Persistence can live in many places in Windows, but ~80% of it is found in a few registry locations.
Registry definition: The Registry contains information that Windows continually references during operation, such as profiles for each user, the applications installed on the computer and the types of documents that each can create, property sheet settings for folders and application icons, what hardware exists on the system, and the ports that are being used.
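It is broken down into hives, including HKCU and HKLM. HKCU (HKEY_CURRENT_USER) holds settings for the current user. HKLM (HKEY_LOCAL_MACHINE) holds settings for the local machine.
These are the most common places for persistence. Note: to remove the persistence, you will need to delete the malicious entries from these keys.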
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
To see what is in a key, you just need to use "reg query <Registry key location>".
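
Added example (not from the original page): when "reg query" output for the four keys above has been saved as text, for instance collected from several hosts, this Python code parses it into entries and marks the ones worth a closer look. The sample output, the entry names in it and the REVIEW_HINTS list are constructed assumptions.

```python
import re

# The four autorun keys from the list above, lower-cased for comparison.
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}

# "reg query" prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")

# Assumption: triage hints chosen for this example (user-writable paths and
# script hosts). A hit means "look closer", not "malicious".
REVIEW_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "%temp%",
                "%appdata%", "powershell", "wscript", "mshta")

def parse_reg_query(text):
    """Return one dict per value found under one of the four autorun keys."""
    entries, key = [], None
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if line.upper().startswith("HKEY_"):
            key = line.strip()  # key header line, not indented
        elif m and key and key.lower() in AUTORUN_KEYS:
            entry = {"key": key, **m.groupdict()}
            entry["review"] = [h for h in REVIEW_HINTS if h in entry["data"].lower()]
            entries.append(entry)
    return entries

# Constructed sample output (not from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Example Updater    REG_SZ    "C:\Users\alice\AppData\Roaming\upd\upd.exe" /silent

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    cleanup    REG_SZ    powershell -File C:\Users\Public\c.ps1
"""

if __name__ == "__main__":
    for e in parse_reg_query(SAMPLE):
        flag = "REVIEW" if e["review"] else "ok"
        print(f'{flag:6} {e["key"]} -> {e["name"]} = {e["data"]}')
```

Entries that are marked for review still need to be checked against what is expected on that host before anything is deleted.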