HOWTO: Get a List of Startup Programs on a Remote Computer


Every time a user logs on to a workstation, Windows executes a sequence of programs defined in user or computer settings. Having a list of such startup programs for the entire network is a good first step towards diagnosing potential virus attacks (many viruses install themselves as startup programs) as well as diagnosing computer startup and user logon delays (startup programs can slow down startup and logon performance). This article explains some quick ways to pull such a list remotely across the entire network.



Manually:

1. Run WMI query in ROOT\CIMV2 namespace:

   - Start WMI Explorer or any other tool which can run WMI queries.
   - Run WMI query: SELECT * FROM Win32_StartupCommand

2. Run wmic command-line interface:

   - Press WIN+R
   - Type "wmic", press Enter
   - In wmic command prompt type: /node:RemoteComputerName startup

3. Run PowerShell script:

   - through WMI object: Get-WmiObject -Class Win32_StartupCommand -Computer RemoteComputerName

4. Select specific columns:

   - run: Get-WmiObject -Class Win32_StartupCommand -Computer RemoteComputerName | Select-Object Name, Command, Location

5. Sort results:

   - run: Get-WmiObject -Class Win32_StartupCommand -Computer RemoteComputerName | Select-Object Name, Command, Location | Sort-Object Name

6. Filter results:

   - run: Get-WmiObject -Class Win32_StartupCommand -Computer RemoteComputerName | Select-Object Name, Command, Location | Where-Object -FilterScript {$_.Name -like "OneDrive"}

7. Save to CSV file:

   - run: Get-WmiObject -Class Win32_StartupCommand -Computer RemoteComputerName | Select-Object Name, Command, Location | Export-CSV "c:\file.csv" -Append -NoTypeInformation

8. Query multiple computers:

   - computers from a text file: Get-Content -Path c:\computers.txt | ForEach-Object {Get-WmiObject -Class Win32_StartupCommand -Computer $_}
   - computers from AD domain: Get-ADComputer -Filter {OperatingSystem -Like "Windows 10*"} | ForEach-Object {Get-WmiObject -Class Win32_StartupCommand -Computer $_.Name}
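
The steps above combined into one inventory script, as an added example that is not part of the original article. It assumes Windows PowerShell 5.1 (where Get-WmiObject is available) and the c:\computers.txt host list from step 8; the output paths and the review substrings are hypothetical. It records unreachable hosts instead of silently skipping them and marks startup commands that run from user-writable folders for a closer look.

```powershell
# Added example, not from the original article.
# Assumptions: Windows PowerShell 5.1, host list in c:\computers.txt (one name per line),
# hypothetical output files c:\startup-inventory.csv and c:\startup-unreachable.csv.
$computers = Get-Content -Path 'c:\computers.txt' | Where-Object { $_.Trim() }

# Hypothetical review heuristic: commands launched from user-writable locations.
# A match is a prompt to look closer, not a verdict; some legitimate software
# installs per-user and starts from these folders too.
$reviewSubstrings = '\AppData\', '\Temp\', '\Users\Public\', '%TEMP%', '%APPDATA%'

$failed  = @()
$results = foreach ($computer in $computers) {
    try {
        # -ErrorAction Stop turns RPC/access-denied failures into catchable errors
        Get-WmiObject -Class Win32_StartupCommand -ComputerName $computer -ErrorAction Stop |
            ForEach-Object {
                $item = $_
                $cmd  = [string]$item.Command
                $hit  = $reviewSubstrings | Where-Object {
                    $cmd.IndexOf($_, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
                }
                [pscustomobject]@{
                    Computer = $computer
                    User     = $item.User
                    Name     = $item.Name
                    Command  = $cmd
                    Location = $item.Location
                    Review   = [bool]$hit
                }
            }
    }
    catch {
        # Keep a record of hosts that could not be queried so gaps in coverage are visible
        $failed += [pscustomobject]@{ Computer = $computer; Error = $_.Exception.Message }
    }
}

# Full inventory, one row per startup entry per computer
$results | Sort-Object Computer, Name |
    Export-Csv -Path 'c:\startup-inventory.csv' -NoTypeInformation

# Hosts that were offline or refused the WMI connection
$failed | Export-Csv -Path 'c:\startup-unreachable.csv' -NoTypeInformation

# Entries marked for review, shown on screen
$results | Where-Object Review | Format-Table Computer, User, Name, Command -AutoSize
```

Comparing the CSV from one run with the next shows which startup entries appeared or disappeared on each computer.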

With Action1 Endpoint Security Platform:

Step 1 - Sign-up for free:

Step 2 - Type your question in plain English:

Step 3 - Set filters, if necessary:

Step 4 - See results from all endpoints in seconds:

| Endpoint Name | User | Name | Command |
|---|---|---|---|
| mac.widgets.local | widgets\Mark | Skype | C:\Program Files\Skype\Phone\Skype.exe |
| fred.widgets.local | widgets\Fred | GoogleDriveSync | C:\Program Files\Google\Drive\googledrivesync.exe |
| ray.widgets.local | widgets\Ray | OneDrive | C:\Program Files\Microsoft OneDrive\OneDrive.exe |
