One of the less visible aspects of security research is constant failure. Anyone who ‘pokes around’ fails a lot. I have covered some of my research fails in the past, so in a humble attempt to continue this tradition I am writing another quick post about… well… yet another fail.
The test I came up with was based on the following:
– Whenever you disable an autorun entry, it is removed from its startup location and migrated to the ‘AutorunsDisabled’ bucket, which is created either as a Registry key or as a folder
– I thought: what if I create an entry, mark it as disabled in Autoruns (forcing it to be moved to the ‘AutorunsDisabled’ bucket), and then re-add it in the same place? Without reverse-engineering Autoruns, I was hypothesizing that the presence of the ‘AutorunsDisabled’ Registry key, or the respective folder, might prevent Autoruns from displaying the entry, or somehow affect the logic of that display.
I was wrong. A quick test confirmed that when both entries are present, Autoruns simply displays them all.
I fought the Autoruns, and Autoruns won…
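As an added example (not the post's own code), here is a PowerShell check for the exact situation tested above: the same entry name present both live and in the ‘AutorunsDisabled’ bucket, which is worth flagging because the disabled copy no longer reflects what actually runs. It assumes the bucket is a subkey named AutorunsDisabled directly under each Run key and a subfolder of the same name under the per-user Startup folder; the key and folder paths are the usual Windows locations, not taken from the post.

```powershell
# Added example, not code from the original post.
# Assumption: Autoruns stores disabled items in an 'AutorunsDisabled' subkey / subfolder
# directly beneath the location the item came from.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Read all named values of a Run key into a hashtable (empty if the key is absent).
function Get-RunValues {
    param([string]$Path)
    $result = @{}
    if (-not (Test-Path -LiteralPath $Path)) { return $result }
    $item = Get-Item -LiteralPath $Path
    foreach ($name in $item.GetValueNames()) {
        if ($name -ne '') { $result[$name] = $item.GetValue($name) }
    }
    return $result
}

# Registry: report names that exist both live and in the disabled bucket.
foreach ($key in $runKeys) {
    $live     = Get-RunValues -Path $key
    $disabled = Get-RunValues -Path (Join-Path $key 'AutorunsDisabled')
    foreach ($name in $disabled.Keys) {
        if ($live.ContainsKey($name)) {
            [pscustomobject]@{
                Location = $key
                Name     = $name
                Live     = $live[$name]
                Disabled = $disabled[$name]
                SameCmd  = ($live[$name] -eq $disabled[$name])  # re-added unchanged, or altered?
            }
        }
    }
}

# Startup folder: same check on files, using the AutorunsDisabled subfolder.
$startup     = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$disabledDir = Join-Path $startup 'AutorunsDisabled'
if (Test-Path -LiteralPath $disabledDir) {
    Get-ChildItem -LiteralPath $disabledDir -File |
        Where-Object { Test-Path -LiteralPath (Join-Path $startup $_.Name) } |
        ForEach-Object {
            [pscustomobject]@{
                Location = $startup
                Name     = $_.Name
                Live     = (Join-Path $startup $_.Name)
                Disabled = $_.FullName
                SameCmd  = $null
            }
        }
}
```

Run it in an elevated session to cover the HKLM keys; on a clean system it prints nothing, and each row it does print is an entry that was disabled at some point and is now back in the live location.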