This manuscript mainly describes how to implement a real-time startup monitor and make it as a real-time malware blocker. The startup monitor will issue a warning dialog to user immediately when a registry run key is changed by some program to make itself auto-start. If the concerned auto-start program is not what the user is currently installing, then the user can intuitively click the "No" button to let startup monitor cancel registry variation and protect computer from being occupied by malware. WMI (Windows Management Instrumentation) is mainly used to achieve the goal of real-time monitoring on changes of registry run keys.