{"id":251511,"date":"2024-05-08T12:24:26","date_gmt":"2024-05-08T12:24:26","guid":{"rendered":"https:\/\/www.ninjaone.com\/?post_type=script_hub&#038;p=251511"},"modified":"2024-05-08T12:24:26","modified_gmt":"2024-05-08T12:24:26","slug":"script-powershell-di-verifica-con-autorunsc","status":"publish","type":"script_hub","link":"https:\/\/www.ninjaone.com\/it\/script-hub\/script-powershell-di-verifica-con-autorunsc\/","title":{"rendered":"Come diventare maestri nella sicurezza delle startup: Guida allo script PowerShell di verifica con Autorunsc"},"content":{"rendered":"<h2>Punti chiave<\/h2>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><strong>Verifica completa<\/strong>: Lo script fornisce una completa verifica degli elementi di avvio, migliorando la sicurezza e le prestazioni del sistema.<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"2\" data-aria-level=\"1\"><strong>Automazione ed efficienza<\/strong>: Automatizza il processo di download ed esecuzione di Autorunsc, risparmiando tempo rispetto ai metodi manuali.<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"3\" data-aria-level=\"1\"><strong>Parametri personalizzabili<\/strong>: Offre la flessibilit\u00e0 di rivolgersi a voci di esecuzione automatica specifiche, come servizi, attivit\u00e0 pianificate o applicazioni di avvio.<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"4\" data-aria-level=\"1\"><strong>Facilit\u00e0 di reportistica<\/strong>: I risultati vengono inviati a un registro delle attivit\u00e0 e, come opzione, a un campo personalizzato per facilitare la documentazione e la valutazione.<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"5\" data-aria-level=\"1\"><strong>Necessit\u00e0 di diritti di amministrazione<\/strong>: Richiede i privilegi di amministrazione per ottenere tutte le funzionalit\u00e0, in particolare per la scrittura dei campi personalizzati.<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"6\" data-aria-level=\"1\"><strong>Compatibilit\u00e0<\/strong>: Progettato per Windows 10 e Server 2012 e versioni successive, garantisce un&#8217;ampia applicabilit\u00e0 negli ambienti IT moderni.<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"7\" data-aria-level=\"1\"><strong>Identificazione del malware<\/strong>: Aiuta a identificare le voci di avvio automatico sospette, un passo fondamentale per il rilevamento e la prevenzione del malware.<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"8\" data-aria-level=\"1\"><strong>Si raccomandano verifiche regolari<\/strong>: Si consiglia di utilizzare regolarmente lo script PowerShell di verifica con Autorunsc per mantenere l&#8217;integrit\u00e0 e la sicurezza del sistema.<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"9\" data-aria-level=\"1\"><strong>Analisi accurata dei risultati<\/strong>: Sottolinea la necessit\u00e0 di un attento esame dei risultati delle verifiche per evitare falsi positivi e garantire l&#8217;affidabilit\u00e0 del sistema.<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"10\" data-aria-level=\"1\"><strong>Integrazione con gli strumenti di gestione IT<\/strong>: Evidenzia come l&#8217;integrazione con strumenti come NinjaOne possa migliorare le strategie di gestione e sicurezza IT.<\/li>\n<\/ul>\n<p>La comprensione delle complessit\u00e0 dei sistemi IT, in particolare nell&#8217;ambito della sicurezza e della gestione delle startup, \u00e8 fondamentale per i professionisti IT e per i <a href=\"https:\/\/www.ninjaone.com\/it\/cos-e-un-msp\/\">fornitori di servizi gestiti (MSP)<\/a>. La verifica e la gestione efficiente delle voci di esecuzione automatica \u00e8 una parte essenziale del mantenimento dell&#8217;integrit\u00e0 e della sicurezza del sistema. Questo post approfondisce uno script PowerShell che utilizza Autorunsc, uno strumento di Sysinternals, per condurre verifiche complete dell&#8217;avvio.<\/p>\n<h2>Background<\/h2>\n<p>Lo script in questione \u00e8 progettato per eseguire Autorunsc con vari parametri definiti dall&#8217;utente, inviando i risultati a un registro delle attivit\u00e0 e potenzialmente a un campo personalizzato. Autorunsc \u00e8 un famoso strumento di Sysinternals, sviluppato da Mark Russinovich. Fornisce una visione dettagliata di tutti i programmi e gli script configurati per essere eseguiti all&#8217;avvio del sistema o all&#8217;accesso dell&#8217;utente.