Do you know the RunOnce key in the registry? If not, we will cover where to find it below, after we look at what it does.
Various programs and services can add a command there; it runs once at the next Windows startup and is then deleted.
However, Windows supports several options that force the value not to be deleted, which is a mistake, especially when it is advertised.
RunOnce can (as mentioned above) be found in the registry at the following HKLM and HKCU paths:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
These keys are used by various applications that place entries there to, for example, let certain functions start on the first boot after installation.
But any malware could do the same: it could simply drop its own commands there. This would not be a big problem if RunOnce ran a command at startup and then deleted it automatically.
Microsoft seems to have published, by 2018, a web page with more information about the Run and RunOnce keys. By default, the RunOnce value is deleted before the command line is executed.
But Microsoft also says:
You can prefix the name of a RunOnce value with an exclamation mark (!) to defer deleting the value until after the command has run. Without the exclamation mark, the associated program will not run the next time your computer starts if the RunOnce operation fails.
There is yet another option that malicious users will love. If you add an asterisk (*) before the name of a value, the command in RunOnce runs even in Safe Mode, instead of being ignored.
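The following PowerShell snippet is an added audit example, not part of the original article and not Microsoft's own code. It enumerates both RunOnce keys mentioned above and flags any value whose name carries the exclamation-mark or asterisk prefix, so an administrator or responder can spot entries that will survive a failed run or execute in Safe Mode. The function name `Get-RunOnceAudit` and the flag labels are assumptions chosen for this example.

```powershell
# Added example (not from the original article): list RunOnce entries under
# HKLM and HKCU and flag the '!' and '*' name prefixes described in the text.
$runOncePaths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunOnceAudit {
    # Hypothetical helper name; returns one object per RunOnce value found.
    param([string[]]$Paths = $runOncePaths)

    foreach ($path in $Paths) {
        # Absent key means nothing is queued for the next boot in that hive.
        if (-not (Test-Path -Path $path)) { continue }

        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            $command = $key.GetValue($name)
            $flags = @()

            # A leading '!' (possibly after '*') defers deletion until the
            # command has run, so a failed command stays queued for next boot.
            if ($name.TrimStart('*').StartsWith('!')) { $flags += 'persists-on-failure' }

            # A leading '*' (possibly after '!') makes the entry run in Safe Mode
            # instead of being ignored there.
            if ($name.TrimStart('!').StartsWith('*')) { $flags += 'runs-in-safe-mode' }

            [pscustomobject]@{
                Hive    = $path
                Name    = $name
                Command = $command
                Flags   = ($flags -join ',')
            }
        }
    }
}

# Print a table; review any row with a non-empty Flags column first.
Get-RunOnceAudit | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM key is readable; entries with an empty Flags column are ordinary one-shot values that Windows removes before running them.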
The icing on the cake is Microsoft's warning that a program run from these keys should not write to the RunOnce key while it runs, as this will interfere with other programs that have RunOnce entries.
It states that applications should use the RunOnce key only for temporary needs, such as completing application setup. An application should not continually create entries in RunOnce, as this will interfere with the installation of Windows.