These scripts create and compare registry baselines. By default, the registry keys inspected are common persistence locations (such as the Run and RunOnce keys). First take a baseline of a known-good system with Generate-RegistryBaseline, then use the Test-RegistryBaseline script to compare that baseline output against another running system.

The -TakeBaseline switch creates a new baseline. The registry keys that are checked are set by the -BaselineKeys option, which defaults to a list of common persistence locations. You may also pass a -Sid parameter to scan the user keys of a single user only (or of users matching a wildcard). The Sid value defaults to a wildcard so that all loaded user hives are inventoried.
PS C:\> Generate-RegistryBaseline | ConvertTo-Json | Out-File "baseline.json"
PS C:\>
PS C:\> Generate-RegistryBaseline -Sid "S-1-5*" | ConvertTo-Json | Out-File "baseline.json"
PS C:\>
PS C:\> Get-Content "baseline.json" | ConvertFrom-Json | Test-RegistryBaseline
Key                                                                                                  Name         Baseline  Value
---                                                                                                  ----         --------  -----
Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run This is Bad            %APPDATA%\malware.exe
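The following is an added example of the same baseline-and-compare workflow; it is not the Generate-RegistryBaseline or Test-RegistryBaseline script itself. The function names (Get-AutorunSnapshot, Compare-AutorunSnapshot), the key list and the demo data are assumptions made for this example. It reads the Run and RunOnce keys from HKLM and from every loaded user hive under HKEY_USERS matching a SID pattern, emits one object per value, and reports entries that were added, modified or removed relative to a saved baseline. Values are read with DoNotExpandEnvironmentNames so that an entry such as %APPDATA%\malware.exe is recorded as written rather than expanded to the path of whichever account ran the scan.

```powershell
# Added example (not the project's own code): snapshot common autorun keys
# and diff a later snapshot against a saved baseline.

$script:DefaultKeys = @(                       # machine-wide keys (assumed list)
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
$script:DefaultUserKeys = @(                   # relative paths checked in each user hive
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunSnapshot {
    param(
        [string[]]$Keys     = $script:DefaultKeys,
        [string[]]$UserKeys = $script:DefaultUserKeys,
        [string]$Sid        = '*'              # wildcard: every loaded user hive
    )
    # Resolve the per-user hives under HKEY_USERS whose SID matches the pattern
    # (the *_Classes hives are skipped; they hold no Run keys).
    $userHives = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like $Sid -and $_.PSChildName -notlike '*_Classes' }

    $paths = @($Keys)
    foreach ($hive in $userHives) {
        foreach ($uk in $UserKeys) { $paths += "Registry::HKEY_USERS\$($hive.PSChildName)\$uk" }
    }

    foreach ($path in $paths) {
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $item) { continue }           # key absent on this host
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Key   = $item.Name
                Name  = $name
                # keep %VAR% references literal so baselines compare across accounts
                Value = [string]$item.GetValue($name, $null,
                            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            }
        }
    }
}

function Compare-AutorunSnapshot {
    param(
        [Parameter(Mandatory)][object[]]$Baseline,
        [object[]]$Current = (Get-AutorunSnapshot)
    )
    $base = @{}                                # "Key|Name" -> baseline value
    foreach ($b in $Baseline) { $base["$($b.Key)|$($b.Name)"] = $b.Value }
    $seen = @{}
    foreach ($c in $Current) {
        $id = "$($c.Key)|$($c.Name)"
        $seen[$id] = $true
        if (-not $base.ContainsKey($id)) {
            [pscustomobject]@{ Change = 'Added';    Key = $c.Key; Name = $c.Name; Baseline = $null;     Value = $c.Value }
        } elseif ($base[$id] -ne $c.Value) {
            [pscustomobject]@{ Change = 'Modified'; Key = $c.Key; Name = $c.Name; Baseline = $base[$id]; Value = $c.Value }
        }
    }
    foreach ($id in $base.Keys) {              # entries present in baseline but gone now
        if (-not $seen.ContainsKey($id)) {
            $k, $n = $id -split '\|', 2
            [pscustomobject]@{ Change = 'Removed'; Key = $k; Name = $n; Baseline = $base[$id]; Value = $null }
        }
    }
}

# Workflow on real hosts (same shape as the page's session):
#   Get-AutorunSnapshot | ConvertTo-Json | Out-File baseline.json           # on a known-good host
#   $baseline = Get-Content -Raw baseline.json | ConvertFrom-Json
#   Compare-AutorunSnapshot -Baseline $baseline | Format-Table -AutoSize    # on the host under review

# Constructed demo data (not taken from a real system) exercising the comparison logic:
$runKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$demoBaseline = @(
    [pscustomobject]@{ Key = $runKey; Name = 'SecurityHealth'; Value = 'C:\Windows\system32\SecurityHealthSystray.exe' }
)
$demoCurrent = $demoBaseline + [pscustomobject]@{ Key = $runKey; Name = 'This is Bad'; Value = '%APPDATA%\malware.exe' }
Compare-AutorunSnapshot -Baseline $demoBaseline -Current $demoCurrent | Format-Table -AutoSize
# The demo reports one 'Added' row for the "This is Bad" value with an empty Baseline column,
# which is the same condition the page's Test-RegistryBaseline output above shows.
```

Because the comparison is keyed on key path plus value name, a changed command line for an existing autorun name surfaces as Modified rather than as a new entry, and an entry deleted since the baseline surfaces as Removed; both are worth reviewing alongside the Added rows, since attackers sometimes overwrite a legitimate autorun rather than creating a new one.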