Auto Start Locations, Can ASEP Be Elsewhere RRS feed

  • Question

  • In the SysInternals book there is a  list of ASEP locations. its thorough. I've been looking into malware & the registry. Question is, can software put an ASEPs anyhwere in the registry? Or must it be put it in the locations sited in the book? Are these locations the only areas where Windows will auto-start an application or can malware put an ASEP somewhere else and still have Windows auto-start it?

    • Edited by Jjclay Sunday, August 19, 2018 3:36 PM typo
    Friday, August 10, 2018 5:40 PM

All replies

  • Hi Jjclay, thanks for the great questions! I'll start with some foundational background and then answer/elaborate on your questions.


    Your Windows OS consists of many applications and groups of applications (called subsystems). These applications and subsystems work together to provide end users a great experience and customizability while providing developers commonly needed functionality, extensibility, and deeper customization. These applications and subsystems may be initially started when the OS boots, users log in, or on-demand (after an icon is clicked, after a command is executed within cmd.exe, after a feature is needed by an already executing application, etc.)

    Many of Windows subsystems and applications will be automatically run at bootup and may even load additional applications capable of loading their own applications (for example, Microsoft Office's Word application may be automatically opened which then automatically loads/executes Adobe Acrobat's PDF formatting plugin/addin).

    Each of these subsystems and applications generally have unique locations which allow developers, administrators, and end users to specify what additional applications, plugins, providers, etc. should run. These standardized/unique locations are traditionally referred to as Autostarting Entry Point (ASEP) locations.


    Can software put an ASEP anywhere in the registry?

    • Simply put: No. Most locations in the registry will not be automatically executed by Windows.
    • More complex caveat: The registry acts as a giant configuration file for many Windows internals settings but is also commonly used by 3rd party applications. Theoretically, a 3rd party application could be written to reference any location within the registry and then automatically execute the plugin specified (akin to the Word "Addin" example above).

    Must an ASEP be a location sited in the book? Are these locations the only areas where Windows will auto-start an application or can malware put an ASEP somewhere else and still have Windows auto-start it

    • Simply put: No. There's many ASEP locations not listed within the Sysinternals book and some not yet supported by Autoruns.
    • More complex answer: Hackers and the cybersecurity researchers put significant effort into discovering new ways to automatically launch malicious applications. As a result, keeping Autoruns up to date is a constant cat-and-mouse game. Here's a tweet highlighting Autoruns not enumerating Certificate Store Providers.

    Additional Resources

    If you're a big fan of how malware is currently abusing ASEPs (also called footholds or persistence mechanisms), check out our Twitter feed which includes several hundred examples:

    We've also published research on the topic:

    Hope this helps!

    Sunday, August 19, 2018 5:25 PM