# Startup Items

## Overview

**Evidence:** Startup Items\
**Description:** Enumerate Startup Items\
**Category:** System\
**Platform:** windows\
**Short Name:** strtppr\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** Yes

## Background

Windows Startup folders contain programs and shortcuts that run automatically when a user logs on. There are per-user and all-users startup folders that Windows processes during logon.

This is one of the most common persistence mechanisms and is easily accessible to users and malware. Startup folder contents can include executables, scripts, and LNK (shortcut) files.

## Data Collected

This collector gathers structured data about startup items.

### Startup Items Data

| Field                        | Description                  | Example                                                                                 |
| ---------------------------- | ---------------------------- | --------------------------------------------------------------------------------------- |
| `Entry`                      | Path to startup item         | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware.lnk |
| `LNKHash`                    | Hash of LNK file             | SHA256:a1b2c3...                                                                        |
| `LNKFileModified`            | LNK file modified time       | 2023-10-15T14:30:00                                                                     |
| `LNKFileAccessed`            | LNK file accessed time       | 2023-10-15T15:45:00                                                                     |
| `LNKFileCreated`             | LNK file creation time       | 2023-10-15T14:00:00                                                                     |
| `CommandLine`                | Target command line          | C:\Temp\malware.exe --hidden                                                            |
| `AutorunsStartupFolderRowID` | Foreign key to startup entry | 1                                                                                       |

## Collection Method

This collector searches startup folders:

* `Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup`
* `ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp`

For each file found:

* If it's a LNK file, parses it to extract target path and arguments
* Calculates hash of the LNK file
* Extracts LNK timestamps
* Parses command line for executables and arguments
* If not a LNK file, treats the file itself as the startup item

## Forensic Value

Startup folder analysis is fundamental for detecting persistence mechanisms. Investigators use this data to identify malicious startup items, detect unauthorized persistence, track legitimate startup applications, identify suspicious LNK files, verify startup item legitimacy, correlate with malware execution, and detect persistence via shortcuts.