I came across a forensics CTF challenge where they mentioned something about a weird window popping up at startup. It was kinda clear that there must be a scheduled task. Here we go:
vol.py -f file.raw --profile=Win7SP1x86_23418 printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"
Comments