In previous diaries I talked about some of the most common startup locations in a Windows environment.
In this diary I will talk about some of the methods for enumerating these values from the registry.
Sysinternals Autoruns is the best tool available to enumerate the startup locations; it can locate almost every startup location in Windows. If you are a big fan of the command line or you need something scriptable, Autorunsc is the command line version of Autoruns. Autoruns can detect the startup locations for the current user and for any other user of the same system.
In addition, one of the most powerful features of Autoruns is the ability to analyze offline systems; this is very useful if you have a binary image of a compromised system.
Here is how to use it with an offline system:
1-Mount the image
2-File->Analyze Offline System..
3-Provide the System Root and the User Profile Path
In the forensics world we cannot depend on one tool only; in many cases we have to double check the result of one tool using a different tool.
In addition to the Windows built-in tools (RegEdit, the reg command, and PowerShell Get-ChildItem/Get-ItemProperty) there are some great tools for analyzing the registry, such as AccessData FTK Registry Viewer, Harlan Carvey's RegRipper, and TZWorks Yet Another Registry Utility (yaru).
One big advantage of yaru is the ability to recover deleted registry keys, which is very useful when someone is trying to hide their tracks.
Windows Management Instrumentation Command-line (WMIC) has its own way to retrieve the startup locations:
wmic startup list full
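As an added example that is not part of the original diary, the PowerShell script below pulls the Run and RunOnce values using only the built-in tools mentioned above (Get-ItemProperty and reg.exe), either from the live system for HKLM and every loaded user hive, or, following the same System Root / User Profile idea as the offline Autoruns workflow, from a mounted image by loading its SOFTWARE and NTUSER.DAT hives under temporary names. The mount path, the temporary hive names and the key list are assumptions.

```powershell
# Added example, not from the diary: list Run/RunOnce values from a live system,
# or from a mounted image by loading its SOFTWARE and NTUSER.DAT hives with reg.exe.
# Assumptions: the image is mounted at $ImageRoot (for example "E:\"), the temporary
# hive names are free, and the shell is elevated (reg.exe load/unload requires it).
param(
    [string]$ImageRoot = ""   # empty = live system
)
# Subkeys relative to a hive's "Software" root; extend with other locations as needed
$runSubKeys = @(
    'Microsoft\Windows\CurrentVersion\Run',
    'Microsoft\Windows\CurrentVersion\RunOnce'
)
function Get-RunValues {
    param([string]$SoftwareRoot, [string]$Source)
    foreach ($sub in $runSubKeys) {
        $key = Join-Path $SoftwareRoot $sub
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Drop the PS* metadata properties that Get-ItemProperty attaches
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            [pscustomobject]@{ Source = $Source; Key = $sub; Name = $p.Name; Command = $p.Value }
        }
    }
}
if ($ImageRoot -eq "") {
    # Live system: machine hive, then every loaded user hive (skip the *_Classes hives)
    Get-RunValues 'HKLM:\SOFTWARE' 'HKLM'
    Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            Get-RunValues ('Registry::HKEY_USERS\' + $_.PSChildName + '\Software') ('HKU\' + $_.PSChildName)
        }
} else {
    # Offline image: load each hive under a temporary name, query it, unload it
    reg.exe load 'HKLM\OfflineSoftware' (Join-Path $ImageRoot 'Windows\System32\config\SOFTWARE') | Out-Null
    Get-RunValues 'HKLM:\OfflineSoftware' 'Image:SOFTWARE'
    [gc]::Collect()   # release provider handles so the hive can be unloaded
    reg.exe unload 'HKLM\OfflineSoftware' | Out-Null
    # NTUSER.DAT is hidden, hence -Force; each one is a user profile hive
    Get-ChildItem (Join-Path $ImageRoot 'Users\*\NTUSER.DAT') -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            reg.exe load 'HKLM\OfflineUser' $_.FullName | Out-Null
            Get-RunValues 'HKLM:\OfflineUser\Software' ('Image:' + $_.Directory.Name)
            [gc]::Collect()
            reg.exe unload 'HKLM\OfflineUser' | Out-Null
        }
}
```

Pipe the output to Format-Table or Export-Csv and compare it against the Autoruns or wmic results, which is the cross-check the diary recommends.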
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.