Created
August 3, 2025 07:01
register remover paste
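# Per-user application audit.
#
# Appends a report to %USERPROFILE%\stealth_app_monitor.log listing
#   1. folders under %LOCALAPPDATA%\Programs whose name matches no DisplayName
#      in the current user's Uninstall registry key, and
#   2. Start Menu shortcuts whose target lies under %LOCALAPPDATA%\Programs,
# then opens the log in Notepad.
#
# Reading the results:
#   - The folder-name/DisplayName comparison is an exact string match, so a
#     legitimately registered app whose folder name differs from its display
#     name is also reported. Treat every hit as a lead to verify (publisher,
#     signature, install date), not as a verdict.
#   - Only the HKCU Uninstall key is consulted; machine-wide (HKLM) entries
#     are not checked.
#   - The log sits in the user's own profile, so any process running as that
#     user can edit it. Do not rely on it as tamper-evident evidence.

$logFile = "$env:USERPROFILE\stealth_app_monitor.log"
$scanTime = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
"`n[Scan started: $scanTime]" | Out-File -FilePath $logFile -Append

# 1. Scan LocalAppData user programs (per-user installs)
$appDirs = Get-ChildItem "$env:LOCALAPPDATA\Programs" -Directory -ErrorAction SilentlyContinue

# Uninstall entries are not required to carry a DisplayName. Drop those that
# lack one before expanding the property, otherwise Select-Object raises an
# error for each such entry.
$registeredApps = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue |
    Where-Object { $_.PSObject.Properties['DisplayName'] } |
    Select-Object -ExpandProperty DisplayName

foreach ($app in $appDirs) {
    $name = $app.Name
    if (-not ($registeredApps -contains $name)) {
        $appPath = $app.FullName
        $lastWrite = $app.LastWriteTime.ToString("yyyy-MM-dd HH:mm")
        "⚠️ Unregistered app detected: $name (`"$appPath`") [Modified: $lastWrite]" | Out-File -FilePath $logFile -Append
    }
}

# 2. Optionally list suspicious Start Menu shortcuts
# Get-ChildItem returns plain file objects for .lnk files; their Target
# property does not hold the shortcut's destination, so filtering on it never
# matches. The destination has to be read from the shortcut itself, which the
# WScript.Shell COM object exposes as TargetPath.
$shell = New-Object -ComObject WScript.Shell
$shortcuts = Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs" -Recurse -Include *.lnk -ErrorAction SilentlyContinue |
    Where-Object { $shell.CreateShortcut($_.FullName).TargetPath -like "$env:LOCALAPPDATA\Programs\*" }

foreach ($shortcut in $shortcuts) {
    "🧭 Shortcut to user-installed app: $($shortcut.FullName)" | Out-File -FilePath $logFile -Append
}

"[Scan complete: $(Get-Date -Format "HH:mm:ss")]" | Out-File -FilePath $logFile -Append

# Show the accumulated report to the user.
notepad $logFile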