TAYM-7307 asked Winkelmann-5273 commented

Autoruns closes automatically & potentially fake Chinese verified Publishers

I just started training in a Security+ class and was introduced to Autoruns. I have had some strange behavior on my PC for some time (random wakeups, monitors changing their number assignment, etc.), but these were usually explained by regular Windows error type things. But in looking through my Autoruns, I noticed some increased strangeness.

First of all, Autoruns will not stay running for long enough to make any changes. I got it to stay open for about 15 seconds by restarting my computer (long enough to get the screenshot below) but no matter what I do, it will close immediately (even as admin).
Additionally, I noticed that some of the (Verified) publishers had Chinese or other special characters in them.

So I'm just curious if anyone can vouch for these Autorun entries? And if so, is anyone aware of a known issue with Autoruns auto-closing?

90854-captureautorun.png


windows-sysinternals-autoruns

1 Answer

foxmsft answered Winkelmann-5273 commented

Hi, I believe that these publishers are being displayed as an effect of a bug that was fixed in Friday's Autoruns release (v13.100). Can you please check with that version as well?


The bug with the broken Publisher display is still present in the current version (13.100); I made sure to download the sysinternals.zip again just now.

This pretty much breaks Autoruns because, since it doesn't detect the publisher properly, it can't filter out MS/Windows entries and doesn't properly compare autoruns files.
