Registry Run Keys / Startup Folder
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Placing a program within a startup folder will also cause the program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is: C:\Users[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
The following run keys are created by default on Windows systems:
· HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
· HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
· HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run