ShellSpells
  • 🧙‍♂️Welcome!
    • ShellSpells
    • FAQs
    • License & Disclaimer
  • 🐧Linux
    • System Ops
      • Transcripts
      • Help
      • System Info
        • Date/Time
        • System Details
        • Patches & Updates
        • Init System Identification
        • Hostname / Host ID
        • Variables
        • Hardware & Resources
      • Filesystem
        • Traverse & Enumerate
        • Drives & Partitions
        • Shares
        • Packages
        • Connected Devices
        • Kernel Modules (Drivers)
      • Users & Groups
        • Enumerate
        • Modify
      • Network
        • Enumerate
        • Modify
      • Scheduled Jobs
        • Enumerate
        • Modify
      • Processes
        • Enumerate
        • Modify
        • Custom Script and Shared Object
        • Process I/O Redirection
      • Services
        • Enumerate
        • Modify
        • Create a Service
      • Startup/Boot Scripts
        • Enumerate
        • Modify
      • Security
        • Antivirus
        • Firewall
        • SSH Keys
      • History & Logs
        • History
        • Logs
    • File Ops
      • Search
        • Filename
        • Content
        • Users (Owners)
        • Time
        • Size
        • Permission
        • Hidden Files
        • Inode
        • Find + Exec
        • Notes
      • Enumerate Metadata
      • Modify Metadata
      • Read Content
      • Modify Content
      • Extract Content
      • Sort / Compare / Count
      • Move
      • Copy
      • Execute
      • Hash
      • Encode/Decode
      • Compress/Decompress
      • Working With Weird Filenames
    • Terminal Ops
      • Keyboard Shortcuts
      • Tmux Shortcuts
  • 🪟Windows
    • System Ops
      • Transcripts
      • Help
      • System Info
        • One-liners
        • Date/Time
        • System Details
        • Hotfixes
        • Domain or Workgroup
        • Data Execution Prevention
        • Variables
        • Hardware & Resources
      • Filesystem
        • Traverse & Enumerate
        • Drives & Partitions
        • Installed Software
        • Drivers
        • Shares
      • Registry
        • Enumerate
        • Modify
        • Forensically Relevant Keys
      • Users & Groups
        • Enumerate
        • Modify
      • Network
        • Enumerate
        • Modify
      • Scheduled Tasks
      • Processes
        • Enumerate
        • Modify
      • Services
        • Enumerate
        • Modify
      • Autorun / Startup
        • Enumerate
        • Modify
      • Security
        • Permissions
          • Enumerate
          • Page
        • Antivirus
        • Firewall
          • Enumerate
          • Modify
        • Audit Policies
        • Remoting
          • Enumerate
          • Modify
          • Registry Locations
        • Stored Credentials
      • Remote Command Execution
      • Active Directory
        • Enumerate
        • Modify
      • History & Logs
        • History
        • Logs
      • PowerShell Config
      • Scripting
      • WMIC Notes
    • File Ops
      • Search
        • Filename
        • Time
        • Size
        • Permissions
        • Attributes
        • Wildcarding
      • Enumerate Metadata
        • One Liners
        • Users (Owners)
        • Timestamps
        • Size
        • Permissions
        • Attributes
      • Modify Metadata
        • Change Owner
        • Timestamps
        • Size
        • Attributes
      • Read Content
      • Modify Content
        • Overwrite
        • Insert
        • Append
        • Replace / Remove
        • Convert Case
        • Alternate Data Streams
      • Extract Content
      • Sort / Compare / Count
        • Sort
        • Count
        • Compare
      • Move
      • Copy
      • Execute
      • Hash
      • Encode/Decode
      • Compress/Decompress
      • Working With Weird Filenames
      • Output Formatting / Filtering
      • File Formatting
      • Operators
  • ⛓️Network
    • Traffic Manipulation
      • iptables
        • Option List
        • General Commands
        • Filter Tables
        • NAT
        • Mangle
        • Filter for SSH Traffic (Example)
      • nftables
    • Packet Capture
      • Syntax
      • TCPDump Examples
    • Packet Analysis
      • Wireshark
  • 🚗Maneuver
    • SSH
    • Control Sockets
    • RDP
    • Windows Port Proxy
  • 🛩️Data Transfer
    • SCP
    • FTP
    • Netcat
      • Netcat Relays
    • Server Interactions
    • Alternate Methods
  • 🪄REGEX
    • Examples
Powered by GitBook
On this page
  • Scheduled Tasks
  • Registry
  • Startup Folder
  • Services
  • Registry Keys
  • Persistence Keys
  • Startup Folders
  • Sysinternals

