Do you know the RunOnce key in the Windows registry? If not, read on: we first look at what it does, and then at the options Microsoft documents for it.
Programs and services can add a command there, which Windows runs once on the next startup and then deletes.
However, Windows also supports options that keep the entry from being deleted. That is a questionable design, especially when it is publicly advertised in the documentation.
RunOnce lives in the registry under both the machine-wide (HKLM) and the per-user (HKCU) hives:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Applications place entries under these keys so that they can, for example, finish certain operations on the first boot after installation.
But any malware could do the same and simply drop its own commands there. This would be less of a problem if RunOnce always ran a command at startup and then deleted it automatically.
Microsoft has published a documentation page (it was available by 2018) with more information about the Run and RunOnce keys. By default, the value of a RunOnce entry is deleted before its command line is run.
But Microsoft says:
You can prefix the name of a RunOnce value with an exclamation mark (!) to postpone deleting the value until after the command has run. Without the exclamation mark, the program will not run the next time your computer starts if the RunOnce operation fails.
There is even an option that malicious users will love. By default these keys are ignored when Windows starts in Safe Mode, but if you prefix a value name with an asterisk (*) the command in RunOnce runs even in Safe Mode.
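The two prefixes above are exactly what a defender should look for when triaging RunOnce entries. The script below is an added example for this page, not Microsoft's or any vendor's code: it parses the text of a `.reg` dump of both RunOnce keys (as produced by `reg export`, decoded from UTF-16LE to a string first), recovers REG_SZ and REG_EXPAND_SZ command lines, and flags values whose name starts with `!` or `*`, plus commands that live in a user-writable location such as %TEMP% or Users\Public, where a legitimate installer rarely finishes its setup. The registry dump embedded in it is constructed for illustration; the paths in it are not real malware.

```python
"""Offline triage of RunOnce entries from a `reg export` dump.

Added example for this page, not Microsoft's or any vendor's code. It assumes
the input is the text of a .reg file, e.g. produced on the host by
    reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" hklm.reg
and decoded to str (reg.exe writes UTF-16LE with a BOM). The dump below is
constructed for illustration; the paths in it are not real malware.
"""
import re
from dataclasses import dataclass, field

RUNONCE_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}

# Locations any interactive user can write to. A legitimate installer usually
# finishes setup from Program Files; a RunOnce command here deserves a look.
USER_WRITABLE = ("%temp%", "%tmp%", "%appdata%", "%localappdata%",
                 "\\appdata\\", "\\temp\\", "\\users\\public\\")

_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)$')


@dataclass
class Entry:
    key: str
    name: str                         # value name as stored, prefix included
    command: str
    flags: list[str] = field(default_factory=list)


def _unescape(s: str) -> str:
    """.reg strings escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def _logical_lines(text: str):
    """reg.exe wraps long hex values; a trailing backslash continues the line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def parse_reg_export(text: str) -> list[Entry]:
    """Return the string values found under either RunOnce key.

    REG_SZ values are exported quoted; REG_EXPAND_SZ is exported as hex(2):
    with UTF-16LE bytes. Other types (dword, binary) cannot hold a command
    line and are skipped.
    """
    entries, current = [], None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key if key.lower() in RUNONCE_KEYS else None
            continue
        if current is None or not line.startswith('"'):
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            command = _unescape(data[1:-1])
        elif data.startswith("hex(2):"):
            raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
            command = raw.decode("utf-16-le").rstrip("\x00")
        else:
            continue
        entries.append(Entry(current, name, command))
    return entries


def audit(entries: list[Entry]) -> list[Entry]:
    """Flag the documented RunOnce prefixes plus a suspicious command location."""
    for e in entries:
        prefix = re.match(r"[!*]*", e.name).group(0)
        if "!" in prefix:
            e.flags.append("'!' prefix: value is kept until the command has run")
        if "*" in prefix:
            e.flags.append("'*' prefix: runs even in Safe Mode")
        if any(marker in e.command.lower() for marker in USER_WRITABLE):
            e.flags.append("command lives in a user-writable location")
    return [e for e in entries if e.flags]


# Constructed sample in reg.exe's export format (not from a real host).
SAMPLE_DUMP = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetupCleanup"="\"C:\\Program Files\\Vendor\\setup.exe\" /finish"
"*!Updater"="C:\\Users\\Public\\update.exe /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"!Sync"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,\
  73,00,2e,00,65,00,78,00,65,00,00,00
"Flag"=dword:00000001
"""

if __name__ == "__main__":
    for hit in audit(parse_reg_export(SAMPLE_DUMP)):
        print(f"{hit.key}\n  {hit.name!r} -> {hit.command}")
        for flag in hit.flags:
            print("    -", flag)
```

On the sample, `SetupCleanup` (an ordinary installer entry under Program Files) produces no finding, while `*!Updater` is flagged three times (Safe Mode prefix, deferred deletion, user-writable path) and `!Sync` twice. A value that is flagged only for the `!` prefix is not necessarily malicious, since Microsoft documents that prefix for installers that must survive a failed first run; the location of the command is usually the more telling signal.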
The icing on the cake is Microsoft's warning that a program run from these keys should not write to the key while it is running, because this interferes with the execution of other programs registered under it.
It also states that applications should use the RunOnce key only for transient conditions, such as completing application setup, and should not continually recreate entries under RunOnce, because this interferes with Windows Setup.