# Enumerate ## Commands

Command	Description
`tasklist /startup`	Lists all auto-start processes registered on the system.
`wmic startup list full`	Lists detailed information about auto-start entries using WMIC.
`wmic startup get caption,command`	View Startup Processes.
`Get-CimInstance Win32_StartupCommand`	Retrieves auto-start commands using CIM.
`Get-WmiObject Win32_Service \| Where-Object {$_.StartMode -eq "Auto"}`	Lists services set to start automatically.
`wmic service list brief \| findstr /i "auto"`	Lists services set to start automatically using WMIC.
`Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'`	Lists registry entries for auto-start programs in HKLM.
`Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'`	Lists registry entries for auto-start programs in HKCU.

## Sysinternals

Command	Description
`autorunsc -a b`	Shows files with attribute "BootExecute". Only Microsoft processes should be running at boot.
`autorunsc -a t`	Shows tasks set to run at startup.
`autorunsc -m`	Filters out software that says it is Microsoft
`autorunsc -m -s`	Filters out software signed by Microsoft
`autorunsc -s`	Services
`autorunsc -t`	Tasks
`autorunsc -b`	Boot execute
`autorunsc -d`	App init DLLs

## File Locations **Individual User Startup (Win10):** ```powershell "C:\Users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" ``` **Old Individual User Startup:** ```powershell "C:\Documents & Settings\%userprofile%\Start Menu\Programs\Startup" ``` **All Users Startup (Win10):** ```powershell "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" ``` **Old All Users Startup:** ```powershell "C:\Documents & Settings\All Users\StartMenu\Programs\StartUp" ```