<\/p>\n<p>Per i professionisti IT e gli MSP, questo script \u00e8 una risorsa potente che consente di identificare rapidamente gli elementi di avvio potenzialmente dannosi o non necessari, migliorando le prestazioni e la sicurezza del sistema.<\/p>\n<h2>Lo script PowerShell di verifica con Autorunsc:<\/h2>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"powershell\">#Requires -Version 4\r\n\r\n&lt;#\r\n.SYNOPSIS\r\n    Runs Autorunsc with your selected options and outputs the results to the activity log and optionally a WYSIWYG custom field. Please note that there is a limit to the number of results that can be set in Custom Fields or viewed in the Activity Log.\r\n.DESCRIPTION\r\n    Runs Autorunsc with your selected options and outputs the results to the activity log and optionally a WYSIWYG custom field. Please note that there is a limit to the number of results that can be set in Custom Fields or viewed in the Activity Log.\r\n.EXAMPLE\r\n    (No Parameters)\r\n    URL Given, Downloading the file...\r\n    Download Attempt 1\r\n    HKCU:\\SOFTWARE\\Sysinternals\\AutoRuns\\EulaAccepted changed from 1 to 1\r\n\r\n    Sysinternals Autoruns v14.10 - Autostart program viewer\r\n    Copyright (C) 2002-2023 Mark Russinovich\r\n    Sysinternals - www.sysinternals.com\r\n\r\n    WARNING: Script must be elevated in order to write to custom field.\r\n    \r\n    Entry          : C:\\Windows\\system32\\userinit.exe\r\n    Entry Location : HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\r\n    Image Path     : c:\\windows\\system32\\userinit.exe\r\n    Signer         : (Verified) Microsoft Windows\r\n    MD5            : 9C4C281156040CF01EA35D759092F540\r\n\r\n    Entry          : cmd.exe\r\n    Entry Location : HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell\r\n    Image Path     : c:\\windows\\system32\\cmd.exe\r\n    Signer         : (Verified) Microsoft Windows\r\n    MD5            : 8A2122E8162DBEF04694B9C3E0B6CDEE\r\n\r\nPARAMETER: -CustomField \"ReplaceWithAMultilineCustomField\"\r\n    The name of the multiline custom field you would like to save the results to.\r\n\r\nPARAMETER: -Startup\r\n    Applications or scripts configured to run automatically after a user logs into their account. This is the default option for Autoruns. \r\n    E.g. Applications in the 'Startup' folder.\r\n\r\nPARAMETER: -Boot\r\n    Programs or commands that are set to execute during the system's boot-up sequence before a user logs in.\r\n\r\nPARAMETER: -WinLogon\r\n    Items that are configured to run during the Windows logon process. Often these items are critical to the logon UI.\r\n\r\nPARAMETER: -AppInit\r\n    DLLs that are automatically loaded by every process that calls the User32.dll file (anything with a GUI).\r\n\r\nPARAMETER: -Explorer\r\n    Plugins or extensions that integrate into the Windows Explorer shell.\r\n\r\nPARAMETER: -Sidebar\r\n    Mini applications or gadgets that load into the desktop sidebar in earlier versions of Windows (introduced in Windows Vista).\r\n\r\nPARAMETER: -ImageHijacks\r\n    Registry modifications that redirect the execution of specific executable files to a different program.\r\n\r\nPARAMETER: -IEAddons\r\n    Browser extensions or toolbars that Internet Explorer will load automatically when it starts.\r\n\r\nPARAMETER: -KnownDLLs\r\n    Crucial system DLLs that Windows will load into memory at startup.\r\n\r\nPARAMETER: -WMIentries\r\n    Entries related to WMI scripts or providers that are set to execute automatically.\r\n\r\nPARAMETER: -WinSockProtocols\r\n    Modules or services meant to load up with the Windows network stack.\r\n\r\nPARAMETER: -Codecs\r\n    Software components meant to be used for encoding or decoding digital media streams (often set to run at system startup).\r\n\r\nPARAMETER: -PrinterMonitor\r\n    DLL's associated with printer drivers.\r\n\r\nPARAMETER: -LSAProviders\r\n    Plugins that integrate with the Local Security Authority subsystem.\r\n\r\nPARAMETER: -Services\r\n    Windows Services set to start Automatically.\r\n\r\nPARAMETER: -ScheduledTasks\r\n    These are tasks set in Task Scheduler to do something automatically at a specified interval.\r\n\r\nPARAMETER: -HideMicrosoftEntries\r\n    Hides Signed Microsoft Entries from the results.