Run/RunOnce Registry Keys

The Run and RunOnce keys specify what programs will start during a logon event. These keys are located in both the NTUSER.dat and SOFTWARE hives.

Analysis Value

pageFile Path

Operating System Availability

Major VersionSupportMajor VersionSupport

Windows 11

Server 2019

Windows 10

Server 2016

Windows 8

Server 2012

Windows 7

Server 2008

Windows Vista

Server 2003

Windows XP

Artifact File Location(s)

These keys may exist in two locations:


  • Files

    • (Windows Vista - 10): %UserProfile%\NTUSER.dat

    • (Windows XP): C:\Documents and Settings\{USER_NAME}\NTUSER.dat

  • Keys

    • \Software\Microsoft\Windows\CurrentVersion\Run

    • \Software\Microsoft\Windows\CurrentVersion\RunOnce


  • File: %SystemRoot%\System32\Config\SOFTWARE

  • Keys

    • \SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    • \SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Artifact Parsers

  • RegistryExplorer (Eric Zimmerman)

  • AutoRuns (Sysinternals)

Artifact Interpretation


The following keys will contain full paths to the executables that will start on logon for the account that owns this particular NTUSER.DAT hive:

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce

Disabled autoruns will appear in a sub-key named "AutorunsDisabled."

On a live system, the HKEY_CURRENT_USER registry hive is the loaded NTUSER.dat hive.


The following keys will contain full paths to the executables that will start on logon for any user on the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Analysis Tips

It is possible to obtain evidence of execution for processes that have executed as a result of these registry keys using the EventID 9707: Command Execution Started event.

If the system is booted into Safe Mode, these keys will be ignored. A RunOnce key proceeded by an asterisk will ignore this restriction.

The RunOnce entry is typically deleted before the command is executed, regardless of its return value. If proceeded by and exclamation point, the RunOnce key will be deleted after the command has executed, and only if the command returned successfully.

Last updated