Startup Items

Overview

Evidence: Startup Items
Description: Enumerate Startup Items
Category: Persistence
Platform: Windows
Short Name: strtppr
Is Parsed: Yes - LNK files parsed for target information
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Windows has a per-user Startup folder and an all-users Startup folder. At logon, Explorer launches every program, script, and shortcut found in the logging-on user's folder and in the all-users folder.

This is one of the most common persistence mechanisms: the per-user folder is writable by its owner without elevation, so both users and malware can drop items there. Startup folder contents can include executables, scripts, and LNK (shortcut) files that point at a target elsewhere on disk.

Data Collected

Startup Folder Table

Field             Description                                      Example
Entry             Path to the startup item                         C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware.lnk
LNKHash           Hash of the LNK file itself (not of the target)  SHA256:a1b2c3...
LNKFileModified   LNK file modified time                           2023-10-15T14:30:00
LNKFileAccessed   LNK file accessed time                           2023-10-15T15:45:00
LNKFileCreated    LNK file creation time                           2023-10-15T14:00:00
CommandLine       Target path plus arguments from the LNK          C:\Temp\malware.exe --hidden

The table also carries the standard file information columns for the target executable.

Startup Folder Arguments Table

Field                        Description                              Example
AutorunsStartupFolderRowID   Foreign key to the startup entry row     1

The table also carries the standard file information columns for each file path found among the arguments.

Collection Method

This collector searches the per-user and all-users Startup folders (paths relative to the system drive):

  • Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

  • ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

For each file found:

  • If the file is a LNK file, parse it to extract the target path and arguments

  • Calculate the hash of the LNK file

  • Record the LNK file's timestamps

  • Parse the resulting command line for executables and argument file paths

  • If the file is not a LNK file, treat the file itself as the startup item
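The procedure above, as an added example that is not the collector's own code: a minimal parser for the public Shell Link (MS-SHLLINK) layout that pulls the target path from LinkInfo and the arguments from StringData, plus a folder walker that emits rows shaped like the Startup Folder table (entry, LNK hash, LNK file timestamps, command line) and treats any non-LNK file as the item itself. It handles local-path shortcuts only (network and IDList-only links return no target), and the sample LNK it builds is constructed data, not a real capture.

```python
# Added example (not the collector's own code): a minimal MS-SHLLINK (.lnk)
# parser plus a Startup-folder walker producing rows shaped like the Startup
# Folder table. Local-path shortcuts only; network links are not resolved.
import hashlib, os, struct, tempfile
from datetime import datetime, timedelta, timezone

HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08   # LinkFlags
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ISO = "%Y-%m-%dT%H:%M:%S"

def filetime_to_iso(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601 string."""
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).strftime(ISO)

def iso_to_filetime(dt):
    """Inverse of filetime_to_iso, in exact integer arithmetic."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def _cstring(data, start):          # NUL-terminated ANSI string at data[start:]
    return data[start:data.index(b"\x00", start)].decode("cp1252")

def parse_lnk(data):
    """Target path, arguments, command line and the target timestamps kept in the header."""
    if len(data) < 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, _attrs, ctime, atime, wtime = struct.unpack_from("<IIQQQ", data, 20)
    pos = 0x4C
    if flags & HAS_IDLIST:                       # skip the IDList; LinkInfo is enough here
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & HAS_LINKINFO:
        li_size, _hdr, li_flags, _vol, lbp_off, _cnrl, sfx_off = struct.unpack_from("<7I", data, pos)
        if li_flags & 0x1:                       # VolumeIDAndLocalBasePath present
            target = _cstring(data, pos + lbp_off) + _cstring(data, pos + sfx_off)
        pos += li_size
    strings, width = {}, 2 if flags & IS_UNICODE else 1
    for bit, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                     (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")):
        if flags & bit:                          # StringData items appear in this fixed order
            count = struct.unpack_from("<H", data, pos)[0]
            strings[key] = data[pos + 2:pos + 2 + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    args = strings.get("arguments", "")
    return {"target": target, "arguments": args,
            "command_line": (target or "") + (" " + args if args else ""),
            "target_created": filetime_to_iso(ctime), "target_accessed": filetime_to_iso(atime),
            "target_modified": filetime_to_iso(wtime)}

def enumerate_startup(folders):
    """One row per file found in the given Startup folders."""
    rows, stamp = [], lambda t: datetime.fromtimestamp(t, timezone.utc).strftime(ISO)
    for folder in folders:
        for name in sorted(os.listdir(folder)) if os.path.isdir(folder) else []:
            path = os.path.join(folder, name)
            if not os.path.isfile(path):
                continue
            st = os.stat(path)
            row = {"entry": path, "lnk_file_modified": stamp(st.st_mtime),
                   "lnk_file_accessed": stamp(st.st_atime), "lnk_file_created": stamp(st.st_ctime)}
            if name.lower().endswith(".lnk"):
                with open(path, "rb") as f:
                    blob = f.read()
                row["lnk_hash"] = "SHA256:" + hashlib.sha256(blob).hexdigest()
                row.update(parse_lnk(blob))      # target, arguments, command_line, target_* times
            else:
                row["command_line"] = path       # a plain file is itself the startup item
            rows.append(row)
    return rows

def build_sample_lnk(target="C:\\Temp\\malware.exe", arguments="--hidden"):
    """Constructed sample (not a real capture): minimal valid LNK with LinkInfo and arguments."""
    t = iso_to_filetime(datetime(2023, 10, 15, 14, 0, 0, tzinfo=timezone.utc))
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINKINFO | HAS_ARGS | IS_UNICODE,
                         0x20, t, t, t, 0, 0, 1, 0, 0, 0, 0)
    vol = struct.pack("<IIII", 0x11, 3, 0x12345678, 0x10) + b"\x00"   # VolumeID with empty label
    lbp, sfx = target.encode("cp1252") + b"\x00", b"\x00"              # LocalBasePath, CommonPathSuffix
    li_size = 28 + len(vol) + len(lbp) + len(sfx)
    linkinfo = struct.pack("<7I", li_size, 28, 0x1, 28, 28 + len(vol), 0, 28 + len(vol) + len(lbp))
    return header + linkinfo + vol + lbp + sfx + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

def demo():
    """Write the sample LNK and a plain .bat into a throwaway folder, then enumerate it."""
    folder = tempfile.mkdtemp()
    with open(os.path.join(folder, "malware.lnk"), "wb") as f:
        f.write(build_sample_lnk())
    with open(os.path.join(folder, "run.bat"), "w") as f:
        f.write("@echo off\r\n")
    return enumerate_startup([folder])

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Note the two sets of timestamps: lnk_file_* come from the file system and correspond to the LNKFile* columns, whereas target_* are copied out of the LNK header and describe the target as it was when the shortcut was created. On a live system the folders argument would be the two Startup paths listed above, expanded per user profile.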

Usage

Startup folder analysis is fundamental for detecting persistence mechanisms. Investigators use this data to:

  • Identify malicious startup items and unauthorized persistence

  • Track legitimate startup applications and verify their legitimacy

  • Identify suspicious LNK files and persistence via shortcuts

  • Correlate startup items with evidence of malware execution

Known Limitations

  • Only captures files present at collection time

  • Deleted startup items not captured

  • Group Policy startup scripts not included

  • Registry-based startup items not captured here (see Registry Persistence)

Notes

LNK files in startup folders can point to files on removable drives or network shares. Even if the target no longer exists, the LNK file preserves the path and can provide investigative leads.

The LNKFile* columns are the file system timestamps of the shortcut itself. The LNK header separately stores the target's creation, access and write times as they were when the shortcut was made, which can help date the original drop even after the target has been modified or removed.

Because the collector searches the default folder paths listed under Collection Method, a Startup folder that has been relocated through the Startup value under the Explorer User Shell Folders registry key is not searched; check that value in the registry evidence when the expected folders are empty.
