What are Run Keys in the Registry?

Many programs and tools use Windows Run keys and services to start up or load automatically whenever the Windows OS is booted. While this mechanism can be a necessary convenience, it can also be problematic when accessed by a malicious program.

Run keys and Services are part of the registry, a hierarchical database housing the settings that run the Windows operating system, its services and Windows-supported applications. There are seven Run keys in total and five Service types.

List of Run keys that are in the Microsoft Windows Registry:

  1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  2. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  3. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  4. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  5. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  6. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  7. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup

In the list above, Run keys #1 through #4 are processed once during login or at the boot stage, #5 and #6 are processed or run in the background, and Run key #7 is used solely for Setup or when the Windows Add/Remove Programs Wizard is being used. By default, Run keys are ignored in Safe Mode, although there are ways to get around this setting.

So what is the difference between Run keys, which start up or load programs and Services at boot, and the Startup Folder, which is also used to run applications automatically? The operating system follows a specific order when it looks for programs to run automatically; the Windows Registry takes priority over the Startup Folder. The Windows Registry not only houses services that start up applications, but also houses services critical to running the operating system. Therefore, one should use the default startup option when installing background programs, e.g. Internet security tools and antivirus, so scans can be automatic. This way you stay clear of the Windows Registry and avoid editing missteps that could cripple the operating system and leave you staring at the blue screen of death (BSOD).

Many malicious programs misuse Run keys to loop their malicious programs so they run each and every time Windows is started. A malicious Run key is usually what is behind the re-emergence of a malicious attack at each new boot after either a manual removal attempt or the use of a subpar antivirus or anti-spyware tool. Matters are complicated further when the malicious program stores and automatically runs its malicious executable from memory. If a malware removal tool cannot find the malicious program and its supporting components, it simply cannot end your nightmare, i.e. remove the offender. Because rootkits help mask and bury files in the Windows Registry or a whitelisted area, it is best to use a professional anti-malware solution and suite to disinfect your system, restore corrupted files and remove malicious Run keys and Services in the Windows Registry.
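
A read-only way to review what the seven Run keys listed above currently launch, as an added example that is not part of the original article: it lists every value, resolves the executable each one points to, and reports whether that file exists and what its Authenticode signature status is. The helper name Get-CommandTarget and its path-parsing rule are assumptions made for this illustration.

```powershell
# Added example: read-only audit of the seven Run keys listed in this article.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup'
)

function Get-CommandTarget {
    # Hypothetical helper: pull the executable path out of a Run value such as
    # '"C:\Program Files\App\app.exe" /background' or 'C:\Tools\t.exe -q'.
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }          # quoted path
    if ($expanded -match '^(.+?\.(exe|com|bat|cmd|dll))(\s|,|$)') {    # unquoted path
        return $Matches[1]
    }
    return ($expanded -split '\s+')[0]                                 # fallback: first token
}

$report = foreach ($path in $runKeys) {
    if (-not (Test-Path -LiteralPath $path)) { continue }   # key not present on this system
    $key = Get-Item -LiteralPath $path
    foreach ($name in $key.GetValueNames()) {
        $command = [string]$key.GetValue($name)
        $target  = Get-CommandTarget $command
        # Guard against empty targets before touching the file system.
        $exists  = [bool]($target -and (Test-Path -LiteralPath $target -PathType Leaf))
        $sig     = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $target).Status } else { 'n/a' }
        [pscustomobject]@{
            Key       = $path
            Name      = $name
            Command   = $command
            Target    = $target
            Exists    = $exists
            Signature = $sig
        }
    }
}

$report | Sort-Object Key, Name | Format-Table -AutoSize -Wrap
```

Entries whose target is given without a full path show Exists as False and need manual review; a missing or unsigned target marks an entry for closer inspection, not as confirmed malware.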