Autoruns shows file extension twice + "File not found" RRS feed

  • Question

  • Dear all,

    I'm facing this issue running Autoruns on Win7 Enterprise machines:

    Some entries are marked as "file not found" and shown up with doubled Extension.
    e.g. "c:\Windows\system32\hkcmd.exe.exe" in HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Checking the registry I found the correct values: "c:\Windows\system32\hkcmd.exe"

    Tested this with Autoruns 13.82 and 13.91 (your page says 13.90 but "About" of .exe says 13.91).

    There are multiple entries shown this way. Most of them are parts of Drivers I think.
    Like Hotkey above or igfxtray.

    A subset is a set of McAfee agent executables

    Is this a fault of Autoruns? Or might the entries be defective in any way?

    Is there a way for me to sort out wether the entries are valid or not for real?

    Did not found this issue on a Win10 machine - but not sure since on the Win10 machine not the same software is installed.

    Thanks for your replies.


    Tuesday, August 14, 2018 2:10 PM

All replies

  • Hi Jens

    It sounds like a bug. Could you provide me with details on how you reproduce this. Also can I confirm that this is 64 bit Windows 7?


    MarkC (MSFT)

    Monday, August 27, 2018 4:31 AM
  • MarkC,

    I'm ~90% sure I can recreate this bug. As soon as I close out other bugfixes with Mark R., I'll provide more data on how I was able to previously cause Autoruns to append an extra ".exe" to the file path.


    Tuesday, October 16, 2018 1:58 PM
  • Great. The "File not found" issue has been resolved and is currently in our development branch awaiting deployment. The extraneous exe error is still outstanding though.


    Wednesday, October 17, 2018 8:37 PM
  • Hey MarkC,

    With my PoC for the post-boot native path handling bug (designed for Win10), you can reproduce the double ".exe" file extension issue by changing line 6 to:

    $TargetBinPath = Join-Path $TargetDir "shady.exe"

    Edit: Here's a new PoC

    Using the private release of Autoruns v13.92, you can see the appended ".exe" when the service's ImagePath value does not exist . It's worth mentioning this bug was not reproducible when the ImagePath binary existed.

    Autoruns v13.92 when the file doesn't exist.

    Autoruns v13.92 when the file does exist:

    The bug appears to still be present in Autoruns v13.93.

    Sunday, December 9, 2018 6:18 PM
  • I just ran Autoruns for the first time on my machine, today, on my win10 pro install (Autoruns v13.96). This bug still persists, but for my machine it seems to be contained to a single hive path:

    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run    4/21/2020 11:30 AM

    [unable to post image]

    I'm wondering if this bug could be a logical error from something like converting between 64-bit vs 32-bit lengths on char arrays prior to reconstructing the 'Image Path' string … like a full-sized buffer didn't reassign every element of the buffer to '\0' ... missing half of it during iteration… ?

    Wednesday, April 22, 2020 7:44 PM
  • Hi Phil

    could you email the image to me at syssite@microsoft.com and I will take a look


    Monday, April 27, 2020 12:35 PM