Some applications launch themselves whenever you start your computer and load Windows.  In most cases, this is the desired behavior.  However in some instances, malicious programs such as spyware, Trojans, worms, viruses load in this manner and hijack your computer. It is important to stay vigilant and periodically monitor your startup registry keys and delete keys that are unwarranted.

 

REGEDIT.EXE is the program you run to enter into the windows registry

You can find ALOT of the startup programs which are running in the background in your Windows Registry.  For those who enjoy managing Windows via the command line, you don’t need to launch a GUI application such as REGEDIT and use a pesky mouse. Monad offers a portal to the Registry world via a cmdlet provider called Registry Provider.

 

So, how do we access the Registry Provider? Think of the provider as very similar to how you would navigate a File System.  The registry keys are treated equivalent to folders in the File System and registry values are treated equivalent to files in the File System.

 

So let’s explore a bit by starting MSH and then set the location to the root of the Registry Provider.

 

MSH C:\monad> cd Registry::

MSH Microsoft.Management.Automation.Core\Registry::> dir

Hive:

SKC

VC

Name

Property

5

0

HKEY_LOCAL_MACHINE

{}

15

0

HKEY_CURRENT_USER             

{}

535

1

HKEY_CLASSES_ROOT

{EditFlags}

0

2

HKEY_CURRENT_CONFIG           

{GLOBAL, COSTLY}

 

10

0

HKEY_USERS

{}

The following are the two most common registry keys which load applications at start up.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
– These programs automatically start when any user is logged in. It is used for all users on this computer

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
– The programs here automatically start when the current user logs in. It is used only for current logoned user.

So let’s navigate to the HKEY_LOCAL_MACHINE folder. 

MSH Microsoft.Management.Automation.Core\Registry::> cd HKLM:\

-OR-

MSH Microsoft.Management.Automation.Core\Registry::> cd HKey_Local_Machine

Note: Don’t worry about case sensitivity, since Monad is not a case sensitive language

 

Both operations will lead you to same location.

 

MSH HLKM:\> cd Software\Microsoft\Windows\CurrentVersion

Note: Don’t worry about case sensitivity, since Monad is not a case sensitive language

 

Now we want to view what is currently registered to startup on every Windows boot up.

 

MSH HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> dir

 

 

   Hive: Microsoft.Management.Automation.Core\Registry::HKEY_LOCAL_MACHINE\SOFT

WARE\Microsoft\Windows\CurrentVersion\Run

SKC

VC

Name

Property

3

0

OptionalComponents

{}

 

So how come we are not seeing the applications that start up when Windows is loaded.  That is because the registry values are treated as properties on an existing item or registry key.  To view the applications loaded at startup, type the following command:

 

MSH HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> get-itemproperty .

 

This will list all the registry values under this key.  The same steps can be repeated for the HKey_Current_User folder.

 

Once you identify any unwanted registry values, then you can perform a delete operation in Monad via the remove-itemproperty cmdlet.

 

MSH HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> remove-itemproperty -path . –property [PropertyName]

Note: Be wary of using wildcard characters since you can accidentally delete all item properties by specifying “*” in the property parameter.

 

-Satish