Doug Burks edited this page Mar 30, 2018 · 11 revisions



This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players. These programs and drivers include ones in your startup folder, Run, RunOnce, and other Registry keys. Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond other autostart utilities.



Currently, our Autoruns dashboard in Kibana works only with Autoruns logs shipped via OSSEC. If you are trying to ship Autoruns logs via Winlogbeat, you can create a custom dashboard and visualizations that reference the logstash-beats-* indices, or view Autoruns logs via the Beats dashboard.


Josh Brower developed a great project called Pertinax to normalize autoruns data and integrate it into Security Onion:

Josh's syslog-ng patterns were merged into Security Onion here:

Execute autoruns and ar-normalize.ps1 as shown here:


Another method for integrating Autoruns into your logging infrastructure is AutorunsToWinEventLog:


Download Autoruns here:

Download ar-normalize.ps1 here:

Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.