
Small Cyber Bytes – 2 – Autorun Locations – Malware Persistence

What Are Autorun Locations

One common way for malware to persist on a system is to add an autorun entry so that it is launched automatically every time the host boots or a user logs on. The list below is not exhaustive, but it is a good place to start because these locations are reused for malware persistence again and again. If you are working towards becoming a Cyber Security Analyst, these are the basic areas you should definitely know to look at.

Startup Folder

The Startup folder is a location on the system where users can place shortcuts (or executables, scripts and documents) that they want to run automatically when they log on. Malware authors take advantage of this by dropping a shortcut or their own binary into the folder, so it is launched every time the user logs on.

The Startup folder is an easy target for malware because the per-user folder is writable by that user's own account with no elevated permissions; only the All Users folder needs administrator rights. That makes it attractive to malware that wants to persist from a standard-user foothold on as many systems as possible.

  1. Windows XP:
    • All Users: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    • Current User: C:\Documents and Settings\{Username}\Start Menu\Programs\Startup\
  2. Windows Vista, 7, 8, 8.1, 10 and 11:
    • All Users: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\
    • Current User: C:\Users\{Username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Note that the “ProgramData” and “AppData” folders are hidden by default on Windows Vista and later, so you may need to show hidden files and folders in order to browse to them. Typing shell:startup (current user) or shell:common startup (all users) into the Run dialog or Explorer address bar opens the correct folder regardless of version.
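The following is an added example and is not code from the original post. It enumerates both Startup folders on the local machine, resolves every .lnk shortcut to the program it really launches (malware often hides behind an innocently named shortcut), and records the hash and Authenticode status of that target so the entries can be triaged quickly. It assumes PowerShell 5.1 or later on Windows; the All Users folder is readable without elevation, but reading another user's profile needs administrator rights.

```powershell
# Added example (not from the original post): enumerate both Startup folders,
# resolve .lnk shortcuts to their real target, and record hash and signature
# state of whatever will actually execute at logon.
# Assumes PowerShell 5.1+ on Windows.

$startupFolders = @(
    [Environment]::GetFolderPath('Startup')        # per-user: ...\AppData\Roaming\...\Startup
    [Environment]::GetFolderPath('CommonStartup')  # all users: C:\ProgramData\...\StartUp
)

# WScript.Shell is the simplest way to read a shortcut's TargetPath/Arguments
$shell = New-Object -ComObject WScript.Shell

$results = foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    # -Force so hidden/system items (a common malware trick) are not skipped;
    # desktop.ini is a normal shell artefact and not an autorun entry
    Get-ChildItem -LiteralPath $folder -File -Force |
        Where-Object Name -ne 'desktop.ini' |
        ForEach-Object {
            $item      = $_
            $target    = $item.FullName
            $arguments = ''
            if ($item.Extension -ieq '.lnk') {
                $lnk       = $shell.CreateShortcut($item.FullName)
                $target    = $lnk.TargetPath
                $arguments = $lnk.Arguments
            }
            $hash = $null
            $sigStatus = 'TargetMissing'   # a dangling shortcut is itself worth noting
            if ($target -and (Test-Path -LiteralPath $target)) {
                $hash      = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
                $sigStatus = [string](Get-AuthenticodeSignature -LiteralPath $target).Status
            }
            [pscustomobject]@{
                Folder    = $folder
                Entry     = $item.Name
                Target    = $target
                Arguments = $arguments
                LastWrite = $item.LastWriteTime
                SHA256    = $hash
                Signature = $sigStatus
            }
        }
}

$results | Format-Table -AutoSize -Wrap
```

Entries whose Signature is NotSigned or TargetMissing, or whose Target lives under a user profile or Temp directory, are the ones to pull for closer analysis; the SHA256 lets you check the file against threat intelligence without copying it off the host.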

Windows Registry

The Windows registry is a database that stores configuration information for the operating system and applications. Malware can add new values under the registry's autorun keys so that it is launched automatically when the system starts up or a user logs on.

The HKEY_LOCAL_MACHINE keys apply to every user and need administrative rights to modify, but the HKEY_CURRENT_USER keys are writable by the logged-on user with no elevation at all, so for per-user persistence the registry is no harder a target than the Startup folder. To reach the machine-wide keys, malware authors exploit vulnerabilities in software or trick users into granting administrative privileges.

There are several registry keys where malware can add an autorun entry, including:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

The values under these keys hold the command lines that Windows runs at logon: the HKEY_LOCAL_MACHINE keys for every user, the HKEY_CURRENT_USER keys for that user only, and RunOnce values are deleted once they have run. On 64-bit Windows the same keys also exist under Software\Wow6432Node for 32-bit programs. If you find an entry in one of these keys that you don’t recognize, record the value name and command line and preserve a copy and hash of the file it points to before you remove it, so the sample is not lost to the investigation.

Example of a Trickbot run key (tsickbot_1.exe)
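As an added example that is not part of the original post, the script below dumps the Run and RunOnce keys listed above (plus the Wow6432Node copies), works out which executable each command line really launches, and flags the entries an analyst should look at first: a target that is missing, unsigned, sitting in a user-writable directory like the AppData drop in the Trickbot screenshot, or a signed Windows utility such as rundll32.exe whose real payload is in the arguments. It assumes PowerShell 5.1 or later; the directory and LOLBin lists are heuristics chosen for this example.

```powershell
# Added example (not from the original post): triage Run/RunOnce values.
# Assumes PowerShell 5.1+ on Windows; HKCU reflects the user running the script.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    # on 64-bit Windows, 32-bit programs register under the redirected hive as well
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories a standard user can write to (heuristic list for this example)
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, 'C:\ProgramData', 'C:\Users\Public') |
    Where-Object { $_ } | ForEach-Object { $_.ToLower() }

# Signed Windows binaries commonly used to launch a payload held elsewhere
$lolbins = 'rundll32.exe','regsvr32.exe','mshta.exe','wscript.exe','cscript.exe','powershell.exe','cmd.exe','msiexec.exe'

function Get-ExecutableFromCommandLine {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if (-not $cmd) { return '' }
    if ($cmd.StartsWith('"')) {
        # quoted form: "C:\Program Files\Vendor\app.exe" /arg
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # unquoted form: grow the prefix token by token until it names an existing file,
    # which copes with unquoted paths that contain spaces
    $tokens = $cmd -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf -ErrorAction SilentlyContinue) { return $candidate }
    }
    # bare name such as rundll32.exe: resolve it through PATH as the loader would
    $app = Get-Command $tokens[0] -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($app) { return $app.Source }
    return $tokens[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($value in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        # PSPath, PSParentPath, PSChildName, PSDrive, PSProvider are provider metadata, not registry values
        if ($value.Name -like 'PS*') { continue }
        $exe    = Get-ExecutableFromCommandLine ([string]$value.Value)
        $leaf   = if ($exe) { (Split-Path -Leaf $exe).ToLower() } else { '' }
        $exists = [bool]$exe -and (Test-Path -LiteralPath $exe -PathType Leaf -ErrorAction SilentlyContinue)
        $signed = $exists -and ((Get-AuthenticodeSignature -LiteralPath $exe).Status -eq 'Valid')
        $inUserDir = [bool]($userWritable | Where-Object { $exe.ToLower().StartsWith($_) })
        $isLolBin  = $lolbins -contains $leaf
        [pscustomobject]@{
            Key          = $key
            Name         = $value.Name
            CommandLine  = $value.Value
            Executable   = $exe
            Exists       = $exists
            Signed       = $signed
            UserWritable = $inUserDir
            LolBin       = $isLolBin
            Suspicious   = (-not $exists) -or (-not $signed) -or $inUserDir -or $isLolBin
        }
    }
}

$findings | Sort-Object Suspicious -Descending |
    Format-Table Key, Name, Executable, Exists, Signed, UserWritable, LolBin -AutoSize -Wrap
```

A LolBin hit is not proof of anything on its own (plenty of legitimate software uses rundll32), but the interesting part of such an entry is the DLL or script named in CommandLine, so inspect that file rather than the signed host binary.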

Scheduled Tasks

Scheduled tasks are automated processes that the Task Scheduler runs at specific times, on a recurring schedule, or in response to events such as boot or logon. Malware authors use them to launch their code at logon or at regular intervals, which also restarts it if the process is killed.

Scheduled tasks are harder to spot than the locations above because nothing in the everyday user interface lists them, and a task can be marked hidden in its settings. Each task is stored as an XML file under C:\Windows\System32\Tasks and registered in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache. Review them with the Task Scheduler console, schtasks /query /v, or Get-ScheduledTask, and pay particular attention to tasks outside the \Microsoft\ folder whose action runs from a user-writable directory.

Example of a Bokbot scheduled task
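The script below is an added example, not code from the original post. It lists every scheduled task outside the \Microsoft\ folder with what it actually executes, who it runs as, which trigger types fire it and whether it is marked hidden, and then compares the task XML files on disk with what the Task Scheduler API reports, because a task present on disk but absent from the API listing is itself a finding. It assumes PowerShell 5.1 or later and administrator rights (the Tasks directory is not readable by standard users); the LOLBin list is a heuristic chosen for this example.

```powershell
# Added example (not from the original post): triage non-Microsoft scheduled tasks
# and cross-check the on-disk task XML against the Task Scheduler API.
# Assumes PowerShell 5.1+ and an elevated prompt.

$lolbins = 'cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe',
           'rundll32.exe','regsvr32.exe','certutil.exe','bitsadmin.exe'

$allTasks = Get-ScheduledTask
$tasks    = $allTasks | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }

$report = foreach ($task in $tasks) {
    foreach ($action in $task.Actions) {
        # only ExecAction carries Execute/Arguments; COM-handler actions are skipped here
        if (-not $action.Execute) { continue }
        $exe  = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        $leaf = (Split-Path -Leaf $exe).ToLower()
        [pscustomobject]@{
            Task      = $task.TaskPath + $task.TaskName
            State     = $task.State
            Author    = $task.Author
            RunAs     = $task.Principal.UserId
            RunLevel  = $task.Principal.RunLevel     # Highest = runs elevated
            Execute   = $exe
            Arguments = $action.Arguments
            Triggers  = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
            Hidden    = $task.Settings.Hidden
            LolBin    = $lolbins -contains $leaf
        }
    }
}
$report | Format-Table Task, RunAs, RunLevel, Execute, Arguments, Triggers, Hidden, LolBin -AutoSize -Wrap

# Task XML files on disk that the API does not report. Each file's path relative
# to the Tasks root equals TaskPath + TaskName, so the two can be matched directly.
$taskRoot = Join-Path $env:SystemRoot 'System32\Tasks'
$apiNames = $allTasks | ForEach-Object { ($_.TaskPath + $_.TaskName).ToLower() }
$orphans  = Get-ChildItem -LiteralPath $taskRoot -Recurse -File -Force |
    Where-Object { $apiNames -notcontains ('\' + $_.FullName.Substring($taskRoot.Length + 1)).ToLower() }

if ($orphans) {
    "Task files on disk not reported by the Task Scheduler API:"
    $orphans | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
}
```

Trigger names come straight from the CIM class of each trigger (LogonTrigger, BootTrigger, DailyTrigger, TimeTrigger and so on), so a task that fires at logon and runs a script interpreter from a profile directory stands out immediately in the table.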

Services

A service is a program that runs in the background, independent of any logged-on user, and performs a specific function. Malware can register itself as a service set to start automatically, so it executes at boot, usually as SYSTEM. Creating a service requires administrative rights, so this is a persistence method used once malware has already gained elevated privileges.

Services are also easy to overlook because they are not visible to the user. Each service is defined under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, where the ImagePath value names the binary that runs and the Start value controls whether it starts at boot. List them with services.msc, sc query or Get-Service, and check the ImagePath of anything unfamiliar; a service hosted by svchost.exe runs a DLL named in its ServiceDll value rather than the ImagePath itself.
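As an added example that is not part of the original post, the script below walks the Services hive, normalises the various ImagePath forms (quoted, unquoted with arguments, \SystemRoot\ and \??\ prefixes), follows svchost-hosted services to their ServiceDll, and reports automatic-start entries whose binary is missing, unsigned, or not signed by Microsoft, along with the classic unquoted-path-with-spaces weakness. It assumes PowerShell 5.1 or later and an elevated prompt; the path-normalisation rules cover the formats this example handles, not every possible ImagePath.

```powershell
# Added example (not from the original post): resolve and triage service binaries.
# Assumes PowerShell 5.1+ and an elevated prompt.

$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Resolve-ServiceBinary {
    param([string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
    }
    # unquoted path, possibly followed by switches: cut at the first " -" or " /"
    $exe = ($p -split ' -| /')[0]
    if ($exe -match '^\\SystemRoot\\') { $exe = $exe -replace '^\\SystemRoot', $env:SystemRoot }   # drivers
    elseif ($exe -match '^system32\\')  { $exe = Join-Path $env:SystemRoot $exe }                  # relative form
    elseif ($exe -match '^\\\?\?\\')    { $exe = $exe.Substring(4) }                               # \??\C:\...
    return $exe
}

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$report = foreach ($key in Get-ChildItem -LiteralPath $svcRoot) {
    $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.ImagePath) { continue }   # not a service or driver definition
    $binary = Resolve-ServiceBinary $props.ImagePath
    $hosted = $null
    if ((Split-Path -Leaf $binary) -ieq 'svchost.exe') {
        # svchost only hosts the service; the real code is the ServiceDll under Parameters
        # (older services put ServiceDll directly on the service key)
        $dll = (Get-ItemProperty -LiteralPath "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { $dll = $props.ServiceDll }
        if ($dll) { $hosted = [Environment]::ExpandEnvironmentVariables($dll) }
    }
    $target = if ($hosted) { $hosted } else { $binary }
    $sig = if (Test-Path -LiteralPath $target -ErrorAction SilentlyContinue) { Get-AuthenticodeSignature -LiteralPath $target } else { $null }
    [pscustomobject]@{
        Service   = $key.PSChildName
        Start     = if ($null -ne $props.Start) { $startNames[[int]$props.Start] } else { 'Unknown' }
        ImagePath = $props.ImagePath
        Target    = $target
        SigStatus = if ($sig) { [string]$sig.Status } else { 'FileMissing' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # an unquoted ImagePath containing a space lets an attacker plant e.g. C:\Program.exe
        Unquoted  = ($props.ImagePath -notmatch '^"') -and ($binary -match ' ')
    }
}

# Automatic-start entries whose target is missing, unsigned, or not Microsoft-signed
$report | Where-Object { $_.Start -eq 'Automatic' -and ($_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft') } |
    Format-Table Service, Target, SigStatus, Signer, Unquoted -AutoSize -Wrap
```

Third-party vendors legitimately appear in this output, so the Signer column is there to let you tell a known product from something unexpected; a Target under a user profile, Temp or ProgramData with no signature at all is the case that warrants pulling the file.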

Browser Extensions

Malware can also install itself as a browser extension, so it runs every time the user opens their web browser. This type of malware is becoming more common as more people rely on web-based applications and services.

Browser extensions can be particularly dangerous because, depending on the permissions they request, they can read browsing history and cookies and the contents of every page the user visits, including credentials typed into forms. Malware uses this access to steal personal data or to carry out other malicious activity. Extensions can also be force-installed through the Chrome and Edge enterprise policy keys in the registry, which is another location to check.
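The following is an added example and not code from the original post. It inventories the Chrome and Edge extensions installed in every profile on the machine by reading each extension's manifest.json, highlights permissions that grant broad access to pages and requests, and then lists any ExtensionInstallForcelist policy values, which install extensions without user consent and are a common abuse of this location. It assumes PowerShell 5.1 or later, Chromium's User Data layout under each user's AppData\Local, and administrator rights to read other users' profiles; the list of "broad" permissions is a heuristic chosen for this example.

```powershell
# Added example (not from the original post): inventory Chromium extensions and
# policy-forced installs. Assumes PowerShell 5.1+ and an elevated prompt.

$browsers = @{
    Chrome = 'Google\Chrome\User Data'
    Edge   = 'Microsoft\Edge\User Data'
}
# Permissions that let an extension read or alter what the user does in the browser
$broadPermissions = '<all_urls>','tabs','webRequest','webRequestBlocking','cookies','history',
                    'clipboardRead','nativeMessaging','proxy','debugger','webNavigation'

$report = foreach ($userDir in Get-ChildItem -LiteralPath 'C:\Users' -Directory) {
    foreach ($b in $browsers.GetEnumerator()) {
        $userData = Join-Path $userDir.FullName "AppData\Local\$($b.Value)"
        if (-not (Test-Path -LiteralPath $userData)) { continue }
        # profiles are "Default", "Profile 1", ...; each one has its own Extensions folder
        $profiles = Get-ChildItem -LiteralPath $userData -Directory |
            Where-Object { Test-Path -LiteralPath (Join-Path $_.FullName 'Extensions') }
        foreach ($profile in $profiles) {
            foreach ($extDir in Get-ChildItem -LiteralPath (Join-Path $profile.FullName 'Extensions') -Directory) {
                # folder name is the 32-character extension id; each version has its own subfolder
                foreach ($verDir in Get-ChildItem -LiteralPath $extDir.FullName -Directory) {
                    $manifestPath = Join-Path $verDir.FullName 'manifest.json'
                    if (-not (Test-Path -LiteralPath $manifestPath)) { continue }
                    $m = Get-Content -LiteralPath $manifestPath -Raw | ConvertFrom-Json
                    # MV2 keeps host patterns in permissions; MV3 moves them to host_permissions
                    $perms = @($m.permissions) + @($m.host_permissions) | Where-Object { $_ -is [string] }
                    [pscustomobject]@{
                        User      = $userDir.Name
                        Browser   = $b.Key
                        Profile   = $profile.Name
                        Id        = $extDir.Name
                        Version   = $m.version
                        Name      = $m.name   # "__MSG_xxx__" means the real name is in _locales
                        Broad     = ($perms | Where-Object { $broadPermissions -contains $_ -or $_ -like '*://*/*' }) -join ','
                        Installed = $verDir.CreationTime
                    }
                }
            }
        }
    }
}
$report | Format-Table User, Browser, Profile, Id, Name, Version, Broad -AutoSize -Wrap

# Policy-forced extensions install silently and cannot be removed from the browser UI
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)
foreach ($k in $policyKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    (Get-ItemProperty -LiteralPath $k).PSObject.Properties |
        Where-Object Name -notlike 'PS*' |
        ForEach-Object { 'Forced: {0} -> {1}' -f $k, $_.Value }   # value is "<id>;<update URL>"
}
```

A force-list entry on a machine that is not managed by your organisation, or one whose update URL is not the Chrome Web Store or Edge Add-ons site, is the browser equivalent of an unexpected Run key.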

Conclusion

Malware is a persistent problem, and one of the ways it stays on a system is by running automatically at startup or logon. This is why malware authors make such heavy use of autorun locations.

Malware that uses autorun locations survives reboots and can operate undetected for extended periods. By knowing the most common autorun locations, you can check them quickly during triage, spot persistence early and reduce the risk of infection. Always remember to stay vigilant and keep systems up to date with the latest security patches and antivirus software to stay safe.

If you enjoyed this article you may also like PowerShell for Rapid Incident Response – Process Enumeration by Tom

Thank you for reading and keep on building those skills.


Digital forensics experience working within the criminal investigation environment. Working on furthering incident response and pen testing experience in the cyber security environment.