Run/RunOnce Registry Keys
The Run and RunOnce keys specify what programs will start during a logon event. These keys are located in both the NTUSER.dat and SOFTWARE hives.
Windows 11     ✅    Server 2019    ✅
Windows 10     ✅    Server 2016    ✅
Windows 8      ✅    Server 2012    ✅
Windows 7      ✅    Server 2008    ✅
Windows Vista  ✅    Server 2003    ✅
Windows XP     ✅
These keys may exist in two locations:
NTUSER.DAT
Files
(Windows Vista - 10): %UserProfile%\NTUSER.dat
(Windows XP): C:\Documents and Settings\{USER_NAME}\NTUSER.dat
Keys
\Software\Microsoft\Windows\CurrentVersion\Run
\Software\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE Hive
File: %SystemRoot%\System32\Config\SOFTWARE
Keys
\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
RegistryExplorer (Eric Zimmerman)
AutoRuns (Sysinternals)
The following keys will contain full paths to the executables that will start on logon for the account that owns this particular NTUSER.DAT hive:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
Entries disabled through Autoruns are moved into a sub-key named "AutorunsDisabled" beneath the corresponding Run key.
The following keys will contain full paths to the executables that will start on logon for any user on the system:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Evidence of execution for programs started from these registry keys can be obtained from Event ID 9707 (Command Execution Started).
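The key locations above and the Event ID 9707 check can be combined into a single triage pass. The following PowerShell is an added example, not code from the original page or from either tool it lists: it assumes an elevated session on a live Windows host, that the Microsoft-Windows-Shell-Core/Operational log (where event 9707 is written) is enabled, and that the event carries the command line in a data field named "Command" (the first data field is used as a fallback); the offline-hive path in the comments is a placeholder.

```powershell
# Added example (not part of the original page): enumerate Run/RunOnce
# autostart entries from the machine hive and every loaded user hive, then
# look for evidence of execution in Shell-Core event 9707.
# Assumptions: elevated PowerShell on a live host; the
# Microsoft-Windows-Shell-Core/Operational log is enabled; event 9707 stores
# the command line in its 'Command' data field (first data field as fallback).

$runKeyPaths = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Get-RunKeyEntries {
    param(
        [Parameter(Mandatory)][string] $HiveRoot,   # 'HKLM:' or 'Registry::HKEY_USERS\<SID>'
        [Parameter(Mandatory)][string] $Scope
    )
    foreach ($relative in $runKeyPaths) {
        # Autoruns moves entries it disables into an AutorunsDisabled sub-key; report those too.
        foreach ($suffix in @('', '\AutorunsDisabled')) {
            $keyPath = "$HiveRoot\$relative$suffix"
            if (-not (Test-Path -LiteralPath $keyPath)) { continue }
            $key = Get-Item -LiteralPath $keyPath
            foreach ($name in $key.GetValueNames()) {
                # Keep REG_EXPAND_SZ data unexpanded so the analyst sees exactly what was stored.
                $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                [pscustomobject]@{
                    Scope    = $Scope
                    Key      = $keyPath
                    Name     = $name
                    Command  = [string]$data
                    Disabled = ($suffix -ne '')
                }
            }
        }
    }
}

function Get-ExecutableName([string] $CommandLine) {
    # File name of the first token of a command line ("C:\x\a.exe" /arg -> a.exe).
    $m = [regex]::Match($CommandLine.Trim(), '^"([^"]+)"|^(\S+)')
    $first = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
    $first = [Environment]::ExpandEnvironmentVariables($first)
    return (($first -split '[\\/]')[-1]).ToLowerInvariant()
}

# Loaded user hives (NTUSER.DAT) appear under HKEY_USERS\<SID>. An NTUSER.DAT taken
# from an image (placeholder path below) can be mounted and queried the same way;
# loading can modify the file, so do it on a copy:
#   reg.exe load HKU\Evidence E:\case\NTUSER.DAT
#   Get-RunKeyEntries -HiveRoot 'Registry::HKEY_USERS\Evidence' -Scope 'offline'
#   reg.exe unload HKU\Evidence
$userHives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-(18|19|20|21-[\d-]+)$' }
$entries = @(
    Get-RunKeyEntries -HiveRoot 'HKLM:' -Scope 'machine'
    foreach ($hive in $userHives) {
        $sid = $hive.PSChildName
        Get-RunKeyEntries -HiveRoot "Registry::HKEY_USERS\$sid" -Scope "user:$sid"
    }
)

# Evidence of execution: Shell-Core logs event 9707 when it starts a Run/RunOnce command.
$executed = @{}   # executable name -> ArrayList of TimeCreated
$filter = @{ LogName = 'Microsoft-Windows-Shell-Core/Operational'; Id = 9707 }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($evt in $events) {
    $xml = [xml]$evt.ToXml()
    $fields = @($xml.Event.EventData.Data)
    $node = $fields |
        Where-Object { $_ -is [System.Xml.XmlElement] -and $_.GetAttribute('Name') -eq 'Command' } |
        Select-Object -First 1
    if (-not $node) { $node = $fields[0] }
    $text = if ($node -is [System.Xml.XmlElement]) { $node.InnerText } else { [string]$node }
    $exe = Get-ExecutableName $text
    if (-not $exe) { continue }
    if (-not $executed.ContainsKey($exe)) { $executed[$exe] = New-Object System.Collections.ArrayList }
    [void]$executed[$exe].Add($evt.TimeCreated)
}

# Join each registry entry to the 9707 events for the same executable name.
$report = foreach ($e in $entries) {
    $times = $executed[(Get-ExecutableName $e.Command)]
    [pscustomobject]@{
        Scope           = $e.Scope
        Name            = $e.Name
        Command         = $e.Command
        Disabled        = $e.Disabled
        ExecutionEvents = [int]$times.Count
        LastStarted     = if ($times) { $times | Sort-Object -Descending | Select-Object -First 1 } else { $null }
    }
}
$report | Sort-Object Scope, Name | Format-Table -AutoSize -Wrap
```

The join is a heuristic on the executable's file name, so two entries that launch differently located binaries with the same name will both match the same events; compare the full command lines in the output before drawing a conclusion. RunOnce values are deleted once they have run, so for a RunOnce entry the 9707 event may be the only trace that remains after the key itself is gone.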