runkeys
$ target-query <path/to/target> -f runkeys
Module documentation
Plugin that iterates various Runkey locations.
Function documentation
Iterate various run key locations. See source for all locations.
Run keys (Run and RunOnce) are registry keys that make a program run when a user logs on. A Run key runs the program every time the user logs on, while a RunOnce key makes the program run once and deletes the key afterwards. Run keys are often leveraged as a persistence mechanism.
Yields RunKeyRecords with fields:
hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): The registry key last modified timestamp.
name (string): The run key name.
command (command): The run key command.
key (string): The source key for this run key.
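
A triage pass over records with the fields listed above, as an added example that is not part of the plugin or its documentation. It assumes the records have been exported as plain dicts with `command` as a string; the heuristics, helper names and sample records are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Heuristics are assumptions chosen for this example, not plugin behaviour.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public|downloads)\\", re.I)
INTERPRETER = re.compile(r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b", re.I)

def reasons(record):
    """Return why a run key entry deserves a closer look (empty list if none)."""
    cmd = str(record["command"] or "")
    found = []
    if USER_WRITABLE.search(cmd):
        found.append("user-writable path")
    if INTERPRETER.search(cmd):
        found.append("script host or interpreter")
    if record["key"].lower().endswith("\\runonce"):
        found.append("RunOnce entry")
    return found

def review(records, since=None):
    """Return (hostname, name, reasons) for every flagged entry.

    ts is the last-modified time of the registry key, shared by every value
    under that key, so `since` narrows by key and not by individual entry.
    """
    hits = []
    for r in records:
        if since is not None and r["ts"] < since:
            continue
        why = reasons(r)
        if why:
            hits.append((r["hostname"], r["name"], why))
    return hits

def _rec(month, day, name, command, key):
    # Constructed sample record using the field names from the list above.
    return {"hostname": "WS01", "domain": "corp.example",
            "ts": datetime(2024, month, day, tzinfo=timezone.utc),
            "name": name, "command": command, "key": key}

RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = [
    _rec(3, 1, "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe", "HKLM\\" + RUN),
    _rec(3, 12, "Updater", r"C:\Users\alice\AppData\Roaming\upd\updater.exe --silent", "HKCU\\" + RUN),
    _rec(2, 1, "Setup", r'powershell.exe -File "C:\ProgramData\setup.ps1"', "HKLM\\" + RUN + "Once"),
]

if __name__ == "__main__":
    for host, name, why in review(SAMPLE):
        print(f"{host}: {name}: {', '.join(why)}")
```
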