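# Get-AutoRun.ps1
# Lists programs that auto-start via Run/RunOnce keys, Startup folders,
# boot/logon scheduled tasks and services with an automatic start mode.
#
# Parameters:
#   -IncludeDisabled  Also list scheduled tasks whose State is "Disabled".
#                     The switch affects the scheduled-task section only.
#
# Limits a reviewer should keep in mind when reading the output:
#   * Only the locations enumerated below are checked. Other autostart
#     locations (for example Winlogon values, policy Run keys, WMI event
#     subscriptions) are not, so an empty report is not proof that nothing
#     persists on the host.
#   * HKCU and $env:APPDATA resolve to the account running the script, not
#     necessarily the account under investigation.
#   * Results are written with Write-Host, i.e. meant for interactive reading.
param(
    [switch]$IncludeDisabled
)

Write-Host "=== Auto-Start Programs ===" -ForegroundColor Cyan
Write-Host "Programs configured to run at startup`n"

$foundAny = $false

# Registry Run keys to check
$runKeys = @(
    @{Path="HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"; Scope="System (All Users)"},
    @{Path="HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"; Scope="System (All Users, Once)"},
    @{Path="HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"; Scope="Current User"},
    @{Path="HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"; Scope="Current User (Once)"},
    @{Path="HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"; Scope="System (32-bit on 64-bit)"},
    @{Path="HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce"; Scope="System (32-bit, Once)"}
)

# Properties that the registry provider adds to every Get-ItemProperty result.
# Only these exact names are dropped: filtering on the "^PS" prefix would also
# hide any real Run value whose name happens to start with "PS", which is a
# blind spot in a persistence listing.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Check Run/RunOnce registry keys
Write-Host "--- Registry Run Keys ---" -ForegroundColor Yellow
foreach ($key in $runKeys) {
    if (Test-Path -LiteralPath $key.Path) {
        $entries = Get-ItemProperty -LiteralPath $key.Path -ErrorAction SilentlyContinue
        if ($entries) {
            $props = $entries.PSObject.Properties | Where-Object { $providerProps -notcontains $_.Name }
            if ($props) {
                $foundAny = $true
                Write-Host "`n$($key.Scope)" -ForegroundColor Green
                Write-Host " Path: $($key.Path)" -ForegroundColor Gray
                foreach ($prop in $props) {
                    Write-Host " - $($prop.Name):" -ForegroundColor Cyan
                    Write-Host " $($prop.Value)" -ForegroundColor White
                }
            }
        }
    }
}

# Startup folders
Write-Host "`n--- Startup Folders ---" -ForegroundColor Yellow
$startupFolders = @(
    @{Path="$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"; Scope="Current User"},
    @{Path="$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"; Scope="All Users"}
)

foreach ($folder in $startupFolders) {
    # -LiteralPath: the folder path comes from environment variables and must
    # not be interpreted as a wildcard pattern.
    if (Test-Path -LiteralPath $folder.Path) {
        # -Force so that files carrying the Hidden/System attribute are listed
        # as well (a desktop.ini entry is expected and harmless).
        $items = Get-ChildItem -LiteralPath $folder.Path -File -Force -ErrorAction SilentlyContinue
        if ($items) {
            $foundAny = $true
            Write-Host "`n$($folder.Scope)" -ForegroundColor Green
            Write-Host " Path: $($folder.Path)" -ForegroundColor Gray
            foreach ($item in $items) {
                Write-Host " - $($item.Name)" -ForegroundColor Cyan
                Write-Host " $($item.FullName)" -ForegroundColor White

                # If it's a shortcut, try to get target
                if ($item.Extension -eq ".lnk") {
                    $shell = $null
                    $shortcut = $null
                    try {
                        $shell = New-Object -ComObject WScript.Shell
                        $shortcut = $shell.CreateShortcut($item.FullName)
                        if ($shortcut.TargetPath) {
                            Write-Host " Target: $($shortcut.TargetPath)" -ForegroundColor Gray
                            if ($shortcut.Arguments) {
                                Write-Host " Arguments: $($shortcut.Arguments)" -ForegroundColor Gray
                            }
                        }
                    } catch {
                        # Best effort, but say so: an unreadable shortcut in a
                        # Startup folder is worth a manual look.
                        Write-Host " Target: (could not be read)" -ForegroundColor Gray
                    } finally {
                        # Release the COM objects on every path, including
                        # when CreateShortcut throws.
                        foreach ($comObject in @($shortcut, $shell)) {
                            if ($null -ne $comObject) {
                                [System.Runtime.Interopservices.Marshal]::ReleaseComObject($comObject) | Out-Null
                            }
                        }
                    }
                }
            }
        }
    }
}

# Task Scheduler startup tasks (basic check: boot and logon triggers only)
Write-Host "`n--- Task Scheduler (Run at Startup) ---" -ForegroundColor Yellow
try {
    $startupTasks = Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
        $_.Triggers.CimClass.CimClassName -contains "MSFT_TaskBootTrigger" -or
        $_.Triggers.CimClass.CimClassName -contains "MSFT_TaskLogonTrigger"
    } | Where-Object {
        $_.State -ne "Disabled" -or $IncludeDisabled
    }

    if ($startupTasks) {
        $foundAny = $true
        foreach ($task in $startupTasks) {
            # A task may carry both trigger kinds; report every one that applies.
            $triggerClasses = @($task.Triggers | ForEach-Object { $_.CimClass.CimClassName })
            $triggerLabels = @()
            if ($triggerClasses -contains "MSFT_TaskBootTrigger") { $triggerLabels += "At system startup" }
            if ($triggerClasses -contains "MSFT_TaskLogonTrigger") { $triggerLabels += "At user logon" }
            $triggerType = $triggerLabels -join ", "

            $state = if ($task.State -eq "Disabled") { " (DISABLED)" } else { "" }

            Write-Host "`n - $($task.TaskName)$state" -ForegroundColor Cyan
            Write-Host " Path: $($task.TaskPath)" -ForegroundColor Gray
            Write-Host " Trigger: $triggerType" -ForegroundColor Gray
            Write-Host " State: $($task.State)" -ForegroundColor Gray

            # Print each action on its own so a command stays paired with its
            # own arguments when a task defines several actions. Actions
            # without an Execute value are skipped, as before.
            foreach ($action in $task.Actions) {
                if ($action.Execute) {
                    Write-Host " Command: $($action.Execute)" -ForegroundColor White
                    if ($action.Arguments) {
                        Write-Host " Arguments: $($action.Arguments)" -ForegroundColor Gray
                    }
                }
            }
        }
    } else {
        Write-Host " No startup tasks found" -ForegroundColor Gray
    }
} catch {
    Write-Host " Error accessing scheduled tasks: $_" -ForegroundColor Red
}

# Windows Services set to Automatic
Write-Host "`n--- Services (Automatic Start) ---" -ForegroundColor Yellow
try {
    # CIM/WMI query. There is no fallback method: on failure the catch below
    # reports the error and the section is left empty.
    $autoServices = @(Get-CimInstance Win32_Service -ErrorAction Stop | Where-Object { $_.StartMode -eq "Auto" })

    if ($autoServices.Count -gt 0) {
        $foundAny = $true
        # @() keeps .Count meaningful when a filter matches one or zero services.
        $running = @($autoServices | Where-Object { $_.State -eq "Running" })
        $stopped = @($autoServices | Where-Object { $_.State -ne "Running" })

        Write-Host "`nRunning: $($running.Count) | Stopped: $($stopped.Count) | Total: $($autoServices.Count)" -ForegroundColor Green
        Write-Host "(Use Get-Services.ps1 for detailed service information)" -ForegroundColor Gray
    } else {
        Write-Host " No automatic services found" -ForegroundColor Gray
    }
} catch {
    # Surface the reason, as the scheduled-task section does.
    Write-Host " Unable to enumerate services: $_" -ForegroundColor Yellow
}

if (-not $foundAny) {
    Write-Host "`nNo auto-start programs found" -ForegroundColor Gray
}

Write-Host "`nNote: Use -IncludeDisabled to show disabled scheduled tasks" -ForegroundColor Cyan
Write-Host "Forensic value: Shows persistence mechanisms and startup performance impacts" -ForegroundColor Cyan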