{"id":50183,"date":"2025-07-14T03:43:07","date_gmt":"2025-07-14T03:43:07","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=50183"},"modified":"2025-07-14T03:43:07","modified_gmt":"2025-07-14T03:43:07","slug":"to-check-if-your-windows-machine-has-any-scripts-or-programs-running-at-boot-startup","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/to-check-if-your-windows-machine-has-any-scripts-or-programs-running-at-boot-startup\/","title":{"rendered":"To check if your Windows machine has any scripts (or programs) running at boot\/startup"},"content":{"rendered":"\n<p>To check if your Windows machine has <strong>any scripts (or programs) running at boot\/startup<\/strong>, you need to look in several locations. Windows supports multiple mechanisms for startup scripts, both for <strong>user logins<\/strong> and for <strong>system boot<\/strong>. Here\u2019s a complete, step-by-step guide to check all major places.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>1. Task Manager \u2013 Startup Tab<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Right-click the Taskbar<\/strong> \u2192 choose <strong>Task Manager<\/strong> (or press <code>Ctrl + Shift + Esc<\/code>).<\/li>\n\n\n\n<li>Go to the <strong>Startup<\/strong> tab.<\/li>\n\n\n\n<li>Here you\u2019ll see all enabled\/disabled startup apps for your user account.<\/li>\n\n\n\n<li>This won\u2019t show Group Policy\/system scripts, but it\u2019s a quick check for user-level startup items.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>2. Startup Folders<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>User Startup folder:<\/strong><br><code>C:\\Users\\&lt;YourUsername>\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup<\/code><\/li>\n\n\n\n<li><strong>All Users Startup folder:<\/strong><br><code>C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup<\/code><\/li>\n\n\n\n<li>Any scripts (<code>.bat<\/code>, <code>.cmd<\/code>, <code>.vbs<\/code>, <code>.ps1<\/code>, shortcuts, etc.) here will run at user login.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>3. Windows Registry \u2013 Run Keys<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Press <code>Win + R<\/code>, type <code>regedit<\/code>, and open the Registry Editor.<\/li>\n\n\n\n<li>Check these keys: <strong>User-specific:<\/strong> <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce<\/code> <strong>System-wide:<\/strong> <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce<\/code><\/li>\n\n\n\n<li>Any entries here pointing to scripts or executables will run at user login or system startup.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>4. Group Policy Startup Scripts<\/strong><\/h2>\n\n\n\n<p>For <strong>corporate or domain-joined PCs<\/strong> (less common at home):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Press <code>Win + R<\/code>, type <code>gpedit.msc<\/code>, and open the <strong>Local Group Policy Editor<\/strong>.<\/li>\n\n\n\n<li>Go to:<br><code>Computer Configuration \u2192 Windows Settings \u2192 Scripts (Startup\/Shutdown)<\/code><\/li>\n\n\n\n<li>Check for entries under <strong>Startup<\/strong> (runs at boot for all users) and <strong>Shutdown<\/strong>.<\/li>\n\n\n\n<li>Also check:<br><code>User Configuration \u2192 Windows Settings \u2192 Scripts (Logon\/Logoff)<\/code><\/li>\n<\/ul>\n\n\n\n<p><strong>Note:<\/strong> On Home editions, <code>gpedit.msc<\/code> may not be available, but you can still check the folders:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>C:\\Windows\\System32\\GroupPolicy\\Machine\\Scripts\\Startup<\/code><\/li>\n\n\n\n<li><code>C:\\Windows\\System32\\GroupPolicy\\User\\Scripts\\Logon<\/code><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>5. Task Scheduler<\/strong><\/h2>\n\n\n\n<p>Many scripts and programs are set to run at boot\/logon via <strong>Task Scheduler<\/strong>.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Open <strong>Task Scheduler<\/strong> (<code>taskschd.msc<\/code>).<\/li>\n\n\n\n<li>In the left pane, expand <strong>Task Scheduler Library<\/strong>.<\/li>\n\n\n\n<li>Look through:\n<ul class=\"wp-block-list\">\n<li><strong>Task Scheduler Library<\/strong><\/li>\n\n\n\n<li><strong>Microsoft \u2192 Windows<\/strong> (and all subfolders)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Look for tasks with <strong>Triggers<\/strong> set to \u201cAt startup\u201d or \u201cAt log on\u201d.<br>The <strong>Actions<\/strong> tab will show the script or program that runs.