The Run, RunOnce and RunOnceEx registry keys are used by both legitimate and malicious programs to launch themselves after user logon. All three are setup the same way but there a few differences
Run : Run keys will run the associated command on every logon until the key is removed.
RunOnce : As the name implies, RunOnce keys will only run the command once and then the key is automatically deleted.
RunOnceEx : RunOnceEx act like RunOnce keys but will only be deleted if the command executes successfully.
The Run key locations (dependent on Windows version) are:
Run keys are by far the most common method of persistence and are the first place you should start looking when trying to track down a piece of malware. Keep in mind though they are often used in combination with other techniques so removing the key doesn't guarantee that the malware won't start some other way.