Skip to content

Name the common ways malware persists on a Windows host across reboots, and how you would hunt for them.

Short answer

Persistence is how malware survives reboots and logoffs. The staples on Windows are registry Run/RunOnce keys (HKLM and HKCU), scheduled tasks, and Windows services, plus startup folders, WMI event subscriptions, and DLL hijacks. You hunt them with autoruns/Sysinternals, Sysmon, and event logs — looking for unsigned binaries, odd paths like %AppData%, and entries created right after initial compromise.

Persistence is the attacker's answer to "what happens when the machine reboots?" If the implant cannot survive a restart or logoff, the intrusion dies. Interviewers ask this to see whether you know where attackers hide and, just as important, where you would look during a hunt or IR.

The staple mechanisms

  • Registry Run keys...\CurrentVersion\Run and RunOnce under both HKLM (runs for every user, needs admin) and HKCU (runs at that user's logon). Simple, common, and easy to inspect.
  • Scheduled tasks — created via schtasks or the Task Scheduler; can run at logon, on a timer, or on an event, often under SYSTEM. Stored under C:\Windows\System32\Tasks.
  • Windows services — registered under ...\Services; auto-start services launch at boot with high privilege, making them attractive for durable footholds.

Beyond these, watch the Startup folder, WMI permanent event subscriptions (fileless and stealthy), DLL search-order hijacking, and accessibility/IFEO "image hijacks." MITRE ATT&CK catalogs dozens under the Persistence tactic.

How to hunt

Baseline what should auto-start, then look for deviations. Sysinternals Autoruns enumerates virtually every autostart location and flags unsigned entries. Sysmon logs process creation, registry modifications, and service installs; correlate with Security/System logs (e.g., service-install events). Red flags: binaries running from %AppData%, %Temp%, or C:\Users\Public, random file names, unsigned executables, and entries created in the same window as the initial compromise.

Why this matters

A solid answer lists the big three (run keys, scheduled tasks, services), notes the HKLM vs HKCU privilege/scope difference, mentions stealthier options like WMI, and explains the hunting approach. That demonstrates you can both find a foothold and reason about how an attacker thinks about durability.

Likely follow-ups

  • What is the difference in scope between an HKLM and an HKCU run key?
  • Why are WMI event subscriptions a stealthier persistence method?
  • Which Sysmon event IDs help detect new services or scheduled tasks?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.