Startup Folder

Windows | Persistence Mechanisms | Disk Image

Location

  • C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ (per-user)
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ (all users)

Description

Per-user and all-users startup folders containing shortcuts, scripts, or executables that run automatically at user logon. Items can be LNK files, batch scripts, VBS scripts, or direct executables.

Forensic Value

The Startup folder is a simple but effective persistence mechanism. Any file placed here executes at user logon with the privileges of the logging-on user. Per-user folders provide user attribution for the persistence mechanism. File creation timestamps on items in the Startup folder indicate when persistence was installed. Comparing contents against a known-good baseline or across multiple systems identifies attacker-added persistence items.

Tools Required

  • KAPE
  • Autoruns (Sysinternals)
  • PowerShell
  • dir /s

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target StartupFolders

Autoruns

autorunsc.exe -accepteula -nobanner -a l -c -h -s > C:\output\autoruns_startup.csv

PowerShell

Get-ChildItem "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\" -Force; Get-ChildItem "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\" -Force

cmd

for /d %u in ("C:\Users\*") do @dir /s /b "%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\" & dir /s /b "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\"
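The commands above list the folder contents; the script below, an added example that is not part of the original page, goes one step further and does the triage the Forensic Value section describes: it inventories both Startup folders, resolves .lnk targets, hashes each item, records UTC creation and last-write times, and reports anything that is new or changed relative to a baseline. The baseline is assumed to be the CSV that this same script wrote on a known-good host; the baseline and output paths are assumptions.

```powershell
# Added example, not from the original page. Inventories both Startup
# folders named above, resolves .lnk targets, hashes each item, and diffs
# the result against a baseline CSV produced by an earlier run of this
# same script on a known-good host (baseline and output paths are assumed).
param(
    [string]$BaselineCsv = "C:\output\startup_baseline.csv",   # assumed path
    [string]$OutCsv      = "C:\output\startup_inventory.csv"   # assumed path
)

# All-users folder plus one per-user folder for every profile under C:\Users
$folders = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
$folders += Get-ChildItem "C:\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName "AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" }

$wsh = New-Object -ComObject WScript.Shell   # used only to read .lnk targets

$inventory = foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    foreach ($item in Get-ChildItem -LiteralPath $folder -Force -File -ErrorAction SilentlyContinue) {
        $target = $null; $lnkArgs = $null
        if ($item.Extension -ieq ".lnk") {
            try {
                $lnk     = $wsh.CreateShortcut($item.FullName)
                $target  = $lnk.TargetPath
                $lnkArgs = $lnk.Arguments
            } catch { $target = "<unresolved>" }
        }
        # Per-user folders give user attribution; the ProgramData folder does not
        $owner = if ($folder -like "C:\Users\*") { ($folder -split '\\')[2] } else { "ALL USERS" }
        [pscustomobject]@{
            Path            = $item.FullName
            Profile         = $owner
            CreationTimeUtc = $item.CreationTimeUtc
            LastWriteUtc    = $item.LastWriteTimeUtc
            Target          = $target
            Arguments       = $lnkArgs
            SHA256          = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        }
    }
}

# Persist the full inventory; creation time orders it by when each item appeared
$inventory | Sort-Object CreationTimeUtc | Export-Csv -LiteralPath $OutCsv -NoTypeInformation

# Report anything absent from, or changed since, the baseline
if (Test-Path -LiteralPath $BaselineCsv) {
    $known = @{}
    foreach ($b in Import-Csv -LiteralPath $BaselineCsv) { $known[$b.Path] = $b.SHA256 }
    foreach ($i in $inventory) {
        if (-not $known.ContainsKey($i.Path)) {
            "NEW     $($i.CreationTimeUtc)  $($i.Path) -> $($i.Target) $($i.Arguments)"
        } elseif ($known[$i.Path] -ne $i.SHA256) {
            "CHANGED $($i.LastWriteUtc)  $($i.Path) -> $($i.Target) $($i.Arguments)"
        }
    }
} else {
    "No baseline at $BaselineCsv; review the full inventory in $OutCsv"
}
```

Run it from an elevated prompt so that other users' profiles are readable. To create the baseline, run the script once on a known-good host and copy its inventory CSV to the baseline path. Treat the creation timestamps as an indicator of when an item was placed, not as proof: NTFS timestamps can be altered, so corroborate them with other sources before relying on them for a timeline.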

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.

MITRE ATT&CK Techniques

T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)