Welcome back to Windows registry forensics. We are in course 3, the NTUSER.DAT hive, and we're in section 5. In this section, we're going to cover the Run and RunOnce subkeys within the NTUSER.DAT hive. Quick review of what we have covered so far in course 3, the NTUSER hive. We covered the RecentDocs subkey, where we looked at the most recently used files and interpreted them. We covered the TypedURLs subkey, and those are URLs that are typed into the Internet Explorer address bar. We also covered UserAssist, which showed us program execution by a user. We also covered RecentApps, which also shows program execution by a user, but they dove a little deeper to show us which files were accessed using that particular program. In this section, section 5, the Run and RunOnce subkeys, these are programs that are run at startup without any interaction, or very little interaction, by the user. When you log onto your computer, these programs will run; these keys become executed when the user logs into the system, and unfortunately, these keys can and have been used by bad actors. Malware can be a value within these keys, and if it is, it will run at startup without the user doing anything at all. Now, the Run key is persistent, and that may be one of the reasons that malware gets installed there. Even if you shut your computer down and restart it, that Run key is going to be triggered, and whatever values are under that Run key will be executed. The RunOnce key is not persistent. It should do exactly what it says: run once, and then the value should be deleted. If the value name under the RunOnce key is prefixed with an exclamation point, then that value will become persistent and it will act like the Run key; it will start every time you log into your computer or a user logs into their computer. By default, these keys are ignored if a computer is started in safe mode, and again, the RunOnce key is not persistent.
The value name under the RunOnce key, even in safe mode, if it is prefixed with an asterisk, it will force the program to run regardless of whether it is in safe mode or not. The tools we're going to need, or the items we're going to need for this section, are going to be Registry Explorer and Ivan's NTUSER.DAT hive file that we've been using throughout the course, and we're going to take a look at our Ivan NTUSER.DAT file again. If it's not loaded, go ahead and load the hive. Navigate out to where you have the hive, where you saved that hive, and click Open, and the hive will load. Now, this is one of those keys that is in the bookmarks, so we can go ahead and use our bookmarks and go to the Run key, and you can see the path down here: it's Software\Microsoft\Windows\CurrentVersion\Run. Software\Microsoft\Windows\CurrentVersion\Run would be the path to the Run key. We can see we have two programs here, and these are user specific; this is what Ivan has set to run at startup, and you can see that he has OneDrive and Google Drive Sync. Now, just so you're aware, there is a Run and RunOnce key in the SOFTWARE hive, and that file, that key, controls system-wide programs that are run at startup, whereas the key in the NTUSER.DAT hive only applies to that particular logged-on user. If malware was installed under this key, that malware would inherit the same permissions as that particular user. If they are a regular user, it would only have limited permissions. If they were an admin, it might have more permissions, but it would inherit the permissions of the user whose NTUSER.DAT file it was in. Now, the RunOnce key: what happens here is the program is supposed to run once and then it's supposed to be deleted from the key, the value is supposed to be deleted from the key, and as we can see, there is nothing in the RunOnce subkey, and that is how it should be. If there were values in the RunOnce subkey, that would be interesting.
If you wanted to have a value persist in the RunOnce subkey, what you would need to do is prefix this value name here, like OneDrive: we would need to put an exclamation point in front of OneDrive under the RunOnce key, and then it would be persistent. If we wanted it to run in safe mode, or somebody wanted it to run in safe mode, they would use an asterisk and prefix the key value name with an asterisk, and then it would run in safe mode. This would be a location you would want to check for persistent malware on the system, because if there is malware installed here, like I said, it is going to be persistent; it will start every time the user logs on. The user is not going to get any indication that it's running; they're not going to need to do anything to make it run. This gets executed when the user logs onto the system, so there's no warning or pop-up box that's going to come on; this will just happen. That's why it's a good location for malware and the block.
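As an added example, not part of the course or of Registry Explorer, the following Python script applies the rules described in this section to the values found under a user's Run and RunOnce keys: Run values are persistent, RunOnce values should be gone after they run, a `!` prefix on a RunOnce value name makes it behave like a Run entry, and a `*` prefix forces the program to run even in safe mode. The sample entries are constructed (Ivan's OneDrive and Google Drive Sync values plus a placeholder RunOnce entry whose path is made up for illustration), and the optional `load_from_hive` helper assumes the third-party python-registry package for reading an offline NTUSER.DAT; the classification itself needs only the standard library.

```python
"""Triage Run / RunOnce values from a user's NTUSER.DAT hive.

Added example for the lecture above; not part of the course material.
Assumptions: the optional loader uses the third-party python-registry
package (import name `Registry`); everything else is standard library.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Paths are relative to the root of the NTUSER.DAT hive (HKCU on a live box).
RUN_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUNONCE_PATH = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"


@dataclass(frozen=True)
class AutostartValue:
    key: str      # "Run" or "RunOnce"
    name: str     # value name exactly as stored, prefixes included
    command: str  # command line launched when this user logs on


def parse_prefixes(name: str) -> Tuple[Set[str], str]:
    """Split off leading '!' / '*' flag characters from a value name.

    Both flags may be present in either order; the remainder is the
    display name an analyst would report.
    """
    i = 0
    while i < len(name) and name[i] in "!*":
        i += 1
    return set(name[:i]), name[i:]


def classify(v: AutostartValue) -> Dict[str, object]:
    """Apply the Run / RunOnce rules from the lecture to one value."""
    flags, bare = parse_prefixes(v.name)
    # Run values fire at every logon; RunOnce values are deleted after
    # one use unless the name carries the '!' prefix.
    persistent = v.key == "Run" or "!" in flags
    # Both keys are ignored in safe mode unless the '*' prefix is set.
    safe_mode = "*" in flags
    notes: List[str] = []
    if v.key == "RunOnce":
        notes.append("RunOnce should be empty once its value has run; "
                     "a remaining value deserves a closer look")
        if "!" in flags:
            notes.append("'!' prefix: value is not removed before it runs "
                         "and behaves like a Run entry (persistent)")
    if safe_mode:
        notes.append("'*' prefix: runs even when Windows starts in safe mode")
    return {"key": v.key, "name": bare, "command": v.command,
            "persistent": persistent, "safe_mode": safe_mode, "notes": notes}


def triage(values) -> List[Dict[str, object]]:
    """Classify every value; the caller decides what to report."""
    return [classify(v) for v in values]


def load_from_hive(path: str) -> List[AutostartValue]:
    """Read both keys from an offline NTUSER.DAT using python-registry.

    Assumption: python-registry is installed; it is needed only here.
    """
    from Registry import Registry  # third-party, imported lazily
    reg = Registry.Registry(path)
    found: List[AutostartValue] = []
    for label, rel_path in (("Run", RUN_PATH), ("RunOnce", RUNONCE_PATH)):
        try:
            key = reg.open(rel_path)
        except Registry.RegistryKeyNotFoundException:
            continue  # key absent in this hive; nothing to report
        for val in key.values():
            found.append(AutostartValue(label, val.name(), str(val.value())))
    return found


# Constructed sample mirroring the two values seen in Ivan's hive, plus a
# placeholder RunOnce entry (made-up path) to show how prefixes are reported.
SAMPLE_VALUES = [
    AutostartValue("Run", "OneDrive",
                   r"C:\Users\Ivan\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    AutostartValue("Run", "GoogleDriveSync",
                   r"C:\Program Files\Google\Drive\googledrivesync.exe /autostart"),
    AutostartValue("RunOnce", "!PLACEHOLDER_UPDATER",
                   r"C:\Users\Ivan\AppData\Local\Temp\PLACEHOLDER.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_VALUES):
        print(f"[{f['key']}] {f['name']}: {f['command']}")
        print(f"    persistent={f['persistent']} safe_mode={f['safe_mode']}")
        for note in f["notes"]:
            print(f"    - {note}")
```

On a real case, replace `SAMPLE_VALUES` with `load_from_hive(r"path\to\NTUSER.DAT")`; because the hive is per user, the context each command would run in is that user's, which is why the report keeps the key name next to every entry.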