Wren Howell
May 10, 2025

Looking at Windows Persistence Mechanisms

Posted on May 10, 2025  •  5 minutes  • 857 words

Recently, I had to write a playbook on common persistence mechanisms. Even though there are a lot of resources on this, I did not want to rebuild a Windows persistence playbook from scratch again. This is not a comprehensive list of all the places persistence can occur on Windows, but it is a start, and the order runs from the most common locations to lesser-known ones. This page is going to be a work in progress as I add more persistence locations in the future.

What is persistence?

Persistence is “the characteristic of a state that outlives the process that created it.” Breaking down the language in a more straightforward way, persistence is the ability of software, configurations, or data to remain even after the system is restarted or shut down. Persistence is essential for computers to run smoothly, but threat actors use persistence to maintain unauthorized access to a machine.

What are some common Windows Persistence locations?

Some common Windows persistence locations are covered in the sections below.

What is AutoRun and where is it located?

As a quick reminder, the Windows Registry is a hierarchical database where Windows stores the configuration for users, applications, the system, and hardware.

Common Registry keys where Windows malware establishes persistence for a single user are:

Common Registry keys where Windows malware establishes persistence for all users are:

Another common place where persistence occurs is the Windows Startup folder. Any program in this folder will execute when a user logs on.

The Startup folder is located at:
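The following is an added example, not code from the original post: a PowerShell review script that enumerates the per-user and all-users Run/RunOnce keys and both Startup folders, resolves shortcuts to the binary they launch, and flags commands that start from user-writable locations. The registry paths are well-known Windows locations rather than values quoted from the post, and the "user-writable" regex is a heuristic assumed for this example.

```powershell
# Added example (not from the original post): enumerate the classic autostart
# locations a defender reviews first. The registry paths are well-known Windows
# locations, not values quoted from the post.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    # 32-bit view on 64-bit Windows, easy to forget during a review
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Location = $key
                Name     = $name
                Command  = $item.GetValue($name)
            }
        }
    }
}

function Get-StartupFolderEntries {
    $folders = @(
        [Environment]::GetFolderPath('Startup')        # current user
        [Environment]::GetFolderPath('CommonStartup')  # all users
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $folders) {
        if (-not (Test-Path -Path $folder)) { continue }
        foreach ($file in Get-ChildItem -Path $folder -File -Force | Where-Object Name -ne 'desktop.ini') {
            $command = $file.FullName
            if ($file.Extension -eq '.lnk') {
                # Resolve shortcuts to the binary and arguments they actually launch
                $lnk = $shell.CreateShortcut($file.FullName)
                $command = ('{0} {1}' -f $lnk.TargetPath, $lnk.Arguments).Trim()
            }
            [pscustomobject]@{
                Location = $folder
                Name     = $file.Name
                Command  = $command
            }
        }
    }
}

# Heuristic (an assumption for this example): commands launching from locations
# that normal users can write to deserve the first look.
function Test-UserWritableCommand {
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    return [bool]($expanded -match '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\')
}

$entries = @(Get-RunKeyEntries) + @(Get-StartupFolderEntries)
$entries |
    Select-Object Location, Name, Command,
        @{ Name = 'Suspicious'; Expression = { Test-UserWritableCommand $_.Command } } |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize -Wrap
```

Run it in an elevated prompt so the HKLM keys and the all-users Startup folder are readable. The "Suspicious" column is only a triage aid: legitimate per-user installers (chat clients, updaters) also live under AppData, so compare each flagged command against a known-good baseline from a clean build of the same image rather than treating the flag as a verdict.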

What are Scheduled Tasks?

Scheduled Tasks, or Task Scheduler, is a built-in Windows utility that allows users to automate the execution of programs, scripts, and various tasks at specific intervals or on specific events.

Schtasks.exe is a Windows command-line application for managing scheduled tasks on local or remote computers, such as creating, removing, editing, executing, and terminating tasks.

Scheduled task definitions are stored on disk under:

C:\Windows\System32\Tasks\

Actors register programs as scheduled tasks so that they execute at a particular time or interval, and to try to evade detection by blending in with the many legitimate tasks that already run on a system.
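Because malicious tasks are designed to blend in, the useful review is not "list the tasks" but "list what each task actually launches". The following added example (not code from the original post) uses the ScheduledTasks module to pair every task with the executable and arguments of each of its actions, its last and next run times, and a flag for actions launching from outside the usual system and program directories. The expected-directory list and the flag logic are assumptions made for this example.

```powershell
# Added example (not from the original post): list every scheduled task together
# with the executable each action launches and flag those that run from outside
# the usual system and program directories. The expected-directory list is an
# assumption for this example, not a rule from the post.
$expectedDirs = @(
    "$env:SystemRoot\"
    "$env:ProgramFiles\"
    "${env:ProgramFiles(x86)}\"
)

function Resolve-TaskExecutable {
    param([string]$Execute)
    # Expand %SystemRoot%-style variables and drop surrounding quotes so the
    # value can be compared against directories and tested on disk.
    return [Environment]::ExpandEnvironmentVariables($Execute).Trim('"')
}

function Get-ScheduledTaskReview {
    foreach ($task in Get-ScheduledTask) {
        $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute property; only Exec actions do.
            if (-not $action.Execute) { continue }
            $exe = Resolve-TaskExecutable $action.Execute
            $expected = $false
            foreach ($dir in $expectedDirs) {
                if ($exe -like "$dir*") { $expected = $true }
            }
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                Author    = $task.Author
                State     = $task.State
                Execute   = $exe
                Arguments = $action.Arguments
                LastRun   = $info.LastRunTime
                NextRun   = $info.NextRunTime
                Flag      = $(if ($expected) { '' } else { 'outside expected dirs' })
            }
        }
    }
}

Get-ScheduledTaskReview |
    Sort-Object Flag -Descending |
    Format-Table Task, Author, State, Execute, Arguments, LastRun, Flag -AutoSize -Wrap
```

Bare executable names such as cmd.exe or powershell.exe are flagged too, since they carry no directory; those are worth reading anyway, because the interesting content is then in the Arguments column. For a task that warrants a closer look, Export-ScheduledTask returns the same XML definition that lives under C:\Windows\System32\Tasks\, which is what you would preserve as evidence.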

What is DLL Hijacking?

DLL Hijacking abuses legitimate features of the Windows OS. Some examples of DLL Hijacking are DLL Search Order Hijacking, Phantom DLL Hijacking, and DLL Side-Loading.

What are Windows Services?

Windows Services are programs that are intended to run in the background without user interaction. Services start when the operating system first boots and are implemented as either executables or DLLs. If the computer were a TV network like ESPN, the Windows Services would be the backroom staff that make the broadcast go smoothly.

Because there are so many Windows Services running, many of them are implemented as DLLs rather than standalone executables to save resources. When the operating system is running, it is normal to see several instances of svchost.exe, a generic Windows host process, running in the background.

Another type of Windows service is the Windows Service Control Manager (services.exe), which is an interface for managing and manipulating services. The Service Control Manager is accessible to users via GUI components as well as system utilities such as sc.exe and net.

The Service Registry Keys are located at:
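The point about services being implemented as DLLs matters for review work: for an svchost-hosted service the ImagePath is just svchost.exe, and the code that actually runs is named by the ServiceDll value instead. The following added example (not code from the original post) walks the service registry keys, resolves the real binary or ServiceDll for each service, and checks its Authenticode signature so that unsigned or missing targets surface first. The path-normalisation rules and the review criteria are assumptions made for this example.

```powershell
# Added example (not from the original post): walk the service registry keys,
# resolve the binary each service points at (or the ServiceDll for svchost-hosted
# services) and check its Authenticode signature. Path-normalisation rules and
# the review criteria are assumptions made for this example.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startTypes  = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

function Resolve-ServiceBinary {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    $p = $p -replace '^\\\?\?\\', ''                          # \??\C:\... prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # \SystemRoot\system32\...
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)                             # "quoted path" arguments
        $p = if ($end -gt 1) { $p.Substring(1, $end - 1) } else { $p.Trim('"') }
    } else {
        # Unquoted: take the first token. An unquoted path that itself contains
        # spaces cannot be resolved this way and is worth flagging on its own.
        $p = ($p -split ' ')[0]
    }
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # e.g. system32\drivers\x.sys
    return $p
}

function Get-ServiceReview {
    foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props.ImagePath) { continue }     # group/parameter keys with no image
        $target = Resolve-ServiceBinary $props.ImagePath
        $hosted = $false
        if ($target -like '*\svchost.exe') {
            # svchost-hosted services keep their real code in ServiceDll, stored either
            # on the service key itself or under its Parameters subkey.
            foreach ($sub in @($key.PSPath, "$($key.PSPath)\Parameters")) {
                $dll = (Get-ItemProperty -Path $sub -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
                if ($dll) { $target = Resolve-ServiceBinary $dll; $hosted = $true; break }
            }
        }
        $status = 'FileMissing'; $signer = $null
        if (Test-Path -LiteralPath $target) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $target -ErrorAction SilentlyContinue
            $status = [string]$sig.Status
            $signer = $sig.SignerCertificate.Subject
        }
        [pscustomobject]@{
            Service   = $key.PSChildName
            Start     = $(if ($null -ne $props.Start) { $startTypes[[int]$props.Start] } else { $null })
            Target    = $target
            SvcHosted = $hosted
            Signature = $status
            Signer    = $signer
            Review    = ($status -ne 'Valid')
        }
    }
}

Get-ServiceReview |
    Where-Object Review |
    Format-Table Service, Start, Target, Signature, Signer -AutoSize -Wrap
```

Run this elevated so every service key is readable. Treat the output as a triage list rather than a verdict: some legitimate Windows components are catalog-signed and can report NotSigned on older systems, and a FileMissing result can be a leftover key from an uninstalled product as easily as a deleted implant. The combination to look at first is an Auto-start service whose target lives outside %SystemRoot% and %ProgramFiles% and whose signature is not Valid.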
