InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/


“Registry Run Keys: The Secret Sauce of Persistent Malware!”

Paritosh, published in InfoSec Write-ups
3 min read, May 4, 2023

Welcome to the wonderful world of registry run keys, the magical ingredient that makes persistent malware possible! You might think that these boring registry entries are just harmless bits of information, but in the hands of a crafty hacker, they can turn your computer into a zombie slave that does their bidding.

So what are registry run keys, you ask?

Well, they’re just a little something-something that tells your computer to automatically run a program or process every time it boots up. Nothing to worry about, right? WRONG! Because if a malicious program manages to sneak its way into your registry run keys, it can launch itself every time you start your computer, without you even realizing it.


But wait, it gets better!

Not only can malware use registry run keys to maintain persistence, but it can also disguise itself as a legitimate program by using the same keys that other programs use. So when you see a program you recognize in your registry run keys, you might think it’s harmless, when in fact it’s a sneaky little malware beast in disguise.

There are several registry run keys that are commonly used for this purpose. They are paths in the Windows Registry, a hierarchical database that stores configuration settings and options for the Windows operating system and its installed applications.

A brief explanation of each path:

1. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
-> Contains a list of programs that are set to automatically start when a particular user logs into their account on the computer.

2. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
-> Contains a list of programs that are set to run only once when a particular user logs into their account on the computer.

3. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
-> Contains a list of programs that are set to automatically start when any user logs into the computer.

4. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
-> Contains a list of programs that are set to run only once when any user logs into the computer.

5. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
-> Similar to the above but for more complex…
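A practical way to keep an eye on the keys listed above is to enumerate them on a schedule and compare the result against a known-good baseline. The PowerShell script below is an added example, not code from the original post: it walks the five keys from the list (plus their subkeys, which is where RunOnceEx stores its entries), pulls the executable path out of each command string, and flags entries whose binary is missing, unsigned, or located in a user-writable directory. The key list, the path-parsing rules and the "suspicious location" heuristic are the editor's assumptions, not anything the post defines.

```powershell
# Added example (not from the original post): audit the Run / RunOnce keys the post lists.
# The key list, the command-line parsing and the location heuristic below are assumptions.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
)

# Registry value names that PowerShell adds to every Get-ItemProperty result; not real entries.
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExecutablePath {
    param([string]$Command)
    # Quoted form:   "C:\Program Files\Vendor\app.exe" /background
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted form: C:\Vendor\app.exe /background  (take the token ending in .exe)
    if ($Command -match '^([^ ]+\.exe)') { return $Matches[1] }
    # Fallback: first whitespace-separated token
    return ($Command -split ' ')[0]
}

function Get-RunKeyEntries {
    foreach ($root in $runKeys) {
        if (-not (Test-Path -Path $root)) { continue }

        # Include subkeys so that RunOnceEx's numbered child keys are covered as well.
        $keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            $props = Get-ItemProperty -Path $key.PSPath
            foreach ($prop in $props.PSObject.Properties) {
                if ($prop.Name -in $psNoise) { continue }

                $exe    = Get-ExecutablePath -Command ([string]$prop.Value)
                $exe    = [Environment]::ExpandEnvironmentVariables($exe)
                $exists = Test-Path -LiteralPath $exe -PathType Leaf

                # Authenticode status is only meaningful if the file is actually on disk.
                $sigStatus = 'NotFound'
                if ($exists) {
                    $sigStatus = (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
                }

                # Heuristic (assumption): persistence from user-writable folders deserves a look.
                $userWritable = $exe -match '\\(AppData|Temp|Users\\Public|ProgramData)\\'

                [pscustomobject]@{
                    Key          = $key.Name
                    ValueName    = $prop.Name
                    Command      = [string]$prop.Value
                    Executable   = $exe
                    Exists       = $exists
                    Signature    = $sigStatus
                    UserWritable = $userWritable
                    Suspicious   = (-not $exists) -or ($sigStatus -ne 'Valid') -or $userWritable
                }
            }
        }
    }
}

# Show flagged entries first; pipe to Export-Csv to keep a baseline for later comparison.
Get-RunKeyEntries | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so every HKLM subkey is readable, save the first run as a baseline (for example with Export-Csv), and diff later runs against it: a new value name, a changed command string, or a signature status that flips from Valid to something else is the kind of change worth investigating. Keep in mind that "Suspicious" is a triage hint, not a verdict; plenty of legitimate updaters live under AppData or ProgramData and some vendors ship unsigned binaries.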



Written by Paritosh

CISSP | Sharing what I am learning to get it in a single place. | Linkedin -> https://www.linkedin.com/in/paritosh-bhatt/