\r\n\r\nPARAMETER: -DestinationFolder\r\n    By default this script downloads autorunsc to the temp folder.\r\n\r\nPARAMETER: -DownloadUrl\r\n    URL to download Autoruns from.\r\n\r\nPARAMETER: -SkipSleep\r\n    Skips sleeping prior to downloading autorunsc.\r\n.OUTPUTS\r\n    None\r\n.NOTES\r\n    Minimum OS Architecture Supported: Windows 10, Server 2012\r\n    Release Notes: Initial Release\r\nBy using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https:\/\/www.ninjaone.com\/terms-of-use.\r\n    Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. \r\n    Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. \r\n    Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. \r\n    Warranty Disclaimer: The script is provided \u201cas is\u201d and \u201cas available\u201d, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. \r\n    Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. \r\n    Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. \r\n    EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).\r\n#&gt;\r\n\r\n[CmdletBinding()]\r\nparam (\r\n    [Parameter()]\r\n    [String]$CustomField,\r\n    [Parameter()]\r\n    [Switch]$Startup = [System.Convert]::ToBoolean($env:checkLogonStartupEntries),\r\n    [Parameter()]\r\n    [Switch]$Boot = [System.Convert]::ToBoolean($env:checkBootEntries),\r\n    [Parameter()]\r\n    [Switch]$WinLogon = [System.Convert]::ToBoolean($env:checkWinlogonEntries),\r\n    [Parameter()]\r\n    [Switch]$AppInit = [System.Convert]::ToBoolean($env:checkAppinitEntries),\r\n    [Parameter()]\r\n    [Switch]$Explorer = [System.Convert]::ToBoolean($env:checkExplorerAddons),\r\n    [Parameter()]\r\n    [Switch]$Sidebar = [System.Convert]::ToBoolean($env:checkSidebarGadgets),\r\n    [Parameter()]\r\n    [Switch]$ImageHijacks = [System.Convert]::ToBoolean($env:checkImageHijacks),\r\n    [Parameter()]\r\n    [Switch]$IEAddons = [System.Convert]::ToBoolean($env:checkInternetExplorerAddons),\r\n    [Parameter()]\r\n    [Switch]$KnownDLLs = [System.Convert]::ToBoolean($env:checkKnownDlls),\r\n    [Parameter()]\r\n    [Switch]$WMIentries = [System.Convert]::ToBoolean($env:checkWmiEntries),\r\n    [Parameter()]\r\n    [Switch]$WinSockProtocols = [System.Convert]::ToBoolean($env:checkWinsockProtocol),\r\n    [Parameter()]\r\n    [Switch]$Codecs = [System.Convert]::ToBoolean($env:checkCodecs),\r\n    [Parameter()]\r\n    [Switch]$PrinterMonitor = [System.Convert]::ToBoolean($env:checkPrinterMonitorDlls),\r\n    [Parameter()]\r\n    [Switch]$LSAProviders = [System.Convert]::ToBoolean($env:checkLsaSecurityProviders),\r\n    [Parameter()]\r\n    [Switch]$Services = [System.Convert]::ToBoolean($env:checkAutostartServices),\r\n    [Parameter()]\r\n    [Switch]$ScheduledTasks = [System.Convert]::ToBoolean($env:checkScheduledTasks),\r\n    [Parameter()]\r\n    [Switch]$HideMicrosoftEntries = [System.Convert]::ToBoolean($env:hideMicrosoftEntries),\r\n    [Parameter()]\r\n    [String]$DestinationFolder = \"$env:Temp\",\r\n    [Parameter()]\r\n    [String]$DownloadUrl = \"https:\/\/download.sysinternals.com\/files\/Autoruns.zip\",\r\n    [Parameter()]\r\n    [Switch]$SkipSleep = [System.Convert]::ToBoolean($env:skipSleep)\r\n)\r\n\r\nbegin {\r\n\r\n    # If Script Forms are used replace the parameters\r\n    if ($env:destinationFolder -and $env:DestinationFolder -notlike \"null\") { $DestinationFolder = $env:destinationFolder }\r\n    if ($env:downloadUrl -and $env:downloadUrl -notlike \"null\") { $DownloadUrl = $env:downloadUrl }\r\n    if ($env:customFieldName -and $env:customFieldName -notlike \"null\") { $CustomField = $env:customFieldName }\r\n\r\n    if ($PSVersionTable.PSVersion.Major -lt 5) {\r\n        function Expand-Archive {\r\n            [CmdletBinding()]\r\n            param(\r\n                [Parameter()]\r\n                [String]$Path,\r\n                [Parameter()]\r\n                [String]$DestinationPath,\r\n                [Parameter()]\r\n                [Switch]$Force\r\n            )\r\n            begin {\r\n                Add-Type -assembly \"System.IO.Compression.FileSystem\"\r\n            }\r\n            process {\r\n                if ($Force -and (Test-Path $DestinationPath)) {\r\n                    $ZipFile = [System.IO.Compression.ZipFile]::OpenRead($Path)\r\n\r\n                    $ZipFile.Entries | ForEach-Object {\r\n                        $Destination = [System.IO.Path]::Combine($DestinationPath, $_.FullName)\r\n                        $DestinationDir = [System.IO.Path]::GetDirectoryName($Destination)\r\n                        if (-not (Test-Path $DestinationDir)) {\r\n                            New-Item -ItemType Directory -Path $DestinationDir -Force\r\n                        }\r\n                        [System.IO.Compression.ZipFileExtensions]::ExtractToFile($_, $Destination, $True)\r\n                    }\r\n                    $ZipFile.Dispose()\r\n                }\r\n                else {\r\n                    [System.IO.Compression.ZipFile]::ExtractToDirectory($Path, $DestinationPath)\r\n                }\r\n            }\r\n        }\r\n    }\r\n\r\n    # Handy download function\r\n    function Invoke-Download {\r\n        param(\r\n            [Parameter()]\r\n            [String]$URL,\r\n            [Parameter()]\r\n            [String]$Path,\r\n            [Parameter()]\r\n            [Switch]$SkipSleep\r\n        )\r\n\r\n        Write-Host \"URL Given, Downloading the file...\"\r\n\r\n        $SupportedTLSversions = [enum]::GetValues('Net.SecurityProtocolType')\r\n        if ( ($SupportedTLSversions -contains 'Tls13') -and ($SupportedTLSversions -contains 'Tls12') ) {\r\n            [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol::Tls13 -bor [System.Net.SecurityProtocolType]::Tls12\r\n        }\r\n        elseif ( $SupportedTLSversions -contains 'Tls12' ) {\r\n            [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12\r\n        }\r\n        else {\r\n            # Not everything requires TLS 1.2, but we'll try anyways.\r\n            Write-Warning \"TLS 1.2 and or TLS 1.3 isn't supported on this system. This download may fail!\"\r\n            if ($PSVersionTable.PSVersion.Major -lt 3) {\r\n                Write-Warning \"PowerShell 2 \/ .NET 2.0 doesn't support TLS 1.2.\"\r\n            }\r\n        }\r\n\r\n        $i = 1\r\n        While ($i -lt 4) {\r\n            if (-not ($SkipSleep)) {\r\n                $SleepTime = Get-Random -Minimum 3 -Maximum 60\r\n                Start-Sleep -Seconds $SleepTime\r\n            }\r\n\r\n            Write-Host \"Download Attempt $i\"\r\n\r\n            try {\r\n                $WebClient = New-Object System.Net.WebClient\r\n                $WebClient.DownloadFile($URL, $Path)\r\n            }\r\n            catch {\r\n                Write-Warning \"An error has occurred while downloading!\"\r\n            }\r\n\r\n            $File = Test-Path -Path $Path -ErrorAction SilentlyContinue\r\n            if ($File) {\r\n                $i = 4\r\n            }\r\n            else {\r\n                $i++\r\n            }\r\n        }\r\n\r\n        if (-not $File) { \r\n            Write-Error -Message \"File failed to download!\" -Category DeviceError -Exception (New-Object System.Exception)\r\n            Exit 1 \r\n        }\r\n    }\r\n\r\n    # Need to set Regkey to accept EULA\r\n    function Set-RegKey {\r\n        param (\r\n            $Path,\r\n            $Name,\r\n            $Value,\r\n            [ValidateSet(\"DWord\", \"QWord\", \"String\", \"ExpandedString\", \"Binary\", \"MultiString\", \"Unknown\")]\r\n            $PropertyType = \"DWord\"\r\n        )\r\n        if (-not $(Test-Path -Path $Path)) {\r\n            # Check if path does not exist and create the path\r\n            New-Item -Path $Path -Force | Out-Null\r\n        }\r\n        if ((Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue)) {\r\n            # Update property and print out what it was changed from and changed to\r\n            $CurrentValue = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name\r\n            try {\r\n                Set-ItemProperty -Path $Path -Name $Name -Value $Value -Force -Confirm:$false -ErrorAction Stop | Out-Null\r\n            }\r\n            catch {\r\n                Write-Error -Message \"[Error] Unable to Set registry key for $Name please see below error!