Show all profiles?

Ixne
Posted: 11 January 2012 at 2:24pm

Several recent malware releases appear to only install into the current user's profile. However, when I use Autoruns under the Administrator account, it doesn't appear to show what loads under the other profiles on the system; is there some way to get it to do this? Thanks.




Edited by Ixne - 11 January 2012 at 2:24pm

Dax1792
Posted: 11 January 2012 at 2:37pm
Click 'Run as Administrator' in the File menu. You then get a 'User' menu on the toolbar which allows you to select which user you want to look at. 

burningteufel
Posted: 11 January 2012 at 3:44pm
What Dax1792 said.

That feature is very useful for spotting and deleting malware that loads only in a particular profile, for example rogue antivirus.

You can also consider the possibility of using Autoruns with its "analyze offline system" capabilities from a PE live environment to spot and delete stubborn malware.



Edited by burningteufel - 11 January 2012 at 3:45pm
“Windows is what you open when you want fresh air from outside”

Ixne
Posted: 13 January 2012 at 12:24pm
  Great, thanks!

davehull
Posted: 20 January 2012 at 12:04am
The command line version of Autoruns has an option to pull data for all profiles via the * for username. Dump the output to a csv file and load in Excel for review.

Ixne
Posted: 14 February 2012 at 1:04pm

Thanks... I've tried the command line using the command below, but it still only appears to show the active profile. What am I doing wrong?


autorunsc.exe -m -v -accepteula -a * > "C:\temp\autoruns_output\autoruns_remote.csv"



davehull
Posted: 14 February 2012 at 2:33pm
You need single quotes on either side of the asterisk; try it with '*'.

Ixne
Posted: 16 February 2012 at 2:18pm

Still no joy; here's where the rub seems to be: I'm trying to pass this command through PSEXEC so that it's executed remotely (executed as a domain admin, so I don't think credentials are the issue) thusly:


cmd /x /c psexec.exe \\%E% -accepteula -c autorunsc.exe -m -v -accepteula -a '*' > "C:\temp\autoruns_output\autoruns_remote.csv"

davehull
Posted: 16 February 2012 at 2:45pm
Hm, you might try your psexec with a -s so it runs commands on the remote host as system. Also, I know from experience that /accepteula works with autorunsc, not sure about -accepteula.
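
An added example, not posted by anyone in this thread: one way to do the CSV review davehull suggests in code rather than in Excel, listing autostart entries whose image sits under a user profile and flagging those without a verified publisher. The column names (Entry Location, Entry, Publisher, Image Path), the "(Verified)" prefix and the sample rows are assumptions constructed for illustration; match them to the header row of your own autorunsc output.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample rows; the column names are assumptions, not captured tool output.
SAMPLE_CSV = r'''"Entry Location","Entry","Publisher","Image Path"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","VendorTray","(Verified) Example Corp","C:\Program Files\Vendor\tray.exe"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run","Updater","","C:\Users\alice\AppData\Roaming\upd\upd.exe"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run","SyncClient","(Verified) Example Sync Inc","C:\Users\alice\AppData\Local\Sync\sync.exe"
"C:\Documents and Settings\Bob\Start Menu\Programs\Startup","av2012.lnk","(Not verified)","C:\Documents and Settings\Bob\Application Data\av2012.exe"
'''

# Image paths under a per-user profile root (Vista+ and XP layouts).
PROFILE_RE = re.compile(r"^[a-z]:\\(?:users|documents and settings)\\([^\\]+)\\", re.I)


def profile_autostarts(csv_text):
    """Map profile name -> [(entry, image_path, verified)] for images stored in a profile."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = (row.get("Image Path") or "").strip()
        match = PROFILE_RE.match(path)
        if not match:
            continue  # machine-wide location, not tied to one profile
        publisher = (row.get("Publisher") or "").strip().lower()
        verified = publisher.startswith("(verified)")
        hits[match.group(1).lower()].append((row.get("Entry", ""), path, verified))
    return dict(hits)


def unverified(hits):
    """Keep only entries without a verified publisher, dropping profiles with none."""
    flagged = {user: [e for e in entries if not e[2]] for user, entries in hits.items()}
    return {user: entries for user, entries in flagged.items() if entries}


if __name__ == "__main__":
    for user, entries in sorted(unverified(profile_autostarts(SAMPLE_CSV)).items()):
        for entry, path, _ in entries:
            print(f"{user}: {entry} -> {path}")
```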