Startup Items

Overview

Evidence: Startup Items
Description: Enumerate Startup Items
Category: System
Platform: windows
Short Name: strtppr
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes

Background

Windows Startup folders contain programs and shortcuts that run automatically when a user logs on. There are per-user and all-users startup folders that Windows processes during logon.

This is one of the most common persistence mechanisms and is easily accessible to users and malware. Startup folder contents can include executables, scripts, and LNK (shortcut) files.

Data Collected

This collector gathers structured data about startup items.

Startup Items Data

Field	Description	Example
Entry	Path to startup item	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware.lnk
LNKHash	Hash of LNK file	SHA256:a1b2c3…
LNKFileModified	LNK file modified time	2023-10-15T14:30:00
LNKFileAccessed	LNK file accessed time	2023-10-15T15:45:00
LNKFileCreated	LNK file creation time	2023-10-15T14:00:00
CommandLine	Target command line	C:\Temp\malware.exe —hidden
AutorunsStartupFolderRowID	Foreign key to startup entry	1

Collection Method

This collector searches startup folders:

• Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
• ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

For each file found:

• If it’s a LNK file, parses it to extract target path and arguments
• Calculates hash of the LNK file
• Extracts LNK timestamps
• Parses command line for executables and arguments
• If not a LNK file, treats the file itself as the startup item

Forensic Value

Startup folder analysis is fundamental for detecting persistence mechanisms. Investigators use this data to identify malicious startup items, detect unauthorized persistence, track legitimate startup applications, identify suspicious LNK files, verify startup item legitimacy, correlate with malware execution, and detect persistence via shortcuts.