\" -Category DeviceError -Exception (New-Object System.Exception)\r\n                Write-Error $_\r\n                exit 1\r\n            }\r\n            Write-Host \"$Path\\$Name changed from $CurrentValue to $($(Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name)\"\r\n        }\r\n        else {\r\n            # Create property with value\r\n            try {\r\n                New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $PropertyType -Force -Confirm:$false -ErrorAction Stop | Out-Null\r\n            }\r\n            catch {\r\n                Write-Error -Message \"[Error] Unable to Set registry key for $Name please see below error!\" -Category DeviceError -Exception (New-Object System.Exception)\r\n                Write-Error $_\r\n                exit 1\r\n            }\r\n            Write-Host \"Set $Path\\$Name to $($(Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name)\"\r\n        }\r\n    }\r\n\r\n    function Set-NinjaProperty {\r\n        [CmdletBinding()]\r\n        Param(\r\n            [Parameter(Mandatory = $True)]\r\n            [String]$Name,\r\n            [Parameter()]\r\n            [String]$Type,\r\n            [Parameter(Mandatory = $True, ValueFromPipeline = $True)]\r\n            $Value,\r\n            [Parameter()]\r\n            [String]$DocumentName\r\n        )\r\n\r\n        $Characters = $Value | Measure-Object -Character | Select-Object -ExpandProperty Characters\r\n        if($Characters -ge 10000){\r\n            throw [System.ArgumentOutOfRangeException]::New(\"Character limit exceeded, value is greater than 10,000 characters.\")\r\n        }\r\n    \r\n        # If we're requested to set the field value for a Ninja document we'll specify it here.\r\n        $DocumentationParams = @{}\r\n        if ($DocumentName) { $DocumentationParams[\"DocumentName\"] = $DocumentName }\r\n    \r\n        # This is a list of valid fields that can be set. If no type is given, it will be assumed that the input doesn't need to be changed.\r\n        $ValidFields = \"Attachment\", \"Checkbox\", \"Date\", \"Date or Date Time\", \"Decimal\", \"Dropdown\", \"Email\", \"Integer\", \"IP Address\", \"MultiLine\", \"MultiSelect\", \"Phone\", \"Secure\", \"Text\", \"Time\", \"URL\", \"WYSIWYG\"\r\n        if ($Type -and $ValidFields -notcontains $Type) { Write-Warning \"$Type is an invalid type! Please check here for valid types. https:\/\/ninjarmm.zendesk.com\/hc\/en-us\/articles\/16973443979789-Command-Line-Interface-CLI-Supported-Fields-and-Functionality\" }\r\n    \r\n        # The field below requires additional information to be set\r\n        $NeedsOptions = \"Dropdown\"\r\n        if ($DocumentName) {\r\n            if ($NeedsOptions -contains $Type) {\r\n                # We'll redirect the error output to the success stream to make it easier to error out if nothing was found or something else went wrong.\r\n                $NinjaPropertyOptions = Ninja-Property-Docs-Options -AttributeName $Name @DocumentationParams 2&gt;&amp;1\r\n            }\r\n        }\r\n        else {\r\n            if ($NeedsOptions -contains $Type) {\r\n                $NinjaPropertyOptions = Ninja-Property-Options -Name $Name 2&gt;&amp;1\r\n            }\r\n        }\r\n    \r\n        # If an error is received it will have an exception property, the function will exit with that error information.\r\n        if ($NinjaPropertyOptions.Exception) { throw $NinjaPropertyOptions }\r\n    \r\n        # The below type's require values not typically given in order to be set. The below code will convert whatever we're given into a format ninjarmm-cli supports.\r\n        switch ($Type) {\r\n            \"Checkbox\" {\r\n                # While it's highly likely we were given a value like \"True\" or a boolean datatype it's better to be safe than sorry.\r\n                $NinjaValue = [System.Convert]::ToBoolean($Value)\r\n            }\r\n            \"Date or Date Time\" {\r\n                # Ninjarmm-cli expects the GUID of the option to be selected. Therefore, the given value will be matched with a GUID.\r\n                $Date = (Get-Date $Value).ToUniversalTime()\r\n                $TimeSpan = New-TimeSpan (Get-Date \"1970-01-01 00:00:00\") $Date\r\n                $NinjaValue = $TimeSpan.TotalSeconds\r\n            }\r\n            \"Dropdown\" {\r\n                # Ninjarmm-cli is expecting the guid of the option we're trying to select. So we'll match up the value we were given with a guid.