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>6. Services<\/strong><\/h2>\n\n\n\n<p>Some scripts may be run as <strong>Windows Services<\/strong>.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Open <strong>Services<\/strong> (<code>services.msc<\/code>).<\/li>\n\n\n\n<li>Look for any custom or suspicious services, especially with &#8220;Manual&#8221; or &#8220;Automatic&#8221; startup.<\/li>\n\n\n\n<li>Check the <strong>Path to executable<\/strong> for each service\u2014sometimes it points to a script.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>7. Autoruns (Sysinternals Tool \u2013 Advanced)<\/strong><\/h2>\n\n\n\n<p>For a <strong>comprehensive view<\/strong>, use Microsoft\u2019s <strong>Autoruns<\/strong> tool (free, official):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Download from <a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/autoruns\" target=\"_blank\" rel=\"noopener\">https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/autoruns<\/a><\/li>\n\n\n\n<li>Run it as Administrator.<\/li>\n\n\n\n<li>It lists <strong>everything<\/strong> that can run at startup (including obscure places).<\/li>\n\n\n\n<li>You can search\/filter for scripts (<code>.bat<\/code>, <code>.vbs<\/code>, <code>.ps1<\/code>, etc.).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Summary Table of Places to Check<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Location<\/th><th>Method<\/th><th>Script Types Supported<\/th><\/tr><\/thead><tbody><tr><td>Task Manager \u2192 Startup Tab<\/td><td>GUI<\/td><td>Executables, script shortcuts<\/td><\/tr><tr><td>Startup Folders<\/td><td>File Explorer<\/td><td>Shortcuts, .bat, .cmd, .vbs, .ps1<\/td><\/tr><tr><td>Registry Run\/RunOnce Keys<\/td><td>regedit<\/td><td>Any file path<\/td><\/tr><tr><td>Group Policy Scripts<\/td><td>gpedit.msc<\/td><td>.bat, .cmd, .ps1, etc.<\/td><\/tr><tr><td>Task Scheduler<\/td><td>taskschd.msc<\/td><td>Any script or program<\/td><\/tr><tr><td>Services<\/td><td>services.msc<\/td><td>Executables, some scripts<\/td><\/tr><tr><td>Autoruns (Sysinternals)<\/td><td>Autoruns.exe<\/td><td>All<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Tips<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If you find an unknown or suspicious script, search its name\/path online to verify its legitimacy.<\/li>\n\n\n\n<li>Always be careful before disabling\/deleting startup entries, especially on work machines.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Here\u2019s a <strong>PowerShell script<\/strong> that will enumerate the <strong>most common startup locations<\/strong> and list out any startup items\u2014including scripts (<code>.bat<\/code>, <code>.cmd<\/code>, <code>.ps1<\/code>, <code>.vbs<\/code>), executables, and shortcuts.<br>This script checks:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Startup folders<\/strong> (user and all users)<\/li>\n\n\n\n<li><strong>Registry Run\/RunOnce keys<\/strong> (user and system)<\/li>\n\n\n\n<li><strong>Scheduled Tasks with \u201cAt startup\u201d or \u201cAt logon\u201d triggers<\/strong><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>PowerShell Script: List All Windows Startup Items<\/strong><\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-1\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">Write-Host <span class=\"hljs-string\">\"====== WINDOWS STARTUP ITEMS ======\"<\/span> -ForegroundColor Cyan\n\n<span class=\"hljs-comment\"># 1. Startup Folders<\/span>\n$startupFolders = @(\n    <span class=\"hljs-string\">\"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\"<\/span>,\n    <span class=\"hljs-string\">\"$env:PROGRAMDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\"<\/span>\n)\n\nWrite-Host <span class=\"hljs-string\">\"`n-- Startup Folders --\"<\/span> -ForegroundColor Yellow\n<span class=\"hljs-keyword\">foreach<\/span> ($folder in $startupFolders) {\n    <span class=\"hljs-keyword\">if<\/span> (Test-Path $folder) {\n        Get-ChildItem -Path $folder -File | <span class=\"hljs-keyword\">ForEach<\/span>-Object {\n            Write-Host <span class=\"hljs-string\">\"$($folder)\\$($_.Name)\"<\/span>\n        }\n    }\n}\n\n<span class=\"hljs-comment\"># 2. Registry Run\/RunOnce Keys<\/span>\n$runKeys = @(\n    <span class=\"hljs-string\">\"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"<\/span>,\n    <span class=\"hljs-string\">\"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"<\/span>,\n    <span class=\"hljs-string\">\"HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"<\/span>,\n    <span class=\"hljs-string\">\"HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"<\/span>\n)\n\nWrite-Host <span class=\"hljs-string\">\"`n-- Registry Run\/RunOnce Keys --\"<\/span> -ForegroundColor Yellow\n<span class=\"hljs-keyword\">foreach<\/span> ($key in $runKeys) {\n    <span class=\"hljs-keyword\">if<\/span> (Test-Path $key) {\n        Get-ItemProperty -Path $key | <span class=\"hljs-keyword\">ForEach<\/span>-Object {\n            $_.PSObject.Properties | Where-Object { $_.Name -ne <span class=\"hljs-string\">\"PSPath\"<\/span> -<span class=\"hljs-keyword\">and<\/span> $_.Name -ne <span class=\"hljs-string\">\"PSParentPath\"<\/span> -<span class=\"hljs-keyword\">and<\/span> $_.Name -ne <span class=\"hljs-string\">\"PSChildName\"<\/span> -<span class=\"hljs-keyword\">and<\/span> $_.Name -ne <span class=\"hljs-string\">\"PSDrive\"<\/span> -<span class=\"hljs-keyword\">and<\/span> $_.Name -ne <span class=\"hljs-string\">\"PSProvider\"<\/span> } | <span class=\"hljs-keyword\">ForEach<\/span>-Object {\n                Write-Host <span class=\"hljs-string\">\"$key -&gt; $($_.Name): $($_.Value)\"<\/span>\n            }\n        }\n    }\n}\n\n<span class=\"hljs-comment\"># 3. Scheduled Tasks: At startup \/ At logon<\/span>\nWrite-Host <span class=\"hljs-string\">\"`n-- Scheduled Tasks (At startup\/logon) --\"<\/span> -ForegroundColor Yellow\n$tasks = Get-ScheduledTask | Where-Object {\n    $_.Triggers | Where-Object { $_.TriggerType -eq <span class=\"hljs-string\">'AtStartup'<\/span> -<span class=\"hljs-keyword\">or<\/span> $_.TriggerType -eq <span class=\"hljs-string\">'AtLogon'<\/span> }\n}\n<span class=\"hljs-keyword\">foreach<\/span> ($task in $tasks) {\n    <span class=\"hljs-keyword\">foreach<\/span> ($action in $task.Actions) {\n        Write-Host <span class=\"hljs-string\">\"Task: $($task.TaskName) -&gt; $($action.Execute) $($action.Arguments)\"<\/span>\n    }\n}\n\nWrite-Host <span class=\"hljs-string\">\"`n====== END OF LIST ======\"<\/span> -ForegroundColor Cyan\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-1\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>How to Run<\/strong><\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Open PowerShell as Administrator<\/strong> (for full results).<\/li>\n\n\n\n<li><strong>Copy and paste<\/strong> the above script into the console (or save as <code>List-StartupItems.ps1<\/code> and run it).<\/li>\n\n\n\n<li><strong>Review the output<\/strong>\u2014it will print all startup scripts and programs.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>What Does This Script Cover?<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Items in <strong>Startup folders<\/strong> (user &amp; all users)<\/li>\n\n\n\n<li>Entries in <strong>Registry Run\/RunOnce<\/strong> keys (user &amp; system)<\/li>\n\n\n\n<li><strong>Scheduled Tasks<\/strong> with triggers set to <code>At startup<\/code> or <code>At logon<\/code><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Extra: To Export to File<\/strong><\/h3>\n\n\n\n<p>If you want to save the output:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-2\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">.\\<span class=\"hljs-keyword\">List<\/span>-StartupItems.ps1 | Out-File <span class=\"hljs-string\">\"startup-items.txt\"<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-2\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Want to Check for Group Policy\/Service scripts as well?<\/strong><\/h3>\n\n\n\n<p>Let me know! I can expand the script for advanced\/enterprise scenarios.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>To check if your Windows machine has any scripts (or programs) running at boot\/startup, you need to look in several locations. Windows supports multiple mechanisms for startup scripts, both for&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[2],"tags":[],"class_list":["post-50183","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/50183","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=50183"}],"version-history":[{"count":1,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/50183\/revisions"}],"predecessor-version":[{"id":50184,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/50183\/revisions\/50184"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=50183"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=50183"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=50183"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}