EventPeeker
Analyze EVTX Logs Free →·Detection guides
Event ID 4657Event ID 4688Event ID 4624T1547.001high

Registry Run Key Persistence — Autostart via HKCU/HKLM Run Keys

Registry Run keys are one of the oldest and most common Windows persistence mechanisms. Entries written to HKCU\Software\Microsoft\Windows\CurrentVersion\Run or the HKLM equivalent execute automatically at every user logon — with no UAC prompt for HKCU keys, and with SYSTEM-level trust for HKLM keys. Event ID 4657 (registry value modified) is the detection signal.

Severity

High

ATT&CK Tactic

Persistence

Common attacker usage

Writing a malicious binary path to HKCU\Run — no admin rights required; executes at next user logon · Writing to HKLM\Run — requires admin/SYSTEM rights but executes for all users at every logon · Using RunOnce keys to execute a payload once and self-delete the entry · Pointing Run key values to LOLBins (mshta, regsvr32, wscript) with encoded payloads to blend in · Using HKCU\Run for user-level persistence that survives across reboots and evades system-wide monitoring

Investigate immediately if

  • !Event 4657 shows a new or modified value under any Run/RunOnce key path — especially outside business hours or from an unexpected process
  • !The value data points to a file in %TEMP%, %APPDATA%, a user-writable folder, or a path not matching known installed software
  • !Event 4688 shows the same binary or script executing shortly after a 4624 logon — consistent with a Run key firing at logon
  • !A LOLBin (mshta.exe, wscript.exe, regsvr32.exe, powershell.exe) appears in a Run key value

MITRE ATT&CK

Technique

T1547.001 · Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Tactic

Persistence

View on attack.mitre.org →

Security Relevance

Run keys persist across reboots and require no scheduled task, service, or COM registration — making them lightweight and hard to notice without dedicated registry monitoring. HKCU Run keys are especially dangerous because any standard user can write them without triggering UAC, and they execute in the user's security context at every logon. Malware families from commodity loaders to APT implants rely on Run keys as a first-stage persistence mechanism precisely because they are universally available and blend in with legitimate software.

Indicators of Malicious Use

  • Event 4657: Object Name contains \SOFTWARE\Microsoft\Windows\CurrentVersion\Run or \RunOnce — any write to these paths from a non-installer process is suspicious
  • Event 4657: New Value Data pointing to %TEMP%, %APPDATA%\Roaming, or an unusual path — legitimate software installs to Program Files, not temp directories
  • Event 4688: Process spawned by userinit.exe or explorer.exe from a non-standard path — these are the parent processes for Run key payloads at logon
  • Event 4688: LOLBins (mshta.exe, wscript.exe, cscript.exe, regsvr32.exe) with command-line arguments that include encoded or obfuscated content
  • Reg.exe or PowerShell New-ItemProperty / Set-ItemProperty commands targeting Run key paths in Event 4688 or 4104

Example Log Entry

Event ID: 4657 — A registry value was modified

Subject:
  Security ID:      CORP\jsmith
  Account Name:     jsmith
  Logon ID:         0x4A3F22

Object:
  Object Name:      \REGISTRY\USER\S-1-5-21-...\SOFTWARE\Microsoft\
                    Windows\CurrentVersion\Run
  Object Value Name: WindowsUpdate              ← misleading legitimate-looking name
  Handle ID:        0x4a8
  Operation Type:   %%1904 (New registry value created)

Process Information:
  Process Name:     C:\Users\jsmith\AppData\Roaming\svchost.exe
                    ← not the real svchost; real svchost lives in System32

Change Information:
  Old Value Type:   (none)
  New Value Type:   %%1873 (REG_SZ)
  New Value:        C:\Users\jsmith\AppData\Roaming\svchost.exe /q /persist

