The WMIC startup command can be used to check the programs that will be run when a user logs into a Microsoft Windows system.
C:\>wmic startup /? STARTUP - Management of commands that run automatically when users log onto the computer system. HINT: BNF for Alias usage. (<alias> [WMIObject] | <alias> [<path where>] | [<alias>] <path where>) [<verb c lause>]. USAGE: STARTUP ASSOC [<format specifier>] STARTUP CREATE <assign list> STARTUP DELETE STARTUP GET [<property list>] [<get switches>] STARTUP LIST [<list format>] [<list switches>] C:\>
The list parameter can be specified to obtain a list
of programs that will be run upon logon.
C:\>wmic startup list /? Property list operations. USAGE: LIST [<list format>] [<list switches>] The following LIST formats are available: BRIEF - Command, User, Caption FULL - Command, Description, SettingID, User, Location, Cap tion INSTANCE - Caption SYSTEM - __CLASS, __DERIVATION, __DYNASTY, __GENUS, __NAMESPA CE, __PATH, __PROPERTY_COUNT, __RELPATH, __SERVER, __SUPERCLASS The following LIST switches are available: /TRANSLATE:<table name> - Translate output via values from <table name>. /EVERY:<interval> [/REPEAT:<repeat count>] - Returns value every (X interval) se conds, If /REPEAT specified the command is executed <repeat count> times. /FORMAT:<format specifier> - Keyword/XSL filename to process the XML results. NOTE: Order of /TRANSLATE and /FORMAT switches influences the appearance of outp ut. Case1: If /TRANSLATE precedes /FORMAT, then translation of results will be follo wed by formatting. Case2: If /TRANSLATE succeeds /FORMAT, then translation of the formatted results will be done. C:\>
E.g., if I only want a brief listing, i.e, just the Command, User, and
Caption values, I can use wmic startup list brief. If I just
want the "caption", I can use wmic startup list instance
as shown below:
C:\>wmic startup list instance Caption Akamai NetSession Interface SpybotPostWindows10UpgradeReInstall Intuit Data Protect QuickBooks Update Agent QuickBooks_Standard_21 IgfxTray HotKeysCmds Persistence AdAwareTray C:\>
If I don't want to use any of the predefined list formats like brief,
full, instance, etc., I can use wmic startup get followed
by the values I'm interested in. E.g., if I wanted the caption
and command values, I could use the command shown below:
C:\>wmic startup get caption, command Caption Command Akamai NetSession Interface "C:\Users\Pamela\AppData\Local\Akamai\netsession_win.exe" SpybotPostWindows10UpgradeReInstall "C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe" Intuit Data Protect C:\PROGRA~2\COMMON~1\Intuit\DATAPR~1\INTUIT~1.EXE /Startup QuickBooks Update Agent C:\PROGRA~2\COMMON~1\Intuit\QUICKB~1\QBUpdate\qbupdate.exe QuickBooks_Standard_21 C:\PROGRA~2\Intuit\QUICKB~1\QBW32.EXE -silent IgfxTray C:\Windows\system32\igfxtray.exe HotKeysCmds C:\Windows\system32\hkcmd.exe Persistence C:\Windows\system32\igfxpers.exe AdAwareTray "C:\Program Files\Security\Ad-Aware\Ad-Aware Antivirus\11.8.586.8535\AdAwareTray.exe"
