Registry Run Keys: Maintaining Persistence

Intro

Registry run keys in Windows start programs, scripts, or commands when the computer boots or when a user logs in. They simplify IT management and improve the user experience by removing steps a user would otherwise have to complete at logon. Want to start Outlook on login? Easy. Start malware on login…even in safe mode? Just as easy. Adversaries use the same keys to maintain persistence on a compromised host.

Explained
Common Run Registry Keys and Descriptions

HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
    Programs, scripts, or commands placed in this key will run automatically when the current user logs on to the system. Entries in this key apply only to the current user, not to all users on the system.

    e.g., New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "StartMalware" -Value "C:\Windows\Malware.exe" -PropertyType "String"

    e.g., reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "StartMalware" /t REG_SZ /d "C:\Windows\Malware.exe"

HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Programs, scripts, or commands placed in this key will run only once when the current user logs on to the system. After running, the entries are removed from this key, regardless of whether the execution was successful. This key is also specific to the current user.

    By default, these keys are ignored when the computer is started in Safe Mode. The value name of RunOnce keys can be prefixed with an asterisk (*) to force the program to run even in Safe Mode.

    You can prefix a RunOnce value name with an exclamation point (!) to defer deletion of the value until after the command runs. Without the exclamation point prefix, if the RunOnce operation fails, the associated program will not be asked to run the next time you start the computer.

    e.g., New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce" -Name "!StartMalware" -Value "C:\Windows\Malware.exe" -PropertyType "String"

    e.g., reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "!StartMalware" /t REG_SZ /d "C:\Windows\Malware.exe"

    e.g., New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce" -Name "*!StartMalware" -Value "C:\Windows\Malware.exe" -PropertyType "String"

    e.g., reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "*!StartMalware" /t REG_SZ /d "C:\Windows\Malware.exe"

HKLM:\Software\Microsoft\Windows\CurrentVersion\Run
    Programs, scripts, or commands placed in this key will run automatically when any user logs on to the system. Entries in this key apply to all users on the system.

HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Programs, scripts, or commands placed in this key will run only once when any user logs on to the system. After running, the entries are removed from this key, regardless of whether the execution was successful. This key applies to all users on the system.

    By default, these keys are ignored when the computer is started in Safe Mode. The value name of RunOnce keys can be prefixed with an asterisk (*) to force the program to run even in Safe Mode.

    You can prefix a RunOnce value name with an exclamation point (!) to defer deletion of the value until after the command runs. Without the exclamation point prefix, if the RunOnce operation fails, the associated program will not be asked to run the next time you start the computer.

    e.g., New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce" -Name "!StartMalware" -Value "C:\Windows\Malware.exe" -PropertyType "String"

    e.g., reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "!StartMalware" /t REG_SZ /d "C:\Windows\Malware.exe"

    e.g., New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce" -Name "*!StartMalware" -Value "C:\Windows\Malware.exe" -PropertyType "String"

    e.g., reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "*!StartMalware" /t REG_SZ /d "C:\Windows\Malware.exe"

HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
    Similar to the RunOnce key, the RunOnceEx key allows you to specify programs, scripts, or commands to run only once. However, this key provides additional features, such as running items in a specific order and displaying a custom title while items are running. This key applies to all users on the system.

HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    This key is used by Windows NT-based operating systems (such as Windows 2000) and is not applicable to modern Windows versions. In those older systems, programs, scripts, or commands placed in this key would run once as services during system startup.

HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    This key is also used by Windows NT-based operating systems and is not applicable to modern Windows versions. In those older systems, programs, scripts, or commands placed in this key would run once as services for the current user during system startup.

HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices
    Like RunServicesOnce, this key is used by Windows NT-based operating systems and is not applicable to modern Windows versions. In those older systems, programs, scripts, or commands placed in this key would run as services during system startup and continue running in the background.

HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices
    Similar to the other RunServices keys, this key is used by Windows NT-based operating systems and is not applicable to modern Windows versions. In those older systems, programs, scripts, or commands placed in this key would run as services for the current user during system startup and continue running in the background.

HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Programs, scripts, or commands placed in this key will run automatically when any user logs on to the system. This key is typically used in corporate or managed environments, as it can be controlled by Group Policy settings. Entries in this key apply to all users on the system.

HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Programs, scripts, or commands placed in this key will run automatically when the current user logs on to the system. This key can also be controlled by Group Policy settings in a corporate or managed environment but only applies to the current user. Using this key allows administrators to enforce specific startup behavior for individual users rather than applying settings system-wide.

Collecting Evidence

The following script collects evidence from the most common run registry keys and writes the results to a CSV file at C:\temp\run_registry_keys.csv. Each row records the key, the value name, the value data, and a ready-made Remove-ItemProperty command for clean-up.

# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.

$RegistryKeys = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
)

$Results = @()

$ExcludedProperties = @("PSPath", "PSParentPath", "PSChildName", "PSDrive", "PSProvider")

foreach ($KeyPath in $RegistryKeys) {
    try {
        # The legacy RunServices* keys do not exist on modern Windows; -ErrorAction Stop routes that to the catch block
        $KeyItems = Get-Item -Path $KeyPath -ErrorAction Stop
        $KeyProperties = $KeyItems | Get-ItemProperty

        foreach ($PropertyName in $KeyProperties.PSObject.Properties.Name) {
            # Skip the provider metadata PowerShell attaches to every registry object
            if ($ExcludedProperties -notcontains $PropertyName) {
                $RemoveCommand = "Remove-ItemProperty -Path `"$KeyPath`" -Name `"$PropertyName`""
                $Result = New-Object PSObject -Property @{
                    RegistryKey   = $KeyPath
                    PropertyName  = $PropertyName
                    PropertyValue = $KeyProperties.$PropertyName
                    RemoveCommand = $RemoveCommand
                }

                $Results += $Result
            }
        }

        # RunOnceEx stores its commands in numbered subkeys, so walk those as well
        if ($KeyPath -eq "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx") {
            $KeyItems = Get-ChildItem -Path $KeyPath -Recurse
            foreach ($SubKey in $KeyItems) {
                # $SubKey.Name is "HKEY_LOCAL_MACHINE\...", which becomes a usable path with the Registry:: provider prefix
                $SubKeyPath = "Registry::$($SubKey.Name)"
                $SubKeyProperties = Get-ItemProperty -LiteralPath $SubKeyPath

                foreach ($SubPropertyName in $SubKeyProperties.PSObject.Properties.Name) {
                    if ($ExcludedProperties -notcontains $SubPropertyName) {
                        $RemoveCommand = "Remove-ItemProperty -LiteralPath `"$SubKeyPath`" -Name `"$SubPropertyName`""
                        $Result = New-Object PSObject -Property @{
                            RegistryKey   = $SubKeyPath
                            PropertyName  = $SubPropertyName
                            PropertyValue = $SubKeyProperties.$SubPropertyName
                            RemoveCommand = $RemoveCommand
                        }

                        $Results += $Result
                    }
                }
            }
        }
    }
    catch {
        Write-Host "Error accessing registry key: $KeyPath" -ForegroundColor Red
        Continue
    }
}

# Export-Csv does not create missing directories, so make sure C:\temp exists first
New-Item -ItemType Directory -Path "C:\temp" -Force | Out-Null
$Results | Select-Object RegistryKey, PropertyName, PropertyValue, RemoveCommand | Export-Csv -Path "C:\temp\run_registry_keys.csv" -NoTypeInformation

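As an added example (not part of the original post), the following PowerShell triages entries in the shape the collection script exports, flagging the RunOnce prefixes described in the table above along with other traits an analyst checks first. The sample entries and the Get-RunKeyTriage function name are constructed for this example.

```powershell
# Constructed sample entries in the shape the collection script exports; not from a real host.
$SampleEntries = @(
    [pscustomobject]@{ RegistryKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
                       PropertyName  = 'OneDrive'
                       PropertyValue = '"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background' }
    [pscustomobject]@{ RegistryKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
                       PropertyName  = '*!StartMalware'
                       PropertyValue = 'C:\Windows\Malware.exe' }
    [pscustomobject]@{ RegistryKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
                       PropertyName  = 'Updater'
                       PropertyValue = 'powershell.exe -w hidden -enc SQBFAFgA' }
)

# Get-RunKeyTriage (hypothetical name) tags each entry with the traits an analyst
# checks first and scores it by the number of tags.
function Get-RunKeyTriage {
    param([Parameter(Mandatory)][object[]]$Entries)
    # Script hosts and proxy binaries that rarely belong in a run key value
    $Interpreters = 'powershell', 'pwsh', 'cmd', 'wscript', 'cscript', 'mshta', 'rundll32', 'regsvr32'
    # Directories any user can write to; most vendor software is installed elsewhere
    $UserWritable = '\\AppData\\', '\\Temp\\', '\\Users\\Public\\', '\\ProgramData\\'
    foreach ($Entry in $Entries) {
        $Flags     = New-Object System.Collections.Generic.List[string]
        $Value     = [string]$Entry.PropertyValue
        $IsRunOnce = $Entry.RegistryKey -match 'RunOnce'
        # '*' prefix: the RunOnce value executes even in Safe Mode
        if ($IsRunOnce -and $Entry.PropertyName -match '^\*')  { $Flags.Add('SafeModeForced') }
        # '!' prefix: the value is deleted only after the command has run
        if ($IsRunOnce -and $Entry.PropertyName -match '^\*?!') { $Flags.Add('DeferredDeletion') }
        foreach ($Name in $Interpreters) {
            if ($Value -match "(^|[\\\s`"])$Name(\.exe)?([\s`"]|$)") { $Flags.Add("Interpreter:$Name"); break }
        }
        # An encoded command or hidden window conceals what actually runs
        if ($Value -match '\s-enc(odedcommand)?\s|-w(indowstyle)?\s+hidden') { $Flags.Add('EncodedOrHidden') }
        foreach ($Dir in $UserWritable) {
            if ($Value -match $Dir) { $Flags.Add('UserWritablePath'); break }
        }

        [pscustomobject]@{
            RegistryKey   = $Entry.RegistryKey
            PropertyName  = $Entry.PropertyName
            PropertyValue = $Value
            Flags         = ($Flags -join ';')
            Score         = $Flags.Count
        }
    }
}

# Highest score first; a single flag is a lead to verify, not a verdict
Get-RunKeyTriage -Entries $SampleEntries | Sort-Object Score -Descending | Format-Table -AutoSize
```

To run it against real output, replace $SampleEntries with Import-Csv "C:\temp\run_registry_keys.csv".
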
Conclusion

After going through all these run keys, it is clear that they play a critical role in automating the execution of programs, scripts, or commands during system startup or user login. The same mechanism serves malicious actors just as well, so it is essential to monitor these registry keys and investigate any unexpected entries.