Blog >> Windows Startup Programs

Investigating Windows Startup Programs

15/09/2022 Thursday

Startup programs refer to programs that run automatically when the user logs into the system. This means that these apps will lunch following a system reboot without any interaction from the user. Unless configured to do so, applications run will show no notifications or any type of indications that a program is running. This makes it an ideal medium for malware persistence.

Digital Forensics Value of Windows Startup Programs Artifacts

After a successful exploitation of a system, cybercriminals usually try to maintain persistence on the target system. Windows startup programs are one of the locations that threat actors use to place their malware and evade detection. Therefore, this artifact can provide valuable information especially, while investigating hacking incidents.

Location of Windows Startup Programs Artifacts

Startup Programs are stored in several locations. The following registry keys are among these locations:

Analyzing Windows Startup Programs Artifacts with ArtiFast Windows

This section will discuss how to use ArtiFast Windows to extract Windows Startup Programs artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Startup Programs artifacts:

Once ArtiFast parser plugins complete processing the artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Startup Programs artifacts in ArtiFast.

Startup Programs: This artifact contains application configured to run at system startup.

Startup Programs Information: This artifact contains information about the auto-run programs.

Startup Programs User Specified: This artifact contains information about programs specified by the user.

For more information or suggestions please contact: