Startup information:
C:\\> wmic startup list full
C:\\> wmic ntdomain list brief
View directory contents of startup folder:
C:\\> dir "%SystemDrive%\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
C:\\> dir "%SystemDrive%\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup"
C:\\> dir "%userprofile%\\Start Menu\\Programs\\Startup"
C:\\> dir "%ProgramFiles%\\Startup"
C:\\> dir "C:\\Windows\\Start Menu\\Programs\\startup"
C:\\> dir "C:\\Users\\%username%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
C:\\> dir "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
C:\\> dir "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
C:\\> dir "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
C:\\> dir "%ALLUSERSPROFILE%\\Start Menu\\Programs\\Startup"
C:\\> type C:\\Windows\\winstart.bat
C:\\> type %windir%\\wininit.ini
C:\\> type %windir%\\win.ini
View autoruns, hide Microsoft files:
Ref. https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
C:\\> autorunsc -accepteula -m
C:\\> type C:\\Autoexec.bat
Show all autorun files, export to csv and check with VirusTotal:
C:\\> autorunsc.exe -accepteula -a -c -i -e -f -l -m -v
HKEY_CLASSES_ROOT:
C:\\> reg query HKCR\\Comfile\\Shell\\Open\\Command
C:\\> reg query HKCR\\Batfile\\Shell\\Open\\Command
C:\\> reg query HKCR\\htafile\\Shell\\Open\\Command
C:\\> reg query HKCR\\Exefile\\Shell\\Open\\Command
C:\\> reg query HKCR\\Exefiles\\Shell\\Open\\Command
C:\\> reg query HKCR\\piffile\\shell\\open\\command
HKEY_CURRENT_USER:
C:\\> reg query "HKCU\\Control Panel\\Desktop"
C:\\> reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run
C:\\> reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
C:\\> reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce
C:\\> reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx
C:\\> reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices
C:\\> reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce
C:\\> reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Windows\\Run
C:\\> reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Windows\\Load
C:\\> reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Windows\\Scripts
C:\\> reg query "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows" /f run
C:\\> reg query "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows" /f load
C:\\> reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run
C:\\> reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs
C:\\> reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedMRU
C:\\> reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU
C:\\> reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedPidlMRU
C:\\> reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSavePidlMRU /s
C:\\> reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU
C:\\> reg query "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"
C:\\> reg query "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
C:\\> reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Applets\\RegEdit /v LastKey
C:\\> reg query "HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs"
C:\\> reg query "HKCU\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop"
HKEY_LOCAL_MACHINE:
C:\\> reg query "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components" /s
C:\\> reg query "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\explorer\\User Shell Folders"
C:\\> reg query "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\explorer\\Shell Folders"
C:\\> reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\explorer\\ShellExecuteHooks
C:\\> reg query "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects" /s
C:\\> reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run
C:\\> reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
C:\\> reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce
C:\\> reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx
C:\\> reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices
C:\\> reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce
C:\\> reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Winlogon\\Userinit
C:\\> reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\shellServiceObjectDelayLoad
C:\\> reg query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks" /s
C:\\> reg query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
C:\\> reg query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows" /f Appinit_DLLs
C:\\> reg query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" /f Shell
C:\\> reg query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" /f Userinit
C:\\> reg query HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts
C:\\> reg query HKLM\\SOFTWARE\\Classes\\batfile\\shell\\open\\command
C:\\> reg query HKLM\\SOFTWARE\\Classes\\comfile\\shell\\open\\command
C:\\> reg query HKLM\\SOFTWARE\\Classes\\exefile\\shell\\open\\command
C:\\> reg query HKLM\\SOFTWARE\\Classes\\htafile\\Shell\\Open\\Command
C:\\> reg query HKLM\\SOFTWARE\\Classes\\piffile\\shell\\open\\command
C:\\> reg query "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects" /s
C:\\> reg query "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
C:\\> reg query "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs"
C:\\> reg query "HKLM\\SYSTEM\\ControlSet001\\Control\\Session Manager\\KnownDLLs"