For decades, Windows system administrators, forensic analysts, and power users have relied on Microsoft Sysinternals Autoruns as the ultimate utility for managing startup processes. Unlike the simplistic MSConfig or the rudimentary Task Manager Startup tab, Autoruns delves deep into the shadowy corners of the Windows Registry, scheduled tasks, services, drivers, and dozens of Auto-start Extensibility Points (ASEPs).
For forensic analysis of an ARM64 disk image offline:

You cannot run ARM64 binaries on an x64 forensic workstation. Instead, use Autoruns64.exe (x64) against the mounted offline registry hives by pointing Autoruns to the C:\Windows\System32\config folder of the image. Architecture emulation does not matter here, because reading offline hives does not execute any code from the image.
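The same idea, reduced to the two Run keys listed further down, as an added PowerShell example that is not from the original page or from Sysinternals: load the image's SOFTWARE hive under a temporary key on the x64 workstation and enumerate the 64-bit and Wow6432Node Run entries. The mount point `E:\` and the temporary key name `HKLM\OfflineSOFTWARE` are assumptions; the shell must be elevated for `reg.exe load`.

```powershell
# Added example (not the page's or Sysinternals' code): list Run-key autostart
# entries from an offline SOFTWARE hive. The image mount point and the
# temporary hive key name below are assumptions.
$ImageRoot = 'E:\'                                   # assumed read-only mount of the evidence image
$HiveFile  = Join-Path $ImageRoot 'Windows\System32\config\SOFTWARE'
$MountKey  = 'HKLM\OfflineSOFTWARE'                  # temporary key the hive is loaded under

# 64-bit and 32-bit (Wow6432Node) Run keys, relative to the loaded hive root
$RunKeys = @(
    'Microsoft\Windows\CurrentVersion\Run',
    'Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# reg.exe load does not execute anything from the image, so the image's
# architecture (ARM64 here) is irrelevant; only the hive format matters.
reg.exe load $MountKey $HiveFile | Out-Null
try {
    foreach ($Sub in $RunKeys) {
        $Path = "HKLM:\OfflineSOFTWARE\$Sub"
        if (-not (Test-Path $Path)) { continue }   # 32-bit images have no Wow6432Node
        $Item = Get-Item $Path
        foreach ($Name in $Item.GetValueNames()) {
            [pscustomobject]@{
                Key     = $Sub
                Name    = $Name
                Command = $Item.GetValue($Name)   # the command line that would run at logon
            }
        }
    }
}
finally {
    # Always unload, otherwise the hive file stays locked on the workstation
    reg.exe unload $MountKey | Out-Null
}
```

This covers only two of the dozens of ASEPs Autoruns inspects; it is useful for a quick triage or for cross-checking, but a full review should still point Autoruns at the offline system root as described above.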
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Verdict: For driver forensics, always use the native build on ARM64. Emulation won't miss drivers, but performance is worse.

Autoruns 64 vs Autoruns 64a: Unmasking the Two
Autoruns64.exe: This is the version for standard 64-bit Intel or AMD processors (x64). This is what most modern Windows PCs and laptops should use.
When it comes to managing startup programs and services on a Windows system, two popular tools often come to mind: Autoruns 64 and Autoruns 64a. Both are part of the Sysinternals suite, a collection of advanced system utilities developed by Mark Russinovich and acquired by Microsoft. While they share a similar name and purpose, there are key differences between Autoruns 64 and Autoruns 64a that can significantly impact their usability and effectiveness in different scenarios.