none
Autoruns shows file extension twice + "File not found" RRS feed

 > 

  • Question

  • Question
    Sign in to vote
    0
    Sign in to vote

    Dear all,

    I'm facing this issue running Autoruns on Win7 Enterprise machines:

    Some entries are marked as "file not found" and shown up with doubled Extension.
    e.g. "c:\Windows\system32\hkcmd.exe.exe" in HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Checking the registry I found the correct values: "c:\Windows\system32\hkcmd.exe"

    Tested this with Autoruns 13.82 and 13.91 (your page says 13.90 but "About" of .exe says 13.91).

    There are multiple entries shown this way. Most of them are parts of Drivers I think.
    Like Hotkey above or igfxtray.

    A subset is a set of McAfee agent executables

    Is this a fault of Autoruns? Or might the entries be defective in any way?

    Is there a way for me to sort out wether the entries are valid or not for real?

    Did not found this issue on a Win10 machine - but not sure since on the Win10 machine not the same software is installed.

    Thanks for your replies.

    Jens

    Tuesday, August 14, 2018 2:10 PM
    |

All replies

  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi Jens

    It sounds like a bug. Could you provide me with details on how you reproduce this. Also can I confirm that this is 64 bit Windows 7?

    Regards

    MarkC (MSFT)

    Monday, August 27, 2018 4:31 AM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    MarkC,

    I'm ~90% sure I can recreate this bug. As soon as I close out other bugfixes with Mark R., I'll provide more data on how I was able to previously cause Autoruns to append an extra ".exe" to the file path.

    Kyle

    Tuesday, October 16, 2018 1:58 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    Great. The "File not found" issue has been resolved and is currently in our development branch awaiting deployment. The extraneous exe error is still outstanding though.

    MarkC(MSFT)

    Wednesday, October 17, 2018 8:37 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hey MarkC,

    With my PoC for the post-boot native path handling bug (designed for Win10), you can reproduce the double ".exe" file extension issue by changing line 6 to:

    $TargetBinPath = Join-Path $TargetDir "shady.exe"

    Edit: Here's a new PoC

    Using the private release of Autoruns v13.92, you can see the appended ".exe" when the service's ImagePath value does not exist . It's worth mentioning this bug was not reproducible when the ImagePath binary existed.

    Autoruns v13.92 when the file doesn't exist.

    Autoruns v13.92 when the file does exist:

    The bug appears to still be present in Autoruns v13.93.


    Sunday, December 9, 2018 6:18 PM
    |