Windows Registry Locations for Persistence

Windows Registry Locations for Persistence

TechniqueRegistry LocationNotes
Accessibility FeaturesHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Execution/PersistenceHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode
Pass The HashHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
Credential AccessHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
PersistenceHKCU\Control Panel\Desktop\Screensaver
PersistenceHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\Time providers
Persistence(Auto-Runs) Classification
(Auto-Logon) Classification
(Office Addiin) Classification
(IE plugin) Classification
(Explore SideBar) Classification
(Exploer Shell Startup) Classification
(Known DLLs) Classification
(Boot Execute) Classification
(USB Storage) Classification
(Application Compat) Classification
(Run Keys) Classification