

How to Access or Modify StartUp Items in the Windows Registry

Some applications launch themselves whenever you start your computer and load Windows. In most cases this is the desired behavior. In some instances, however, malicious programs such as spyware, Trojans, worms and viruses load in the same manner and hijack your computer. It is important to stay vigilant, periodically review your startup registry keys, and delete any entries that are unwarranted.

REGEDIT.EXE is the GUI program you would normally run to browse and edit the Windows registry.

You can find a lot of the startup programs that run in the background in your Windows Registry. For those who enjoy managing Windows from the command line, you don’t need to launch a GUI application such as REGEDIT and use a pesky mouse. Monad exposes the registry through a cmdlet provider called the Registry Provider.

So, how do we access the Registry Provider? Navigating the provider works very much like navigating a file system: registry keys are treated as the equivalent of folders, and registry values are treated as the equivalent of files.

So let’s explore a bit by starting MSH and then setting the location to the root of the Registry Provider.

MSH C:\monad> cd Registry::

MSH Microsoft.Management.Automation.Core\Registry::> dir

   Hive:

SKC  VC Name                           Property
  5   0 HKEY_LOCAL_MACHINE             {}
 15   0 HKEY_CURRENT_USER              {}
535   1 HKEY_CLASSES_ROOT              {EditFlags}
  0   2 HKEY_CURRENT_CONFIG            {GLOBAL, COSTLY}
 10   0 HKEY_USERS                     {}

The following are the two most common registry keys that load applications at startup.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
– These programs start automatically whenever any user logs in. This key applies to all users on the computer.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
– These programs start automatically when the current user logs in. This key applies only to the currently logged-on user.

So let’s navigate to the HKEY_LOCAL_MACHINE folder.

MSH Microsoft.Management.Automation.Core\Registry::> cd HKLM:\

-OR-

MSH Microsoft.Management.Automation.Core\Registry::> cd HKey_Local_Machine

Note: Don’t worry about case sensitivity, since Monad is not a case-sensitive language.

Both operations will lead you to the same location.

MSH HKLM:\> cd Software\Microsoft\Windows\CurrentVersion\Run

Now we want to view what is currently registered to start on every Windows boot.

MSH HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> dir

   Hive: Microsoft.Management.Automation.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SKC  VC Name                           Property
  3   0 OptionalComponents             {}

So how come we are not seeing the applications that start when Windows loads? Because registry values are not child items: they are treated as properties of an existing item, the registry key. To view the applications loaded at startup, type the following command:

MSH HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> get-itemproperty .

This will list all the registry values under this key. The same steps can be repeated for the HKey_Current_User folder.

Once you have identified an unwanted registry value, you can delete it in Monad via the remove-itemproperty cmdlet.

MSH HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> remove-itemproperty -path . -property [PropertyName]

Note: Be wary of wildcard characters: specifying “*” for the property parameter will delete every value under the key.
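As an added example (not code from the original post), the review-and-remove procedure above as one script, written with the current PowerShell parameter names (Get-ItemProperty/Remove-ItemProperty with -Path and -Name rather than -property); the value name SuspiciousUpdater is a placeholder, not a real indicator.

```powershell
# Added example: inventory both Run keys described above, then remove one
# named value with a dry run first. Assumes current PowerShell cmdlet names.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',   # all users
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'    # current user only
)

# Properties the provider attaches to every item; these are not registry values.
$providerMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-StartupValues {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        # Registry values surface as properties of the key item, which is why
        # a plain dir shows subkeys only (see the OptionalComponents output above).
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($providerMeta -contains $prop.Name) { continue }
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $prop.Value   # the command line run at logon
            }
        }
    }
}

# 1. Inventory: review every command line that runs at logon.
Get-StartupValues -Keys $runKeys | Format-Table -AutoSize

# 2. Remove one specific value. -WhatIf reports what would be deleted without
#    touching the registry; drop it once you are sure. Never pass a wildcard
#    as -Name: '*' would match, and delete, every value under the key.
$unwanted = 'SuspiciousUpdater'   # placeholder value name
foreach ($key in $runKeys) {
    $existing = Get-ItemProperty -Path $key -Name $unwanted -ErrorAction SilentlyContinue
    if ($null -ne $existing) {
        Remove-ItemProperty -Path $key -Name $unwanted -WhatIf
    }
}
```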

-Satish

Comments

  • Anonymous
    March 08, 2006
    Probably not a surprise to you but I like the new cmdlet names *-ItemProperty.  May I suggest that the default alias for Remove-ItemProperty be "rip"?  :-)
  • Anonymous
    March 08, 2006
    Get-ItemProperty and Remove-ItemProperty are not in Monad beta 3.1
  • Anonymous
    March 09, 2006
    > Get-ItemProperty and Remove-ItemProperty is not in Monad beta 3.1

    Right - use Get-Property and Remove-Property for now.

    Jeffrey Snover
  • Anonymous
    March 26, 2006
    Hmmm, what about that Registry:? I got only
    Alias
    C
    cert
    D
    Env
    Function
    HKCU
    HKLM
    Variable
    drives available... And I think that having (by default) Registry: path would be really great idea!
  • Anonymous
    March 27, 2006
    You can access any provider using a provider-qualified path without having a drive mounted.  For instance, 'set-location Registry::' (note the two colons) will move you into the root of the Registry provider.  If you do a 'get-childitem' from there you will see a list of the hives.  The drives are just a shortcut to the hives.  So it's not really necessary to have a Registry drive.

    Jeff Jones