{
	"id": "9ba4889e-63f7-407c-a3f2-7255dcd03545",
	"created_at": "2026-04-06T00:12:10.003224Z",
	"updated_at": "2026-04-10T03:21:06.887055Z",
	"deleted_at": null,
	"sha1_hash": "703fd5b5c3c9dd66a10b928d0c807481df6cb02f",
	"title": "Persistence using RunOnceEx – Hidden from Autoruns.exe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 579626,
	"plain_text": "Persistence using RunOnceEx – Hidden from Autoruns.exe\r\nPublished: 2018-03-21 · Archived: 2026-04-05 14:23:16 UTC\r\nTL;DR\r\n– Found a technique to execute DLL files without being detected by autoruns.exe at logon.\r\n– Requires administrator rights and does not belong in userland.\r\n– Run this to Exploit:\r\nreg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\message\r\nRunOnceEx\r\nI finally had some time to do some unstructured research. With unstructured research I mean going after things\r\nyou stumble upon and explore them. In this case I was looking into runonce.exe that lies in the system32 folder in\r\nWindows. I started out by running the command with /? and such, but that did not give any results. I ended up\r\nGoogling the file and stumbled upon this interesting article from Microsoft:\r\nhttps://support.microsoft.com/en-us/help/310593/description-of-the-runonceex-registry-key\r\nThe thing that got my attention at first was these sentences here:\r\nPerformance: The majority of the commands contained in the Run and RunOnce registry keys create\r\nseparate processes, which is inefficient. The RunOnceEx registry key does not create a separate process.\r\nThe RunOnceEx registry key also supports a dependency list of DLLs that remain loaded while either\r\nall the sections or some of the sections are being processed.\r\nTo me this meant that if I added these keys, the processes would probably execute directly in the parent process. It\r\nalso meant that I could add a list of dependency DLL files that would be executed. That was very interesting and\r\ngot me really curious.\r\nI then started to play around with the necessary registry keys. I first started in the HKEY_CURRENT_USER hive,\r\nbut that did not provide any results at all. It turned out after some Googling that RunOnceEx only executes\r\nfor administrators. 
This is explained in this KB from Microsoft:\r\nhttps://support.microsoft.com/en-us/help/2021405/standard-user-runonce-and-runonceex-are-not-being-executed\r\nIt states that HKEY_CURRENT_USER RunOnceEx should execute for local admins, but this was not the case\r\nwhen I did the testing.\r\nHowever I did get execution using the HKEY_LOCAL_MACHINE hive.\r\nThe documentation that I linked to at the top of this post also includes some examples.\r\nHere is a screenshot of the most interesting part:\r\nhttps://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/\r\nPage 1 of 4\n\nAs you can see, it is possible to either specify an executable by using ||exename.exe or dll file by using\r\nDLLFilename|FunctionName|CommandLineArguements.\r\nRunOnceEx with ||Executable.exe\r\nIn order to get execution of for example notepad.exe you must add the following registry keys (save them to .reg\r\nfile and import them):\r\nWindows Registry Editor Version 5.00\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx]\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001]\r\n\"Line1\"=\"||c:\\windows\\system32\\notepad.exe\"\r\nAfter adding these keys notepad.exe will launch at next logon. Or you can run this command to trigger the\r\nexecution:\r\nrunonce /Explorer\r\nI found that /Explorer parameter by running strings.exe against the runonce.exe binary.\r\nRunOnceEx with DLLFile|Function\r\nSince I lacked creativity I just tried to open a URL using url.dll,OpenURL function (discovered by @bohops). 
In\r\norder to do that you must specify the registry keys like this:\r\nWindows Registry Editor Version 5.00\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx]\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001]\r\n\"Line1\"=\"c:\\windows\\system32\\url.dll|OpenURL|\\\"http://www.google.com\\\"\"\r\nA thing I noticed when I was playing with this, was that the dll file must be registered. So it seems that you cannot\r\njust plant a dll file and execute it using this method.\r\nThe big problem with these approaches (from an offensive perspective) is that it will be pretty visible in the\r\nautoruns.exe application. In the screenshot below I am using a non signed binary just to show an example(Line1):\r\nExecuting with Depend\r\nAfter I was done “playing” with this I decided that I would look into the part about dependent DLL files. 
And this\r\nis where the research became very interesting.\r\nIn the documentation (screenshot below) it gives an example using “depend”, but it is unclear and I had to try and\r\nfail some times before I got it right.\r\nJust by adding this registry key, the dll file you specify will execute on next logon.\r\nWindows Registry Editor Version 5.00\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx]\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001]\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend]\r\n\"1\"=\"c:\\\\temp\\\\MessageBox64.dll\"\r\nOr you can for example just execute this command:\r\nreg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\message\r\nThe cool thing about this method is that it hides completely from autoruns.exe. Below is a video showing this\r\ntechnique.\r\nI guess that this technique has already been used by other threat actors. 
This is just another forgotten thing\r\nin Windows.\r\nI know that this technique requires local administrator access, but still I find this interesting enough to blog about.\r\nHope you liked it.\r\n#Update – March 22 2018#\r\nMark Russinovich was thankful for the discovery and stated that this will be added in the next version of\r\nAutoruns.\r\nhttps://twitter.com/markrussinovich/status/976856490941337600\r\n#Update – December 16 2019#\r\nSince this blog post is still linked to, just want to point out that this discovery was added into autoruns 13.90 and\r\nnewer:\r\nhttps://blogs.technet.microsoft.com/sysinternals/2018/07/05/sysmon-v8-0-autoruns-v13-90/\r\nSource: https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/"
	],
	"report_names": [
		"persistence-using-runonceex-hidden-from-autoruns-exe"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434330,
	"ts_updated_at": 1775791266,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/703fd5b5c3c9dd66a10b928d0c807481df6cb02f.pdf",
		"text": "https://archive.orkl.eu/703fd5b5c3c9dd66a10b928d0c807481df6cb02f.txt",
		"img": "https://archive.orkl.eu/703fd5b5c3c9dd66a10b928d0c807481df6cb02f.jpg"
	}
}