Forensics on Registry Run keys in Windows.
MDE Registry Run Keys Forensics
Query
let CompromisedDevices = dynamic (["workstation01", "server1"]);
let SearchWindow = 7d; //Customizable h = hours, d = days
DeviceRegistryEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName has_any (CompromisedDevices)
| where RegistryKey endswith @'\Software\Microsoft\Windows\CurrentVersion\Run' or RegistryKey endswith @'\Microsoft\Windows\CurrentVersion\RunOnce'
| project-reorder Timestamp, ActionType, DeviceId, DeviceName, RegistryKey, PreviousRegistryValueData, InitiatingProcessCommandLineAbout this query
Forensics on Registry Run keys in Windows.
Query Information
Description
Registry Run keys can be used to establish persistence on a device.
The detection covers the following registry key paths:
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Defender XDR
Sentinel
let CompromisedDevices = dynamic (["workstation01", "server1"]);
let SearchWindow = 7d; //Customizable h = hours, d = days
DeviceRegistryEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName has_any (CompromisedDevices)
| where RegistryKey endswith @'\Software\Microsoft\Windows\CurrentVersion\Run' or RegistryKey endswith @'\Microsoft\Windows\CurrentVersion\RunOnce'
| project-reorder TimeGenerated, ActionType, DeviceId, DeviceName, RegistryKey, PreviousRegistryValueData, InitiatingProcessCommandLine
Explanation
This query is designed to help identify potential persistence mechanisms on Windows devices by examining specific registry keys that are commonly used to run programs automatically when the system starts. Here's a simple breakdown of what the query does:
-
Purpose: The query is used for forensic analysis to detect if any suspicious or unauthorized programs are set to run automatically on compromised devices by examining certain registry keys.
-
Registry Keys Monitored: It looks at the following registry paths, which are known for being used to establish persistence:
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunHKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceHKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunHKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceHKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunHKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
-
Scope: The query focuses on devices that are suspected to be compromised, specifically "workstation01" and "server1".
-
Time Frame: It examines registry events that occurred within the last 7 days, but this time frame can be adjusted.
-
Output: The query retrieves and organizes data about registry events, including:
- The time the event was generated
- The type of action performed
- The device ID and name
- The specific registry key involved
- The previous value of the registry key
- The command line of the process that initiated the change
This query is useful for security analysts to track and investigate potential persistence mechanisms on compromised devices.
Details

Bert-Jan Pals
Released: September 30, 2025
Tables
Keywords
Operators