Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Collecting Investigation Package - Autorun entries

Brass Contributor

Using Defender for Endpoint I have Collected Investigation package for a computer, but seems the Autorun registry entries only include the HKEY_LOCAL_MACHINE not HKEY_Current_User 

I mean entries like Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce is this something by design?

 

 

0 Replies