( @ComSpec & " /c ..." ). Does anyone have any idea how to solve it? I've already tried using the key "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Command Processor\Autorun" as well and there is no key "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Command Processor\Autorun".

     ```
     Windows Registry Editor Version 5.00

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor]
     "Autorun"="pause"
     ```