An analyst is investigating a Windows host suspected of malware persistence. Which registry key is commonly used by malware to run a program every time a user logs in, located under both HKLM and HKCU?
Trap 1: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
This is also a Run key, but it is less commonly used; the question asks for the typical Run/RunOnce keys.
Trap 2: HKLM\SYSTEM\CurrentControlSet\Services
This key stores service configuration, not Run/RunOnce.
Trap 3: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File…
This key is used for debugging or hijacking executables, not for Run/RunOnce.
- A
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Why wrong: This is also a Run key, but it is less commonly used; the question asks for the typical Run/RunOnce keys.
- B
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
This is a correct Run key for the current user.
- C
HKLM\SYSTEM\CurrentControlSet\Services
Why wrong: This key stores service configuration, not Run/RunOnce.
- D
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Why wrong: This key is used for debugging or hijacking executables, not for Run/RunOnce.