{"id":10511,"date":"2006-04-25T12:18:34","date_gmt":"2006-04-25T12:18:34","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/powershell\/2006\/04\/25\/how-to-access-or-modify-startup-items-in-the-window-registry\/"},"modified":"2019-02-18T13:24:53","modified_gmt":"2019-02-18T20:24:53","slug":"how-to-access-or-modify-startup-items-in-the-window-registry","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/powershell\/how-to-access-or-modify-startup-items-in-the-window-registry\/","title":{"rendered":"How to Access or Modify StartUp Items in the Window Registry"},"content":{"rendered":"

Some applications launch themselves whenever you start your computer and load Windows.  <\/span>In most cases, this is the desired behavior.  <\/span>However in some instances, malicious programs such as spyware, Trojans, worms, viruses load in this manner and hijack your computer. It is important to stay vigilant and periodically monitor your startup registry keys and delete keys that are unwarranted.<\/span><\/p>\n

 <\/span><\/p>\n

REGEDIT.EXE is the program you run to enter into the windows registry<\/span><\/p>\n

You can find ALOT of the startup programs which are running in the background in your Windows Registry.  <\/span>For those who enjoy managing Windows via the command line, you don\u2019t need to launch a GUI application such as REGEDIT and use a pesky mouse. Monad offers a portal to the Registry world via a cmdlet provider called Registry Provider.<\/span><\/p>\n

 <\/span><\/p>\n

So, how do we access the Registry Provider? Think of the provider as very similar to how you would navigate a File System.  <\/span>The registry keys are treated equivalent to folders in the File System and registry values are treated equivalent to files in the File System.<\/span><\/p>\n

 <\/span><\/p>\n

So let\u2019s explore a bit by starting MSH and then set the location to the root of the Registry Provider.<\/span><\/p>\n

 <\/font><\/span><\/i><\/p>\n

MSH C:\\monad> cd Registry::<\/font><\/span><\/i><\/p>\n

MSH Microsoft.Management.Automation.Core\\Registry::> dir<\/font><\/span><\/i><\/p>\n

Hive:<\/font><\/span><\/i><\/p>\n\n\n\n\n\n\n\n\n
\n

SKC<\/font><\/span><\/p>\n<\/td>\n

\n

VC<\/font><\/span><\/p>\n<\/td>\n

\n

Name<\/font><\/span><\/p>\n<\/td>\n

\n

Property<\/font><\/span><\/p>\n<\/td>\n<\/tr>\n

\n

5<\/font><\/span><\/p>\n<\/td>\n

\n

0<\/font><\/span><\/p>\n<\/td>\n

\n

HKEY_LOCAL_MACHINE<\/font><\/span><\/p>\n<\/td>\n

\n

{}<\/font><\/span><\/p>\n<\/td>\n<\/tr>\n

\n

15<\/font><\/span><\/p>\n<\/td>\n

\n

0<\/font><\/span><\/p>\n<\/td>\n

\n

HKEY_CURRENT_USER              <\/span><\/font><\/span><\/p>\n<\/td>\n

\n

{}<\/font><\/span><\/p>\n<\/td>\n<\/tr>\n

\n

535<\/font><\/span><\/p>\n<\/td>\n

\n

1<\/font><\/span><\/p>\n<\/td>\n

\n

HKEY_CLASSES_ROOT<\/font><\/span><\/p>\n<\/td>\n

\n

{EditFlags}<\/font><\/span><\/p>\n<\/td>\n<\/tr>\n

\n

0<\/font><\/span><\/p>\n<\/td>\n

\n

2<\/font><\/span><\/p>\n<\/td>\n

\n

HKEY_CURRENT_CONFIG            <\/span><\/font><\/span><\/p>\n<\/td>\n

\n

{GLOBAL, COSTLY}<\/font><\/span><\/p>\n

 <\/font><\/span><\/p>\n<\/td>\n<\/tr>\n

\n

10<\/font><\/span><\/p>\n<\/td>\n

\n

0<\/font><\/span><\/p>\n<\/td>\n

\n

HKEY_USERS<\/font><\/span><\/p>\n<\/td>\n

\n

{}<\/font><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

The following are the two most common registry keys which load applications at start up.<\/span><\/p>\n

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]<\/font><\/span><\/b>
<\/span>\u2013 These programs automatically start when any user is logged in. It is used for all users on this computer<\/span><\/span><\/p>\n

