[German]Most Windows insiders have come across the RunOnce key in the registry. Programs and services can enter a command there, which is executed once at the next Windows start and then deleted. However, Windows supports various options to force the key to be evaluated in safe mode or to prevent the entry from being deleted if the command isn't executed.
Advertising
I myself have never actually needed the RunOnce key in the registry, which exists machine-wise (HKLM) and user-wise (HKCU), but knew it existed.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Programs like to put an entry there to be able to start certain things at the first start after installation. But malware could also insert it's commands there.
Similar to the Twitter user above, I was amazed to see that Microsoft has now, since 2018, published a web page with more details about the Run and RunOnce keys (must have published my registry books 20 years too early). By default, the RunOnce key value is cleared before running the command line. But Microsoft writes:
You can prefix the name of a RunOnce value with an exclamation mark (!) to defer deleting the value until after the command is executed. Without the exclamation point, the associated program will not be prompted to run the next time the computer is started if the RunOnce operation fails.
And there is one more option; an asterisk (*) preceding the name of a value causes the RunOnce entry to be executed rather than ignored in safe mode.
Advertising
Attention: Microsoft warns, that a program run from any of these keys should not write to the key during its execution because this will interfere with the execution of other programs registered under the key. Applications should use the RunOnce key only for transient conditions, such as to complete application setup. An application must not continually recreate entries under RunOnce because this will interfere with Windows Setup.