Investigation Steps

  1. 1.Identify the Run key path and value: check Object Name and Object Value Name in Event 4657. Look up the value name — attackers commonly use names that mimic legitimate software (WindowsUpdate, AdobeUpdater, OneDrive).
  2. 2.Examine the value data (New Value): what binary or script does it point to? Run Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' to see all current HKCU Run entries. Compare against known-good software installed on the system.
  3. 3.Investigate the writing process: check Process Name in Event 4657. A legitimate installer writes Run keys during setup; a svchost.exe in AppData or a PowerShell process writing to Run outside of an install window is a strong IOC.
  4. 4.Look for the payload execution: search Event 4688 for processes spawned by userinit.exe or explorer.exe (the Run key execution chain at logon). Check the process path against the Run key value data.
  5. 5.Check all Run key locations — attackers may use multiple: HKCU\Run, HKLM\Run, HKCU\RunOnce, HKLM\RunOnce, and the Wow6432Node equivalents for 32-bit processes on 64-bit systems.
  6. 6.Correlate with recent logon events: if a malicious Run key fires, Event 4624 for the affected user followed immediately by 4688 for the suspicious binary is a reliable chain.
  7. 7.Check for lateral scope: if the key was written under HKLM (not HKCU), the payload executes for every user on the system — assess all accounts that have logged in since the key was written.

Check your own logs for this technique — upload an EVTX file for instant detection, no account required.

Upload EVTX →See sample

Common False Positives

  • Legitimate software installers write Run keys during setup — antivirus, cloud backup agents, browser updaters, and communication tools commonly use HKCU\Run for per-user autostart. Verify the binary path is under Program Files or a known vendor directory.
  • Software update agents running in the background may modify Run key values when updating themselves — correlate with known patch/update windows.
  • IT management tools (RMM agents, endpoint management) may write or modify Run keys as part of agent deployment — coordinate with IT to establish a baseline.

Remediation

  • Remove the malicious Run key entry: Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'MaliciousEntryName'
  • Kill the running payload process before removing the key — if the binary is already executing, the key removal alone will not stop the current session.
  • Delete or quarantine the binary pointed to by the Run key value — removing the key without removing the binary leaves the payload on disk.
  • Enable Object Access auditing for registry keys on sensitive paths if not already configured — Event 4657 requires 'Audit Registry' to be enabled in Group Policy (Advanced Audit Policy → Object Access → Audit Registry).
  • Consider deploying AppLocker or WDAC policies that block execution from user-writable paths (AppData, Temp) — this prevents Run key payloads in those locations from executing even if the key is written.
  • Audit all Run key locations after an incident: HKCU\Run, HKLM\Run, RunOnce variants, and Wow6432Node paths. Use Autoruns (Sysinternals) for a complete inventory.

Related Event IDs

4657Registry value modified — the primary Run key write detection event
4688Process creation — Run key payload executing at logon (parent: userinit.exe or explorer.exe)
4624Successful logon — Run keys fire at logon; correlate with 4688 immediately following
4104PowerShell script block — Set-ItemProperty / New-ItemProperty targeting Run key paths

Related Detection Guides

Scheduled Task AbuseSuspicious Service InstallationWMI PersistenceAccount-Based PersistenceLiving off the Land (LOLBins)PowerShell AbusePrivilege Escalation

Frequently Asked Questions

What is the difference between HKCU Run and HKLM Run persistence?
HKCU (HKEY_CURRENT_USER) Run keys require no administrative privileges — any standard user can write them, and they execute in that user's context at their next logon. HKLM (HKEY_LOCAL_MACHINE) Run keys require admin or SYSTEM rights to write but execute for every user who logs in to the system. Attackers without admin rights use HKCU; once they escalate privileges they may switch to HKLM for broader persistence.
How do I audit all Run key entries on a Windows system?
The fastest method is Sysinternals Autoruns — it shows all autostart locations including Run keys, scheduled tasks, services, and more, with VirusTotal integration for flagging unsigned or malicious entries. From PowerShell: Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' and Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'. Check the Wow6432Node equivalents for 32-bit applications on 64-bit systems.
Does EventPeeker detect Run key modifications?
Yes — EventPeeker's detection engine monitors Event ID 4657 (registry value modified) for writes to Run and RunOnce key paths. This requires that registry object access auditing is enabled on the monitored system via Group Policy (Advanced Audit Policy → Object Access → Audit Registry). Without this policy, 4657 events will not appear in the Security log.

Analyze your Windows Event Logs

Upload an .evtx file from servers, domain controllers, or endpoints — get instant detections, MITRE mappings, and an AI-generated triage report.

Detect this technique in your logs →
← All detection guides·Analyze EVTX Logs Free →