Modify

Scheduled Tasks

schtasks /create /sc <ScheduleType> /tn <TaskName> /tr <TaskRun>

Creates a scheduled task (CMD).

New-ScheduledTask -Action <Action> -Trigger <Trigger>

Creates a new scheduled task object (PowerShell).

Register-ScheduledTask -TaskName <TaskName> -InputObject <ScheduledTask>

Registers a scheduled task (PowerShell).
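The two PowerShell cmdlets above need action and trigger objects that the notes do not show. The following is an added example (not from the original notes) that builds them, registers the task, then reads the registered task back the way a reviewer would, including the on-disk XML definition that forensic review compares against. The task name, schedule and binary are illustrative placeholders.

```powershell
# Added example (not from the original notes): builds the objects that
# New-ScheduledTask / Register-ScheduledTask expect, registers the task,
# inspects it, and removes it again. Name, schedule and binary are assumed.

$taskName = 'DemoHealthCheck'                 # assumed task name
$exe      = 'C:\Windows\System32\notepad.exe' # assumed benign binary for the demo

# <Action>: what runs. <Trigger>: when it runs (daily at 09:00 here).
$action  = New-ScheduledTaskAction -Execute $exe
$trigger = New-ScheduledTaskTrigger -Daily -At 9am

# Build the task object, then register it (the two-step form used in the notes).
$task = New-ScheduledTask -Action $action -Trigger $trigger
Register-ScheduledTask -TaskName $taskName -InputObject $task | Out-Null

# Review: who runs it, what it runs, and where its XML definition lives under
# %SystemRoot%\System32\Tasks (TaskPath defaults to '\').
$t = Get-ScheduledTask -TaskName $taskName
[pscustomobject]@{
    TaskName = $t.TaskName
    Path     = $t.TaskPath
    RunAs    = $t.Principal.UserId
    Execute  = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    State    = $t.State
    XmlPath  = Join-Path $env:SystemRoot "System32\Tasks$($t.TaskPath)$($t.TaskName)"
}

# Clean up the demo task.
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
```

Registering a task needs rights to write under the Task Scheduler root; the review block works for any task the caller can read, so it is the part worth keeping in a triage script.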

Registry

Adds an auto-start entry for the current user (CMD).

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v <ValueName> /d <ExecutablePath>

Adds an auto-start entry for all users (CMD).

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v <ValueName> /d <ExecutablePath>

Adds an auto-start entry for the current user (PowerShell).

Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name <ValueName> -Value <ExecutablePath>

Adds an auto-start entry for all users (PowerShell).

Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -Name <ValueName> -Value <ExecutablePath>

Startup Folder

Copies a file to the current user's startup folder (CMD).

copy <FilePath> "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\"

Copies a file to the current user's startup folder (PowerShell).

Copy-Item <FilePath> -Destination "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\"

Services

Creates a new service set to start automatically (CMD).

sc create <ServiceName> binPath= "<PathToExecutable>" start= auto

Creates a new service set to start automatically (PowerShell).

New-Service -Name <ServiceName> -BinaryPathName "<PathToExecutable>" -StartupType Automatic

Registry Keys

Registry Query:

reg query <KeyName>
Get-ItemProperty -Path <KeyPath>

Persistence Keys

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Programs in this key run automatically when the current user logs in.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Programs listed here run automatically for all users at system startup.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Commands or programs here run once at the next user login.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Commands or programs in this key run once at the next system startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Programs listed here are executed at system startup.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Programs listed here are executed at user login.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Entries such as 'Userinit' and 'Shell' can be modified to run custom scripts or applications during the logon process.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load

Specifies programs to load at user login.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load

Specifies programs to load at system startup.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

Specifies additional programs to run at user login.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run

Specifies additional programs to run at system startup.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

Hooks that can be used to execute code when certain actions occur.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Services listed here are started by the Service Control Manager. Malware can create or modify existing services.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Customization of user shell folders can be used for persistence.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Customization of shell folders at a system-wide level.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components

Components listed here are executed when a user logs in for the first time and when creating new user accounts.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

On 64-bit systems, this key is used to run 32-bit applications at system startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\ShellEx\ContextMenuHandlers

Context menu handlers can be used to execute code when certain file types are right-clicked.

HKEY_CURRENT_USER\Software\Classes\*\ShellEx\ContextMenuHandlers

Context menu handlers for specific file types under the current user profile.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\BCD00000000

HKLM\SAM\SAMs
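The Registry Query commands and the key list above are what a triage pass reads. The following is an added example (not from the original notes) that walks the Run, RunOnce and Policies\Explorer\Run keys, flags Winlogon Shell and Userinit values that differ from their stock defaults, and repeats the per-user Run check for every loaded profile under HKU\<SID>. The default Winlogon values are the standard Windows ones; everything else is assumed for the demo. Reading other users' HKU hives needs administrative rights.

```powershell
# Added example (not from the original notes): enumerates the autostart keys
# listed in the notes and emits one row per value so they can be reviewed or
# diffed against a baseline. Needs admin rights to read other profiles' hives.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Stock Winlogon values on a default install; anything else deserves a look.
$winlogonDefaults = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}

# Emits one object per value in a key, skipping the PS* metadata properties
# that Get-ItemProperty adds to its output.
function Get-KeyValues([string]$Key) {
    if (-not (Test-Path $Key)) { return }
    $props = Get-ItemProperty -Path $Key
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        [pscustomobject]@{ Key = $Key; Name = $p.Name; Value = $p.Value; Flag = '' }
    }
}

function Get-AutostartEntries {
    foreach ($key in $runKeys) { Get-KeyValues $key }

    # Winlogon: compare Shell and Userinit against the defaults (case-insensitive).
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($name in $winlogonDefaults.Keys) {
        $value = $wl.$name
        $flag  = if ($value -ne $winlogonDefaults[$name]) { 'NON-DEFAULT' } else { '' }
        [pscustomobject]@{ Key = 'HKLM:\...\Winlogon'; Name = $name; Value = $value; Flag = $flag }
    }

    # Per-user Run keys for every loaded profile, addressed by SID as in the notes.
    $sids = (Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue).PSChildName
    foreach ($sid in $sids) {
        if ($sid -notmatch '^S-1-5-21-' -or $sid -like '*_Classes') { continue }
        Get-KeyValues "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
    }
}

Get-AutostartEntries | Format-Table -AutoSize -Wrap
```

Pipe the function output to Export-Csv instead of Format-Table to keep a baseline; the Flag column is only populated for the Winlogon values, since the Run keys have no fixed "clean" content and must be judged against that baseline.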

Startup Folders

Individual User Startup:

C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

All Users Startup:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

Are these locations the same across all Windows Versions? Need to research.

Sysinternals

autorunsc -accepteula

Accepts the EULA (required on first run).

autorunsc -a

All entries. # ALWAYS CHECK BOOT EXECUTE

autorunsc -s

Services

autorunsc -t

Tasks

autorunsc -b

Boot execute

autorunsc -d

App init DLLs
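Single autorunsc runs are most useful when diffed against a known-good export. The following is an added example (not from the original notes, and not part of Sysinternals) that compares two CSV exports produced with autorunsc's -c switch and lists entries that appeared or disappeared. The file paths are assumed, and the column names 'Entry Location', 'Entry' and 'Image Path' are assumed to be present in the export; check the header line of your version's output.

```powershell
# Added example (not from the original notes): diffs two autorunsc CSV exports
# (made with -c) and reports added/removed autostart entries. Paths and the
# column names 'Entry Location', 'Entry', 'Image Path' are assumptions.

param(
    [string]$Baseline = 'C:\Baselines\autoruns-clean.csv',   # assumed path
    [string]$Current  = 'C:\Triage\autoruns-now.csv'         # assumed path
)

function Compare-AutorunsExport {
    param([string]$BaselinePath, [string]$CurrentPath)

    $base = @(Import-Csv -Path $BaselinePath)
    $now  = @(Import-Csv -Path $CurrentPath)
    if ($base.Count -eq 0 -or $now.Count -eq 0) {
        throw "One of the exports is empty; check the CSV header and encoding."
    }

    # Key each row on location + entry name + image so a changed binary path
    # shows up as a removal plus an addition rather than being hidden.
    $keyOf = { "$($_.'Entry Location')|$($_.Entry)|$($_.'Image Path')" }
    $baseKeys = @($base | ForEach-Object $keyOf)
    $nowKeys  = @($now  | ForEach-Object $keyOf)

    foreach ($d in Compare-Object -ReferenceObject $baseKeys -DifferenceObject $nowKeys) {
        $loc, $entry, $img = $d.InputObject -split '\|', 3
        [pscustomobject]@{
            Change   = if ($d.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            Location = $loc
            Entry    = $entry
            Image    = $img
        }
    }
}

Compare-AutorunsExport -BaselinePath $Baseline -CurrentPath $Current |
    Sort-Object Change, Location | Format-Table -AutoSize -Wrap
```

Capture the baseline on the same build with the same autorunsc switches, otherwise version differences in the export columns will show up as noise in the diff.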
