GCIH · Question #673
Where would an incident handler search for autostart extensibility points (ASEPs) on a Windows host?
The correct answer is B. Local machine registry hive. Autostart Extensibility Points (ASEPs) on Windows are primarily stored in the registry, especially under the local machine hive, where programs register themselves to run automatically at startup.
Question
Where would an incident handler search for autostart extensibility points (ASEPs) on a Windows host?
Options
- AFirewall configuration control panel
- BLocal machine registry hive
- CWindows Temp Directory
- DSecurity event logs
How the community answered
(25 responses)- B88% (22)
- C8% (2)
- D4% (1)
Why each option
Autostart Extensibility Points (ASEPs) on Windows are primarily stored in the registry, especially under the local machine hive, where programs register themselves to run automatically at startup.
The firewall configuration control panel manages inbound and outbound network traffic rules and has no role in defining or storing autostart program entries.
The Windows local machine registry hive (HKLM) contains well-known ASEP locations such as HKLM\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\System\CurrentControlSet\Services, and related subkeys. Malware and attackers frequently abuse these keys to achieve persistence by registering executables that launch automatically on every system boot. Incident handlers use tools like Sysinternals Autoruns or manual registry inspection to audit these locations for unauthorized entries.
The Windows Temp directory is a staging area for temporary files and is not a mechanism used by the operating system to automatically execute programs at startup.
Security event logs record security-related events such as authentication attempts and policy changes, but they do not store or define autostart program configurations.
Concept tested: Windows registry ASEPs and persistence locations
Source: https://attack.mitre.org/techniques/T1547/001/
Topics
Community Discussion
No community discussion yet for this question.