The registry hive NTUSER.DAT is created for each users in a Computer system. It contains the Run key registry used by malware to maintain persistence. In this example, there are 19 users in the system , but I have only extracted the NTUSER.DAT for the user Zarma.s using Autopsy(seen below) and I analysed it in Registry explorer.

The Run and Runonce keys are located in
NTUSER.DAT:SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NTUSER.DAT: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
In this case ,OneDrive and Windows Defender will start when the computer is Switched on as seen in the pictures below.

