
Windows registry

Article detailing the mechanisms of malware persistence via the Windows registry.

The Windows registry is essentially a database that holds the computer's hardware, software and user settings. It may also contain supporting information depending on the installed product.

The registry contains five hives, two of which are root hives. The root hives are HKLM (applies to all users) and HKCU (only applies to individual users). All hives contain keys, subkeys and values.

The local machine and user hives contain “Run Keys”. The keys are named Run and RunOnce and relate to executing a program either when the computer boots up or when a particular user logs in. The locations of the run keys are:



An example of “Run Keys” and their entries is shown below:

Snippet of Windows registry depicting 'Run' key and values.
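For triage during an investigation, Run and RunOnce entries can be pulled out of a registry export and checked for programs that start from user-writable folders. The following is an added example, not part of the original article: the key paths it matches are the standard Windows Run/RunOnce locations (an assumption, not taken from this page), the sample export is constructed, and the folder list is a heuristic.

```python
import re

# Standard Run/RunOnce paths under HKLM and HKCU (assumed; not listed on this page).
RUN_KEY = re.compile(r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Software\\Microsoft"
                     r"\\Windows\\CurrentVersion\\(Run|RunOnce)\]$", re.IGNORECASE)
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Heuristic only: directories a standard user can normally write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

def unescape(s):  # .reg exports backslash-escape both \ and "
    return re.sub(r"\\(.)", r"\1", s)

def parse_run_entries(reg_text):
    """Return string (REG_SZ) values found under HKLM/HKCU Run and RunOnce keys."""
    entries, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = RUN_KEY.match(line)
            current = (m.group(1).upper(), m.group(2)) if m else None
        elif current:
            v = VALUE.match(line)
            if v:
                command = unescape(v.group(2))
                entries.append({
                    "hive": "HKLM" if current[0].endswith("MACHINE") else "HKCU",
                    "key": current[1],
                    "name": unescape(v.group(1)),
                    "command": command,
                    "user_writable": any(p in command.lower() for p in USER_WRITABLE),
                })
    return entries

# Constructed sample in .reg export format (not the article's screenshot).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\upd\\updater.exe\" /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"Ignored"="C:\\Temp\\not-a-run-key.exe"
'''

if __name__ == "__main__":
    for e in parse_run_entries(SAMPLE):
        print("REVIEW" if e["user_writable"] else "ok", e["hive"], e["key"], e["name"], e["command"])
```

A flagged entry is a lead for review rather than a verdict, since legitimate software also starts from per-user folders.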

Additional information…

Microsoft describes the registry as “A central hierarchical database used in Microsoft Windows 98, Windows CE, Windows NT, and Windows 2000 used to store information that is necessary to configure the system for one or more users, applications and hardware devices.”

So they haven’t updated this article in a while then?

© PA Knowledge Ltd | 7Safe Training
This article is from the free online Introduction to Digital Forensics: Malware Analysis and Investigations