# Run/RunOnce Registry Keys

The `Run` and `RunOnce` keys specify which programs start during a logon event. They exist in both the NTUSER.DAT hive (per-user entries) and the SOFTWARE hive (entries that apply to every user on the system).

## Analysis Value

{% content-ref url="../../artifacts-by-activity/file-activity/file-path" %}
[file-path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path)
{% endcontent-ref %}

## Operating System Availability

| Major Version | Support | Major Version | Support |
| ------------- | ------- | ------------- | ------- |
| Windows 11    | ✅       | Server 2019   | ✅       |
| Windows 10    | ✅       | Server 2016   | ✅       |
| Windows 8     | ✅       | Server 2012   | ✅       |
| Windows 7     | ✅       | Server 2008   | ✅       |
| Windows Vista | ✅       | Server 2003   | ✅       |
| Windows XP    | ✅       |               |         |

## Artifact File Location(s)

{% tabs %}
{% tab title="🔌 Offline System" %}
These keys may exist in two locations:

**NTUSER.DAT**

* Files
  * (Windows Vista - 10): `%UserProfile%\NTUSER.dat`
  * (Windows XP): `C:\Documents and Settings\{USER_NAME}\NTUSER.dat`
* Keys
  * `\Software\Microsoft\Windows\CurrentVersion\Run`
  * `\Software\Microsoft\Windows\CurrentVersion\RunOnce`

**SOFTWARE Hive**

* File: `%SystemRoot%\System32\Config\SOFTWARE`
* Keys
  * `\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
  * `\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`
  * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run`
{% endtab %}

{% tab title="🔋 Live System" %}
These keys may exist in two locations:

**NTUSER.DAT**

* Keys
  * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run`
  * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce`

**SOFTWARE Hive**

* Keys
  * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
  * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`
  * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run`
{% endtab %}
{% endtabs %}

## Artifact Parsers

* RegistryExplorer (Eric Zimmerman)
* AutoRuns (Sysinternals)

## Artifact Interpretation

### NTUSER.DAT

The following keys will contain full paths to the executables that will start on **logon** for the account that owns this particular `NTUSER.DAT` hive:

* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce`

Autorun entries that have been disabled will appear in a sub-key named `AutorunsDisabled` rather than being removed.

{% hint style="info" %}
On a live system, the HKEY\_CURRENT\_USER registry hive is the loaded NTUSER.dat hive.
{% endhint %}

### SOFTWARE

The following keys will contain full paths to the executables that will start on **logon** for any user on the system:

* `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
* `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`
* `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run`

## Analysis Tips

Evidence of execution for processes launched through these registry keys can be obtained from the [evtx-9707-shell-core](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-shell-core/evtx-9707-shell-core "mention") event.

{% hint style="info" %}
If the system is booted into Safe Mode, these keys are ignored. A `RunOnce` entry whose name is preceded by an asterisk (`*`) ignores this restriction and runs even in Safe Mode.
{% endhint %}

{% hint style="info" %}
A `RunOnce` entry is normally deleted before its command is executed, regardless of the command's return value. If the entry name is preceded by an exclamation point (`!`), the entry is deleted only after the command has executed, and only if the command returned successfully.
{% endhint %}
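As an added example (not code from this page or from any tool it names), the following PowerShell enumerates every key listed under Artifact Interpretation on a live system, includes the `AutorunsDisabled` sub-keys, and flags the `*` and `!` `RunOnce` prefixes described in the hints above. The function names and the `Get-ExecutablePath` helper are my own; it assumes an elevated PowerShell session on the host being examined.

```powershell
# Added example, not from the original page: triage the Run/RunOnce keys on a live system.
# Assumes an elevated PowerShell session on the host being examined (needed for HKLM keys).

# The key paths documented above; HKCU: is the loaded NTUSER.DAT of the current user.
$AutorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
)

# Hypothetical helper: best-effort extraction of the executable from a stored command line.
# Quoted paths are honoured; an unquoted path containing spaces is cut at the first space.
function Get-ExecutablePath {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 1) { return $expanded.Substring(1, $end - 1) }
    }
    return ($expanded -split '\s+', 2)[0]
}

function Get-AutorunEntries {
    param([string[]]$Keys = $AutorunKeys)

    foreach ($key in $Keys) {
        # Disabled entries are moved to the AutorunsDisabled sub-key, so check it as well.
        foreach ($path in @($key, "$key\AutorunsDisabled")) {
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $item = Get-Item -LiteralPath $path
            foreach ($name in $item.GetValueNames()) {
                if ($name -eq '') { continue }    # skip the unnamed (Default) value
                # Keep %VARIABLES% unexpanded so the record shows what is actually stored.
                $command   = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                $isRunOnce = $key -like '*\RunOnce'
                $exe = Get-ExecutablePath -Command ([string]$command)
                $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
                    (Get-AuthenticodeSignature -FilePath $exe).Status
                } else { 'FileMissing' }

                [pscustomobject]@{
                    Hive               = if ($key -like 'HKLM:*') { 'SOFTWARE' } else { 'NTUSER.DAT' }
                    Key                = $path
                    Disabled           = $path -ne $key
                    Name               = $name
                    # RunOnce name prefixes from the hints: '*' also runs in Safe Mode,
                    # '!' deletes the entry only after the command completes successfully.
                    RunsInSafeMode     = $isRunOnce -and $name.StartsWith('*')
                    DeleteAfterSuccess = $isRunOnce -and $name.StartsWith('!')
                    Command            = $command
                    Executable         = $exe
                    Signature          = $sig
                }
            }
        }
    }
}

# Usage: tabular view for triage, or CSV for the case file.
Get-AutorunEntries | Sort-Object Hive, Key, Name | Format-Table -AutoSize
# Get-AutorunEntries | Export-Csv -NoTypeInformation -Path .\autoruns-registry.csv
```

For an offline NTUSER.DAT, load it first with `reg load HKU\Offline <path-to-NTUSER.DAT>` and pass the mounted paths (for example `Registry::HKEY_USERS\Offline\Software\Microsoft\Windows\CurrentVersion\Run`) to `-Keys`; unload with `reg unload HKU\Offline` when finished. Entries whose executable is missing or unsigned, and `RunOnce` entries carrying the `*` or `!` prefix, are the ones worth correlating with the event-log evidence mentioned above.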
