The registry hive NTUSER.DAT is created for each users in a Computer system. It contains the Run key registry used by malware to maintain persistence. In this example, there are 19 users in the system , but I have only extracted the NTUSER.DAT for the user Zarma.s using Autopsy(seen below) and I analysed it in Registry explorer.
The Run and Runonce keys are located in
In this case ,OneDrive and Windows Defender will start when the computer is Switched on as seen in the pictures below.