\r\n                $Options = $NinjaPropertyOptions -replace '=', ',' | ConvertFrom-Csv -Header \"GUID\", \"Name\"\r\n                $Selection = $Options | Where-Object { $_.Name -eq $Value } | Select-Object -ExpandProperty GUID\r\n    \r\n                if (-not $Selection) {\r\n                    throw [System.ArgumentOutOfRangeException]::New(\"Value is not present in dropdown\")\r\n                }\r\n    \r\n                $NinjaValue = $Selection\r\n            }\r\n            default {\r\n                # All the other types shouldn't require additional work on the input.\r\n                $NinjaValue = $Value\r\n            }\r\n        }\r\n    \r\n        # We'll need to set the field differently depending on if its a field in a Ninja Document or not.\r\n        if ($DocumentName) {\r\n            $CustomField = Ninja-Property-Docs-Set -AttributeName $Name -AttributeValue $NinjaValue @DocumentationParams 2&gt;&amp;1\r\n        }\r\n        else {\r\n            $CustomField = Ninja-Property-Set -Name $Name -Value $NinjaValue 2&gt;&amp;1\r\n        }\r\n    \r\n        if ($CustomField.Exception) {\r\n            throw $CustomField\r\n        }\r\n    }\r\n\r\n    # Test for elevation\r\n    function Test-IsElevated {\r\n        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()\r\n        $p = New-Object System.Security.Principal.WindowsPrincipal($id)\r\n        $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)\r\n    }\r\n\r\n    $ExitCode = 0\r\n}\r\nprocess {\r\n\r\n    # Take the script parameters and translate them into Autoruns options.\r\n    if ($Startup) { $AutorunOptions = \"l\" }\r\n    if ($Boot) { $AutorunOptions = \"$($AutorunOptions)b\" }\r\n    if ($Winlogon) { $AutorunOptions = \"$($AutorunOptions)w\" }\r\n    if ($AppInit) { $AutorunOptions = \"$($AutorunOptions)d\" }\r\n    if ($Explorer) { $AutorunOptions = \"$($AutorunOptions)e\" }\r\n    if ($Sidebar) { $AutorunOptions = \"$($AutorunOptions)g\" }\r\n    if ($ImageHijacks) { $AutorunOptions = \"$($AutorunOptions)h\" }\r\n    if ($IEAddons) { $AutorunOptions = \"$($AutorunOptions)i\" }\r\n    if ($KnownDLLs) { $AutorunOptions = \"$($AutorunOptions)k\" }\r\n    if ($WMIentries) { $AutorunOptions = \"$($AutorunOptions)m\" }\r\n    if ($WinSockProtocols) { $AutorunOptions = \"$($AutorunOptions)n\" }\r\n    if ($Codecs) { $AutorunOptions = \"$($AutorunOptions)o\" }\r\n    if ($PrinterMonitor) { $AutorunOptions = \"$($AutorunOptions)p\" }\r\n    if ($LSAProviders) { $AutorunOptions = \"$($AutorunOptions)r\" }\r\n    if ($Services) { $AutorunOptions = \"$($AutorunOptions)s\" }\r\n    if ($ScheduledTasks) { $AutorunOptions = \"$($AutorunOptions)t\" }\r\n\r\n    if (-not $AutorunOptions){\r\n        Write-Error -Message \"No Autoruns options selected. Please at least select one option to search for autostart entries.\" -Category InvalidArgument -Exception (New-Object System.ArgumentNullException)\r\n        exit 1\r\n    }\r\n\r\n    # Download the file and unzip its contents\r\n    $DownloadArguments = @{\r\n        URL  = $DownloadUrl\r\n        Path = \"$DestinationFolder\\Autoruns.zip\"\r\n    }\r\n    if ($SkipSleep) { $DownloadArguments[\"SkipSleep\"] = $true }\r\n\r\n    # Download and unzip\r\n    Invoke-Download @DownloadArguments\r\n    Expand-Archive -Path \"$DestinationFolder\\Autoruns.zip\" -DestinationPath \"$DestinationFolder\\Autoruns\" -Force\r\n\r\n    if (-not (Test-Path \"$DestinationFolder\\Autoruns\\autorunsc64.exe\" -ErrorAction SilentlyContinue)) {\r\n        Write-Error -Message \"Failed to unzip Autoruns\" -Category DeviceError -Exception (New-Object System.Exception)\r\n        exit 1\r\n    }\r\n\r\n    # Now that we have the options create an argument list using those options\r\n    $ArgumentList = New-Object System.Collections.Generic.List[string]\r\n    $ArgumentList.Add(\"-a $AutorunOptions\")\r\n    $ArgumentList.Add(\"-h\")\r\n    $ArgumentList.Add(\"-c\")\r\n    $ArgumentList.Add(\"-s\")\r\n    if ($HideMicrosoftEntries) { $ArgumentList.Add(\"-m\") }\r\n\r\n    # Accept EULA\r\n    Set-RegKey -Path \"HKCU:\\SOFTWARE\\Sysinternals\\AutoRuns\" -Name \"EulaAccepted\" -Value 1\r\n\r\n    # Run autoruns and store the results as a csv and then import the results into powershell\r\n    Start-Process \"$DestinationFolder\\Autoruns\\autorunsc64.exe\" -ArgumentList $ArgumentList -NoNewWindow -RedirectStandardOutput \"$DestinationFolder\\Autoruns\\autorunsc.csv\" -Wait\r\n    $AutorunResults = Import-Csv \"$DestinationFolder\\Autoruns\\autorunsc.csv\" | Where-Object { $_.Entry } | Sort-Object Entry | Select-Object Entry, \"Entry Location\", \"Image Path\", Signer, MD5\r\n\r\n    if (-not ($AutorunResults)) {\r\n        Write-Error -Message \"No startup entries found. Is Autorunsc being blocked?