 <\/b><\/p>\n

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]<\/font><\/span><\/b>
<\/span>\u2013 The programs here automatically start when the current user logs in. It is used only for current logoned user.<\/span><\/p>\n

So let\u2019s navigate to the HKEY_LOCAL_MACHINE folder.  <\/span><\/span><\/p>\n

MSH Microsoft.Management.Automation.Core\\Registry::> cd HKLM:\\<\/font><\/span><\/i><\/p>\n

-OR-<\/span><\/p>\n

MSH Microsoft.Management.Automation.Core\\Registry::> cd HKey_Local_Machine<\/font><\/span><\/i><\/p>\n

Note: Don\u2019t worry about case sensitivity, since Monad is not a case sensitive language<\/span><\/p>\n

 <\/span><\/p>\n

Both operations will lead you to same location.<\/span><\/p>\n

 <\/span><\/p>\n

MSH HLKM:\\> cd Software\\Microsoft\\Windows\\CurrentVersion<\/font><\/span><\/i><\/p>\n

Note: Don\u2019t worry about case sensitivity, since Monad is not a case sensitive language<\/span><\/p>\n

 <\/span><\/p>\n

Now we want to view what is currently registered to startup on every Windows boot up.<\/span><\/p>\n

 <\/span><\/p>\n

MSH HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run> dir<\/font><\/span><\/i><\/p>\n

 <\/font><\/span><\/i><\/p>\n

 <\/font><\/span><\/p>\n

   <\/span>Hive: Microsoft.Management.Automation.Core\\Registry::HKEY_LOCAL_MACHINE\\SOFT<\/font><\/span><\/p>\n

WARE\\Microsoft\\Windows\\CurrentVersion\\Run<\/font><\/span><\/p>\n\n\n\n\n
\n

SKC<\/font><\/span><\/p>\n<\/td>\n

\n

VC<\/font><\/span><\/p>\n<\/td>\n

\n

Name<\/font><\/span><\/p>\n<\/td>\n

\n

Property<\/font><\/span><\/p>\n<\/td>\n<\/tr>\n

\n

3<\/font><\/span><\/p>\n<\/td>\n

\n

0<\/font><\/span><\/p>\n<\/td>\n

\n

OptionalComponents<\/font><\/span><\/p>\n<\/td>\n

\n

{}<\/font><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/font><\/span><\/p>\n

So how come we are not seeing the applications that start up when Windows is loaded.  <\/span>That is because the registry values are treated as properties on an existing item or registry key.  <\/span>To view the applications loaded at startup, type the following command:<\/span><\/p>\n

 <\/span><\/p>\n

MSH HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run> get-itemproperty . <\/font><\/span><\/i><\/p>\n

 <\/span><\/p>\n

This will list all the registry values under this key.  <\/span>The same steps can be repeated for the HKey_Current_User folder.<\/span><\/p>\n

 <\/p>\n

Once you identify any unwanted registry values, then you can perform a delete operation in Monad via the remove-itemproperty cmdlet.<\/span><\/p>\n

 <\/font><\/p>\n

MSH HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run> remove-itemproperty -path . \u2013property [PropertyName]<\/font><\/span><\/i><\/p>\n

Note: Be wary of using wildcard characters since you can accidentally delete all item properties by specifying \u201c*\u201d in the property parameter.<\/span><\/p>\n

 <\/span><\/p>\n

-Satish<\/span><\/p>\n

[Edit: Monad has now been renamed to Windows PowerShell. This script or discussion may require slight adjustments before it applies directly to newer builds.<\/i>]<\/p>\n","protected":false},"excerpt":{"rendered":"

Some applications launch themselves whenever you start your computer and load Windows.  In most cases, this is the desired behavior.  However in some instances, malicious programs such as spyware, Trojans, worms, viruses load in this manner and hijack your computer. It is important to stay vigilant and periodically monitor your startup registry keys and delete […]<\/p>\n","protected":false},"author":600,"featured_media":13641,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[10],"class_list":["post-10511","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-powershell","tag-faq"],"acf":[],"blog_post_summary":"

Some applications launch themselves whenever you start your computer and load Windows.  In most cases, this is the desired behavior.  However in some instances, malicious programs such as spyware, Trojans, worms, viruses load in this manner and hijack your computer. It is important to stay vigilant and periodically monitor your startup registry keys and delete […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/10511","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/users\/600"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/comments?post=10511"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/10511\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media\/13641"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media?parent=10511"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/categories?post=10511"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/tags?post=10511"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}