HOWTO: Get a List of Startup Programs on Domain Computers


Every time a user logs on to a workstation, Windows executes a sequence of programs defined in user or computer settings. Having a list of these startup programs for the entire network is a good first step towards diagnosing potential virus attacks (many viruses install themselves as startup programs) as well as diagnosing computer startup and user logon delays (startup programs can slow down startup and logon performance). This article explains some quick ways to pull such a list remotely across the entire network.



Manually:

1. Run a WMI query in the ROOT\CIMV2 namespace:

   - Start WMI Explorer or any other tool that can run WMI queries.
   - Run the WMI query: SELECT * FROM Win32_StartupCommand

2. Run the wmic command-line interface:

   - Press WIN+R
   - Type "wmic", press Enter
   - At the wmic prompt, type: /node:RemoteComputerName startup

3. Run a PowerShell script:

   - through a WMI object: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_StartupCommand -Computer RemoteComputerName

4. Select specific columns:

   - run: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_StartupCommand -Computer RemoteComputerName | Select-Object Name, Command, Location, PSComputerName

5. Sort results:

   - run: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_StartupCommand -Computer RemoteComputerName | Select-Object Name, Command, Location, PSComputerName | Sort-Object Name

6. Filter results:

   - run: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_StartupCommand -Computer RemoteComputerName | Select-Object Name, Command, Location, PSComputerName | Where-Object -FilterScript {$_.Name -like "OneDrive"}

7. Save to CSV file:

   - run: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_StartupCommand -Computer RemoteComputerName | Select-Object Name, Command, Location, PSComputerName | Export-CSV "c:\file.csv" -Append -NoTypeInformation

8. Query multiple computers:

   - computers from a text file: Get-Content -Path c:\computers.txt | ForEach-Object {Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_StartupCommand -Computer $_}
   - computers from AD domain: Get-ADComputer -Filter {OperatingSystem -Like "Windows 10*"} | ForEach-Object {Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_StartupCommand -Computer $_.Name}
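
To use the multi-computer output from step 8 for the virus-diagnosis purpose mentioned in the introduction, it helps to stack the results and look at startup commands that appear on only a few hosts. The PowerShell below is an added example, not part of the original article: the function names Get-StartupInventory and Get-RareStartupEntry, the -MaxHosts threshold and the sample rows are assumptions made for illustration.

```powershell
# Added example, not from the original article. Function names, the -MaxHosts
# threshold and the sample rows below are assumptions made for illustration.
function Get-StartupInventory {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        try {
            Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_StartupCommand `
                -ComputerName $computer -ErrorAction Stop |
                Select-Object PSComputerName, User, Name, Command, Location
        } catch {
            # Record unreachable hosts so gaps in coverage stay visible.
            [pscustomobject]@{
                PSComputerName = $computer; User = $null; Name = 'QUERY_FAILED'
                Command = $_.Exception.Message; Location = $null
            }
        }
    }
}

function Get-RareStartupEntry {
    param([Parameter(Mandatory)][object[]]$Inventory, [int]$MaxHosts = 1)
    $Inventory |
        Where-Object { $_.Name -ne 'QUERY_FAILED' -and $_.Command } |
        # Group case-insensitively on the full command line.
        Group-Object -Property { $_.Command.ToLowerInvariant() } |
        ForEach-Object {
            $hosts = @($_.Group | ForEach-Object { $_.PSComputerName } | Sort-Object -Unique)
            [pscustomobject]@{
                Command   = $_.Group[0].Command
                HostCount = $hosts.Count
                Hosts     = $hosts -join ';'
            }
        } |
        Where-Object { $_.HostCount -le $MaxHosts } |
        Sort-Object HostCount, Command
}

# Constructed sample rows (not real data) so the analysis runs offline.
# Live use: $inventory = Get-StartupInventory -ComputerName (Get-Content -Path c:\computers.txt)
$row = { param($h, $n, $c) [pscustomobject]@{ PSComputerName = $h; Name = $n; Command = $c } }
$inventory = @(
    & $row 'mac.widgets.local'  'OneDrive' 'C:\Program Files\Microsoft OneDrive\OneDrive.exe'
    & $row 'fred.widgets.local' 'OneDrive' 'C:\Program Files\Microsoft OneDrive\OneDrive.exe'
    & $row 'ray.widgets.local'  'OneDrive' 'C:\Program Files\Microsoft OneDrive\OneDrive.exe'
    & $row 'mac.widgets.local'  'Skype'    'C:\Program Files\Skype\Phone\Skype.exe'
    & $row 'ray.widgets.local'  'Updater'  'C:\Temp\example-updater.exe'   # constructed outlier
)
Get-RareStartupEntry -Inventory $inventory | Format-Table -AutoSize
```

A command that shows up on a single host is a candidate for review rather than a verdict; legitimate per-user software lands in the same list, so compare the path and publisher before acting.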

With Action1 Endpoint Security Platform:

Step 1 - Sign-up for free:

 

Step 2 - Type your question in plain English:

Step 3 - Set filters, if necessary:

Step 4 - See results from all endpoints in seconds:

| Endpoint Name | User | Name | Command |
| --- | --- | --- | --- |
| mac.widgets.local | widgets\Mark | Skype | C:\Program Files\Skype\Phone\Skype.exe |
| fred.widgets.local | widgets\Fred | GoogleDriveSync | C:\Program Files\Google\Drive\googledrivesync.exe |
| ray.widgets.local | widgets\Ray | OneDrive | C:\Program Files\Microsoft OneDrive\OneDrive.exe |

Do not have time to write scripts? Check out Action1 Endpoint Security Platform. Ask questions in plain English such as "list of installed software" or "all running processes".
Get answers instantly from live systems or subscribe to real-time alerts: