09.02.2014 Views

Windows sysinternals

You also want an ePaper? Increase the reach of your titles

YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.

152 Part II Usage Guide<br />

Viewing ASEPs of an Offline System<br />

Autoruns allows you to view the ASEPs of an offline instance of <strong>Windows</strong> from a different,<br />

known-good instance of <strong>Windows</strong>. This can be helpful in several scenarios:<br />

■ If <strong>Windows</strong> will not start, offline analysis can identify and remove faulty or<br />

misconfigured ASEPs.<br />

■ Malware, and rootkits in particular, can prevent Autoruns from accurately identifying<br />

ASEPs. For example, a rootkit that intercepts and modifies registry reads can hide the<br />

content of selected keys from Autoruns. By taking the system offline and viewing its<br />

ASEPs from an instance of <strong>Windows</strong> in which that malware is not running, those entries<br />

will not be hidden.<br />

■ Malicious files on your system might appear to be signed by a trusted publisher, when<br />

in fact the root certificate might also have come from the attacker. A known-good<br />

system in which the bogus certificate is not installed will fail the signature verification<br />

for those files.<br />

To perform offline analysis, Autoruns must run with administrative rights and must have<br />

access to the offline instance’s file system. Choose Analyze Offline System from the File<br />

menu, and then identify the target’s <strong>Windows</strong> (System Root) directory and a user’s profile<br />

directory, as shown in Figure 5-4. Autoruns then scans that instance’s directories and registry<br />

hives for its ASEPs. Note that the registry hives cannot be on read-only media.<br />

FIGURE 5-4 Picking system and user profile directories of an offline system.<br />

Listing Unused ASEPs<br />

By default, Autoruns displays a shaded row only for ASEPs that have entries configured<br />

within them. If Include Empty Locations is enabled on the Options menu, Autoruns displays<br />

a shaded row for every ASEP that it scans, whether it has entries or not. Autoruns scans a<br />

tremendous number of ASEPs, so this increases the amount of output dramatically. Enabling<br />

this option can be useful to verify whether particular ASEPs are scanned, or to satisfy<br />

curiosity.<br />

www.it-ebooks.info

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!