Run / RunOnce Persistence Keys
Tags: windows, Persistence Mechanisms, Disk Image
Location
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run (per-user) and SOFTWARE\Microsoft\Windows\CurrentVersion\Run (machine-wide), plus the sibling RunOnce keys at the same paths
Description
Registry Run and RunOnce keys that specify programs to execute at user logon (NTUSER.DAT) or at system startup (SOFTWARE hive). RunOnce entries are deleted after they execute. Both per-user and machine-wide variants exist.
Forensic Value
Run keys are the most common registry persistence mechanism used by malware and attackers. Each entry holds the full command line executed at every logon, which exposes the persistence payload: encoded PowerShell, mshta calls, or paths to dropped binaries. RunOnce entries execute once and self-delete, but the deleted values can often still be recovered from the hive's registry transaction logs (.LOG1/.LOG2) or from VSS snapshots. Comparing current entries against a known-good baseline immediately isolates attacker additions from legitimate autostart software.
Tools Required
KAPE, Registry Explorer (Eric Zimmerman), RegRipper, Autoruns (Sysinternals)
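The baseline comparison described under Forensic Value, as an added worked example that is not part of this catalogue entry or of any of the tools listed above. It parses two REGEDIT5-style exports of the per-user Run key (the format `reg export` writes, assumed already decoded from UTF-16 to text), reports every value that is new or changed relative to the baseline, and tags each addition with the indicators the entry mentions (encoded PowerShell switches, mshta, executables under user-writable directories). The export text, the value names and the paths are constructed sample data; the parser is generic enough to handle RunOnce and the HKLM keys as well, since it keys results by registry path.

```python
import re
from typing import Dict, List

# Constructed sample data (not from any real system): two .reg exports of the
# per-user Run key, one from a known-good baseline and one from the image
# under examination. The base64 blob is the UTF-16LE string "ABC".
BASELINE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

CURRENT_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="powershell.exe -w hidden -enc QQBCAEMA"
"Helper"="mshta.exe C:\\Users\\alice\\AppData\\Roaming\\h.hta"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data" with backslash-escaped quotes and backslashes inside both parts
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # .reg exports escape backslashes and double quotes with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(reg_text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: string_data}} for a .reg export.

    Only REG_SZ values ("name"="data") are parsed, which is what Run and
    RunOnce entries are; binary and DWORD values are skipped.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = keys.setdefault(km.group(1), {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            current[_unescape(vm.group(1))] = _unescape(vm.group(2))
    return keys


# Indicators named in the entry: PowerShell's -EncodedCommand switch and its
# accepted abbreviations, an mshta launcher, and a payload living under a
# user-writable directory. These are triage hints, not verdicts.
INDICATORS = [
    ("encoded PowerShell", re.compile(r'(?:^|\s)-(?:e|ec|enc|encodedcommand)\b', re.I)),
    ("mshta launcher", re.compile(r'\bmshta(?:\.exe)?\b', re.I)),
    ("executable in user-writable path",
     re.compile(r'\\(?:AppData|Temp|ProgramData|Downloads)\\', re.I)),
]


def flag_indicators(command_line: str) -> List[str]:
    """Labels of every indicator pattern that matches the command line."""
    return [label for label, rx in INDICATORS if rx.search(command_line)]


def find_additions(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, str]:
    """Entries present in `current` that are absent from, or changed since, `baseline`."""
    return {name: cmd for name, cmd in current.items() if baseline.get(name) != cmd}


def triage(baseline_reg: str, current_reg: str) -> List[dict]:
    """Diff every key in the current export against the baseline and tag additions."""
    base = parse_reg_export(baseline_reg)
    cur = parse_reg_export(current_reg)
    findings = []
    for key_path, entries in cur.items():
        for name, cmd in find_additions(base.get(key_path, {}), entries).items():
            findings.append({"key": key_path, "name": name, "command": cmd,
                             "indicators": flag_indicators(cmd)})
    return findings


if __name__ == "__main__":
    for f in triage(BASELINE_REG, CURRENT_REG):
        print(f"{f['key']}\\{f['name']}: {f['command']}  <- {', '.join(f['indicators']) or 'no indicator'}")
```

Note that the baseline OneDrive entry would also trip the user-writable-path indicator on its own, which is exactly why the diff against a known-good baseline runs first and the indicators are applied only to what the diff surfaces. On a real case the two exports would come from the hives KAPE collected (current) and from a clean reference image or the same host's earlier snapshot (baseline).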