# Persistence

#### Startup

* C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
* C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

**The following run keys are created by default on Windows systems**

* HKEY\_CURRENT\_USER\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY\_CURRENT\_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
* HKEY\_LOCAL\_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY\_LOCAL\_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

**The following Registry keys can be used to set startup folder items for persistence**

* HKEY\_CURRENT\_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
* HKEY\_CURRENT\_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

**The following Registry keys can control automatic startup of services during boot**

* HKEY\_LOCAL\_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY\_CURRENT\_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY\_LOCAL\_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
* HKEY\_CURRENT\_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

**Using policy settings to specify startup programs creates corresponding values in either of two Registry keys**

* HKEY\_LOCAL\_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
* HKEY\_CURRENT\_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

#### Registry key that holds Windows Defender exclusion paths

* HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\\
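A read-only audit of the locations listed above, added here as an example and not taken from the source material: it dumps every value under the run, service, policy and Defender exclusion keys, flags a redirected startup folder, and lists the files in the startup folders. The function name `Get-AutostartValue` is hypothetical, and the `Startup` / `Common Startup` value names under `User Shell Folders` are an assumption not stated on this page.

```powershell
# Added example: read-only audit of the autostart locations listed on this page.
$cv = 'Software\Microsoft\Windows\CurrentVersion'
$keys = foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($sub in 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce', 'Policies\Explorer\Run') {
        "$hive\$cv\$sub"
    }
}
$keys += 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'

function Get-AutostartValue {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) { return }   # key absent, or not readable without elevation
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Location = $Path; Name = $name
            Data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames') }
    }
}

# Default startup folders (from the list above) and the value that can redirect each one.
$folders = @(
    @{ Hive = 'HKCU:'; Value = 'Startup'
       Default = (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup') }
    @{ Hive = 'HKLM:'; Value = 'Common Startup'
       Default = (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup') }
)
$folderFindings = foreach ($f in $folders) {
    $key = Get-Item -LiteralPath "$($f.Hive)\$cv\Explorer\User Shell Folders" -ErrorAction SilentlyContinue
    $actual = if ($key) { [string]$key.GetValue($f.Value) } else { '' }
    $dirs = @($f.Default)
    # A value that differs from the default path means the startup folder was redirected.
    if ($actual -and $actual.TrimEnd('\') -ne $f.Default) {
        [pscustomobject]@{ Location = $key.Name; Name = "$($f.Value) (redirected)"; Data = $actual }
        $dirs += $actual
    }
    foreach ($dir in $dirs) {
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object Name -ne 'desktop.ini' |
            ForEach-Object { [pscustomobject]@{ Location = $dir; Name = $_.Name; Data = $_.LastWriteTime } }
    }
}

$report = @($keys | ForEach-Object { Get-AutostartValue -Path $_ }) +
          @($folderFindings | Where-Object { $_ })
$report | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the Defender exclusions key is readable; a redirected startup folder can also come from legitimate folder redirection policy, so treat that row as a prompt for review.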

***

{% hint style="success" %}
This knowledge has been compiled from resources provided by [LetsDefend](https://letsdefend.io/).
{% endhint %}
