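# PCS Toolkit - Startup Audit
# Lists all auto-start programs from multiple locations:
#   - Run / RunOnce registry keys (HKLM, HKCU and the 32-bit WOW6432Node view)
#   - per-user and all-users Startup folders (hidden items included)
#   - enabled scheduled tasks that have a boot or logon trigger
#   - services whose start mode is Automatic, with their binary path
#
# Output is echoed to the console and appended to a timestamped text file on
# the current user's Desktop. The script only reads system state.
#
# Coverage limits a reviewer should keep in mind:
#   - HKCU and the per-user Startup folder describe the CURRENT user only;
#     other profiles on the machine are not inspected.
#   - When the session is not elevated, some scheduled tasks may not be
#     returned, so the report records whether the run was elevated.

$timestamp = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"

# Ask the shell for the Desktop location so a redirected Desktop still works;
# fall back to the conventional path under the user profile.
$desktop = [Environment]::GetFolderPath('Desktop')
if (-not $desktop -or -not (Test-Path -LiteralPath $desktop)) {
    $desktop = Join-Path $env:USERPROFILE 'Desktop'
}
$outputFile = Join-Path $desktop "StartupAudit_$timestamp.txt"

# Writes one line to the console and appends the same line to the report file.
function Log($msg) {
    Write-Host $msg
    Add-Content -LiteralPath $outputFile -Value $msg
}

# Logs every value under one Run-style registry key.
# The key is opened once and its values are read from that handle, so a key
# that is missing or unreadable is reported instead of raising an error per value.
function Write-RunKeyEntries($keyPath) {
    $key = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
    if (-not $key) {
        Log "  (key not present or not readable)"
        return
    }
    $names = @($key.GetValueNames())
    if ($names.Count -eq 0) {
        Log "  (no entries)"
        return
    }
    foreach ($name in $names) {
        # An empty value name is the key's default value.
        $label = if ($name -eq '') { '(Default)' } else { $name }
        $val = $key.GetValue($name)
        Log "  ${label}: $val"
    }
}

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

Log "========================================"
Log " PCS Toolkit - Startup Audit"
Log "========================================"
Log "Generated: $(Get-Date)"
Log "Computer: $env:COMPUTERNAME"
Log "User: $($identity.Name)"
Log "Elevated: $isElevated"
if (-not $isElevated) {
    Log "NOTE: not elevated - some scheduled tasks may be missing from this report."
}
Log ""

# Section title -> registry key. RunOnce and the WOW6432Node view are included
# because entries there are launched at logon just like the plain Run keys.
$runKeys = @(
    @{ Title = 'HKLM Run';              Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' },
    @{ Title = 'HKLM RunOnce';          Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' },
    @{ Title = 'HKLM Run (32-bit)';     Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run' },
    @{ Title = 'HKLM RunOnce (32-bit)'; Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce' },
    @{ Title = 'HKCU Run';              Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' },
    @{ Title = 'HKCU RunOnce';          Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' }
)
foreach ($entry in $runKeys) {
    Log "=== REGISTRY: $($entry.Title) ==="
    Write-RunKeyEntries $entry.Path
    Log ""
}

Log "=== STARTUP FOLDERS ==="
$startupPaths = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)

# Used to resolve .lnk targets; the audit still runs if COM is unavailable.
$shell = $null
try {
    $shell = New-Object -ComObject WScript.Shell
} catch {
    Log "  (WScript.Shell unavailable - shortcut targets will not be resolved)"
}

foreach ($path in $startupPaths) {
    Log "Path: $path"
    if (Test-Path -LiteralPath $path) {
        # -Force so items carrying the Hidden attribute are not skipped.
        Get-ChildItem -LiteralPath $path -Force | ForEach-Object {
            Log "  - $($_.Name)"
            # The shortcut name says little; the target is what actually runs.
            if ($shell -and $_.Extension -eq '.lnk') {
                try {
                    $lnk = $shell.CreateShortcut($_.FullName)
                    Log "      Target: $($lnk.TargetPath) $($lnk.Arguments)"
                } catch {
                    Log "      Target: (could not resolve shortcut)"
                }
            }
        }
    } else {
        Log "  (not found)"
    }
}

Log ""
Log "=== SCHEDULED TASKS (Boot/Logon triggers) ==="
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    $triggers = $task.Triggers | Where-Object { $_.CimClass.CimClassName -match 'Boot|Logon' }
    if ($triggers) {
        Log "  $($task.TaskPath)$($task.TaskName)"
        # One line per action so a task with several actions stays readable.
        foreach ($action in $task.Actions) {
            if ($action.Execute) {
                Log "    Action: $($action.Execute) $($action.Arguments)"
            } else {
                # Not a command-line action; record its type rather than a blank line.
                Log "    Action: ($($action.CimClass.CimClassName))"
            }
        }
    }
}

Log ""
Log "=== SERVICES (Auto-Start) ==="
# Every Automatic service is listed, running or not: a stopped auto-start
# service is still configured to launch at boot. PathName shows the binary
# (and arguments) the service control manager will start.
Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" |
    Sort-Object DisplayName |
    ForEach-Object {
        Log "  $($_.Name) - $($_.DisplayName) [$($_.State)]"
        Log "      Path: $($_.PathName)"
    }

Log ""
Log "========================================"
Log "AUDIT COMPLETE"
Log "========================================"

# Open Explorer with the report selected, then keep the window open.
explorer.exe "/select,$outputFile"
Read-Host "Press Enter to exit"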