Incorrect image path guessing

    General discussion

  • Consider the following auto run registry keys:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Delete Cached Update Binary"="C:\\WINDOWS\\system32\\cmd.exe /q /c del /q  ..."
    "Uninstall 19.070.0410.0005"="C:\\WINDOWS\\system32\\cmd.exe /q /c rmdir ..."

    Autoruns[c] shows them as

       Delete Cached Update Binary
         C:\WINDOWS\system32\cmd.exe /q /c del /q ...
         File not found: del

       Uninstall 19.070.0410.0005
         C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q ...
         c:\cygwin64\bin\rmdir.exe

    First it tries to be too clever and doesn't show image path as cmd, then it fails to recognise internal cmd commands and replaces image paths with total nonsense - file not found or the first matching file in PATH.

    Thursday, May 30, 2019 10:14 AM

All replies

  • Hi lvmm,

    Can you confirm which Autoruns version you're using? In Autoruns v13.80, the code base was updated to no longer parse nested Windows applications. However, it appears this functionality may have been re-added in v13.94.

    I was able to reproduce your observation in Autoruns v13.94:

    It appears v13.94 may be string matching on the path. However, it will correctly resolve cmd.exe if you add extra backslashes to the path:


    Autoruns v13.93 does not display this functionality:

    With that said, I once thought it would be a great idea for Autoruns to parse "nested" applications hiding behind legitimate Windows applications. However, I've since realized this just creates a never-ending parsing problem, unmaintainable by Mark, Marc, and Luke. Hopefully they chime in and share whether this was a bug or feature.

    Friday, May 31, 2019 1:41 AM
  • Sorry for the late reply; I am using 13.94, the latest available.

    Wednesday, June 5, 2019 7:20 AM
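
An added example, not part of the thread and not Autoruns code: one way a triage script could report the image for entries like the two RunOnce values in the first post, keeping cmd.exe as the launched image and labelling `del` and `rmdir` as cmd built-ins instead of searching PATH for them. The function names, the partial built-in list and the sample strings are assumptions made for illustration.

```python
import ntpath
import re

# Partial list of commands implemented inside cmd.exe itself (assumed sufficient here).
CMD_BUILTINS = {"assoc", "call", "cd", "chdir", "copy", "del", "dir", "echo",
                "erase", "for", "if", "md", "mkdir", "mklink", "move", "rd",
                "ren", "rename", "rmdir", "set", "start", "type"}

def first_token(cmdline):
    """Split off the first token, honouring one pair of double quotes."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:                      # unterminated quote: take the rest
            return cmdline[1:], ""
        return cmdline[1:end], cmdline[end + 1:].strip()
    head, _, rest = cmdline.partition(" ")
    return head, rest.strip()

def classify_autorun(cmdline):
    """Return the launched image plus what cmd.exe is asked to run, if anything."""
    image, rest = first_token(cmdline)
    result = {"image": image, "nested": None, "nested_kind": None}
    if ntpath.basename(image).lower() not in ("cmd.exe", "cmd"):
        return result
    # Everything after the first /c or /k switch is the command cmd.exe runs.
    m = re.search(r"(?:^|\s)/[ck](?:\s+|$)(.*)", rest, re.IGNORECASE)
    if not m or not m.group(1).strip():
        return result
    nested, _ = first_token(m.group(1))
    result["nested"] = nested
    # A built-in has no file of its own, so a PATH hit for its name
    # (such as a Cygwin rmdir.exe) is an unrelated program.
    is_builtin = nested.lower() in CMD_BUILTINS
    result["nested_kind"] = "cmd built-in" if is_builtin else "external"
    return result

# Constructed samples: the two RunOnce values from the post, .reg escaping removed.
SAMPLES = [
    r"C:\WINDOWS\system32\cmd.exe /q /c del /q ...",
    r"C:\WINDOWS\system32\cmd.exe /q /c rmdir ...",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_autorun(sample))
```

Unquoted paths containing spaces are ambiguous on Windows and are not handled here; the first whitespace-delimited token is taken as the image.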