Malware Persistence Techniques – Hacker’s Pandora Box

Malware Persistence Techniques

Hi readers! The agenda of this article is to give a brief overview of the registry keys and the ways malware authors use in order to achieve persistence so as to evade detection by traditional security technology. Malware often uses the registry for persistence or configuration data. And as soon as the malware gets inside the victim's machine it tries to modify several registry keys to achieve persistence. The malware adds entries into the registry that will allow it to run automatically when the computer boots up or a user logs in.

But before we deep dive into the malware persistence techniques lets just first focus on the registry as you will need to know a few important registry terms in order to have a better understanding of the malware persistence techniques.

  • Root Key – The windows registry is divided into five top-level sections called the root keys. Each of these root keys serves a particular purpose.

  • Subkey – A subkey is like a subfolder within a folder.

  • Key – A key is a folder in the registry that can contain additional folders or values.

  • Value entry – A value entry is an ordered pair with a name and value.

  • Value or data – Data stored in a registry key.

So, the root keys which I mentioned above is actually split into the following five keys:

  • HKEY_LOCAL_MACHINE (HKLM) – Stores settings that are global to the local machine.

  • HKEY_CURRENT_USER (HKCU) – Stores settings to the specific user

  • HKEY_CLASSES_ROOT (HKCR) – Contains file extensions associated information.

  • HKEY_CURRENT_CONFIG – Stores settings about the current hardware configuration, especially differences between the current and the standard configuration

  • HKEY_USERS – Defines settings for the default user, new users, and current users.

Out of these five keys, the two most commonly used keys are HKLM and HKCU. HKLM being the root key, which stores the subkeys of SOFTWARE, Microsoft, Windows, CurrentVersion and Run. As you now have already got the idea that malware persists mainly with the help of registry keys and writing entries to the Run subkey is a well-known way to set up the software to run automatically, the next time computer boots. While it's not a very stealthy technique, it is often used by malware to launch itself automatically.

Some Common Ways Malware Authors Use In Order to Achieve Persistence:

Run/RunOnce Keys

Malware achieves persistence by modifying the registry keys in one of AutoStart Extention Points (ASEPs). Below are some of the registry keys that malware mostly achieves its persistence by editing the registry keys at User Level:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

If the malware is able to gain admin privileges, it will infect some of the keys at admin/system-level privileges:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run


Apart from the above registry keys that malware exploits, malware sometimes also exploits other keys that are used to start background services like remote registry service. The malware registers itself as a service and persists itself in the registry keys. These keys are located at:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Services\Once

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Services

Startup Keys

Malware authors place their malicious files under startup directory and create a shortcut to the location pointed by the subkey Startup which will launch the service automatically on login/reboot. Startup keys are located at both Local Machine and Current User:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

BootExecute Key

From the name itself, it has to do something with the system boot. When the system boots up it loads several processes in order for the smooth execution of the boot process. One such process is the Session Manager Subsystem (smss.exe), a component of the Microsoft Windows family of Operating systems, which is responsible for starting the user session. This is the first user-mode process selected by the kernel and since, smss.exe launches before windows subsystem loads, it calls configuration subsystem to load the hive present at:

  • HKLM\SYSTEM\CurrentControlSet\Control\hivelist

Also, smss.exe will launch anything present in the BootExecute key at

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager

It should always have the value of autocheck autochk*. If there are more values in it, then probably the malware is likely to launch at boot.