Enumerate

Commands

tasklist /startup

Lists all auto-start processes registered on the system.

wmic startup list full

Lists detailed information about auto-start entries using WMIC.

wmic startup get caption,command

Lists only the caption and command line of each startup entry.

Get-CimInstance Win32_StartupCommand

Retrieves auto-start commands using CIM.

Get-WmiObject Win32_Service | Where-Object {$_.StartMode -eq "Auto"}

Lists services set to start automatically.

wmic service list brief | findstr /i "auto"

Lists services set to start automatically using WMIC.

Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

Lists registry entries for auto-start programs in HKLM.

Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

Lists registry entries for auto-start programs in HKCU.
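
The sources covered by the commands above (the HKLM and HKCU Run keys and auto-start services), together with the Win10 Startup folders listed under File Locations, can be collected into one table with an Authenticode check on each target. This is an added example, not part of the original page; Get-ExePath and Get-AutoStartEntry are hypothetical helper names, and the command-line parsing is best effort.

```powershell
function Get-ExePath([string]$CommandLine) {
    # Hypothetical helper: best-effort extraction of the program path from a command line.
    $c = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.(exe|dll|com|bat|cmd|vbs|js|ps1|lnk))(\s|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function Get-AutoStartEntry {
    # Run keys (HKLM and HKCU)
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Source = $key; Name = $name; Command = [string]$item.GetValue($name) }
        }
    }
    # Per-user and all-users Startup folders (shortcut targets are not resolved here)
    foreach ($dir in "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                     "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup") {
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object { [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = '"{0}"' -f $_.FullName } }
    }
    # Services set to start automatically
    Get-CimInstance Win32_Service -Filter "StartMode='Auto'" |
        ForEach-Object { [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = [string]$_.PathName } }
}

$report = Get-AutoStartEntry | ForEach-Object {
    $path = Get-ExePath $_.Command
    $sig = $null
    if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
    }
    [pscustomobject]@{
        Source = $_.Source
        Name   = $_.Name
        Path   = $path
        Status = if ($sig) { [string]$sig.Status } else { 'FileNotFound' }
        Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# Entries that are unsigned, unverifiable, or not signed by Microsoft sort first for review.
$report | Sort-Object { $_.Status -eq 'Valid' -and $_.Signer -match 'O=Microsoft Corporation' }, Source, Name |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so every service binary is readable; a FileNotFound status usually means the command line could not be parsed into a path and should be checked by hand.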

Sysinternals

autorunsc -a b

Shows BootExecute entries. Only Microsoft processes should be running at boot.

autorunsc -a t

Shows tasks set to run at startup.

autorunsc -m

Hides entries that identify themselves as Microsoft, without verifying the signature.

autorunsc -m -s

Hides entries whose Microsoft signature verifies.

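autorunsc -s

Services. This is the category switch from older autorunsc releases; in current releases -s verifies digital signatures and categories are selected with -a.

autorunsc -t

Tasks (older-release switch; same category as -a t).

autorunsc -b

Boot execute (older-release switch; same category as -a b).

autorunsc -d

AppInit DLLs (older-release switch).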

File Locations

Individual User Startup (Win10):

"C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

Old Individual User Startup:

"C:\Documents and Settings\<user>\Start Menu\Programs\Startup"

All Users Startup (Win10):

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

Old All Users Startup:

"C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
