Registry Keys

Adding your executable to one of these "run keys" will cause the executable to run when a user logs in.

An example of a run key is:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

To abuse this for persistence, we can simply issue the following command:

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v NameOfKey /t REG_SZ /d c:\program /f

Note that this only works in the context of the current user. To make it apply to all users on the machine, you will have to use the HKLM hive, which requires admin privileges.

More examples of run keys are:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
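
For defenders, the same four keys can be enumerated to review what is set to start at logon and whether each target is signed. The PowerShell below is an added example, not part of the original page; the function name Get-RunKeyEntry and the user-writable path heuristic are assumptions made for illustration.

```powershell
# Added example: read-only audit of the four Run/RunOnce keys listed above.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeyEntry {          # hypothetical helper name
    param([string[]]$Path = $runKeys)
    foreach ($keyPath in $Path) {
        $key = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
        if (-not $key) { continue }  # a key such as RunOnce may not exist
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            # Take the quoted path if present, otherwise the first token.
            # An unquoted path containing spaces is cut short here and will
            # show up as FileNotFound, which is itself worth a manual look.
            if ($data -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($data.Trim() -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $sig = if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
                (Get-AuthenticodeSignature -LiteralPath $exe).Status
            } else { 'FileNotFound' }
            [pscustomobject]@{
                Key          = $keyPath
                Name         = $name
                Data         = $data
                Executable   = $exe
                Signature    = $sig
                # Heuristic (assumption): locations a standard user can write to
                UserWritable = $exe -match '\\(Users|ProgramData|Temp)\\'
            }
        }
    }
}

# Entries that are unsigned, missing on disk, or in user-writable paths sort first.
Get-RunKeyEntry |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, UserWritable -Descending:$false |
    Format-Table Key, Name, Executable, Signature, UserWritable -AutoSize -Wrap
```

Running it as a standard user covers that user's HKCU hive and the machine-wide HKLM keys; other users' HKCU entries have to be checked from their own sessions or loaded hives.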
