Run / RunOnce Keys
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Run and RunOnce keys are the oldest and most documented persistence mechanism in the Windows ecosystem. Any value placed here automatically executes its payload at user logon or system boot: system-wide from the SOFTWARE hive or per-user from NTUSER.DAT. Adversaries still rely on this daily, banking on the sheer volume of legitimate entries to hide in plain sight.
Key Name
{Arbitrary Value Name} — REG_SZ containing the command line to execute. RunOnce entries self-delete after a single execution.
Trace Type
Persistence Execution
Hive
SOFTWARE (machine-wide) and NTUSER.DAT (per-user, via HKCU\SOFTWARE\...)
Last Write Time
The key's Last Write Time marks when an entry was last added or modified — a precise timestamp for when persistence was installed or updated by an attacker.
User Specific
Yes (NTUSER.DAT variant) / No (SOFTWARE hive variant applies to all users at machine scope)
Forensic Value
- Confirm active persistence: Any unexpected entry here is a red flag. Sophisticated actors may pivot from Run keys to more stealthy methods like AppInit_DLLs to maintain a deeper foothold.
- Timestamp the compromise: The Last Write Time on the Run key directly dates when the persistence was installed. Compare this with Scheduled Tasks creation times to identify multi-stage infection vectors.
- Identify naming camouflage: Payloads frequently use names like WindowsUpdate.exe in user-writable paths to blend with legitimate system entries.
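As an added example (not part of this reference), the triage that the three points above describe, in Python and run over constructed Run-key entries: it extracts the launched program from each REG_SZ command line, flags user-writable locations, flags system-looking names running outside the Windows directory (generalising the WindowsUpdate.exe case), and correlates the key's Last Write Time with scheduled-task creation times. The directory list, the look-alike name set, the sample entries and the task name are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed heuristics for this example: directories an unprivileged user can write
# to, and executable names that should only ever run from under the Windows directory.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
SYSTEM_LOOKALIKES = {"windowsupdate.exe", "svchost.exe", "explorer.exe", "lsass.exe"}
# Program in an unquoted command line: shortest prefix ending in an executable extension
# that is followed by whitespace, a comma (rundll32-style "x.dll,Entry") or end of string.
EXE_RE = re.compile(r"^(.+?\.(?:exe|dll|scr|bat|cmd|vbs|js|ps1))(?=[\s,]|$)", re.IGNORECASE)

@dataclass
class RunEntry:
    hive: str             # "SOFTWARE" (machine-wide) or "NTUSER.DAT" (per-user)
    key: str              # "Run" or "RunOnce"
    name: str             # value name chosen by whoever installed the entry
    command: str          # REG_SZ command line
    last_write: datetime  # Last Write Time of the Run/RunOnce key, UTC

def executable_path(command: str) -> str:
    """Return the program a Run value launches, for quoted and unquoted command lines."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else (command.split() or [""])[0]

def triage(entry: RunEntry) -> list[str]:
    """Flag the indicators the page calls out: user-writable paths and naming camouflage."""
    exe = executable_path(entry.command).lower()
    findings = []
    if any(d in exe for d in USER_WRITABLE):
        findings.append("executable lives in a user-writable path")
    basename = exe.rsplit("\\", 1)[-1]
    if basename in SYSTEM_LOOKALIKES and "\\windows\\" not in exe:
        findings.append(f"system-looking name {basename} outside the Windows directory")
    return findings

def correlate(entry: RunEntry, task_created: dict[str, datetime], window=timedelta(minutes=10)) -> list[str]:
    """Scheduled tasks created within `window` of the key's Last Write Time (multi-stage hint)."""
    return [t for t, ts in task_created.items() if abs(ts - entry.last_write) <= window]
# Constructed sample: a stock Windows entry beside a per-user entry mimicking a system name.
SAMPLE = [
    RunEntry("SOFTWARE", "Run", "SecurityHealth", r'"C:\Windows\System32\SecurityHealthSystray.exe"',
             datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)),
    RunEntry("NTUSER.DAT", "Run", "WindowsUpdate", r"C:\Users\alice\AppData\Roaming\WindowsUpdate.exe /silent",
             datetime(2024, 3, 5, 14, 32, tzinfo=timezone.utc)),
]
SAMPLE_TASKS = {r"\ConstructedUpdaterTask": datetime(2024, 3, 5, 14, 35, tzinfo=timezone.utc)}
```

Feed it the entries parsed from the live keys or from an acquired hive; the second sample entry yields two findings plus a task created three minutes after the key was written.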
For more information, see these articles: AppInit, ScheduledTasks