Add startup and persistence analysis tools

Add Get-AutoRun.ps1, Get-ScheduledTasks.ps1, and Get-Services.ps1
for analyzing auto-start programs and persistence mechanisms.

Get-AutoRun: Run/RunOnce keys, Startup folders, startup tasks
Get-ScheduledTasks: Detailed task analysis with filters
Get-Services: Service enumeration using WMI/CIM

Uses Get-CimInstance for reliable service enumeration, avoiding
Get-Service permission issues. Multiple filters and output modes.

Update TODO.md.
2026-02-03 22:39:35 +01:00
parent ce250b9725
commit ed0c1983b3
4 changed files with 409 additions and 4 deletions

156
windows/Get-AutoRun.ps1 Normal file

@@ -0,0 +1,156 @@
# Get-AutoRun.ps1
# Lists programs that auto-start via Run/RunOnce keys and Startup folders
param(
[switch]$IncludeDisabled
)
Write-Host "=== Auto-Start Programs ===" -ForegroundColor Cyan
Write-Host "Programs configured to run at startup`n"
$foundAny = $false
# Registry Run keys to check
$runKeys = @(
@{Path="HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"; Scope="System (All Users)"},
@{Path="HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"; Scope="System (All Users, Once)"},
@{Path="HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"; Scope="Current User"},
@{Path="HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"; Scope="Current User (Once)"},
@{Path="HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"; Scope="System (32-bit on 64-bit)"},
@{Path="HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce"; Scope="System (32-bit, Once)"}
)
# Check Run/RunOnce registry keys
Write-Host "--- Registry Run Keys ---" -ForegroundColor Yellow
foreach ($key in $runKeys) {
if (Test-Path $key.Path) {
$entries = Get-ItemProperty -Path $key.Path -ErrorAction SilentlyContinue
if ($entries) {
$props = $entries.PSObject.Properties | Where-Object { $_.Name -notmatch "^PS" }
if ($props) {
$foundAny = $true
Write-Host "`n$($key.Scope)" -ForegroundColor Green
Write-Host " Path: $($key.Path)" -ForegroundColor Gray
foreach ($prop in $props) {
Write-Host " - $($prop.Name):" -ForegroundColor Cyan
Write-Host " $($prop.Value)" -ForegroundColor White
}
}
}
}
}
# Startup folders
Write-Host "`n--- Startup Folders ---" -ForegroundColor Yellow
$startupFolders = @(
@{Path="$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"; Scope="Current User"},
@{Path="$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"; Scope="All Users"}
)
foreach ($folder in $startupFolders) {
if (Test-Path $folder.Path) {
$items = Get-ChildItem -Path $folder.Path -File -ErrorAction SilentlyContinue
if ($items) {
$foundAny = $true
Write-Host "`n$($folder.Scope)" -ForegroundColor Green
Write-Host " Path: $($folder.Path)" -ForegroundColor Gray
foreach ($item in $items) {
Write-Host " - $($item.Name)" -ForegroundColor Cyan
Write-Host " $($item.FullName)" -ForegroundColor White
# If it's a shortcut, try to get target
if ($item.Extension -eq ".lnk") {
try {
$shell = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut($item.FullName)
if ($shortcut.TargetPath) {
Write-Host " Target: $($shortcut.TargetPath)" -ForegroundColor Gray
if ($shortcut.Arguments) {
Write-Host " Arguments: $($shortcut.Arguments)" -ForegroundColor Gray
}
}
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($shell) | Out-Null
} catch {
# Silently fail if can't read shortcut
}
}
}
}
}
}
# Task Scheduler startup tasks (basic check)
Write-Host "`n--- Task Scheduler (Run at Startup) ---" -ForegroundColor Yellow
try {
$startupTasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
Where-Object {
$_.Triggers.CimClass.CimClassName -contains "MSFT_TaskBootTrigger" -or
$_.Triggers.CimClass.CimClassName -contains "MSFT_TaskLogonTrigger"
} |
Where-Object { $_.State -ne "Disabled" -or $IncludeDisabled }
if ($startupTasks) {
$foundAny = $true
foreach ($task in $startupTasks) {
$triggerType = if ($task.Triggers.CimClass.CimClassName -contains "MSFT_TaskBootTrigger") {
"At system startup"
} else {
"At user logon"
}
$state = if ($task.State -eq "Disabled") { " (DISABLED)" } else { "" }
Write-Host "`n - $($task.TaskName)$state" -ForegroundColor Cyan
Write-Host " Path: $($task.TaskPath)" -ForegroundColor Gray
Write-Host " Trigger: $triggerType" -ForegroundColor Gray
Write-Host " State: $($task.State)" -ForegroundColor Gray
if ($task.Actions.Execute) {
Write-Host " Command: $($task.Actions.Execute)" -ForegroundColor White
if ($task.Actions.Arguments) {
Write-Host " Arguments: $($task.Actions.Arguments)" -ForegroundColor Gray
}
}
}
} else {
Write-Host " No startup tasks found" -ForegroundColor Gray
}
} catch {
Write-Host " Error accessing scheduled tasks: $_" -ForegroundColor Red
}
# Windows Services set to Automatic
Write-Host "`n--- Services (Automatic Start) ---" -ForegroundColor Yellow
try {
# Try WMI method first (more reliable)
$autoServices = Get-CimInstance Win32_Service -ErrorAction Stop |
Where-Object { $_.StartMode -eq "Auto" }
if ($autoServices) {
$foundAny = $true
$running = $autoServices | Where-Object { $_.State -eq "Running" }
$stopped = $autoServices | Where-Object { $_.State -ne "Running" }
Write-Host "`nRunning: $($running.Count) | Stopped: $($stopped.Count) | Total: $($autoServices.Count)" -ForegroundColor Green
Write-Host "(Use Get-Services.ps1 for detailed service information)" -ForegroundColor Gray
} else {
Write-Host " No automatic services found" -ForegroundColor Gray
}
} catch {
Write-Host " Unable to enumerate services" -ForegroundColor Yellow
}
if (-not $foundAny) {
Write-Host "`nNo auto-start programs found" -ForegroundColor Gray
}
Write-Host "`nNote: Use -IncludeDisabled to show disabled scheduled tasks" -ForegroundColor Cyan
Write-Host "Forensic value: Shows persistence mechanisms and startup performance impacts" -ForegroundColor Cyan
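Review bot: The registry filter `$_.Name -notmatch "^PS"` in the Run-key loop drops every value whose name merely begins with "PS", not just the provider metadata, so a legitimate (or suspicious) Run entry named e.g. `PSUpdate` would be silently omitted from a persistence review; filter on the exact provider names instead, `$_.Name -notin @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider')`. In the shortcut block, `ReleaseComObject` runs only on the success path, so a failing `CreateShortcut` leaks the `WScript.Shell` instance per iteration; moving the release into a `finally` keeps the existing silent-catch behaviour. Everything is emitted with `Write-Host`, so none of the findings can be piped, filtered or exported for triage; consider building `[pscustomobject]` records per entry and writing them to the pipeline, with the coloured text as an optional view. The hunk header announces 156 lines but fewer are visible here, so the file may continue past this point.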