- Mastering Reverse Engineering
- Reginald Wong
- 2021-06-10 19:40:28
Autoruns
The startup list we saw earlier in this chapter covers registry entries, scheduled jobs, and file locations. Autoruns covers all of those, along with other areas we have not discussed, such as Microsoft Office add-ons, codecs, and printer monitors, as can be seen in the following screenshot:

There are 32- and 64-bit versions of the Autoruns tool. The screenshot above shows all possible triggers for an executable, a list based on the research of the Sysinternals authors Mark Russinovich and Bryce Cogswell. The tool also categorizes each autorun entry, shows a description of each entry, and indicates the file path related to the entry.
For reverse engineers, identifying suspected files depends on knowing which files are common to the startup before the system was compromised. With continuous practice and experience, the reverse engineer will easily identify which executable files are good and which are suspect.
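The baseline comparison described above can be automated. The following is an added example, not code from the book: it compares a known-good export of startup entries with a later one and reports entries that are new or whose image path changed. The CSV column names and both sample exports are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample exports, not data from a real system. The column names
# are assumptions modelled on the fields the Autoruns window displays.
BASELINE = r"""Entry Location,Entry,Category,Description,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,Logon,Windows Security notification icon,C:\Windows\System32\SecurityHealthSystray.exe
Task Scheduler,\ExampleVendor\Updater,Scheduled Tasks,Example updater,C:\Program Files\ExampleVendor\update.exe
"""

CURRENT = r"""Entry Location,Entry,Category,Description,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,Logon,Windows Security notification icon,c:\windows\system32\SecurityHealthSystray.exe
Task Scheduler,\ExampleVendor\Updater,Scheduled Tasks,Example updater,C:\Users\Public\update.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Helper,Logon,,C:\Users\alice\AppData\Roaming\helper.exe
"""


def norm(value):
    """Windows paths and registry keys are case-insensitive, so compare lowercased."""
    return value.strip().lower()


def load(text):
    """Index rows by (entry location, entry name)."""
    return {(norm(r["Entry Location"]), norm(r["Entry"])): r
            for r in csv.DictReader(io.StringIO(text))}


def diff_autoruns(baseline_text, current_text):
    """Return (status, category, entry, image path) for entries that are
    absent from the baseline or point at a different file than before."""
    base, cur = load(baseline_text), load(current_text)
    findings = []
    for key, row in cur.items():
        old = base.get(key)
        if old is None:
            status = "NEW"
        elif norm(old["Image Path"]) != norm(row["Image Path"]):
            status = "CHANGED"
        else:
            continue  # present in the baseline with the same image path
        findings.append((status, row["Category"], row["Entry"], row["Image Path"]))
    return findings


if __name__ == "__main__":
    for finding in diff_autoruns(BASELINE, CURRENT):
        print(*finding, sep=" | ")
```

An entry that keeps its name but points at a different file is reported as CHANGED, which a comparison by entry name alone would miss.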