Persistence / beginner

Registry Run Keys

Malware writes a value under a Run/RunOnce registry key so its executable launches automatically every time the user logs on. This is the oldest and most common Windows persistence mechanism.

The simplest and most enduring Windows persistence technique is to add a value to one of the "Run" registry keys. Windows reads these keys during the logon sequence and launches every command line they contain. Because the mechanism is documented, reliable, and requires no special privileges for the per-user hives, almost every commodity malware family supports it.

The value's data is simply a command line: usually the full path to the malware's executable, sometimes with arguments or wrapped in an interpreter such as mshta, rundll32, or powershell. Values under RunOnce execute a single time and are then deleted, which droppers and installers favour.

How it works

The two most-abused keys are the per-user and machine-wide Run keys:

```text
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
```

A typical entry written by a dropper looks like:

```text
Key:   HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Name:  OneDriveUpdate
Data:  "C:\Users\Public\svchost.exe" -silent
```

The HKLM variants require administrative rights but persist for all users and survive a per-user cleanup. Attackers also abuse less-watched relatives such as ...\RunServices, ...\Policies\Explorer\Run, and the WOW6432Node redirected copies on 64-bit systems. The value name is frequently chosen to masquerade as a legitimate updater (OneDriveUpdate, Adobe, WindowsDefender).

Detection & analysis

Static analysis:

  • In a captured sample, look for the literal subkey strings (CurrentVersion\Run) and calls to RegSetValueExW/RegCreateKeyExW. Obfuscated samples may build these paths as stack strings, so run FLOSS first.
  • Triage a live or imaged host with Autoruns (Sysinternals): the "Logon" tab enumerates every Run/RunOnce key and flags unsigned or unverified entries. Autoruns' "Hide Microsoft Entries" filter quickly isolates suspicious values.
  • Offline registry forensics: parse NTUSER.DAT (per-user) and the SOFTWARE hive (machine-wide) with RegRipper or Registry Explorer; the value's last-write timestamp dates the infection.

Dynamic analysis:

  • Run the sample under Procmon filtered on Operation is RegSetValue and Path contains \Run to capture the exact key, value name, and data as they are written.
  • Sysmon Event ID 13 (RegistryEvent: Value Set) records Run-key writes with the writing process image — the highest-signal telemetry for this technique. Sysmon Event ID 12 covers key creation.

Detection rule hint:

Alert on any process writing a value under \CurrentVersion\Run or \RunOnce whose data points outside trusted install directories (e.g., into %AppData%, %Temp%, %Public%, or ProgramData), or whose writing process is a script interpreter or freshly dropped binary. Cross-reference the value name against a baseline of known-good autoruns.
