
Auto(it)Runs

This script utilizes the sysinternals autorunsc command-line tool to scan and analyze autorun entries on a Windows system.
https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns

The script's primary function is to extract the information from the autorunsc.exe scan results into AutoIt,
where it can be used for various purposes, such as understanding system startup behavior.
It uses the $STDOUT stream rather than the -c switch (print output as CSV), so that you don't have to export the data to disk every time.

I explored it experimentally, and these are the results.

; https://www.autoitscript.com/forum/topic/213070-autoitruns/
;----------------------------------------------------------------------------------------
; Title...........: Auto(it)Runs.au3
; Description.....: This script utilizes the sysinternals `autorunsc` command-line tool
;                   to scan and analyze autorun entries on a Windows system.
;                   The script's primary function is to extract information from the autorun scan results,
;                   which can be used for various purposes and understanding system startup behavior.
; AutoIt Version..: 3.3.16.1   Author: ioa747  Script Version: 0.9
; Note............: Tested in Win10 22H2       Date:10/08/2025
;----------------------------------------------------------------------------------------
#AutoIt3Wrapper_Au3Check_Parameters=-d -w 1 -w 2 -w 3 -w 4 -w 5 -w 6 -w 7
#RequireAdmin
#include <GUIConstantsEx.au3>
#include <EditConstants.au3>
#include <StaticConstants.au3>
#include <WindowsConstants.au3>
#include <AutoItConstants.au3>
#include <StringConstants.au3>
#include <ListViewConstants.au3>
#include <GuiListView.au3>
#include <Array.au3> ; _ArrayDelete (DisplayGUI)

Example()

;---------------------------------------------------------------------------------------
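Func Example()
    ; Builds the autorunsc command line with the GUI, takes the snapshot and either shows
    ; the entries in a ListView or, when the output was redirected with -o, opens that file.
    ; Returns nothing.
    Local $sCMD = CreateCmdGUI()
    ConsoleWrite("$sCMD=" & $sCMD & @CRLF)

    Local $aEntries = AutorunSnapshot($sCMD)
    If @error Then
        ConsoleWrite("! @error:" & @error & " " & $aEntries & @CRLF)
        ; With -o autorunsc writes to the file and STDOUT stays empty, which AutorunSnapshot()
        ; reports as an error; in that case open the file the user asked for instead.
        ; ShellExecute uses the file-type association, and this script runs elevated
        ; (#RequireAdmin), so only the path taken from the generated command is opened.
        Local $sOutFile = _OutputFileFromCmd($sCMD)
        If $sOutFile <> "" Then ShellExecute($sOutFile)
    Else
        DisplayGUI($aEntries, "Autorun Entries")
    EndIf
EndFunc   ;==>Example

; Returns the quoted path that follows the -o switch in $sCMD, or "" when there is none
; (or the closing quote is missing). Positions are 1-based, so 0 means "not found".
Func _OutputFileFromCmd($sCMD)
    Local $iPos = StringInStr($sCMD, '-o "')
    If $iPos = 0 Then Return ""
    Local $sRest = StringTrimLeft($sCMD, $iPos + 3) ; text after the opening quote
    Local $iEnd = StringInStr($sRest, '"')
    If $iEnd = 0 Then Return "" ; unterminated quote: nothing safe to open
    Return StringLeft($sRest, $iEnd - 1)
EndFunc   ;==>_OutputFileFromCmd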
;---------------------------------------------------------------------------------------
Func CreateCmdGUI()  ; Optional GUI to build the autorunsc cmdline
    ; Shows a checkbox form for the autorunsc switches and keeps the generated command line
    ; in a read-only input box. Returns that command line (a string of switches beginning
    ; with a space) when "Execute" is pressed. Closing the window calls Exit and terminates
    ; the script instead of returning; the commented SetError() return at the bottom shows
    ; the alternative of reporting a cancel to the caller.

    ; Switches for the "-a" group (Group A): [control id (filled in below), switch letter, label]
    Local $aGroupA[18][3] = [ _
            [0, "*", "All"], [0, "b", "Boot execute"], [0, "c", "Codecs"], _
            [0, "d", "Appinit DLLs"], [0, "e", "Explorer addons"], [0, "g", "Sidebar gadgets"], _
            [0, "h", "Image hijacks"], [0, "i", "Internet Explorer addons"], [0, "k", "Known DLLs"], _
            [0, "l", "Logon startups (default)"], [0, "m", "WMI entries"], [0, "n", "Winsock protocol"], _
            [0, "o", "Office addins"], [0, "p", "Printer monitor DLLs"], [0, "r", "LSA security providers"], _
            [0, "s", "Services & non-disabled drivers"], [0, "t", "Scheduled tasks"], [0, "w", "Winlogon entries"] _
            ]

    ; Switches for other parameters (Group B): [control id (filled in below), switch text, label]
    ; Index 3 (-o) and index 11 (*) are referenced by position further down.
    Local $aGroupB[12][3] = [ _
            [0, "-ct", "Print as tab-delimited"], [0, "-c", "Print as CSV"], [0, "-x", "Print output as XML"], _
            [0, "-o", "Write output to the file."], [0, "-h", "Show file hashes."], [0, "-m", "Hide Microsoft entries"], _
            [0, "-t", "Show timestamps in normalized UTC."], [0, "-s", "Verify digital signatures"], _
            [0, "-u", "Show unsigned/unknown files"], [0, "-vrs", "VirusTotal check & upload"], _
            [0, "-nobanner", "Do not show startup banner"], [0, "*", "Scan all user profiles"] _
            ]

    ; Create the Autorunsc GUI
    GUICreate("Autorunsc GUI", 600, 560)
    GUISetFont(9, 400, 0, "Tahoma")

    ; Create the input box for the command (disabled: it only mirrors the generated string)
    GUICtrlCreateLabel("Generated Command:", 10, 10, 200, 20)
    Local $idInputbox = GUICtrlCreateInput("", 10, 30, 580, 25, $ES_AUTOHSCROLL)
    GUICtrlSetState($idInputbox, $GUI_DISABLE)

    ; Create the input box for the output file (only shown while -o is checked)
    Local $idLblOutFile = GUICtrlCreateLabel("Output file:", 310, 420, 200, 20)
    GUICtrlSetState(-1, $GUI_HIDE)
    Local $idOutFile = GUICtrlCreateInput("output.txt", 310, 440, 260, 20)
    GUICtrlSetState(-1, $GUI_HIDE)

    Local $idExecuteButton = GUICtrlCreateButton("Execute", 420, 500, 140, 25)

    ; Create Group 1 for "-a" switches on the left
    GUICtrlCreateGroup("Autostart Entry Selection (-a)", 10, 70, 280, 480)
    Local $iX = 20, $iY = 90
    For $i = 0 To UBound($aGroupA) - 1
        $aGroupA[$i][0] = GUICtrlCreateCheckbox($aGroupA[$i][1] & " (" & $aGroupA[$i][2] & ")", $iX, $iY, 260, 20)
        $iY += 25
    Next
    ; Set default selections in (Group A)
    GUICtrlSetState($aGroupA[1][0], $GUI_CHECKED)  ; -a b
    GUICtrlSetState($aGroupA[9][0], $GUI_CHECKED)  ; -a l
    GUICtrlCreateGroup("", -99, -99, 1, 1) ; Close the group

    ; Create Group 2 for other switches on the right
    GUICtrlCreateGroup("Other Options", 300, 70, 290, 330)
    $iX = 310
    $iY = 90
    For $i = 0 To UBound($aGroupB) - 1
        $aGroupB[$i][0] = GUICtrlCreateCheckbox($aGroupB[$i][1] & " (" & $aGroupB[$i][2] & ")", $iX, $iY, 260, 20)
        $iY += 25
    Next
    ; Set default selections in (Group B)
    GUICtrlSetState($aGroupB[11][0], $GUI_CHECKED) ; * user profiles
    GUICtrlCreateGroup("", -99, -99, 1, 1) ; Close the group
    GUISetState(@SW_SHOW)

    ; $bNeedUpdate starts True so the command string is built once before any click
    Local $nMsg, $bNeedUpdate = True

    While 1
        $nMsg = GUIGetMsg()
        Switch $nMsg
            Case $GUI_EVENT_CLOSE
                ExitLoop

            Case $aGroupA[0][0]
                ; Handle the "All" checkbox logic: "*" and the single letters are mutually exclusive
                If GUICtrlRead($aGroupA[0][0]) = $GUI_CHECKED Then
                    For $i = 1 To UBound($aGroupA) - 1
                        GUICtrlSetState($aGroupA[$i][0], $GUI_DISABLE)
                        GUICtrlSetState($aGroupA[$i][0], $GUI_UNCHECKED)
                    Next
                Else
                    For $i = 1 To UBound($aGroupA) - 1
                        GUICtrlSetState($aGroupA[$i][0], $GUI_ENABLE)
                    Next
                EndIf
                $bNeedUpdate = True

            ; Range match assumes the checkbox ids are consecutive, which they are because the
            ; controls were created back-to-back in the loop above.
            Case $aGroupA[1][0] To $aGroupA[17][0]
                ; Handle other "-a" checkboxes: any letter checked disables "All"
                If GUICtrlRead($nMsg) = $GUI_CHECKED Then
                    GUICtrlSetState($aGroupA[0][0], $GUI_DISABLE)
                Else
                    Local $bAnyChecked = False
                    For $i = 1 To UBound($aGroupA) - 1
                        If GUICtrlRead($aGroupA[$i][0]) = $GUI_CHECKED Then
                            $bAnyChecked = True
                            ExitLoop
                        EndIf
                    Next
                    If Not $bAnyChecked Then
                        GUICtrlSetState($aGroupA[0][0], $GUI_ENABLE)
                    EndIf
                EndIf
                $bNeedUpdate = True

            Case $idOutFile
                $bNeedUpdate = True

            Case $idExecuteButton
                Return GUICtrlRead($idInputbox)

            ; Same consecutive-id assumption as for Group A
            Case $aGroupB[0][0] To $aGroupB[11][0]
                $bNeedUpdate = True
        EndSwitch

        If $bNeedUpdate Then
            Local $sCommand = ""
            Local $sAGroupSwitches = ""

            ; Build the string for "-a" switches
            For $i = 0 To UBound($aGroupA) - 1
                If GUICtrlRead($aGroupA[$i][0]) = $GUI_CHECKED Then
                    $sAGroupSwitches &= $aGroupA[$i][1]
                EndIf
            Next

            ; Add the "-a" switch only once if any option is selected
            If StringLen($sAGroupSwitches) > 0 Then $sCommand &= " -a " & $sAGroupSwitches

            ; Add switches from Group B
            For $i = 0 To UBound($aGroupB) - 1
                If GUICtrlRead($aGroupB[$i][0]) = $GUI_CHECKED Then
                    $sCommand &= " " & $aGroupB[$i][1]
                EndIf
            Next

            ; if Output file is checked
            If GUICtrlRead($aGroupB[3][0]) = $GUI_CHECKED Then
                GUICtrlSetState($idLblOutFile, $GUI_SHOW)
                GUICtrlSetState($idOutFile, $GUI_SHOW)
                ; NOTE(review): the typed name is appended to @ScriptDir without validation;
                ; the elevated autorunsc process writes wherever the resulting path resolves.
                Local $sOutFile = @ScriptDir & "\" & GUICtrlRead($idOutFile)
                ; Replaces every "-o" in the command; safe while no other Group B switch text contains "-o"
                $sCommand = StringReplace($sCommand, "-o", '-o "' & $sOutFile & '"')

                ; With -o the user may pick any format/detail switch, so re-enable them
                GUICtrlSetState($aGroupB[0][0], $GUI_ENABLE)  ; -ct
                GUICtrlSetState($aGroupB[1][0], $GUI_ENABLE)  ; -c
                GUICtrlSetState($aGroupB[2][0], $GUI_ENABLE)  ; -x
                GUICtrlSetState($aGroupB[4][0], $GUI_ENABLE)  ; -h
                GUICtrlSetState($aGroupB[6][0], $GUI_ENABLE)  ; -t
                GUICtrlSetState($aGroupB[7][0], $GUI_ENABLE)  ; -s
                GUICtrlSetState($aGroupB[8][0], $GUI_ENABLE)  ; -u
                GUICtrlSetState($aGroupB[9][0], $GUI_ENABLE)  ; -vrs
                GUICtrlSetState($aGroupB[10][0], $GUI_ENABLE) ; -nobanner

            Else
                GUICtrlSetState($idLblOutFile, $GUI_HIDE)
                GUICtrlSetState($idOutFile, $GUI_HIDE)

                ; Without -o the output goes to STDOUT and must match what AutorunSnapshot()
                ; parses, so force -ct/-t/-nobanner on and the other format switches off.
                GUICtrlSetState($aGroupB[0][0], $GUI_CHECKED)   ; -ct
                GUICtrlSetState($aGroupB[0][0], $GUI_DISABLE)
                GUICtrlSetState($aGroupB[1][0], $GUI_UNCHECKED) ; -c
                GUICtrlSetState($aGroupB[1][0], $GUI_DISABLE)
                GUICtrlSetState($aGroupB[2][0], $GUI_UNCHECKED) ; -x
                GUICtrlSetState($aGroupB[2][0], $GUI_DISABLE)
                GUICtrlSetState($aGroupB[4][0], $GUI_UNCHECKED) ; -h
                GUICtrlSetState($aGroupB[4][0], $GUI_DISABLE)
                GUICtrlSetState($aGroupB[6][0], $GUI_CHECKED)   ; -t
                GUICtrlSetState($aGroupB[6][0], $GUI_DISABLE)
                GUICtrlSetState($aGroupB[7][0], $GUI_UNCHECKED) ; -s
                GUICtrlSetState($aGroupB[7][0], $GUI_DISABLE)
                GUICtrlSetState($aGroupB[8][0], $GUI_UNCHECKED) ; -u
                GUICtrlSetState($aGroupB[8][0], $GUI_DISABLE)
                GUICtrlSetState($aGroupB[9][0], $GUI_UNCHECKED) ; -vrs
                GUICtrlSetState($aGroupB[9][0], $GUI_DISABLE)
                GUICtrlSetState($aGroupB[10][0], $GUI_CHECKED)  ; -nobanner
                GUICtrlSetState($aGroupB[10][0], $GUI_DISABLE)
            EndIf

            GUICtrlSetData($idInputbox, $sCommand)
            $bNeedUpdate = False
        EndIf
    WEnd
    ; Window closed: terminate the whole script rather than return to the caller
    Exit
    ;Return SetError(1, 0, "")
EndFunc   ;==>CreateCmdGUI
;---------------------------------------------------------------------------------------
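Func AutorunSnapshot($sCmdSwitches = '-a bl -t -ct -nobanner *') ; Extract Entries to array
    ; Runs Sysinternals autorunsc and parses its tab-delimited STDOUT into a 2D array.
    ; https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    ;
    ; $sCmdSwitches - switches appended verbatim to the autorunsc command line. The parser
    ;                 below expects the 11-column layout produced by "-ct" together with "-t";
    ;                 switches that change the column set (e.g. -h, -s, -vrs), the format
    ;                 (-c, -x) or redirect the output (-o) yield no usable rows. Run() hands
    ;                 the string to the process directly (no cmd.exe), so there is no shell
    ;                 expansion, but the switches are not validated here either.
    ; Returns:  2D array [n+1][12]; row 0 = [row count, column names...], rows 1..n = entries.
    ;           On failure returns an error message string with @error set:
    ;             1 = autorunsc64.exe not found, 2 = no parsable STDOUT, 3 = Run() failed.
    ;
    ; Make sure autorunsc64.exe is located in a subfolder named "Autoruns" in @ScriptDir
    Local Const $sAutorunscPath = @ScriptDir & "\Autoruns\autorunsc64.exe"

    ; Verify that autorunsc64.exe exists. NOTE(review): only presence is checked; the script
    ; runs elevated (#RequireAdmin) from a user-writable folder, so consider verifying the
    ; binary's publisher signature before trusting what it reports.
    If Not FileExists($sAutorunscPath) Then Return SetError(1, 0, "! Error: The autorunsc64.exe file was not found")

    ;   Usage: autorunsc [-a <*|bdeghiklmoprsw>] [-c|-ct] [-h] [-m] [-s] [-u] [-vt] [-o <output file>] [[-z <systemroot> <userprofile>] | [user]]]
    ;   -a   Autostart entry selection:
    ;      *    All.
    ;      b    Boot execute.
    ;      c    Codecs.
    ;      d    Appinit DLLs.
    ;      e    Explorer addons.
    ;      g    Sidebar gadgets (Vista and higher)
    ;      h    Image hijacks.
    ;      i    Internet Explorer addons.
    ;      k    Known DLLs.
    ;      l    Logon startups (this is the default).
    ;      m    WMI entries.
    ;      n    Winsock protocol and network providers.
    ;      o    Office addins.
    ;      p    Printer monitor DLLs.
    ;      r    LSA security providers.
    ;      s    Autostart services and non-disabled drivers.
    ;      t    Scheduled tasks.
    ;      w    Winlogon entries.
    ;   -c     Print output as CSV.
    ;   -ct    Print output as tab-delimited values.
    ;   -h     Show file hashes.
    ;   -m     Hide Microsoft entries (signed entries if used with -s).
    ;   -o     Write output to the specified file.
    ;   -s     Verify digital signatures.
    ;   -t     Show timestamps in normalized UTC (YYYYMMDD-hhmmss).
    ;   -u     If VirusTotal check is enabled, show files that are unknown
    ;          by VirusTotal or have non-zero detection, otherwise show only
    ;          unsigned files.
    ;   -x     Print output as XML.
    ;   -v[rs] Query VirusTotal (www.virustotal.com) for malware based on file hash.
    ;          Add 'r' to open reports for files with non-zero detection. Files
    ;          reported as not previously scanned will be uploaded to VirusTotal
    ;          if the 's' option is specified. Note scan results may not be
    ;          available for five or more minutes.
    ;   -vt    Before using VirusTotal features, you must accept
    ;          VirusTotal terms of service. See: https://www.virustotal.com/en/about/terms-of-service/
    ;          If you haven't accepted the terms and you omit this
    ;          option, you will be interactively prompted.
    ;   -z     Specifies the offline Windows system to scan.
    ;   user   Specifies the name of the user account for which
    ;          autorun items will be shown. Specify '*' to scan
    ;          all user profiles.
    ;   -nobanner   Do not display the startup banner and copyright message.

    ; Construct the command to run autorunsc.exe
    ; Local $sCommand = '"' & $sAutorunscPath & '" -a bl -m -t -ct -nobanner *'  <<- Default -<<
    Local $sCommand = '"' & $sAutorunscPath & '" ' & $sCmdSwitches ; e.g. '-a bl -t -ct -nobanner *'

    ; Run autorunsc.exe with STDOUT captured
    Local $iPID = Run($sCommand, "", @SW_HIDE, $STDOUT_CHILD)
    If @error Or $iPID = 0 Then Return SetError(3, 0, "! Error: Could not start autorunsc64.exe")

    ; Drain STDOUT while the process is running. Reading only after ProcessWaitClose() can
    ; deadlock when the child fills the pipe buffer before it exits (large entry lists).
    Local $sOutput = "", $sChunk
    While 1
        $sChunk = StdoutRead($iPID)
        If @error Then ExitLoop ; stream closed: child has exited and the pipe is drained
        If $sChunk <> "" Then $sOutput &= $sChunk
        Sleep(10)
    WEnd
    ProcessWaitClose($iPID)

    ; autorunsc writes its -ct output as UTF-16LE, but StdoutRead delivered the raw bytes as
    ; ANSI characters; rebuild the byte string and decode it as UTF-16LE.
    ; Chunks are concatenated before decoding, so read boundaries cannot split a code unit.
    $sOutput = BinaryToString(StringToBinary($sOutput, $SB_ANSI), $SB_UTF16LE) ; <<- important -<<
    ;ConsoleWrite("$sOutput=" & $sOutput & @CRLF)

    ; Strip every @CR, drop the trailing @LF and split into lines. StringSplit sets @error when
    ; the delimiter is absent - which is also what happens when -o sent the output to a file.
    Local $aDataArray = StringSplit(StringTrimRight(StringStripCR($sOutput), 1), @LF)
    If @error Then Return SetError(2, 0, "! Error: It appears there was an error trying to get the STDOUT.")

    ;_ArrayDisplay($aDataArray)

    ; Fields of one -ct/-t line, in output order; column 0 of the result holds the row index
    Local Const $iColumns = 11
    Local $aHeader[$iColumns] = ["Time", "EntryLocation", "Entry", "Enabled", "Category", "Profile", _
            "Description", "Company", "ImagePath", "Version", "LaunchString"]
    Local $aPart, $aData[UBound($aDataArray)][$iColumns + 1], $idx = 0

    ; Element 1 is the column header line, so start at 2. Lines with a different field count
    ; (other switch sets, or a field containing a tab) are skipped silently.
    For $i = 2 To UBound($aDataArray) - 1
        $aPart = StringSplit($aDataArray[$i], @TAB)
        If $aPart[0] = $iColumns Then
            $idx += 1
            $aData[$idx][0] = $idx
            For $j = 1 To $iColumns
                $aData[$idx][$j] = $aPart[$j]
            Next
        EndIf
    Next
    ;_ArrayDisplay($aData)

    ; Shrink to the rows actually filled; row 0 carries the count and the column names
    ReDim $aData[$idx + 1][$iColumns + 1]
    $aData[0][0] = $idx
    For $j = 1 To $iColumns
        $aData[0][$j] = $aHeader[$j - 1]
    Next
    Return $aData
EndFunc   ;==>AutorunSnapshot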
;---------------------------------------------------------------------------------------
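Func DisplayGUI($aItems, $sTitle = "") ; Optional GUI to Display the extracted Entries
    ; Shows the array returned by AutorunSnapshot() in a full-row-select ListView and blocks
    ; until the window is closed.
    ; $aItems - 2D array: [0][0] = row count, [0][1..11] = column names, rows 1..n = entries.
    ;           Arrays are passed by value, so dropping the header row below does not touch
    ;           the caller's copy.
    ; $sTitle - window caption.
    ; Returns 0; sets @error = 1 when $aItems is not a 2D array.
    If Not IsArray($aItems) Or UBound($aItems, $UBOUND_DIMENSIONS) <> 2 Then Return SetError(1, 0, 0)

    ; Create GUI
    GUICreate($sTitle, 1600, 600)
    Local $idListview = GUICtrlCreateListView("", 2, 2, 1600, 600, -1, BitOR($LVS_EX_FULLROWSELECT, $LVS_EX_CHECKBOXES))
    GUISetState(@SW_SHOW)

    ; Column captions (same order as the AutorunSnapshot header row) and their pixel widths
    Local $aColumns[12][2] = [["idx", 30], ["Time", 100], ["EntryLocation", 450], ["Entry", 150], _
            ["Enabled", 60], ["Category", 60], ["Profile", 60], ["Description", 100], _
            ["Company", 100], ["ImagePath", 300], ["Version", 40], ["LaunchString", 300]]
    For $i = 0 To UBound($aColumns) - 1
        _GUICtrlListView_AddColumn($idListview, $aColumns[$i][0], $aColumns[$i][1])
    Next

    Local $iCount = $aItems[0][0]
    _GUICtrlListView_SetItemCount($idListview, $iCount)

    ; Drop the header row before loading the entries. With no entries there is nothing to
    ; add, and deleting the only row would leave an empty array.
    If $iCount > 0 Then
        _ArrayDelete($aItems, 0) ; Array.au3
        _GUICtrlListView_AddArray($idListview, $aItems)
    EndIf

    Do
    Until GUIGetMsg() = $GUI_EVENT_CLOSE
    GUIDelete()
EndFunc   ;==>DisplayGUI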
;---------------------------------------------------------------------------------------

 

Every comment is appreciated!
Please leave your comments and experiences here!
Thank you very much  :)

Edited by ioa747
Version: 0.9

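Func Example()
    ; Variant of Example() that skips the command GUI and logs the snapshot to a file.
    ; Needs Array.au3 (_ArrayToString) and Date.au3 (_NowCalc) in addition to the script's includes.
;~     Local $sCMD = CreateCmdGUI()
    Local $sCMD = "-a blt -ct -t -nobanner *"
    ConsoleWrite("$sCMD=" & $sCMD & @CRLF)

    Local $aEntries = AutorunSnapshot($sCMD)
    If @error Then
        ConsoleWrite("! @error:" & @error & " " & $aEntries & @CRLF)
        ; When -o redirected the output to a file, open that file instead (STDOUT was empty).
        Local $iPos = StringInStr($sCMD, '-o "') ; 1-based position; 0 = switch not present
        If $iPos > 0 Then
            Local $sRest = StringTrimLeft($sCMD, $iPos + 3) ; text after the opening quote
            Local $iEnd = StringInStr($sRest, '"')
            If $iEnd > 0 Then ShellExecute(StringLeft($sRest, $iEnd - 1))
        EndIf
    Else
        Local $sArray = _ArrayToString($aEntries)
        ; _NowCalc() gives "YYYY/MM/DD HH:MM:SS"; make it file-name safe -> "YYYY.MM.DD_HH.MM.SS"
        Local $sTimestampLog = StringReplace(StringReplace(StringReplace(_NowCalc(), "/", "."), " ", "_"), ":", ".")
        ConsoleWrite($sArray & @CRLF)
        ; @ScriptName minus "au3" keeps its trailing dot, giving "<name>.<timestamp>.log" next to the script
        Local $sLogPath = @ScriptDir & "\" & StringTrimRight(@ScriptName, 3) & $sTimestampLog & ".log"
        If Not FileWrite($sLogPath, $sArray) Then ConsoleWrite("! Error: could not write " & $sLogPath & @CRLF)
;~         DisplayGUI($aEntries, "Autorun Entriesz")
    EndIf
EndFunc   ;==>Example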

... I'll be logging the outputs to compare them.

Me, like it. Thanks :) 


Posted

It also looks nice to me. Thanks for the effort :)

