Persistence

Some Registry need to investigate

Startup

• C:\Users[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

• C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

The following run keys are created by default on Windows systems

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

The following Registry keys can be used to set startup folder items for persistence

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserShellFolders

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserShellFolders

The following Registry keys can control automatic startup of services during boot

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

Using policy settings to specify startup programs creates corresponding values in either of two Registry keys

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

The registry presents Exclusions path on Windows Defender

• HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\

---

This knowledge has been compiled from resources provided by LetsDefend.