Startup Items
Overview
Evidence: Startup Items Description: Enumerate Startup Items Category: System Platform: windows Short Name: strtppr Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): Yes
Background
Windows Startup folders contain programs and shortcuts that run automatically when a user logs on. There are per-user and all-users startup folders that Windows processes during logon.
This is one of the most common persistence mechanisms and is easily accessible to users and malware. Startup folder contents can include executables, scripts, and LNK (shortcut) files.
Data Collected
This collector gathers structured data about startup items.
Startup Items Data
Entry
Path to startup item
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware.lnk
LNKHash
Hash of LNK file
SHA256:a1b2c3...
LNKFileModified
LNK file modified time
2023-10-15T14:30:00
LNKFileAccessed
LNK file accessed time
2023-10-15T15:45:00
LNKFileCreated
LNK file creation time
2023-10-15T14:00:00
CommandLine
Target command line
C:\Temp\malware.exe --hidden
AutorunsStartupFolderRowID
Foreign key to startup entry
1
Collection Method
This collector searches startup folders:
Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartupProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
For each file found:
If it's a LNK file, parses it to extract target path and arguments
Calculates hash of the LNK file
Extracts LNK timestamps
Parses command line for executables and arguments
If not a LNK file, treats the file itself as the startup item
Forensic Value
Startup folder analysis is fundamental for detecting persistence mechanisms. Investigators use this data to identify malicious startup items, detect unauthorized persistence, track legitimate startup applications, identify suspicious LNK files, verify startup item legitimacy, correlate with malware execution, and detect persistence via shortcuts.
Last updated
Was this helpful?