GUY NGONGANG on DIGITAL FORENSICS

Run Keys

The registry hive NTUSER.DAT is created for each user on a Windows system. It contains the Run keys, which malware commonly uses to maintain persistence. In this example there are 19 users on the system, but I have only extracted the NTUSER.DAT for the user Zarma.s using Autopsy (seen below) and analysed it in Registry Explorer.

NTUSER.DAT for Zarma.s user, seen in Autopsy

The Run and RunOnce keys are located in

NTUSER.DAT:SOFTWARE\Microsoft\Windows\CurrentVersion\Run

NTUSER.DAT:SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

In this case, OneDrive and Windows Defender will start when the computer is switched on, as seen in the pictures below.
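The same check can be scripted instead of clicking through Registry Explorer. The PowerShell below is an added example, not part of the original post or of any tool it mentions: it loads an extracted NTUSER.DAT under HKEY_USERS with reg.exe, lists every value under the Run and RunOnce keys named above, and flags commands that point into user-writable locations (a common sign of a non-standard autostart). The hive path C:\Cases\Zarma.s\NTUSER.DAT and the mount name ForensicHive are assumptions; adjust them to the case. It must be run from an elevated prompt, because loading a hive requires administrator rights.

```powershell
# Added example (not from the original post): triage Run/RunOnce values in an offline NTUSER.DAT.
# Assumed path to the hive copied out of the image with Autopsy; change for your case.
param(
    [string]$HivePath  = 'C:\Cases\Zarma.s\NTUSER.DAT',   # assumption
    [string]$MountName = 'ForensicHive'                   # assumption: temporary name under HKU
)

# The two keys discussed in the post, relative to the root of NTUSER.DAT.
$keys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Locations a legitimate, installed autostart rarely lives in; used only to mark entries for review.
$suspiciousRoots = @('\AppData\', '\Temp\', '\Downloads\', '\ProgramData\', '\Public\')

# Mount the offline hive under HKEY_USERS so the normal registry provider can read it.
reg.exe load "HKU\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive $HivePath" }

try {
    foreach ($k in $keys) {
        $path = "Registry::HKEY_USERS\$MountName\$k"
        if (-not (Test-Path $path)) {
            # Key absent: nothing registered for this user under that key.
            [pscustomobject]@{ Key = $k; Name = '(key not present)'; Command = ''; Review = $false }
            continue
        }
        $item = Get-Item -LiteralPath $path
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # Mark for review when the command path sits in a user-writable directory.
            $flag = $false
            foreach ($root in $suspiciousRoots) {
                if ($cmd -like "*$root*") { $flag = $true; break }
            }
            [pscustomobject]@{ Key = $k; Name = $name; Command = $cmd; Review = $flag }
        }
        $item.Close()
    }
}
finally {
    # Release provider handles before unloading, otherwise reg.exe reports the hive as in use.
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    reg.exe unload "HKU\$MountName" | Out-Null
}
```

Pipe the output to Format-Table or Export-Csv to keep it with the case notes. The Review column is only a hint for where to look first; the key's last-write time, which Registry Explorer shows in the screenshots above, still has to be read from the hive itself, since the registry provider does not expose it.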

Run Keys seen in Registry Explorer, added on 2021-11-20 14:41:51

RunOnce keys seen in Registry Explorer, added on 2012-11-20 15:37:39