Run/RunOnce/RunOnceEx

The Run, RunOnce and RunOnceEx registry keys are used by both legitimate and malicious programs to launch themselves after user logon. All three are set up the same way, but there are a few differences:



Run : Run keys will run the associated command on every logon until the key is removed.
RunOnce : As the name implies, RunOnce keys will only run the command once and then the key is automatically deleted.
RunOnceEx : RunOnceEx keys act like RunOnce keys but will only be deleted if the command executes successfully.


The Run key locations (dependent on Windows version) are:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run


Run keys are by far the most common method of persistence and are the first place you should start looking when trying to track down a piece of malware. Keep in mind, though, that they are often used in combination with other techniques, so removing the key doesn't guarantee that the malware won't start some other way.
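A triage script for the key locations listed above, added here as an example and not part of the original page: it walks each Run-family key, pulls the executable out of every autostart command and reports whether that file exists and whether it is Authenticode-signed. It assumes Windows PowerShell 5.1 or later; HKCU covers only the user running the script.

```powershell
# Added example (not from the original page): enumerate the Run-family keys
# listed above and report each autostart command with basic triage details.
$RunKeyPaths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Get-ExecutableFromCommand {
    # Extract the program path from a Run value's command line. A quoted path is
    # taken verbatim; an unquoted one is grown token by token until a file exists,
    # so 'C:\Program Files\x\y.exe /s' resolves correctly.
    param([string]$Command)
    $Command = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    $tokens = $Command -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = ($tokens[0..($i - 1)] -join ' ')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]   # nothing on disk matched; fall back to the first token
}

function Get-RunKeyEntries {
    foreach ($path in $RunKeyPaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # Include subkeys so entries nested under the key are covered as well.
        $keys = @(Get-Item -LiteralPath $path) +
                @(Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $cmd = [string]$key.GetValue($name)
                if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
                $exe = Get-ExecutableFromCommand $cmd
                $sig = if (Test-Path -LiteralPath $exe -PathType Leaf) {
                    (Get-AuthenticodeSignature -LiteralPath $exe).Status
                } else { 'FileMissing' }
                [pscustomobject]@{ Key = $key.Name; ValueName = $name; Command = $cmd
                                   Executable = $exe; Signature = $sig }
            }
        }
    }
}

# Unsigned binaries and entries whose file is missing are the ones to review first.
Get-RunKeyEntries | Sort-Object Signature | Format-Table -AutoSize -Wrap
```

To cover other users' Run keys on the same machine, repeat the HKCU paths under HKU:\<SID> for each loaded profile hive (the HKU: drive must be mapped with New-PSDrive first). A signed binary is not proof of legitimacy, since a Run value can point a trusted host such as rundll32.exe at an untrusted DLL, so the full Command column still needs to be read.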