Registry Run Keys / Startup Folder
10 syscalls implement this technique
- NtCreateKey
Creates or opens a registry key — the kernel-level primitive behind every persistence beacon written to the registry.
- NtDeleteValueKey
Removes a single named value from an open registry key, leaving the key itself intact.
- NtSetValueKey
Writes a named value into an open registry key — the workhorse for Run-key and IFEO persistence.
- NtEnumerateKey
Enumerates subkeys of a registry key — used to walk AutoRun, IFEO and Services for persistence discovery.
- NtRenameKey
Renames an existing registry key in place — no Win32 wrapper, callable only via the NT API.
- NtRestoreKey
Overwrites a registry key's contents from a hive file — replaces subtrees in bulk.
- NtFlushKey
Forces all pending changes to a registry key to be written to its backing hive on disk.
- NtNotifyChangeKey
Registers an asynchronous notification for changes to a registry key and (optionally) its subtree.
- NtNotifyChangeMultipleKeys
Registers a single notification request that fires when any of several registry keys changes.
- NtCreateFile
Creates or opens a file, directory, device, or named pipe — every dropper's first call to disk.