TA-Autoruns

Technical Addon for Splunk to ingest Sysinternals' Autoruns output including the ability to only index changed entries

Technical Addon for Splunk to ingest Sysinternals' Autoruns output

This TA executes the Sysinternals Autoruns CLI utility and returns the results to be picked up by Splunk.

This TA was inspired by Palantir's AutorunsToWinEventLog (https://github.com/palantir/windows-event-forwarding), but instead of creating a scheduled task and writing to the EventLog it uses a scripted input directly.

Make sure to download autorunsc64.exe from https://live.sysinternals.com/autorunsc64.exe and place it into the bin folder. To enable the input, copy default\inputs.conf into local and set disabled = false.

Warning: This script is executed with a priority class of 'BelowNormal' to limit its performance impact. Still, the schedule should be chosen carefully and the impact on systems tested before rolling it out on a large scale.

It's possible (and probably advisable) to create a baseline and only log newly created or removed entries (you know... Splunk and volume-based licensing...). Additionally, recreation of the baseline can be scheduled as well, so it can be aligned with retention policies. The following example creates a new baseline every 7 days and logs changes every 4 hours.

[powershell://Autoruns]
script = . "$SplunkHome\etc\apps\TA-autoruns\bin\autoruns.ps1" -MaxBaselineAge 7:00:00:00
schedule = 0 */4 * * *
sourcetype = autoruns
disabled = false

If you don't specify -MaxBaselineAge, only changes will be logged by default:

[powershell://Autoruns]
script = . "$SplunkHome\etc\apps\TA-autoruns\bin\autoruns.ps1"
schedule = 0 */4 * * *
sourcetype = autoruns
disabled = false

If you want to force the creation of a new baseline on every run, you can pass the -Baseline argument. Note that the argument goes outside the quoted script path; inside the quotes it would become part of the file name that is dot-sourced:

[powershell://Autoruns]
script = . "$SplunkHome\etc\apps\TA-autoruns\bin\autoruns.ps1" -Baseline
schedule = 0 */4 * * *
sourcetype = autoruns
disabled = false
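A minimal script implementing the baseline-and-diff behaviour the three inputs above rely on, written here as an added example and not the TA's own autoruns.ps1. The autorunsc flags, the baseline file name and the CSV columns used to identify an entry are assumptions for this example.

```powershell
# Added example, not the TA's own autoruns.ps1: one baseline-and-diff run over
# autorunsc output. Assumptions: autorunsc64.exe and the baseline CSV live next
# to this script; an entry is keyed on the Entry Location, Entry, Image Path and
# Launch String columns of the autorunsc CSV (Time is excluded, it changes per run).
param(
    [switch]$Baseline,                                # force a fresh baseline
    [timespan]$MaxBaselineAge = [timespan]::MaxValue  # "7:00:00:00" parses as 7 days
)
$here     = Split-Path -Parent $MyInvocation.MyCommand.Path
$baseFile = Join-Path $here 'autoruns-baseline.csv'
$tmpCsv   = Join-Path $env:TEMP 'autoruns-current.csv'
function Get-EntryKey($row) {
    '{0}|{1}|{2}|{3}' -f $row.'Entry Location', $row.Entry, $row.'Image Path', $row.'Launch String'
}
# Emits only entries that differ from the stored baseline, tagged 'added' or
# 'removed'. Objects written to the pipeline become Splunk events under powershell://.
function Compare-AutorunsBaseline($current, $old) {
    $seen = @{}
    foreach ($row in $current) {
        $k = Get-EntryKey $row
        $seen[$k] = $true
        if (-not $old.ContainsKey($k)) {
            $row | Add-Member -NotePropertyName Action -NotePropertyValue 'added' -PassThru
        }
    }
    foreach ($k in $old.Keys) {
        if (-not $seen.ContainsKey($k)) {
            $old[$k] | Add-Member -NotePropertyName Action -NotePropertyValue 'removed' -PassThru
        }
    }
}
# Run autorunsc at BelowNormal priority: all entry types, CSV output, file hashes.
$p = Start-Process -FilePath (Join-Path $here 'autorunsc64.exe') `
    -ArgumentList '-accepteula', '-nobanner', '-a *', '-c', '-h' `
    -RedirectStandardOutput $tmpCsv -NoNewWindow -PassThru
try { $p.PriorityClass = 'BelowNormal' } catch { }   # throws if it already exited
$p.WaitForExit()
$current = @(Import-Csv $tmpCsv)
$stale = (Test-Path $baseFile) -and ((((Get-Date) - (Get-Item $baseFile).LastWriteTime)) -gt $MaxBaselineAge)
if ($Baseline -or $stale -or -not (Test-Path $baseFile)) {
    $current | Export-Csv -NoTypeInformation -Path $baseFile   # new baseline: log everything once
    $current | Add-Member -NotePropertyName Action -NotePropertyValue 'baseline' -PassThru
} else {
    $old = @{}
    foreach ($row in Import-Csv $baseFile) { $old[(Get-EntryKey $row)] = $row }
    Compare-AutorunsBaseline $current $old
}
Remove-Item $tmpCsv -ErrorAction SilentlyContinue
```

Each run after a baseline therefore produces events only for entries whose key is new or has disappeared, which is what keeps the indexed volume small between scheduled baseline refreshes.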
