This repository gathers information about Windows persistence mechanisms to make protection and detection more efficient. Most of the information has been well known for years and is actively used in various scenarios.
Expect more. I am doing my best to add new entries each day.

How it works. And how to contribute.

👨‍💼 HKCU Run and RunOnce registry keys

👨‍💼 ⚙ Task Scheduler

Image File Execution Options key

Windows Services


WER Debugger *

Natural Language Development Platform 6 DLLs *

GPO Client-side Extension

Filter Handlers for Windows Search

Disk Cleanup Handler

👨‍💼 .chm helper DLL *

hhctrl.ocx *

AMSI Providers


Password Filter

Credential Manager DLL

Authentication Packages

Code Signing DLL

👨‍💼 HKCU cmd.exe AutoRun

LSA Extension

Winlogon Notification Package

Print Monitor

👨‍💼 HKCU Load


Windows Platform Binary Table

Explorer tools *

👨‍💼 Windows Terminal Profile

👨‍💼 Startup Folder

👨‍💼 User Init Mpr Logon Script *

Autodial DLL *

.NET Startup Hooks

👨‍💼 PowerShell Profiles

👨‍💼 TS Initial Program

RDP WDS Startup Programs


Recycle Bin COM Extension Handler *


Monitoring Silent Process Exit

Desired State Configuration

👨‍💼 Screen Saver

Netsh extension DLL

Boot Verification Program

👨‍💼 File Extension Hijacking

👨‍💼 Keyboard Shortcut *

Want more? Check the list tomorrow. :)

* Based on research by @Hexacorn, one of the best persistence hunters.

⚙ Turning the computer on is enough to make the code run.
👨‍💼 An end user can do it.