Autoruns v14.11 does not enumerate user-level Startup folder (%APPDATA%) entries #896

@ignat980

Environment

  • Windows 11 (23H2) [also reproducible on Windows 10 22H2]
  • Autoruns v14.11 (build 2024-02-06, Sysinternals)
  • Tested both normal user context and elevated (Administrator) mode

Issue
Autoruns currently lists shortcuts from:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

but does not display entries located in the user’s Startup folder:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup

(e.g. C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup).

This results in per-user startup items (such as Pumble.lnk, Linear.exe, etc.) launching correctly at logon but being completely invisible in Autoruns’ Logon or Everything tabs.

Expected behavior
Autoruns documentation states:

“This utility shows you what programs are configured to run during system bootup or login, including ones in your startup folder…”

Therefore, both the All Users and per-user startup folders should be enumerated when scanning the current user profile, particularly when:

  • “Scan only per-user locations” is enabled, or
  • running Autoruns non-elevated under that profile.

Actual behavior
Only the ProgramData (common) startup folder entries appear.
Per-user %APPDATA% startup entries are missing even when Autoruns is run non-elevated or with “Scan only per-user locations” checked.


Steps to reproduce

  1. Place any shortcut (e.g., notepad.exe.lnk) in:

    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    
  2. Run Autoruns v14.11 (both normal and elevated).

  3. Observe: the shortcut is not listed in any tab.

  4. Place a shortcut in:

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
    
  5. Run Autoruns again → the common entry appears correctly.


Impact

This creates a visibility gap for forensic analysis, system auditing, and malware hunting:

  • Per-user Startup folder persistence mechanisms execute at every login via Explorer,
  • Yet are invisible in Autoruns, WMI (Win32_StartupCommand), and many EDR tools relying on those sources.

This could be exploited by unwanted software or malware for stealth persistence.


Suggested resolution

Add explicit enumeration of:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup

in all cases, and search this folder and not the common one when respecting the “Scan only per-user locations” setting.


Attachments

Image

The screenshot demonstrates both Startup folders side-by-side:

  • Top: user Startup folder with multiple .lnk files (Pumble.lnk, etc.)
  • Bottom: ProgramData Startup folder (shown correctly in Autoruns)
  • Autoruns window (left) confirming only common Startup entries appear.

With "Scan only per-user locations":

Image

(P.S. Also would be good to update https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns to specify that all startup folders are searched)
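
To audit the two folders named in this report without relying on Autoruns, the following added example (not part of the original issue and not Sysinternals code) reads them directly from the file system and resolves each shortcut's target. It assumes other users' profiles keep Roaming AppData at the default location under the path recorded in the `ProfileList` registry key; run it elevated to read other profiles.

```powershell
# Added example: enumerate common and per-user Startup folders directly.
$suffix  = 'Microsoft\Windows\Start Menu\Programs\Startup'
$folders = [ordered]@{}
$folders[[Environment]::GetFolderPath('CommonStartup')] = 'Common'
$folders[[Environment]::GetFolderPath('Startup')]       = "User:$env:USERNAME"

# Assumption: each profile's Roaming AppData is not redirected elsewhere.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem $profileList -ErrorAction SilentlyContinue | ForEach-Object {
    $root = (Get-ItemProperty -LiteralPath $_.PSPath).ProfileImagePath
    if ($root) {
        $path = Join-Path $root "AppData\Roaming\$suffix"
        if (-not $folders.Contains($path)) {
            $folders[$path] = "User:$(Split-Path $root -Leaf)"
        }
    }
}

$shell   = New-Object -ComObject WScript.Shell
$entries = foreach ($dir in $folders.Keys) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # -Force includes hidden files, which Explorer still launches at logon.
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object {
            $target = $_.FullName
            $arguments = ''
            if ($_.Extension -eq '.lnk') {
                # Resolve the shortcut so the real executable is reported.
                $lnk = $shell.CreateShortcut($_.FullName)
                $target = $lnk.TargetPath
                $arguments = $lnk.Arguments
            }
            $signature = 'n/a'
            if ($target -and (Test-Path -LiteralPath $target -PathType Leaf)) {
                $signature = (Get-AuthenticodeSignature -LiteralPath $target).Status
            }
            [pscustomobject]@{
                Scope     = $folders[$dir]
                Entry     = $_.Name
                Target    = $target
                Arguments = $arguments
                Signature = $signature
                Modified  = $_.LastWriteTime
            }
        }
}
$entries | Sort-Object Scope, Entry | Format-Table -AutoSize -Wrap
```

Comparing this output with the entries Autoruns shows for the same logon makes any per-user item missing from its view stand out.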
