Identify Programs Set To Auto Run At Startup
Query
// Use Case: Identifying programs set to auto-run at startup for system analysis and security auditing.
WindowsRegistry('HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run')
| project RegistryKey, ValueName, ValueType, ValueDataExplanation
This query is designed to help identify programs that are configured to automatically run when a Windows system starts up. It looks into a specific part of the Windows Registry, which is a database that stores settings and options for the operating system. The query specifically examines the "Run" section under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion" in the registry.
The query retrieves and displays four pieces of information for each entry found in this section:
- RegistryKey: The path in the registry where the entry is located.
- ValueName: The name of the entry, which typically represents the program or service.
- ValueType: The type of data stored in the entry (e.g., string, binary).
- ValueData: The actual data or command that is executed at startup.
This information is useful for system analysis and security auditing, as it helps identify which programs are set to launch automatically when the computer boots up, potentially highlighting unwanted or malicious software.
Details

Ugur Koc
Released: December 13, 2024
Tables
Keywords
Operators