Was this helpful?

  1. Windows
  2. System Ops
  3. Autorun / Startup

Modify

Scheduled Tasks

schtasks /create /sc <ScheduleType> /tn <TaskName> /tr <TaskRun>

Creates a scheduled task (CMD).

New-ScheduledTask -Action <Action> -Trigger <Trigger>

Creates a new scheduled task object (PowerShell).

Register-ScheduledTask -TaskName <TaskName> -InputObject <ScheduledTask>

Registers a scheduled task (PowerShell).

Registry

Adds an auto-start entry for the current user (CMD).

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v <ValueName> /d <ExecutablePath>

Adds an auto-start entry for all users (CMD).

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v <ValueName> /d <ExecutablePath>

Adds an auto-start entry for the current user (PowerShell).

Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name <ValueName> -Value <ExecutablePath>

Adds an auto-start entry for all users (PowerShell).

Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -Name <ValueName> -Value <ExecutablePath>

Startup Folder

Copies a file to the current user's startup folder (CMD).

copy <FilePath> "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\"

Copies a file to the current user's startup folder (PowerShell).

Copy-Item <FilePath> -Destination "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\"

Services

Creates a new service set to start automatically (CMD).

sc create <ServiceName> binPath= "<PathToExecutable>" start=auto

Creates a new service set to start automatically (PowerShell).

New-Service -Name <ServiceName> -BinaryPathName "<PathToExecutable>" -StartupType Automatic

Registry Keys

Registry Query:

reg query
get-itemproperty

Persistence Keys

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Programs in this key run automatically when the current user logs in.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Programs listed here run automatically for all users at system startup.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Commands or programs here run once at the next user login.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Commands or programs in this key run once at the next system startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Programs listed here are executed at system startup.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Programs listed here are executed at user login.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Entries such as 'Userinit' and 'Shell' can be modified to run custom scripts or applications during the logon process.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load

Specifies programs to load at user login.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load

Specifies programs to load at system startup.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

Specifies additional programs to run at user login.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run

Specifies additional programs to run at system startup.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

Hooks that can be used to execute code when certain actions occur.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Services listed here are started by the Service Control Manager. Malware can create or modify existing services.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Customization of user shell folders can be used for persistence.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Customization of shell folders at a system-wide level.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components

Components listed here are executed when a user logs in for the first time and when creating new user accounts.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

On 64-bit systems, this key is used to run 32-bit applications at system startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes*\ShellEx\ContextMenuHandlers

Context menu handlers can be used to execute code when certain file types are right-clicked.

HKEY_CURRENT_USER\Software\Classes*\ShellEx\ContextMenuHandlers

Context menu handlers for specific file types under the current user profile.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKU<SID>\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\BCD00000000

HKLM\SAM\SAMs

Startup Folders

Individual User Startup:

C:\Users<user name>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

All Users Statup:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

Are these locations the same across all Windows Versions? Need to research.

Sysinternals

autorunsc -accepteula

Start

autorunsc -a

(all) # ALWAYS CHECK BOOT EXECUTE

autorunsc -s

Services

autorunsc -t

Tasks

autorunsc -b

Boot execute

autorunsc -d

App init DLLs

PreviousEnumerateNextSecurity

Last updated 1 year ago

Was this helpful?

🪟