Environment
- Windows 11 (23H2) [also reproducible on Windows 10 22H2]
- Autoruns v14.11 (build 2024-02-06, Sysinternals)
- Tested both normal user context and elevated (Administrator) mode
Issue
Autoruns currently lists shortcuts from:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
but does not display entries located in the user’s Startup folder:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
(e.g. C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup).
This results in per-user startup items (such as Pumble.lnk, Linear.exe, etc.) launching correctly at logon but being completely invisible in Autoruns’ Logon or Everything tabs.
Expected behavior
Autoruns documentation states:
“This utility shows you what programs are configured to run during system bootup or login, including ones in your startup folder…”
Therefore, both the All Users and per-user startup folders should be enumerated when scanning the current user profile, particularly when:
- “Scan only per-user locations” is enabled, or
- running Autoruns non-elevated under that profile.
Actual behavior
Only the ProgramData (common) startup folder entries appear.
Per-user %APPDATA% startup entries are missing even when Autoruns is run non-elevated or with “Scan only per-user locations” checked.
Steps to reproduce
-
Place any shortcut (e.g., notepad.exe.lnk) in:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
-
Run Autoruns v14.11 (both normal and elevated).
-
Observe: the shortcut is not listed in any tab.
-
Place a shortcut in:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
-
Run Autoruns again → the common entry appears correctly.
Impact
This creates a visibility gap for forensic analysis, system auditing, and malware hunting:
- Per-user Startup folder persistence mechanisms execute at every login via Explorer,
- Yet are invisible in Autoruns, WMI (
Win32_StartupCommand), and many EDR tools relying on those sources.
This could be exploited by unwanted software or malware for stealth persistence.
Suggested resolution
Add explicit enumeration of:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
when in all cases. And search this folder and not the common one when respecting “Scan only per-user locations” setting.
Attachments
The screenshot demonstrates both Startup folders side-by-side:
- Top: user Startup folder with multiple
.lnk files (Pumble.lnk, etc.)
- Bottom: ProgramData Startup folder (shown correctly in Autoruns)
- Autoruns window (left) confirming only common Startup entries appear.
With "Scan only per-user locations":
(P.S. Also would be good to update https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns to specify that all startup folders are searched)
Environment
Issue
Autoruns currently lists shortcuts from:
but does not display entries located in the user’s Startup folder:
(e.g.
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup).This results in per-user startup items (such as
Pumble.lnk,Linear.exe, etc.) launching correctly at logon but being completely invisible in Autoruns’ Logon or Everything tabs.Expected behavior
Autoruns documentation states:
Therefore, both the All Users and per-user startup folders should be enumerated when scanning the current user profile, particularly when:
Actual behavior
Only the ProgramData (common) startup folder entries appear.
Per-user
%APPDATA%startup entries are missing even when Autoruns is run non-elevated or with “Scan only per-user locations” checked.Steps to reproduce
Place any shortcut (e.g.,
notepad.exe.lnk) in:Run Autoruns v14.11 (both normal and elevated).
Observe: the shortcut is not listed in any tab.
Place a shortcut in:
Run Autoruns again → the common entry appears correctly.
Impact
This creates a visibility gap for forensic analysis, system auditing, and malware hunting:
Win32_StartupCommand), and many EDR tools relying on those sources.This could be exploited by unwanted software or malware for stealth persistence.
Suggested resolution
Add explicit enumeration of:
when in all cases. And search this folder and not the common one when respecting “Scan only per-user locations” setting.
Attachments
The screenshot demonstrates both Startup folders side-by-side:
.lnkfiles (Pumble.lnk, etc.)With "Scan only per-user locations":
(P.S. Also would be good to update https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns to specify that all startup folders are searched)