Run / RunOnce Persistence Keys

Windows, Persistence Mechanisms, Disk Image

Location

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run (per-user) and SOFTWARE\Microsoft\Windows\CurrentVersion\Run (machine-wide)

Description

Registry Run and RunOnce keys that specify programs to execute at user logon (NTUSER.DAT) or system startup (SOFTWARE hive). RunOnce entries are deleted after execution. Both per-user and machine-wide variants exist.

Forensic Value

Run keys are the most common registry persistence mechanism used by malware and attackers. Entries contain the full command line executed at every logon, revealing persistence payloads including encoded PowerShell, mshta calls, or paths to dropped binaries. RunOnce entries execute once and self-delete, but may still be recovered from registry transaction logs or VSS snapshots. Comparing current entries against a known-good baseline immediately identifies attacker additions.

Tools Required

  • KAPE
  • Registry Explorer (Eric Zimmerman)
  • RegRipper
  • Autoruns (Sysinternals)

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target RegistryHives

reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" && reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

Autoruns

autorunsc.exe -a l -ct -h -s -v -vt > C:\output\autoruns_logon.csv

RegRipper

rip.exe -r C:\output\NTUSER.DAT -p run
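The baseline comparison described under Forensic Value, applied to the output of the reg.exe command above, as an added example that is not part of the original page or of any of the listed tools. The sample output, the baseline, and the value names are constructed; the indicator patterns cover only the payload traits the text names (encoded PowerShell, mshta, dropped binaries in user-writable paths).

```python
import re

# Constructed sample of `reg query ...\Run` output (not from a real host); the
# "Updater" and "svchost" values are made-up attacker-style additions.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater    REG_SZ    powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    svchost    REG_SZ    mshta.exe C:\Users\Public\update.hta
"""

# Constructed known-good baseline: key path -> {value name: command line}.
RUN = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BASELINE = {
    "HKEY_LOCAL_MACHINE" + RUN: {"SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe"},
    "HKEY_CURRENT_USER" + RUN: {"OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
}

# reg.exe prints "    <name>    <REG_type>    <data>", fields separated by runs of spaces.
ENTRY_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")

# Command-line traits the Forensic Value section names as typical Run-key payloads.
SUSPICIOUS = [
    ("encoded powershell", re.compile(r"powershell.*\s-(enc|encodedcommand|e)\b", re.I)),
    ("mshta", re.compile(r"\bmshta(\.exe)?\b", re.I)),
    ("user-writable path", re.compile(r"\\Users\\Public\\|\\AppData\\Local\\Temp\\|\\ProgramData\\", re.I)),
]

def parse_reg_query(text):
    """Group `reg query` output into {key path: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
        elif current and (m := ENTRY_RE.match(line)):
            keys.setdefault(current, {})[m["name"]] = m["data"].strip()
    return keys

def find_deviations(parsed, baseline):
    """Return (key, name, data, reasons) for values missing from or changed vs. the baseline."""
    hits = []
    for key, values in parsed.items():
        for name, data in values.items():
            if baseline.get(key, {}).get(name) == data:
                continue  # exact match with the known-good baseline: nothing to report
            hits.append((key, name, data, [label for label, rx in SUSPICIOUS if rx.search(data)]))
    return hits
```

The HKCU branch of the reg.exe command reflects whichever account ran it, so per-user hives of other profiles on a disk image are better read offline with RegRipper or Registry Explorer and their output fed to the same comparison.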

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.

MITRE ATT&CK Techniques

  • T1547.001
  • T1112