Show all profiles?

Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic

  Several recent malware releases appear to only install into the current user's profile. However, when I use autoruns under the Administrator account, it doesn't appear to show what loads under the other profiles on the system; is there some way to get it to do this? Thanks.

Edited by Ixne - 11 January 2012 at 2:24pm

Author	Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic
Ixne Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 06 June 2007 Location: USA Status: Offline Points: 6	Post Options Post Reply Quote Ixne Report Post Thanks(0) Quote Reply Topic: Show all profiles? Posted: 11 January 2012 at 2:24pm
	Several recent malware releases appear to only install into the current user's profile. However, when I use autoruns under the Administrator account, it doesn't appear to show what loads under the other profiles on the system; is there some way to get it to do this? Thanks. Edited by Ixne - 11 January 2012 at 2:24pm

Dax1792 Members Profile Send Private Message Find Members Posts Add to Buddy List Senior Member Joined: 15 March 2011 Status: Offline Points: 404	Post Options Post Reply Quote Dax1792 Report Post Thanks(0) Quote Reply Posted: 11 January 2012 at 2:37pm
	Click 'Run as Administrator' in the File menu. You then get a 'User' menu on the toolbar which allows you to select which user you want to look at.

burningteufel Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 01 January 2012 Status: Offline Points: 8	Post Options Post Reply Quote burningteufel Report Post Thanks(0) Quote Reply Posted: 11 January 2012 at 3:44pm
	^ What Dax1792 said. That feature it's very useful to spot and delete malware who loads only in a particular profile, for example rogue antivirus. You can also consider the possibility of using Autoruns with its "analyze offline system" capabilities from a PE live environment to spot and delete stubborn malware. Edited by burningteufel - 11 January 2012 at 3:45pm
	“Windows is what you open when you want fresh air from outside"

Ixne Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 06 June 2007 Location: USA Status: Offline Points: 6	Post Options Post Reply Quote Ixne Report Post Thanks(0) Quote Reply Posted: 13 January 2012 at 12:24pm
	Great, thanks!

davehull Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 19 January 2012 Status: Offline Points: 30	Post Options Post Reply Quote davehull Report Post Thanks(0) Quote Reply Posted: 20 January 2012 at 12:04am
	The command line version of Autoruns has an option to pull data for all profiles via the * for username. Dump the output to a csv file and load in Excel for review.

Ixne Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 06 June 2007 Location: USA Status: Offline Points: 6	Post Options Post Reply Quote Ixne Report Post Thanks(0) Quote Reply Posted: 14 February 2012 at 1:04pm
	Thanks... I've tried the command line using the command below, but it still only appears to show the active profile. What am I doing wrong? autorunsc.exe -m -v -accepteula -a * > "C:\temp\autoruns_output\autoruns_remote.csv"

davehull Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 19 January 2012 Status: Offline Points: 30	Post Options Post Reply Quote davehull Report Post Thanks(0) Quote Reply Posted: 14 February 2012 at 2:33pm
	You need single quotes on either side of the asterisk, try it with '*'

Ixne Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 06 June 2007 Location: USA Status: Offline Points: 6	Post Options Post Reply Quote Ixne Report Post Thanks(0) Quote Reply Posted: 16 February 2012 at 2:18pm
	Still no joy; here's where the rub seems to be: I'm trying to pass this command through PSEXEC so that it's executed remotely (executed as a domain admin, so I don't think credentials are the issue) thusly: cmd /x /c psexec.exe \\%E% -accepteula -c autorunsc.exe -m -v -accepteula -a '*' > "C:\temp\autoruns_output\autoruns_remote.csv"

davehull Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 19 January 2012 Status: Offline Points: 30	Post Options Post Reply Quote davehull Report Post Thanks(0) Quote Reply Posted: 16 February 2012 at 2:45pm
	Hm, you might try your psexec with a -s so it runs commands on the remote host as system. Also, I know from experience that /accepteula works with autorunsc, not sure about -accepteula.