Run/RunOnce Registry Keys
The Run and RunOnce keys specify what programs will start during a logon event. These keys are located in both the NTUSER.dat and SOFTWARE hives.
Operating System Availability
Major Version | Support | Major Version | Support
---|---|---|---
Windows 11 | ✅ | Server 2019 | ✅
Windows 10 | ✅ | Server 2016 | ✅
Windows 8 | ✅ | Server 2012 | ✅
Windows 7 | ✅ | Server 2008 | ✅
Windows Vista | ✅ | Server 2003 | ✅
Windows XP | ✅ | |
Artifact File Location(s)
These keys may exist in two locations:
NTUSER.DAT
Files (Windows Vista - 10):
%UserProfile%\NTUSER.dat
Files (Windows XP):
C:\Documents and Settings\{USER_NAME}\NTUSER.dat
Keys
\Software\Microsoft\Windows\CurrentVersion\Run
\Software\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE Hive
File:
%SystemRoot%\System32\Config\SOFTWARE
Keys
\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Artifact Parsers
RegistryExplorer (Eric Zimmerman)
AutoRuns (Sysinternals)
Artifact Interpretation
NTUSER.DAT
The following keys will contain full paths to the executables that will start on logon for the account that owns this particular NTUSER.DAT hive:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
Disabled autoruns will appear in a sub-key named "AutorunsDisabled."
On a live system, the HKEY_CURRENT_USER registry hive is the loaded NTUSER.dat hive.
SOFTWARE
The following keys will contain full paths to the executables that will start on logon for any user on the system:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Analysis Tips
It is possible to obtain evidence of execution for processes that were started as a result of these registry keys by using Event ID 9707 (Command Execution Started).
If the system is booted into Safe Mode, these keys will be ignored. A RunOnce entry whose name is preceded by an asterisk (*) will ignore this restriction.
The RunOnce entry is typically deleted before the command is executed, regardless of its return value. If the name is preceded by an exclamation point (!), the RunOnce entry will be deleted only after the command has executed, and only if the command returned successfully.
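The interpretation rules for the two hives and the RunOnce prefix semantics above, worked through in code. This is an added example, not part of the original page and not code from RegistryExplorer or AutoRuns; it parses the text that a `reg export` of these keys produces (the .reg sample embedded below is constructed, with made-up paths and value names), records whether each value comes from a per-user or machine-wide key, applies the `*` (Safe Mode) and `!` (delete after success) RunOnce rules, marks values found under an AutorunsDisabled sub-key, and flags executables that live in user-writable directories. That last rule is this example's own triage heuristic, not Windows behaviour: the OneDrive entry in the sample trips it, which shows it is a prompt for review rather than a verdict.

```python
"""Triage Run/RunOnce autostart values from a `reg export` text file (added example)."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample of what `reg export` of the keys on this page can look like.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svc\\update.exe -s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"OldTool"="C:\\Tools\\old.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*Setup"="C:\\Windows\\Temp\\setup.exe /quiet"
"!Cleanup"="\"C:\\Program Files\\Vendor\\cleanup.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"1"="C:\\ProgramData\\agent\\agent.exe"
'''

_ENTRY_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
# Heuristic (this example's own): directories a standard user can usually write to.
_USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
_EXE_EXT = (".exe", ".cmd", ".bat", ".com", ".vbs", ".js", ".ps1", ".scr", ".dll")


@dataclass
class AutorunEntry:
    key: str
    scope: str                  # "user" (NTUSER.DAT / HKCU) or "machine" (SOFTWARE / HKLM)
    kind: str                   # "Run", "RunOnce" or "policies\\Explorer\\Run"
    name: str                   # value name with any RunOnce prefix characters removed
    command: str
    executable: str
    disabled: bool              # value sits under an AutorunsDisabled sub-key
    safe_mode: bool             # RunOnce name prefixed with '*': still runs in Safe Mode
    delete_after_success: bool  # RunOnce name prefixed with '!': removed only after a successful run
    notes: List[str] = field(default_factory=list)


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def executable_from_command(command: str) -> str:
    """Pull the program path out of a Run value's command line."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    # Unquoted path containing spaces: grow the candidate until it ends with a known extension
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(_EXE_EXT):
            return candidate
    return tokens[0] if tokens else ""


def parse_reg_export(text: str) -> List[AutorunEntry]:
    entries: List[AutorunEntry] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _ENTRY_RE.match(line)
        if not m or not key:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
        value = m.group(2)
        if not (value.startswith('"') and value.endswith('"')):
            continue  # only string values carry commands here; hex:/dword: values are skipped
        command = _unescape(value[1:-1])

        upper = key.upper()
        disabled = upper.endswith("\\AUTORUNSDISABLED")
        base = upper[: -len("\\AUTORUNSDISABLED")] if disabled else upper
        if base.endswith("\\POLICIES\\EXPLORER\\RUN"):
            kind = "policies\\Explorer\\Run"
        elif base.endswith("\\RUNONCE"):
            kind = "RunOnce"
        elif base.endswith("\\RUN"):
            kind = "Run"
        else:
            continue
        scope = "machine" if upper.startswith("HKEY_LOCAL_MACHINE") else "user"

        safe_mode = delete_after = False
        if kind == "RunOnce":
            while name[:1] in ("*", "!"):   # prefixes may be combined in either order
                safe_mode |= name[0] == "*"
                delete_after |= name[0] == "!"
                name = name[1:]

        exe = executable_from_command(command)
        notes = []
        if any(p in exe.lower() for p in _USER_WRITABLE):
            notes.append("executable in a user-writable location")
        if safe_mode:
            notes.append("runs even in Safe Mode (*)")
        if delete_after:
            notes.append("deleted only after successful run (!)")
        entries.append(AutorunEntry(key, scope, kind, name, command, exe, disabled, safe_mode, delete_after, notes))
    return entries


if __name__ == "__main__":
    for e in parse_reg_export(SAMPLE_REG):
        state = "DISABLED" if e.disabled else "active"
        print(f"[{e.scope}/{e.kind}] {e.name}: {e.executable} ({state}) {'; '.join(e.notes)}")
```

Files written by `reg export` on a real system are UTF-16LE with a byte-order mark, so read them with `open(path, encoding="utf-16")` before passing the text to `parse_reg_export`. Because the values are keyed by hive path, the same parser handles an export taken from a loaded NTUSER.dat (HKEY_CURRENT_USER) and one taken from the SOFTWARE hive (HKEY_LOCAL_MACHINE).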