Autoruns 13.90 fails to collect profile information

  • Question

  • Hello,

    I'm running Autorunsc.exe under psexec:

    psexec -c \\<the_machine> autorunsc.exe -a * -m -accepteula <the_user>

    Problem starts with v13.90. It would not collect the information from the HKCU.

    The exit code is also all wrong:

    autorunsc.exe exited on <the_machine> with error code -1073741819.

    No errors reported in the output, but information about the user is missing.

    Tested it with 13.82 and it works as expected.

    If you could please look into it

    Thanks

    Momchil

    Tuesday, July 24, 2018 3:53 PM

Answers

All replies

  • I was able to reproduce/confirm the OP's findings. v13.82 will provide the expected values.

    Monday, August 6, 2018 4:35 PM
  • I just had a chance to look into the data a bit closer. It appears that the HKU/HKCU profiles are not simply being excluded, but autorunsc.exe is consistently crashing. Within my Windows 10 VMs, it is crashing shortly after parsing HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers (specifically within HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers on these boxes). Can you check your host for a Windows Error Report dump?

    • %ProgramData%\Microsoft\Windows\WER\ReportQueue
    • %ProgramData%\Microsoft\Windows\WER\ReportArchive
    • %LocalAppData%\Microsoft\Windows\WER\ReportQueue
    • %LocalAppData%\Microsoft\Windows\WER\ReportArchive

    Attached is an error report:

    Version=1
    EventType=APPCRASH
    EventTime=131781330503739775
    ReportType=2
    Consent=1
    UploadTime=131781330506074335
    ReportStatus=268435456
    ReportIdentifier=a50e2ce4-c5b4-4e4f-ae29-99f427c8878f
    IntegratorReportIdentifier=ec059cfb-b437-476d-a823-2da1985b3a66
    Wow64Host=34404
    Wow64Guest=332
    NsAppName=autorunsc_v13.90.exe
    OriginalFilename=autoruns.exe
    AppSessionGuid=0000330c-0001-0020-0aea-77fe6b2ed401
    TargetAppId=W:00061dc8aa63a436378dd97883e4d99233c900000904!0000def6d47255a7251c2372be0175dd1ea7d41f07fa!autorunsc_v13.90.exe
    TargetAppVer=2018//05//24:16:36:52!a1898!autorunsc_v13.90.exe
    BootId=4294967295
    ServiceSplit=30
    TargetAsId=655
    IsFatal=1
    Response.BucketId=2c5c33817c53f1dae437fac627a07a89
    Response.BucketTable=1
    Response.LegacyBucketId=1456908733452941961
    Response.type=4
    Sig[0].Name=Application Name
    Sig[0].Value=autorunsc_v13.90.exe
    Sig[1].Name=Application Version
    Sig[1].Value=13.90.0.0
    Sig[2].Name=Application Timestamp
    Sig[2].Value=5b06ea24
    Sig[3].Name=Fault Module Name
    Sig[3].Value=OLEAUT32.dll
    Sig[4].Name=Fault Module Version
    Sig[4].Value=10.0.17134.48
    Sig[5].Name=Fault Module Timestamp
    Sig[5].Value=7cc42fd8
    Sig[6].Name=Exception Code
    Sig[6].Value=c0000005
    Sig[7].Name=Exception Offset
    Sig[7].Value=0001d524
    DynamicSig[1].Name=OS Version
    DynamicSig[1].Value=10.0.17134.2.0.0.256.48
    DynamicSig[2].Name=Locale ID
    DynamicSig[2].Value=1033
    DynamicSig[22].Name=Additional Information 1
    DynamicSig[22].Value=2beb
    DynamicSig[23].Name=Additional Information 2
    DynamicSig[23].Value=2beba6fb4680d73a8c78ca7c24ccdb46
    DynamicSig[24].Name=Additional Information 3
    DynamicSig[24].Value=b1f0
    DynamicSig[25].Name=Additional Information 4
    DynamicSig[25].Value=b1f0b380dbcd74b72a4df4e63607c2ae
    UI[2]=C:\Users\User\Downloads\Software\autorunsc_v13.90.exe
    LoadedModule[0]=C:\Users\User\Downloads\Software\autorunsc_v13.90.exe
    LoadedModule[1]=C:\WINDOWS\SYSTEM32\ntdll.dll
    LoadedModule[2]=C:\WINDOWS\System32\KERNEL32.DLL
    LoadedModule[3]=C:\WINDOWS\System32\KERNELBASE.dll
    LoadedModule[4]=C:\WINDOWS\System32\CRYPT32.dll
    LoadedModule[5]=C:\WINDOWS\SYSTEM32\VERSION.dll
    LoadedModule[6]=C:\WINDOWS\System32\ucrtbase.dll
    LoadedModule[7]=C:\WINDOWS\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.165_none_42efcd1c44e192b2\COMCTL32.dll
    LoadedModule[8]=C:\WINDOWS\System32\msvcrt.dll
    LoadedModule[9]=C:\WINDOWS\System32\combase.dll
    LoadedModule[10]=C:\WINDOWS\System32\MSASN1.dll
    LoadedModule[11]=C:\WINDOWS\System32\RPCRT4.dll
    LoadedModule[12]=C:\WINDOWS\System32\WINTRUST.dll
    LoadedModule[13]=C:\WINDOWS\System32\SspiCli.dll
    LoadedModule[14]=C:\WINDOWS\System32\CRYPTBASE.dll
    LoadedModule[15]=C:\WINDOWS\System32\advapi32.dll
    LoadedModule[16]=C:\WINDOWS\System32\bcryptPrimitives.dll
    LoadedModule[17]=C:\WINDOWS\System32\sechost.dll
    LoadedModule[18]=C:\WINDOWS\System32\USER32.dll
    LoadedModule[19]=C:\WINDOWS\System32\GDI32.dll
    LoadedModule[20]=C:\WINDOWS\System32\win32u.dll
    LoadedModule[21]=C:\WINDOWS\System32\gdi32full.dll
    LoadedModule[22]=C:\WINDOWS\System32\COMDLG32.dll
    LoadedModule[23]=C:\WINDOWS\System32\msvcp_win.dll
    LoadedModule[24]=C:\WINDOWS\System32\shcore.dll
    LoadedModule[25]=C:\WINDOWS\System32\SHLWAPI.dll
    LoadedModule[26]=C:\WINDOWS\System32\SHELL32.dll
    LoadedModule[27]=C:\WINDOWS\System32\cfgmgr32.dll
    LoadedModule[28]=C:\WINDOWS\System32\windows.storage.dll
    LoadedModule[29]=C:\WINDOWS\System32\kernel.appcore.dll
    LoadedModule[30]=C:\WINDOWS\System32\profapi.dll
    LoadedModule[31]=C:\WINDOWS\System32\powrprof.dll
    LoadedModule[32]=C:\WINDOWS\System32\FLTLIB.DLL
    LoadedModule[33]=C:\WINDOWS\System32\ole32.dll
    LoadedModule[34]=C:\WINDOWS\System32\OLEAUT32.dll
    LoadedModule[35]=C:\WINDOWS\SYSTEM32\WINHTTP.dll
    LoadedModule[36]=C:\WINDOWS\System32\IMM32.DLL
    LoadedModule[37]=C:\WINDOWS\system32\uxtheme.dll
    LoadedModule[38]=C:\WINDOWS\System32\clbcatq.dll
    LoadedModule[39]=C:\WINDOWS\system32\propsys.dll
    LoadedModule[40]=C:\WINDOWS\SYSTEM32\WindowsCodecs.dll
    LoadedModule[41]=C:\WINDOWS\SYSTEM32\MrmCoreR.dll
    LoadedModule[42]=C:\WINDOWS\SYSTEM32\iertutil.dll
    LoadedModule[43]=C:\WINDOWS\SYSTEM32\policymanager.dll
    LoadedModule[44]=C:\WINDOWS\SYSTEM32\msvcp110_win.dll
    LoadedModule[45]=C:\WINDOWS\SYSTEM32\CRYPTSP.dll
    LoadedModule[46]=C:\WINDOWS\system32\rsaenh.dll
    LoadedModule[47]=C:\WINDOWS\SYSTEM32\bcrypt.dll
    LoadedModule[48]=C:\WINDOWS\System32\imagehlp.dll
    LoadedModule[49]=C:\WINDOWS\SYSTEM32\gpapi.dll
    LoadedModule[50]=C:\WINDOWS\SYSTEM32\cryptnet.dll
    LoadedModule[51]=C:\WINDOWS\SYSTEM32\IPHLPAPI.DLL
    LoadedModule[52]=C:\WINDOWS\SYSTEM32\WINNSI.DLL
    LoadedModule[53]=C:\WINDOWS\System32\NSI.dll
    LoadedModule[54]=C:\WINDOWS\system32\wbem\wbemprox.dll
    LoadedModule[55]=C:\WINDOWS\System32\WS2_32.dll
    LoadedModule[56]=C:\WINDOWS\SYSTEM32\wbemcomn.dll
    LoadedModule[57]=C:\WINDOWS\system32\wbem\wbemsvc.dll
    LoadedModule[58]=C:\WINDOWS\system32\wbem\fastprox.dll
    LoadedModule[59]=C:\Windows\System32\thumbcache.dll
    State[0].Key=Transport.DoneStage1
    State[0].Value=1
    OsInfo[0].Key=vermaj
    OsInfo[0].Value=10
    OsInfo[1].Key=vermin
    OsInfo[1].Value=0
    OsInfo[2].Key=verbld
    OsInfo[2].Value=17134
    OsInfo[3].Key=ubr
    OsInfo[3].Value=165
    OsInfo[4].Key=versp
    OsInfo[4].Value=0
    OsInfo[5].Key=arch
    OsInfo[5].Value=9
    OsInfo[6].Key=lcid
    OsInfo[6].Value=1033
    OsInfo[7].Key=geoid
    OsInfo[7].Value=244
    OsInfo[8].Key=sku
    OsInfo[8].Value=48
    OsInfo[9].Key=domain
    OsInfo[9].Value=0
    OsInfo[10].Key=prodsuite
    OsInfo[10].Value=256
    OsInfo[11].Key=ntprodtype
    OsInfo[11].Value=1
    OsInfo[12].Key=platid
    OsInfo[12].Value=10
    OsInfo[13].Key=sr
    OsInfo[13].Value=0
    OsInfo[14].Key=tmsi
    OsInfo[14].Value=112497
    OsInfo[15].Key=osinsty
    OsInfo[15].Value=1
    OsInfo[16].Key=iever
    OsInfo[16].Value=11.165.17134.0-11.0.75
    OsInfo[17].Key=portos
    OsInfo[17].Value=0
    OsInfo[18].Key=ram
    OsInfo[18].Value=16233
    OsInfo[19].Key=svolsz
    OsInfo[19].Value=475
    OsInfo[20].Key=wimbt
    OsInfo[20].Value=0
    OsInfo[21].Key=blddt
    OsInfo[21].Value=180410
    OsInfo[22].Key=bldtm
    OsInfo[22].Value=1804
    OsInfo[23].Key=bldbrch
    OsInfo[23].Value=rs4_release
    OsInfo[24].Key=bldchk
    OsInfo[24].Value=0
    OsInfo[25].Key=wpvermaj
    OsInfo[25].Value=0
    OsInfo[26].Key=wpvermin
    OsInfo[26].Value=0
    OsInfo[27].Key=wpbuildmaj
    OsInfo[27].Value=0
    OsInfo[28].Key=wpbuildmin
    OsInfo[28].Value=0
    OsInfo[29].Key=osver
    OsInfo[29].Value=10.0.17134.165.amd64fre.rs4_release.180410-1804
    OsInfo[30].Key=buildflightid
    OsInfo[30].Value=F8EE1E09-5379-44DF-B86D-E49E70CBE43B.1
    OsInfo[31].Key=edition
    OsInfo[31].Value=Professional
    OsInfo[32].Key=ring
    OsInfo[33].Key=expid
    OsInfo[34].Key=containerid
    OsInfo[35].Key=containertype
    OsInfo[36].Key=edu
    OsInfo[36].Value=0
    FriendlyEventName=Stopped working
    ConsentKey=APPCRASH
    AppName=Autostart program viewer
    AppPath=C:\Users\User\Downloads\Software\autorunsc_v13.90.exe
    NsPartner=windows
    NsGroup=windows8
    ApplicationIdentity=0A29B98F1C872E6333BEAB7BD556C3A5
    MetadataHash=1624446730



    Tuesday, August 7, 2018 4:42 PM
  • On a Windows 7 x64 VM, Autoruns v13.90 also crashes shortly after HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers. This time, it stops reporting while writing HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.

    Version=1
    EventType=APPCRASH
    EventTime=131781339458598261
    ReportType=2
    Consent=1
    ReportIdentifier=54151975-9a61-11e8-aa2e-000c29ad2add
    IntegratorReportIdentifier=54151974-9a61-11e8-aa2e-000c29ad2add
    WOW64=1
    Response.type=4
    Sig[0].Name=Application Name
    Sig[0].Value=autorunsc_v13.90.exe
    Sig[1].Name=Application Version
    Sig[1].Value=13.90.0.0
    Sig[2].Name=Application Timestamp
    Sig[2].Value=5b06ea24
    Sig[3].Name=Fault Module Name
    Sig[3].Value=OLEAUT32.dll
    Sig[4].Name=Fault Module Version
    Sig[4].Value=6.1.7601.17514
    Sig[5].Name=Fault Module Timestamp
    Sig[5].Value=4ce7b972
    Sig[6].Name=Exception Code
    Sig[6].Value=c0000005
    Sig[7].Name=Exception Offset
    Sig[7].Value=00004660
    DynamicSig[1].Name=OS Version
    DynamicSig[1].Value=6.1.7601.2.1.0.256.4
    DynamicSig[2].Name=Locale ID
    DynamicSig[2].Value=1033
    DynamicSig[22].Name=Additional Information 1
    DynamicSig[22].Value=0a9e
    DynamicSig[23].Name=Additional Information 2
    DynamicSig[23].Value=0a9e372d3b4ad19135b953a78882e789
    DynamicSig[24].Name=Additional Information 3
    DynamicSig[24].Value=0a9e
    DynamicSig[25].Name=Additional Information 4
    DynamicSig[25].Value=0a9e372d3b4ad19135b953a78882e789
    UI[2]=C:\Users\User\Desktop\autorunsc_v13.90.exe
    UI[3]=Autostart program viewer has stopped working
    UI[4]=Windows can check online for a solution to the problem.
    UI[5]=Check online for a solution and close the program
    UI[6]=Check online for a solution later and close the program
    UI[7]=Close the program
    LoadedModule[0]=C:\Users\User\Desktop\autorunsc_v13.90.exe
    LoadedModule[1]=C:\Windows\SysWOW64\ntdll.dll
    LoadedModule[2]=C:\Windows\syswow64\kernel32.dll
    LoadedModule[3]=C:\Windows\syswow64\KERNELBASE.dll
    LoadedModule[4]=C:\Windows\system32\VERSION.dll
    LoadedModule[5]=C:\Windows\syswow64\msvcrt.dll
    LoadedModule[6]=C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\COMCTL32.dll
    LoadedModule[7]=C:\Windows\syswow64\GDI32.dll
    LoadedModule[8]=C:\Windows\syswow64\USER32.dll
    LoadedModule[9]=C:\Windows\syswow64\ADVAPI32.dll
    LoadedModule[10]=C:\Windows\SysWOW64\sechost.dll
    LoadedModule[11]=C:\Windows\syswow64\RPCRT4.dll
    LoadedModule[12]=C:\Windows\syswow64\SspiCli.dll
    LoadedModule[13]=C:\Windows\syswow64\CRYPTBASE.dll
    LoadedModule[14]=C:\Windows\syswow64\LPK.dll
    LoadedModule[15]=C:\Windows\syswow64\USP10.dll
    LoadedModule[16]=C:\Windows\syswow64\SHLWAPI.dll
    LoadedModule[17]=C:\Windows\syswow64\CRYPT32.dll
    LoadedModule[18]=C:\Windows\syswow64\MSASN1.dll
    LoadedModule[19]=C:\Windows\syswow64\WINTRUST.dll
    LoadedModule[20]=C:\Windows\syswow64\COMDLG32.dll
    LoadedModule[21]=C:\Windows\syswow64\SHELL32.dll
    LoadedModule[22]=C:\Windows\syswow64\ole32.dll
    LoadedModule[23]=C:\Windows\syswow64\OLEAUT32.dll
    LoadedModule[24]=C:\Windows\system32\WINHTTP.dll
    LoadedModule[25]=C:\Windows\system32\webio.dll
    LoadedModule[26]=C:\Windows\system32\IMM32.DLL
    LoadedModule[27]=C:\Windows\syswow64\MSCTF.dll
    LoadedModule[28]=C:\Windows\system32\uxtheme.dll
    LoadedModule[29]=C:\Windows\syswow64\SETUPAPI.dll
    LoadedModule[30]=C:\Windows\syswow64\CFGMGR32.dll
    LoadedModule[31]=C:\Windows\syswow64\DEVOBJ.dll
    LoadedModule[32]=C:\Windows\syswow64\CLBCatQ.DLL
    LoadedModule[33]=C:\Windows\system32\propsys.dll
    LoadedModule[34]=C:\Windows\system32\ntmarta.dll
    LoadedModule[35]=C:\Windows\syswow64\WLDAP32.dll
    LoadedModule[36]=C:\Windows\system32\profapi.dll
    LoadedModule[37]=C:\Windows\system32\WindowsCodecs.dll
    LoadedModule[38]=C:\Windows\system32\apphelp.dll
    LoadedModule[39]=C:\Windows\system32\wbem\wbemprox.dll
    LoadedModule[40]=C:\Windows\system32\wbemcomn.dll
    LoadedModule[41]=C:\Windows\syswow64\WS2_32.dll
    LoadedModule[42]=C:\Windows\syswow64\NSI.dll
    LoadedModule[43]=C:\Windows\system32\CRYPTSP.dll
    LoadedModule[44]=C:\Windows\system32\rsaenh.dll
    LoadedModule[45]=C:\Windows\system32\RpcRtRemote.dll
    LoadedModule[46]=C:\Windows\system32\wbem\wbemsvc.dll
    LoadedModule[47]=C:\Windows\system32\wbem\fastprox.dll
    LoadedModule[48]=C:\Windows\system32\NTDSAPI.dll
    LoadedModule[49]=C:\Windows\syswow64\imagehlp.dll
    LoadedModule[50]=C:\Windows\system32\bcrypt.dll
    LoadedModule[51]=C:\Windows\SysWOW64\bcryptprimitives.dll
    LoadedModule[52]=C:\Windows\system32\ncrypt.dll
    LoadedModule[53]=C:\Windows\system32\USERENV.dll
    LoadedModule[54]=C:\Windows\system32\GPAPI.dll
    LoadedModule[55]=C:\Windows\system32\cryptnet.dll
    LoadedModule[56]=C:\Windows\system32\SensApi.dll
    LoadedModule[57]=C:\Windows\system32\Cabinet.dll
    LoadedModule[58]=C:\Windows\system32\DEVRTL.dll
    FriendlyEventName=Stopped working
    ConsentKey=APPCRASH
    AppName=Autostart program viewer
    AppPath=C:\Users\User\Desktop\autorunsc_v13.90.exe
    



    Tuesday, August 7, 2018 4:56 PM
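The two reports above carry the same fault signature (autorunsc_v13.90.exe built 5b06ea24, faulting in OLEAUT32.dll with exception c0000005), and the PsExec exit code -1073741819 from the original post is the same value printed as a signed 32-bit integer. The Python below is an added example, not code from this thread or from Sysinternals: it parses abridged copies of the two Report.wer files (constructed from the text above, trimmed to the signature lines and the OLEAUT32 module entries), decodes the signature, and correlates it with the PsExec exit code. Function names and the small NTSTATUS table are my own; the abridged report text is the assumed input.

```python
"""Parse WER Report.wer text and correlate it with a PsExec exit code.
Added example; the two reports are abridged copies of the ones posted above."""
import re
from datetime import datetime, timezone

# Constructed input: the Windows 10 report, trimmed to the lines used here.
WER_WIN10 = r"""EventType=APPCRASH
Sig[0].Name=Application Name
Sig[0].Value=autorunsc_v13.90.exe
Sig[1].Name=Application Version
Sig[1].Value=13.90.0.0
Sig[2].Name=Application Timestamp
Sig[2].Value=5b06ea24
Sig[3].Name=Fault Module Name
Sig[3].Value=OLEAUT32.dll
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=0001d524
LoadedModule[34]=C:\WINDOWS\System32\OLEAUT32.dll
"""

# Constructed input: the Windows 7 x64 report (32-bit process under WOW64).
WER_WIN7 = r"""EventType=APPCRASH
WOW64=1
Sig[0].Name=Application Name
Sig[0].Value=autorunsc_v13.90.exe
Sig[1].Name=Application Version
Sig[1].Value=13.90.0.0
Sig[2].Name=Application Timestamp
Sig[2].Value=5b06ea24
Sig[3].Name=Fault Module Name
Sig[3].Value=OLEAUT32.dll
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=00004660
LoadedModule[23]=C:\Windows\syswow64\OLEAUT32.dll
"""

SIG_RE = re.compile(r"^(Sig|DynamicSig)\[(\d+)\]\.(Name|Value)=(.*)$")
MOD_RE = re.compile(r"^LoadedModule\[\d+\]=(.*)$")

# NTSTATUS values from ntstatus.h in the Windows SDK; extend as needed.
NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION",
                  0xC0000409: "STATUS_STACK_BUFFER_OVERRUN"}


def parse_wer(text: str) -> dict:
    """Collect Sig[n] Name/Value pairs into one dict plus the LoadedModule list."""
    names, values, modules = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SIG_RE.match(line):
            kind, idx, part, val = m.groups()
            (names if part == "Name" else values)[(kind, int(idx))] = val
        elif m := MOD_RE.match(line):
            modules.append(m.group(1))
    signature = {n: values.get(k, "") for k, n in names.items()}
    return {"signature": signature, "modules": modules}


def exit_code_to_ntstatus(exit_code: int) -> int:
    """PsExec prints the exit code as a signed 32-bit int; after an unhandled
    exception that is the NTSTATUS, so -1073741819 is 0xC0000005."""
    return exit_code & 0xFFFFFFFF


def pe_timestamp_utc(hex_ts: str) -> str:
    """'Application Timestamp' is the PE link time, seconds since the Unix epoch."""
    ts = datetime.fromtimestamp(int(hex_ts, 16), tz=timezone.utc)
    return ts.strftime("%Y-%m-%d %H:%M:%S")


def summarize(report: dict) -> dict:
    sig = report["signature"]
    code = int(sig["Exception Code"], 16)
    fault = sig["Fault Module Name"]
    # Resolve the faulting DLL to its loaded path (System32 vs SysWOW64 shows bitness).
    paths = [m for m in report["modules"] if m.lower().endswith("\\" + fault.lower())]
    return {"app": sig["Application Name"],
            "app_version": sig["Application Version"],
            "built": pe_timestamp_utc(sig["Application Timestamp"]),
            "fault_module": fault,
            "fault_module_path": paths[0] if paths else None,
            "exception_code": code,
            "exception": NTSTATUS_NAMES.get(code, f"0x{code:08X}"),
            "offset": int(sig["Exception Offset"], 16)}


def same_crash(a: dict, b: dict) -> bool:
    """Same binary build, same faulting DLL, same exception: one bug, even though
    the offset differs because each OS ships a different OLEAUT32 build."""
    return all(a[k] == b[k] for k in ("app_version", "built", "fault_module", "exception_code"))


def matches_exit_code(summary: dict, psexec_exit_code: int) -> bool:
    return exit_code_to_ntstatus(psexec_exit_code) == summary["exception_code"]
```

On a real host, feed it the Report.wer files found under the ReportQueue and ReportArchive directories listed earlier in the thread; the decoded build time (2018-05-24 16:36:52 UTC) matches the TargetAppVer line of the Windows 10 report, which is a quick check that the report belongs to the binary you actually ran.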
  • Based on another user's observation and my testing, it appears something within the login ASEP has issues.

    As a short term workaround, you can downgrade to v13.82 or exclude login startups by including all autostart entries except "l":

    • autorunsc.exe -a bcdeghikmnoprstw
    Tuesday, August 7, 2018 10:23 PM
  • Mark & Luke just pushed Autoruns v13.91 to https://live.sysinternals.com which resolves this issue :)
    Wednesday, August 8, 2018 2:33 AM