Collecting Investigation Package - Autorun entries


Using Defender for Endpoint, I have collected an investigation package for a computer, but it seems the Autorun registry entries only include HKEY_LOCAL_MACHINE, not HKEY_CURRENT_USER.

I mean entries like Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce. Is this something by design?

0 Replies