\" -Category InvalidResult -Exception (New-Object System.ApplicationException)\r\n        $ExitCode = 1\r\n    }\r\n\r\n    # Set the custom field with the Autoruns results.\r\n    if ($CustomField) {\r\n        if ($PSVersionTable.PSVersion.Major -lt 3) {\r\n            Write-Warning \"Ninjarmm-cli does not support setting custom fields using PowerShell 2.0\"\r\n            $ExitCode = 1\r\n        }\r\n        \r\n        if ( -not (Test-IsElevated)) {\r\n            Write-Warning \"Script must be elevated in order to write to custom field.\"\r\n            $ExitCode = 1\r\n        }\r\n\r\n        try {\r\n            Write-Host \"Attempting to set Custom Field '$CustomField'.\"\r\n            $htmlTable = $AutorunResults | ConvertTo-HTML -Fragment\r\n            Set-NinjaProperty -Name $CustomField -Value $htmlTable\r\n            Write-Host \"Successfully set Custom Field '$CustomField'!\"\r\n        }\r\n        catch {\r\n            $_\r\n            $ExitCode = 1\r\n        }\r\n    }\r\n\r\n    # Clean up our leftover files.\r\n    Remove-Item \"$DestinationFolder\\Autoruns\" -Recurse -Force\r\n    Remove-Item \"$DestinationFolder\\Autoruns.zip\" -Force\r\n\r\n    # Output results into activity log. Using Format-List due to size of table.\r\n    $AutorunResults | Sort-Object Entry | Format-List\r\n\r\n    exit $ExitCode\r\n}\r\nend {\r\n    \r\n    \r\n    \r\n}<\/pre>\n<p>&nbsp;<\/p>\n\n<div class=\"in-context-cta\"><p style=\"text-align: center;\">Accedi a oltre 700 script nel Dojo di NinjaOne<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.ninjaone.com\/it\/prova-gratuita\/\">Ottieni l&#8217;accesso<\/a><\/p>\n<\/div>\n<h2>Analisi dettagliata<\/h2>\n<p>Lo script inizia impostando i parametri che consentono agli utenti di specificare vari tipi di voci di esecuzione automatica da sottoporre a verifica, come le applicazioni di avvio, gli eseguibili di avvio e le attivit\u00e0 pianificate. Scarica lo strumento Autorunsc, lo esegue con i parametri scelti e raccoglie i risultati.<\/p>\n<p><em>Passaggi chiave dello script:<\/em><\/p>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\"><strong>Inizializzazione dei parametri:<\/strong> Gli utenti possono selezionare il tipo di voci di esecuzione automatica che desiderano verificare, come elementi di avvio, attivit\u00e0 pianificate o servizi.<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"2\" data-aria-level=\"1\"><strong>Scaricare Autorunsc:<\/strong> Lo script scarica automaticamente Autorunsc da Sysinternals.<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"3\" data-aria-level=\"1\"><strong>Esecuzione e gestione degli output:<\/strong> Autorunsc viene eseguito con i parametri specificati e il suo output viene formattato in un formato leggibile.<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"4\" data-aria-level=\"1\"><strong>Scrittura del campo personalizzato:<\/strong> opzionalmente, i risultati possono essere scritti in un campo personalizzato, a condizione che lo script sia eseguito con privilegi elevati.<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"5\" data-aria-level=\"1\"><strong>Pulizia:<\/strong> dopo l&#8217;esecuzione, lo script ripulisce i file scaricati e generati temporaneamente.<\/li>\n<\/ul>\n<h2>Casi d&#8217;uso potenziali<\/h2>\n<p>Immagina un professionista IT che sospetta l&#8217;esecuzione di software non autorizzato o dannoso all&#8217;avvio nei sistemi della propria organizzazione. L&#8217;esecuzione di questo script consente di verificare rapidamente tutti gli elementi di avvio e di identificare eventuali applicazioni indesiderate o sospette, migliorando la sicurezza e le prestazioni del sistema.