| Plugin | Hive | What it gives |
|---|---|---|
| run | SOFTWARE / NTUSER | Run keys |
| runonceex | SOFTWARE | RunOnceEx |
| cmdproc | NTUSER | cmd autorun |
| appinitdlls | SOFTWARE | DLL injection |
| appcertdlls | SYSTEM | AppCert DLL persistence |
| imagefile | SOFTWARE | IFEO hijacks |
| svcdll | SYSTEM | Service DLLs |
| services | SYSTEM | Services |
| taskcache | SOFTWARE | Scheduled tasks |
| tasks | SOFTWARE | Task definitions |
| scriptleturl | SOFTWARE / USRCLASS | COM hijack |
| inprocserver | SOFTWARE | CLSID DLL hijack |
| shelloverlay | SOFTWARE | Shell overlay hijack |
| winlogon_tln | SOFTWARE | Winlogon persistence |
BLUE TEAM / DFI / ARTEFACT / WINDOWS / REGISTRY / RegRipper