Run keys

Entering a file path in the registry data under these registry keys will trigger execution when Windows starts, as can be seen in the following registry paths for 64-bit versions of Windows:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Windows\CurrentVersion\Run

Programs listed under the following registry keys are executed when the current user logs in:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

Key names containing Once list programs that run only once. Malware may still persist if it keeps placing its own file path under the RunOnce, RunOnceEx or RunServicesOnce keys.
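The re-registration behaviour described above can be spotted in registry write telemetry. The following is an added example, not code from the book: it classifies key paths against the CurrentVersion keys listed above and reports any command that is written to a Once key on more than one occasion. The event tuple layout, the function names and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Key names from the lists above, relative to
# <hive>\Software\Microsoft\Windows\CurrentVersion\
SUFFIXES = ("Run", "RunOnce", "RunOnceEx", "RunServices",
            "RunServicesOnce", r"Policies\Explorer\Run")
HIVES = {"hklm": "machine", "hkey_local_machine": "machine",
         "hkcu": "user", "hkey_current_user": "user"}
BASE = r"software\microsoft\windows\currentversion" + "\\"


def classify(key_path):
    """Return (scope, key_name, runs_once) for a listed key, else None."""
    hive, _, rest = key_path.strip().rstrip("\\").partition("\\")
    scope = HIVES.get(hive.lower())
    rest = rest.lower()
    if scope is None or not rest.startswith(BASE):
        return None
    tail = rest[len(BASE):]
    for name in SUFFIXES:
        low = name.lower()
        # Match the key itself or a subkey of it (RunOnceEx uses subkeys).
        if tail == low or tail.startswith(low + "\\"):
            return scope, name, "Once" in name
    return None


def reregistered_once_commands(events):
    """Map each command written to a Once key more than once to its write times."""
    writes = defaultdict(list)
    for when, key_path, _value_name, data in events:
        info = classify(key_path)
        if info and info[2]:
            writes[data.strip().strip('"').lower()].append(when)
    return {cmd: times for cmd, times in writes.items() if len(times) > 1}


# Constructed registry value-set events: (time, key, value name, data).
SAMPLE_EVENTS = [
    ("2024-03-01T08:02", r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "upd", r"C:\Users\Public\sample.exe"),
    ("2024-03-01T09:15", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "Agent", r"C:\Program Files\Agent\agent.exe"),
    ("2024-03-02T08:01", r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "upd", r'"C:\Users\Public\sample.exe"'),
    ("2024-03-02T10:30", r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "Setup", r"C:\Temp\setup.exe"),
]

if __name__ == "__main__":
    for cmd, times in reregistered_once_commands(SAMPLE_EVENTS).items():
        print(f"re-registered under a Once key: {cmd} at {times}")
```

A single write to a Once key is normal installer behaviour; the same command reappearing there after it has already run is the pattern worth reviewing.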
