p0w3rsh3ll

Results: 24 issues of p0w3rsh3ll

Steps to reproduce
------------------
```powershell
Get-PSAutorun -ServicesAndDrivers | ? { -not($_.Version) }

Path      : HKLM:\System\CurrentControlSet\Services\PRM
Item      : ImagePath
Category  : Drivers
Value     : System32\DriverStore\FileRepository\prm.inf_amd64_7fc9bb8ba2b73803\PRM.sys
ImagePath : System32\DriverStore\FileRepository\prm.inf_amd64_7fc9bb8ba2b73803\PRM.sys
Size      :
```
...

Steps to reproduce
------------------
```powershell
Get-PSAutorun -ScheduledTask

Path      : C:\Windows\system32\Tasks\\TaskName
Item      : TaskName
Category  : Task
Value     : "C:\Windows\Folder1\Folder2\scriptfile.cmd"
ImagePath : "C:\Windows\Folder1\Folder2\scriptfile.cmd"
```

Expected behavior
-----------------
Get the imagePath w/o...

Steps to reproduce
------------------
```powershell
Get-PSAutorun -ScheduledTasks

Path      : C:\Windows\system32\Tasks\\OneDrive Reporting Task-SID
Item      : OneDrive Reporting Task-SID
Category  : Task
Value     : %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe /reporting
ImagePath : C:\Users\username\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe \reporting
```

Expected...

Steps to reproduce
------------------
```powershell
Get-PSAutorun -BootExecute

Path      : HKLM:\System\CurrentControlSet\Control\Session Manager
Item      : SetupExecute
Category  : Boot Execute
Value     : C:\Windows\System32\poqexec.exe /display_progress \SystemRoot\WinSxS\pending.xml
ImagePath : C:\Windows\System32\poqexec.exe /display_progress \SystemRoot\WinSxS\pending.xml
Size      :
```
...

Steps to reproduce
------------------
```powershell
Get-PSAutorun -Winlogon | ? { -not($_.Value) }

Path          : HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
Item          : {C885AA15-1764-4293-B82A-0586ADD46B35}
Category      : Winlogon
Value         :
ImagePath     :
Size          :
LastWriteTime :
```
...

Steps to reproduce
------------------
```powershell
Get-PSAutorun -ScheduledTasks | ? Item -match 'OneDrive'
```

Expected behavior
-----------------
The TaskName (or path) contains the SID of the account concerned. The ImagePath should...

It seems that the original Autoruns 14.00 now checks

- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

instead of

- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run

while it continues to look for:

- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

and...

It seems that the original AutoRuns 14.00 now checks:

- HKLM\SOFTWARE\Microsoft\Windows CE Services\AutoStartDisconnect

instead of

- HKLM\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect

But it still checks

- HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnDisconnect

Steps to reproduce
------------------
Run the following twice, in 2 different consoles and after changing the time zone.
```powershell
Get-PSAutorun -VerifyDigitalSignature | Where { -not($_.isOSbinary)} | New-AutoRunsBaseLine -Verbose
# and...
```

The original version from Microsoft queries additional keys ending with 'AutorunsDisabled'. A procmon trace reveals this behavior. The GUI version allows you to uncheck an Autorun. If it's unchecked, a key...
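As an added example that is not code from the AutoRuns module or from any of the reporters above, the following PowerShell reads the key locations named in the two Autoruns 14.00 reports (the Terminal Server `Run`/`RunOnce`/`RunOnceEx` paths and the Windows CE Services `AutoStartDisconnect`/`AutoStartOnDisconnect` paths) so the old and new locations can be compared side by side, and for the standard `Run`/`RunOnce` keys also reads an `AutorunsDisabled` subkey, which is where the Sysinternals GUI parks an entry once it is unchecked. The exact placement of that subkey (directly under each Run key), the list of standard Run keys and the `Get-AutorunKeyValue` helper are this example's assumptions.

```powershell
# Added example, not code from the AutoRuns module or from the issue reporters.
# Assumptions: the AutorunsDisabled subkey sits directly under each Run key,
# and the Get-AutorunKeyValue / Get-AutorunKeyReport names are invented here.

function Get-AutorunKeyValue {
    # Emit one object per value under $Path. A missing or empty key still
    # emits a single object so absent locations are visible in the report.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Disabled
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            Path = $Path; Exists = $false; Disabled = [bool]$Disabled; Item = $null; Value = $null
        }
    }
    $key = Get-Item -LiteralPath $Path
    if ($key.ValueCount -eq 0) {
        return [pscustomobject]@{
            Path = $Path; Exists = $true; Disabled = [bool]$Disabled; Item = $null; Value = $null
        }
    }
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Path     = $Path
            Exists   = $true
            Disabled = [bool]$Disabled
            Item     = $name
            # Keep REG_EXPAND_SZ data unexpanded so %localappdata% and friends
            # are reported exactly as stored (the 'Value' column in the reports).
            Value    = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        }
    }
}

function Get-AutorunKeyReport {
    # Locations quoted in the reports: for each pair, the path Autoruns 14.00
    # now reads is listed first, followed by the older path.
    $TerminalServerKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
    )
    $WindowsCeKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows CE Services\AutoStartDisconnect',
        'HKLM:\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnDisconnect'
    )
    # Standard Run keys (assumed list) checked together with the subkey the
    # Sysinternals GUI uses for unchecked entries.
    $RunKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    $results = @(foreach ($path in ($TerminalServerKeys + $WindowsCeKeys)) {
        Get-AutorunKeyValue -Path $path
    })
    $results += @(foreach ($path in $RunKeys) {
        Get-AutorunKeyValue -Path $path
        # Entries unchecked in the GUI live here (assumed subkey location).
        Get-AutorunKeyValue -Path (Join-Path $path 'AutorunsDisabled') -Disabled
    })
    $results
}

# Usage: run elevated to see every HKLM location; Exists=$false rows show
# which of the old/new paths are simply absent on this build.
Get-AutorunKeyReport | Sort-Object Path, Item |
    Format-Table -AutoSize Path, Exists, Disabled, Item, Value
```

Reading the data with `DoNotExpandEnvironmentNames` keeps the stored string intact, which is what you want when comparing the raw `Value` with an expanded `ImagePath` as in the OneDrive report above; expanding at read time would hide exactly that difference. Rows with `Disabled = $true` are entries Autoruns has parked rather than removed, so a baseline that ignores the `AutorunsDisabled` subkeys will miss a persistence entry that can be re-enabled with one click.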