<\/p>\n<h2>Confronti<\/h2>\n<p>I metodi tradizionali di verifica degli elementi di avvio spesso prevedono il controllo manuale di varie posizioni del sistema o l&#8217;utilizzo di strumenti separati per i diversi tipi di avvio. Lo script semplifica e consolida il processo, utilizzando un unico strumento (Autorunsc) per verificare una gamma completa di voci di autorun. Rispetto ai metodi manuali, questo script consente di risparmiare tempo e di ridurre la probabilit\u00e0 di trascurare voci critiche di esecuzione automatica.<\/p>\n<h2>Domande frequenti<\/h2>\n<p>D1: Questo script \u00e8 adatto a tutte le versioni di Windows?<br \/>\nR1: Lo script \u00e8 progettato per Windows 10 e Server 2012 e versioni successive.<\/p>\n<p>D2: Ho bisogno di privilegi amministrativi per eseguire questo script?<br \/>\nR2: S\u00ec, per alcune operazioni, come la scrittura in un campo personalizzato, sono necessari i privilegi amministrativi.<\/p>\n<p>D3: Lo script \u00e8 in grado di identificare il malware?<br \/>\nR3: Sebbene sia in grado di identificare elementi di avvio non autorizzati o sconosciuti, sono necessarie ulteriori analisi per determinare se si tratta di malware.<\/p>\n<h2>Implicazioni<\/h2>\n<p>L&#8217;uso di questo script per la verifica degli elementi di avvio \u00e8 significativo per la sicurezza informatica. L&#8217;identificazione e la gestione delle voci di esecuzione automatica possono impedire l&#8217;esecuzione di <a href=\"https:\/\/www.ninjaone.com\/it\/blog\/5-passi-per-rimuovere-il-malware-dal-computer\/\" target=\"_blank\" rel=\"noopener\">malware<\/a> all&#8217;avvio e migliorare le prestazioni del sistema. Tuttavia, \u00e8 importante analizzare attentamente i risultati delle verifiche per evitare falsi positivi e garantire che il software legittimo non venga inavvertitamente bloccato.<\/p>\n<h2>Raccomandazioni<\/h2>\n<p>Le best practice nell&#8217;utilizzo di questo script includono:<\/p>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"1\" data-aria-level=\"1\">Verifiche regolari per mantenere l&#8217;integrit\u00e0 del sistema.<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"2\" data-aria-level=\"1\">Eseguire lo script con privilegi amministrativi per ottenere la piena funzionalit\u00e0.<\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"3\" data-aria-level=\"1\">Analisi attenta dei risultati delle verifiche per identificare e prendere provvedimenti adeguati contro le voci di esecuzione automatica non autorizzate o non necessarie.<\/li>\n<\/ul>\n<h2>Considerazioni finali<\/h2>\n<p>Nel contesto di una gestione efficiente del sistema IT, strumenti come NinjaOne, abbinati a efficaci script come lo script PowerShell di verifica con Autorunsc, possono migliorare significativamente la capacit\u00e0 di un professionista IT di mantenere l&#8217;integrit\u00e0 e la sicurezza del sistema. La piattaforma completa di gestione IT di NinjaOne, integrata con tali <a href=\"https:\/\/www.ninjaone.com\/it\/script-hub\/\" target=\"_blank\" rel=\"noopener\">script<\/a>, offre una soluzione efficiente per il <a href=\"https:\/\/www.ninjaone.com\/it\/gestione-impresa\/infrastruttura\/\" target=\"_blank\" rel=\"noopener\">monitoraggio, la gestione e la protezione delle infrastrutture IT<\/a>.<\/p>\n","protected":false},"author":35,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"","_relevanssi_noindex_reason":"","_lmt_disableupdate":"no","_lmt_disable":""},"operating_system":[4212],"use_cases":[4269],"class_list":["post-251511","script_hub","type-script_hub","status-publish","hentry","script_hub_category-windows"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.ninjaone.com\/it\/wp-json\/wp\/v2\/script_hub\/251511","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ninjaone.com\/it\/wp-json\/wp\/v2\/script_hub"}],"about":[{"href":"https:\/\/www.ninjaone.com\/it\/wp-json\/wp\/v2\/types\/script_hub"}],"author":[{"embeddable":true,"href":"https:\/\/www.ninjaone.com\/it\/wp-json\/wp\/v2\/users\/35"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ninjaone.com\/it\/wp-json\/wp\/v2\/comments?post=251511"}],"wp:attachment":[{"href":"https:\/\/www.ninjaone.com\/it\/wp-json\/wp\/v2\/media?parent=251511"}],"wp:term":[{"taxonomy":"script_hub_category","embeddable":true,"href":"https:\/\/www.ninjaone.com\/it\/wp-json\/wp\/v2\/operating_system?post=251511"},{"taxonomy":"use_cases","embeddable":true,"href":"https:\/\/www.ninjaone.com\/it\/wp-json\/wp\/v2\/use_cases?post=251511"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}