{ "id": "e561ee9a-f975-4538-90c8-824fa863538f", "created_at": "2026-04-06T00:11:52.884084Z", "updated_at": "2026-04-10T03:24:29.511481Z", "deleted_at": null, "sha1_hash": "5d578d58b9a847b7843c92d6da4b8405570e6961", "title": "Run and RunOnce Registry Keys - Win32 apps", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47708, "plain_text": "Run and RunOnce Registry Keys - Win32 apps\r\nBy drewbatgit\r\nArchived: 2026-04-05 20:40:40 UTC\r\nUse Run or RunOnce registry keys to make a program run when a user logs on. The Run key makes the\r\nprogram run every time the user logs on, while the RunOnce key makes the program run one time, and then the\r\nkey is deleted. These keys can be set for the user or the machine.\r\nThe data value for a key is a command line no longer than 260 characters. Register programs to run by adding\r\nentries of the form description-string=commandline. You can write multiple entries under a key. If more than one\r\nprogram is registered under any particular key, the order in which those programs run is indeterminate.\r\nThe Windows registry includes the following four Run and RunOnce keys:\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\nBy default, the value of a RunOnce key is deleted before the command line is run. You can prefix a RunOnce\r\nvalue name with an exclamation point (!) to defer deletion of the value until after the command runs. Without the\r\nexclamation point prefix, if the RunOnce operation fails, the associated program will not be asked to run the next\r\ntime you start the computer.\r\nBy default, these keys are ignored when the computer is started in Safe Mode. The value name of RunOnce keys\r\ncan be prefixed with an asterisk (*) to force the program to run even in Safe Mode.\r\nA program that is run from any of these keys should not write to the key during its execution because this will\r\ninterfere with the execution of other programs registered under the key. Applications should use the RunOnce key\r\nonly for transient conditions, such as to complete application setup. An application must not continually recreate\r\nentries under RunOnce because this will interfere with Windows Setup.\r\nThe system does not provide guarantees about how promptly the programs in the Run key are run. To improve\r\nthe user experience, the system may choose to delay the execution of programs in the Run key and in the Startup\r\ngroup to a time when they are less likely to interfere with the foreground user experience or with each other.\r\nWindows Registry, RunOnce Registry Key\r\nSource: http://msdn.microsoft.com/en-us/library/aa376977\r\nhttp://msdn.microsoft.com/en-us/library/aa376977\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "http://msdn.microsoft.com/en-us/library/aa376977" ], "report_names": [ "aa376977" ], "threat_actors": [ { "id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d", "created_at": "2022-10-25T16:07:24.139848Z", "updated_at": "2026-04-10T02:00:04.878798Z", "deleted_at": null, "main_name": "Safe", "aliases": [], "source_name": "ETDA:Safe", "tools": [ "DebugView", "LZ77", "OpenDoc", "SafeDisk", "TypeConfig", "UPXShell", "UsbDoc", "UsbExe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434312, "ts_updated_at": 1775791469, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5d578d58b9a847b7843c92d6da4b8405570e6961.pdf", "text": "https://archive.orkl.eu/5d578d58b9a847b7843c92d6da4b8405570e6961.txt", "img": "https://archive.orkl.eu/5d578d58b9a847b7843c92d6da4b8405570e6961.jpg" } }