How to Access or Modify Startup Items in the Windows Registry

Some applications launch themselves whenever you start your computer and load Windows. In most cases this is the desired behavior. In some instances, however, malicious programs such as spyware, Trojans, worms and viruses load in this same manner and hijack your computer. It is important to stay vigilant, periodically review your startup registry keys, and delete any values that are unwarranted.

REGEDIT.EXE is the program you run to open the Windows Registry.


You can find a lot of the startup programs that run in the background in your Windows Registry. For those who enjoy managing Windows from the command line, you don’t need to launch a GUI application such as REGEDIT and use a pesky mouse. Monad offers a portal into the Registry via a cmdlet provider called the Registry Provider.

So, how do we access the Registry Provider? Think of the provider as very similar to navigating a file system: registry keys are treated as the equivalent of folders, and registry values are treated as the equivalent of files.

So let’s explore a bit by starting MSH and then setting the location to the root of the Registry Provider.

MSH C:\monad> cd Registry::
MSH Microsoft.Management.Automation.Core\Registry::> dir

   Hive:

SKC  VC Name                           Property
  5   0 HKEY_LOCAL_MACHINE             {}
 15   0 HKEY_CURRENT_USER              {}
535   1 HKEY_CLASSES_ROOT              {EditFlags}
  0   2 HKEY_CURRENT_CONFIG            {GLOBAL, COSTLY}
 10   0 HKEY_USERS                     {}


The following are the two most common registry keys that load applications at startup.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
– These programs start automatically when any user logs in. This key applies to all users on the computer.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
– These programs start automatically when the current user logs in. This key applies only to the currently logged-on user.


So let’s navigate to the HKEY_LOCAL_MACHINE folder.


MSH Microsoft.Management.Automation.Core\Registry::> cd HKLM:\


OR


MSH Microsoft.Management.Automation.Core\Registry::> cd HKey_Local_Machine


Note: Don’t worry about case sensitivity, since Monad is not a case-sensitive language.

Both commands lead you to the same location.

MSH HKLM:\> cd Software\Microsoft\Windows\CurrentVersion\Run


Now we want to view what is currently registered to start up on every Windows boot.

MSH HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> dir

   Hive: Microsoft.Management.Automation.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SKC  VC Name                           Property
  3   0 OptionalComponents             {}

So how come we are not seeing the applications that start up when Windows loads? Because dir lists child keys only; registry values are treated as properties of an existing item (the registry key). To view the applications loaded at startup, type the following command:

MSH HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> get-itemproperty .

This lists all the registry values under this key. The same steps can be repeated for the HKey_Current_User folder.

Once you have identified an unwanted registry value, you can delete it in Monad with the remove-itemproperty cmdlet.

MSH HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> remove-itemproperty -path . -property [PropertyName]


Note: Be wary of wildcard characters: specifying “*” for the property parameter deletes every value under the key.
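The audit-then-remove workflow described above, written out as a reusable script. This is an added example, not code from the original post; it uses the current Windows PowerShell names (HKLM:/HKCU: drives, Get-ItemProperty, Remove-ItemProperty -Name) rather than the Monad-era -property parameter, and the Authenticode check is an extra verification step the post does not mention.

```powershell
# Added example (not from the original post): audit both Run keys described above
# via the Registry provider, then remove one value only by its exact name.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-StartupEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # Registry values show up as properties of the key item; the provider also
        # attaches PSPath/PSParentPath/etc. metadata, which is skipped here.
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            # Extract the executable: a quoted path, or else the first token.
            if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($cmd -split '\s+')[0] }
            $exe    = [Environment]::ExpandEnvironmentVariables($exe)
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            # Signature status helps triage: Valid, NotSigned, HashMismatch, or FileMissing.
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
            [pscustomobject]@{
                Key       = $key
                Name      = $p.Name
                Command   = $cmd
                Signature = $sig
            }
        }
    }
}

function Remove-StartupEntry {
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Name
    )
    # Guard against the wildcard footgun noted above: '*' would remove every value.
    if ($Name -match '[\*\?\[]') { throw "Refusing wildcard name '$Name'" }
    Remove-ItemProperty -LiteralPath $Key -Name $Name -Confirm
}

# Review first; then remove a single entry by exact name (the entry name below is a placeholder).
Get-StartupEntry | Format-Table -AutoSize
# Remove-StartupEntry -Key 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'ExampleEntry'
```

Writing to the HKLM key requires an elevated prompt; reviewing it does not.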

-Satish

[Edit: Monad has now been renamed to Windows PowerShell. This script or discussion may require slight adjustments before it applies directly to newer builds.]