A script to retrieve a list of startup programs and watch for changes. Alerts the user and sends info by email if a change has occurred. Ideal for detecting spyware or malware.
//This script retrieves a list of applications and services that are set to run
//when Windows starts up. It is a useful defence against potential spyware/malware.
//This script keeps a log of startup programs and will alert the user if a change has
//occurred and email the SysAdmin. Schedule the macro to run once a day.
//Modify these three lines
Let>logfile=c:\logs\startups.txt
Let>mail_server=mail.domain.com
Let>recipient=[email protected]
VBSTART
Function GetStartupProgs
On Error Resume Next
Dim s
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_StartupCommand",,48)
s = ""
For Each objItem in colItems
s = s + "________________" & vbCRLF
s = s + "Name: " & objItem.Caption & vbCRLF
s = s + "Command: " & objItem.Command & vbCRLF
s = s + "Description: " & objItem.Description & vbCRLF
s = s + "Location: " & objItem.Location & vbCRLF
s = s + "Name: " & objItem.Name & vbCRLF
s = s + "SettingID: " & objItem.SettingID & vbCRLF
s = s + "User: " & objItem.User & vbCRLF
Next
GetStartupProgs = s
End Function
VBEND
//get start up command details
VBEval>GetStartupProgs,progs
//If a log already exists, compare it.
IfFileExists>logfile
//a log exists, compare it to this one
ReadFile>logfile,oldprogs
Let>comp_progs=%progs%%CRLF%
//if there's a change, alert user
If>oldprogs<>comp_progs
MessageModal>Startup Config Has Changed, Emailing SysAdmin
//email system admin
SMTPSendMail>recipient,mail_server,logs@%mail_server%,logs,Startup Changed on %COMPUTER_NAME%\%USER_NAME%,progs,
endif
//delete the old copy
DeleteFile>logfile
endif
//write to logfile
WriteLn>logfile,r,progs
Monitor Startup Programs
Marcus Tettmar
http://mjtnet.com/blog/ | http://twitter.com/marcustettmar
Did you know we are now offering affordable monthly subscriptions for Macro Scheduler Standard?
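
An added example, not part of the original post or of Macro Scheduler: the script above reports only that the startup list changed, so this Python code parses two snapshots in the log format it writes and lists which entries were added, removed, or had their command changed. The sample snapshots, entry names and paths are constructed for illustration.

```python
SEP = "________________"  # separator line the script writes before each entry

def parse_snapshot(text):
    """Return {(Location, Name, User): Command} for each entry in a snapshot."""
    entries = {}
    for block in text.split(SEP):
        fields = {}
        for line in block.splitlines():
            key, colon, value = line.partition(":")
            if colon:
                # The script emits "Name:" twice (Caption, then Name); the later one wins.
                fields[key.strip()] = value.strip()
        if fields:
            ident = (fields.get("Location", ""), fields.get("Name", ""),
                     fields.get("User", ""))
            entries[ident] = fields.get("Command", "")
    return entries

def diff_snapshots(old_text, new_text):
    """Return (added, removed, changed) lists of entry identities."""
    old, new = parse_snapshot(old_text), parse_snapshot(new_text)
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    changed = sorted(k for k in new if k in old and new[k] != old[k])
    return added, removed, changed

def make_entry(name, command, location, user):
    """Build one entry the way GetStartupProgs formats it (constructed sample data)."""
    lines = [SEP, f"Name: {name}", f"Command: {command}", f"Description: {name}",
             f"Location: {location}", f"Name: {name}", "SettingID: ", f"User: {user}"]
    return "\r\n".join(lines) + "\r\n"

# Constructed sample snapshots: yesterday's log (OLD) and today's query result (NEW).
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
OLD = (make_entry("BackupAgent", r"C:\Program Files\Backup\agent.exe", RUN, "Public")
       + make_entry("Notes", r"C:\Tools\notes.exe", "Startup", r"PC1\alice"))
NEW = (make_entry("BackupAgent", r"C:\ProgramData\Backup\agent.exe", RUN, "Public")
       + make_entry("Helper", r"C:\Tools\helper.exe /quiet", RUN, "Public"))

if __name__ == "__main__":
    added, removed, changed = diff_snapshots(OLD, NEW)
    for label, keys in (("ADDED", added), ("REMOVED", removed), ("CHANGED", changed)):
        for location, name, user in keys:
            print(f"{label}: {name} [{location}] user={user}")
```

Feeding it the previous log file and the new `progs` text gives the SysAdmin email a short list of the specific entries to review instead of the full dump.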