Run/RunOnce Registry Keys

The Run and RunOnce keys specify what programs will start during a logon event. These keys are located in both the NTUSER.dat and SOFTWARE hives.

Analysis Value

File Path

Operating System Availability

| Major Version | Support | Major Version | Support |
| Windows 11 | | Server 2019 | |
| Windows 10 | | Server 2016 | |
| Windows 8 | | Server 2012 | |
| Windows 7 | | Server 2008 | |
| Windows Vista | | Server 2003 | |
| Windows XP | | | |

Artifact File Location(s)

These keys may exist in two locations:

NTUSER.DAT

  • Files

    • (Windows Vista - 10): %UserProfile%\NTUSER.dat

    • (Windows XP): C:\Documents and Settings\{USER_NAME}\NTUSER.dat

  • Keys

    • \Software\Microsoft\Windows\CurrentVersion\Run

    • \Software\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE Hive

  • File: %SystemRoot%\System32\Config\SOFTWARE

  • Keys

    • \SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    • \SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Artifact Parsers

  • RegistryExplorer (Eric Zimmerman)

  • AutoRuns (Sysinternals)

Artifact Interpretation

NTUSER.DAT

The following keys will contain full paths to the executables that will start on logon for the account that owns this particular NTUSER.DAT hive:

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce

Disabled autoruns will appear in a sub-key named "AutorunsDisabled."

On a live system, the HKEY_CURRENT_USER registry hive is the loaded NTUSER.dat hive.

SOFTWARE

The following keys will contain full paths to the executables that will start on logon for any user on the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Analysis Tips

It is possible to obtain evidence of execution for processes that have executed as a result of these registry keys using the EventID 9707: Command Execution Started event.

If the system is booted into Safe Mode, these keys will be ignored. A RunOnce entry preceded by an asterisk (*) will ignore this restriction.

The RunOnce entry is typically deleted before the command is executed, regardless of its return value. If preceded by an exclamation point (!), the RunOnce entry will be deleted after the command has executed, and only if the command returned successfully.
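The interpretation rules above can be applied mechanically to an exported .reg file. The following is an added example, not part of the original page or of any tool it lists: the function name parse_autoruns, the output field names, and the sample export are constructed for illustration, and the code assumes the * and ! prefixes sit at the start of the RunOnce value name.

```python
import re

# Constructed sample in .reg export format (not taken from a real system).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\upd\\updater.exe\" /quiet"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"OldTool"="C:\\Tools\\old.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*Repair"="C:\\Windows\\Temp\\repair.exe"
"!Setup"="C:\\Setup\\finish.cmd"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Agent"="C:\\Program Files\\Agent\\agent.exe"
'''

KEY_RE = re.compile(r'^\[(HKEY_[A-Z_]+)\\(.+)\]$')
# Only quoted string (REG_SZ) values are handled; hex-encoded values are skipped.
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
SUFFIXES = {r'\currentversion\run': 'Run', r'\currentversion\runonce': 'RunOnce',
            r'\policies\explorer\run': 'Run'}

def unescape(s):
    # .reg exports escape backslashes and double quotes with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def parse_autoruns(reg_text):
    """Return one dict per string value found under a Run/RunOnce key."""
    rows, ctx = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            root, path = m.group(1), '\\' + m.group(2).lower()
            # Disabled entries live in an "AutorunsDisabled" sub-key.
            disabled = path.endswith('\\autorunsdisabled')
            if disabled:
                path = path[:-len('\\autorunsdisabled')]
            kind = next((k for s, k in SUFFIXES.items() if path.endswith(s)), None)
            ctx = (root, kind, disabled) if kind else None
        elif ctx and (m := VAL_RE.match(line)):
            root, kind, disabled = ctx
            name, once = unescape(m.group(1)), kind == 'RunOnce'
            rows.append({
                'name': name, 'command': unescape(m.group(2)), 'key': kind,
                # HKLM entries start for any user; other roots belong to the hive owner.
                'scope': 'any user' if root == 'HKEY_LOCAL_MACHINE' else 'hive owner',
                'disabled': disabled,
                'runs_in_safe_mode': once and name.startswith('*'),
                'deleted_after_success': once and name.startswith('!'),
            })
    return rows
```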
