I've encountered a problem with autorunsc64.exe (the command line version of the tool, version 13.96) when scanning mounted images of offline systems.
For example running:
autorunsc64.exe -a * -c -h -s -m -z X:\Windows X:\Users\Test
will work fine the first time. But on a second run autorunsc64.exe fails with an error:
Cannot load registry hive 'system' of the selected system root
The only workaround I know of is to reboot Windows after each scan. Are there any other ways to avoid this problem?
The problem is also described here in a SANS article titled "Offline Autoruns Revisited - Auditing Malware Persistence":
"A frustrating limitation I found with using Autoruns in offline mode was the need to reboot after every execution. This could be a problem introduced by my testing environment, but it remained across different test systems, mounting tools, and forensic images. Once Autoruns is executed against one system root and user profile, it will not parse a different image or even a different profile in the same image. A reboot is the only mitigation I found to get Autoruns to successfully switch context."
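The scan loop the question describes, written out as an added example (not code from the post, from the SANS article or from Sysinternals): PowerShell drives autorunsc64.exe once per user profile on the mounted image, saves each CSV separately, and stops as soon as the "Cannot load registry hive" failure appears instead of silently producing empty output for every later profile. The executable location, the X: mount point, the C:\Cases\img01 output directory and the list of skipped profile folders are assumptions; the autorunsc switches are the ones from the command above plus -accepteula and -nobanner. Whether the error is written to stdout or stderr is not stated on the page, so both streams are checked.

```powershell
# Added example: run an offline Autoruns scan per user profile and stop on the
# hive-load failure, which (per the post) is only cleared by rebooting.
param(
    [string]$AutorunsExe = ".\autorunsc64.exe",   # assumed location of the tool
    [string]$ImageDrive  = "X:",                  # assumed mount point of the image
    [string]$OutDir      = "C:\Cases\img01"       # assumed case output directory
)

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

$systemRoot = Join-Path $ImageDrive "Windows"

# Assumed skip list: profile folders that are not real user accounts.
$skip = @("Public", "Default", "Default User", "All Users")
$profiles = Get-ChildItem -Directory (Join-Path $ImageDrive "Users") |
    Where-Object { $_.Name -notin $skip }

foreach ($p in $profiles) {
    $csvPath = Join-Path $OutDir ("autoruns_{0}.csv" -f $p.Name)
    $errPath = Join-Path $OutDir ("autoruns_{0}.err" -f $p.Name)

    # Same switches as the command in the question; -accepteula and -nobanner
    # keep the EULA dialog and banner out of a scripted run and out of the CSV.
    $argList = @("-accepteula", "-nobanner", "-a", "*", "-c", "-h", "-s", "-m",
                 "-z", $systemRoot, $p.FullName)

    $proc = Start-Process -FilePath $AutorunsExe -ArgumentList $argList `
        -Wait -PassThru -NoNewWindow `
        -RedirectStandardOutput $csvPath -RedirectStandardError $errPath

    # The page does not say which stream carries the error, so read both.
    $combined = (Get-Content -Raw -ErrorAction SilentlyContinue $csvPath) +
                (Get-Content -Raw -ErrorAction SilentlyContinue $errPath)

    if ($combined -match "Cannot load registry hive") {
        Write-Warning ("Profile {0}: autorunsc64 could not load the hive (exit code {1})." `
            -f $p.Name, $proc.ExitCode)
        Write-Warning "Offline Autoruns will not switch context until Windows is rebooted; rerun from this profile after the reboot."
        exit 1
    }

    Write-Host ("Profile {0}: exit code {1}, CSV written to {2}" `
        -f $p.Name, $proc.ExitCode, $csvPath)
}
```

Because the post reports that the second invocation in a session fails, the expected behaviour of this loop is that only the first profile yields a usable CSV before the script stops; its value is that the failure is detected and the stopping point recorded, rather than a partial case directory being mistaken for a complete one.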