“Analyze Offline System” Feature Added in Autoruns from Windows Sysinternals

Autoruns from Windows Sysinternals is a must-have tool for every troubleshooter, and it has been in my toolkit (kept regularly updated) for years. In v10.02 a new option, "Analyze Offline System…", was added to Autoruns that lets you inspect the startup configuration, services and other settings of a Windows installation that is not running.

You simply connect the subject PC's hard disk to another system as a secondary (non-boot) drive, or mount the drive or disk image you want to analyze offline (for malware/rootkit removal, or for other purposes), and start Autoruns as Administrator (elevated). Choose File > Analyze Offline System…, point Autoruns at the offline installation's Windows directory (its system root) and at one user profile directory, and it will enumerate the startup points and other settings from that installation's registry hives and NTUSER.DAT, locating the hive files relative to the two paths you gave. The security benefit is that the subject operating system is never booted: any rootkit or other malware installed on it is not running, so it cannot hook the registry or file-system APIs and hide its own entries the way it can when Autoruns runs on the infected system itself. Two practical points: the dialog takes one user profile at a time, so repeat the scan for each account you care about; and if the disk is evidence, attach it through a write blocker or mark it read-only first, because simply mounting an NTFS volume on a running Windows system can modify it.

  • System registry hives (SYSTEM, SOFTWARE and the rest) are located at \Windows\System32\config, e.g. E:\Windows\System32\config when the offline volume is mounted as E:
  • The user registry hive NTUSER.DAT is located at \Users\{username} (Vista and later; on Windows XP it is under \Documents and Settings\{username})
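The same preparation, scripted. The following PowerShell is an added example, not code from the original article or from Sysinternals: it verifies that the mounted volume really carries the SYSTEM and SOFTWARE hives and at least one profile with NTUSER.DAT, then runs autorunsc.exe (the console version of Autoruns) once per profile using its offline switch, -z <system root> <user profile>, which is the command-line counterpart of the GUI dialog. The drive letter, tool path and output folder are assumptions, and the switch syntax follows current Autorunsc (v13 and later), not the v10.02 build the article describes.

```powershell
<#
  Added example (not from the article or from Sysinternals).
  Validate an offline Windows volume and run autorunsc.exe against it, one
  user profile at a time, writing one CSV per profile.
  Assumptions: the subject volume is mounted at $Drive (e.g. "E:"),
  autorunsc.exe is at $AutorunscPath, results go to $OutDir.
#>
param(
    [Parameter(Mandatory)] [string] $Drive,                               # e.g. "E:"
    [string] $AutorunscPath = 'C:\Tools\SysinternalsSuite\autorunsc.exe', # assumption
    [string] $OutDir        = 'C:\Cases\offline-autoruns'                 # assumption
)

function Test-IsElevated {
    # Autoruns must run elevated to load the offline registry hives.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    return ([Security.Principal.WindowsPrincipal] $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-OfflineSystemRoot {
    param([string] $Volume)
    # Autoruns reads SYSTEM and SOFTWARE from <system root>\System32\config.
    $root = Join-Path $Volume 'Windows'
    foreach ($hive in 'SYSTEM', 'SOFTWARE') {
        $p = Join-Path $root "System32\config\$hive"
        if (-not (Test-Path -LiteralPath $p)) {
            throw "Hive not found: $p. Is $Volume really a Windows system volume?"
        }
    }
    return $root
}

function Get-OfflineUserProfiles {
    param([string] $Volume)
    # Vista and later keep profiles under \Users; XP used \Documents and Settings.
    # Only directories that actually contain NTUSER.DAT are user profiles.
    foreach ($base in 'Users', 'Documents and Settings') {
        $dir = Join-Path $Volume $base
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Directory |
            Where-Object { Test-Path -LiteralPath (Join-Path $_.FullName 'NTUSER.DAT') }
    }
}

if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell session.' }
if (-not (Test-Path -LiteralPath $AutorunscPath)) { throw "autorunsc.exe not found at $AutorunscPath" }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$systemRoot = Get-OfflineSystemRoot -Volume $Drive
$profiles   = @(Get-OfflineUserProfiles -Volume $Drive)
if ($profiles.Count -eq 0) { throw "No user profile with NTUSER.DAT found on $Drive" }

# The offline dialog (and -z) takes exactly one user profile per run, so scan each
# profile separately; machine-wide entries will appear in every CSV.
foreach ($profile in $profiles) {
    $csv = Join-Path $OutDir ("autoruns_{0}.csv" -f $profile.Name)
    Write-Host "Scanning $systemRoot with profile $($profile.FullName) -> $csv"
    # -a *  all entry categories   -c  CSV output   -s  verify code signatures
    # -h    show file hashes       -z  offline system root and user profile
    & $AutorunscPath -accepteula -nobanner -a '*' -c -s -h -z $systemRoot $profile.FullName |
        Out-File -LiteralPath $csv -Encoding utf8
}
```

Run it from an elevated prompt as `.\Invoke-OfflineAutoruns.ps1 -Drive E:` (script name assumed). Signature verification (-s) is done against the image files on the mounted volume, so the output also tells you which autostart entries point at unsigned or missing binaries, which is usually where a cleanup starts.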

"Autoruns and Dead Computer Forensics" by Chad Tilbury (SANS DFIR blog) is a good article to read for more on this technique. The Analyze Offline System feature comes in handy when remote support or logging in to the problematic PC is not an option, or when the PC is unbootable, especially in the aftermath of a malware/rootkit infection or because of some other misconfiguration.

About the author

Ramesh Srinivasan founded Winhelponline.com in 2005. He is passionate about Microsoft technologies and has vast experience in the ITeS industry, delivering support for Microsoft's consumer products. He was a Microsoft MVP from 2003 to 2012 and contributes to various Windows support forums.