Windows Persistence Techniques: Registry, WMI, COM, Scheduled Tasks
A field guide to durable Windows persistence: classic Run keys, WMI event subscriptions, COM hijacks, scheduled task abuse, and the detection signals each one leaves behind.
By Arjun Raghavan, Security & Systems Lead, BIPI · April 20, 2025 · 11 min read
Persistence is a tradeoff
Every persistence technique is a bet: more durability usually means more noise. The mature operator picks one loud channel for fallback and one quiet channel for primary, then layers a third for break-glass.
Registry Run keys (loud but reliable)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- RunOnce variants (the value is deleted once it fires, so a single execution) and the IFEO Debugger value under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<target.exe>, which makes Windows launch your binary every time the target image is started
- Winlogon Userinit and Shell values under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (Shell can also be set per user under HKCU) for execution at every interactive logon, not at boot
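The sweep a responder runs over those locations, added here as an example and not code from the article: it lists every Run/RunOnce value on both registry views, every IFEO Debugger redirection, and compares Winlogon against Microsoft's documented defaults. The registry paths and defaults are real; the "suspicious" heuristics (LOLBin launchers, images under user-writable directories) and the output shape are this script's own choices.

```powershell
# Added example, not code from the article: enumerate the autostart locations above and flag
# the usual tells. Run from an elevated prompt so HKLM and IFEO are fully readable.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit view, often forgotten
)

# Heuristics chosen for this example: script/LOLBin launchers and images under user-writable paths.
$lolbins  = '(?i)\b(powershell|pwsh|mshta|rundll32|regsvr32|wscript|cscript|cmd)\.exe'
$userDirs = '(?i)\\(Users|ProgramData|Temp|AppData)\\'

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # PSPath/PSParentPath/... provider metadata
            $cmd = [string]$p.Value
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Flag    = ($cmd -match $lolbins) -or ($cmd -match $userDirs)
            }
        }
    }
}

function Get-IfeoDebuggers {
    # Any Debugger value redirects launches of that image to the debugger path. Outside dev boxes
    # (JIT debuggers) there is rarely a legitimate one, so every hit deserves a look.
    $ifeo = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Target = $_.PSChildName; Debugger = $dbg } }
    }
}

function Test-WinlogonDefaults {
    # Documented defaults: Userinit carries a trailing comma; Shell is just explorer.exe.
    # A per-user Shell under HKCU overrides the machine value for that user and is abusable too.
    $wl = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($wl.Userinit -ne 'C:\Windows\system32\userinit.exe,') { Write-Warning "Userinit tampered: $($wl.Userinit)" }
    if ($wl.Shell -ne 'explorer.exe') { Write-Warning "Shell tampered: $($wl.Shell)" }
    $userShell = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($userShell) { Write-Warning "Per-user Shell set: $userShell" }
}

Get-RunKeyEntries | Sort-Object Flag -Descending | Format-Table -AutoSize
Get-IfeoDebuggers | Format-Table -AutoSize
Test-WinlogonDefaults
```

The Flag column is a triage aid, not a verdict: plenty of legitimate updaters live under AppData, and a clean-looking path can still point at a stomped binary, so follow up with Autoruns' signature and VirusTotal columns.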
Scheduled tasks
Tasks under Microsoft\Windows\ blend in with the hundreds Windows already ships. The SD trick (delete, or replace with a deny ACL, the SD value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<task>, as the Tarrask tooling did) hides the task from schtasks /query and the Task Scheduler UI, but the Tree and Tasks\{GUID} registry entries and the XML under C:\Windows\System32\Tasks remain, so Autoruns and registry-based hunts still catch it. Touching the SD value needs SYSTEM-level access, and the original registration still produced a 4698.
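The registry-side hunt for that trick, added here as an example rather than code from the article: it walks TaskCache\Tree, joins each task to its Tasks\{GUID} entry, reports the ones with no SD value, and cross-checks against what the Task Scheduler API is willing to return. The two registry paths are Microsoft's; the Actions decoding and the output columns are this script's own approximation.

```powershell
# Added example, not code from the article: surface scheduled tasks hidden by SD removal.
# Run elevated; the TaskCache keys are not readable by standard users.

$tree  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$tasks = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Get-TaskCacheEntries {
    Get-ChildItem -Path $tree -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $node = Get-ItemProperty -Path $_.PSPath
        if (-not $node.Id) { return }
        $detail = Get-ItemProperty -Path (Join-Path $tasks $node.Id) -ErrorAction SilentlyContinue
        if (-not $detail) { return }                    # folder node or orphan: nothing registered under Tasks
        # Actions is a binary blob. Decoding it as UTF-16 and dropping non-printables is crude but
        # enough to see the command line during triage; parse the task XML for the exact structure.
        $actions = if ($detail.Actions) {
            ([System.Text.Encoding]::Unicode.GetString($detail.Actions) -replace '[^\x20-\x7E]', ' ') -replace '\s+', ' '
        }
        [pscustomobject]@{
            Task    = ($_.Name -replace '^.*\\Tree', '')  # path relative to Tree, e.g. \Microsoft\Windows\Foo\Bar
            Id      = $node.Id
            HasSD   = ($null -ne $node.SD)
            Author  = $detail.Author
            Actions = $actions
        }
    }
}

$entries = Get-TaskCacheEntries

# 1. Tasks with no SD value: schtasks /query and the MMC will not show these.
"=== Tasks with SD removed ==="
$entries | Where-Object { -not $_.HasSD } | Format-Table Task, Author, Actions -AutoSize -Wrap

# 2. Anything in the registry that the API does not return is hidden from every API-based tool too.
"=== Registry tasks not visible to Get-ScheduledTask ==="
$visible = (Get-ScheduledTask).URI
$entries | Where-Object { $_.Task -notin $visible } | Select-Object Task, Id, HasSD
```

Restoring visibility for a found task means recreating a sane SD value (or re-registering the task from its XML), not just deleting the Tree key, because the Tasks\{GUID} entry and the XML file are what the service actually runs from.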
WMI event subscriptions (quiet, durable)
A WMI permanent event subscription is three objects in the root\subscription namespace: an __EventFilter (a WQL query: process start, user logon, a timer, or a SystemUpTime window shortly after boot), an __EventConsumer (CommandLineEventConsumer and ActiveScriptEventConsumer are the usual choices) and a __FilterToConsumerBinding that ties them together. It lives in the CIM repository (OBJECTS.DATA), survives reboots, needs admin to create, and the consumer runs as SYSTEM out of WmiPrvSE.exe (scrcons.exe for script consumers). APT29 made this famous.
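A lab build of those three objects with the CIM cmdlets, followed by the enumeration a hunter runs and the teardown, added here as an example and not code from the article or any referenced tool. The object names (BIPI_DemoFilter, BIPI_DemoConsumer), the notepad.exe trigger and the log path are this example's choices; run it only on a host you own, because it is real persistence until the last three lines execute.

```powershell
# Added example, not code from the article: create, list and remove a WMI permanent event subscription.
# Requires an elevated prompt. Sysmon 19/20/21 (and WMI-Activity/Operational 5861) fire on the creates.

$ns = 'root/subscription'

# 1. Filter: a WQL query polled every 5 s for new notepad.exe processes. Swap in a
#    Win32_LogonSession or SystemUpTime query for logon- or boot-triggered variants.
$filter = New-CimInstance -Namespace $ns -ClassName __EventFilter -Property @{
    Name           = 'BIPI_DemoFilter'
    EventNamespace = 'root/cimv2'
    QueryLanguage  = 'WQL'
    Query          = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'notepad.exe'"
}

# 2. Consumer: runs as SYSTEM under WmiPrvSE.exe. %TargetInstance.ProcessId% is a standard
#    string template expanded from the event that matched the filter.
$consumer = New-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -Property @{
    Name                = 'BIPI_DemoConsumer'
    CommandLineTemplate = 'cmd.exe /c echo fired %TargetInstance.ProcessId% >> C:\Windows\Temp\wmi_demo.log'
}

# 3. Binding: the reference properties must be passed as [ref] to New-CimInstance.
$binding = New-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -Property @{
    Filter   = [ref]$filter
    Consumer = [ref]$consumer
}

# --- What a hunter enumerates. __EventConsumer is the base class, so one query covers every consumer type.
"=== Filters ===";   Get-CimInstance -Namespace $ns -ClassName __EventFilter | Select-Object Name, Query
"=== Consumers ==="; Get-CimInstance -Namespace $ns -ClassName __EventConsumer | Select-Object Name, CommandLineTemplate, ScriptText
"=== Bindings ===";  Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | Select-Object @{n='Filter';e={$_.Filter.Name}}, @{n='Consumer';e={$_.Consumer.Name}}

# --- Teardown: binding first, then filter and consumer.
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | Where-Object { $_.Filter.Name -eq 'BIPI_DemoFilter' } | Remove-CimInstance
Get-CimInstance -Namespace $ns -ClassName __EventFilter -Filter "Name='BIPI_DemoFilter'" | Remove-CimInstance
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -Filter "Name='BIPI_DemoConsumer'" | Remove-CimInstance
```

The enumeration block is the part to keep: a clean workstation normally has a single SCM Event Log Consumer binding in root\subscription, so any additional filter, consumer or binding is worth reading in full, with particular attention to consumers whose command line or ScriptText is encoded.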
COM hijacking
- HKCU\Software\Classes\CLSID\<GUID>\InprocServer32 is consulted before HKLM for medium-integrity processes; elevated (high-integrity) processes ignore per-user COM registrations, so the hijack only fires inside non-elevated hosts
- Identify CLSIDs loaded by common processes (explorer.exe, taskhostw.exe); abandoned CLSIDs, referenced but with no DLL on disk, show up as NAME NOT FOUND in Process Monitor and are the quietest targets
- Plant a DLL and register it under that CLSID; it is loaded the next time the host process starts
- Lives in user context, needs no admin, survives reboot, no scheduled task or service footprint
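The hunt for the per-user half of that, added here as an example and not code from the article: every HKCU InprocServer32 registration is resolved to its DLL, signature-checked, and compared with the machine-wide registration for the same CLSID. The registry layout is Windows'; the user-writable path list and the "report if" conditions are this script's own.

```powershell
# Added example, not code from the article: find per-user COM servers that shadow or outrank
# the machine registration. Runs as the user being inspected; no elevation needed for HKCU.

$userDirs = '(?i)\\(Users|ProgramData|Temp|AppData)\\'

function Find-UserComHijacks {
    $hkcu = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $hkcu)) { return }
    Get-ChildItem -Path $hkcu | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = (Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if (-not $server) { return }                   # key exists but no in-process server registered
        $dll = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
        $machine = (Get-ItemProperty -Path "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $sig = if (Test-Path -LiteralPath $dll) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'MISSING' }
        [pscustomobject]@{
            CLSID        = $clsid
            UserDll      = $dll
            MachineDll   = $machine
            Signature    = $sig
            UserWritable = [bool]($dll -match $userDirs)
            ShadowsHKLM  = ($null -ne $machine) -and ($machine -ne $server)   # same CLSID, different DLL
        }
    } | Where-Object { $_.ShadowsHKLM -or $_.UserWritable -or $_.Signature -ne 'Valid' }
}

Find-UserComHijacks | Format-Table -AutoSize -Wrap
```

Per-user registrations are not inherently malicious (per-user installs of Office add-ins and Teams create plenty), so the useful signal is the combination: a CLSID that explorer.exe is known to load, pointing at an unsigned DLL in a user-writable directory, that also exists under HKLM with a different path. Pair the registry view with Sysmon Event 7 on the host process to confirm the DLL actually loaded.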
Service-based persistence
sc create with start= auto (the service runs as LocalSystem unless obj= says otherwise) and a benign-looking name (TelemetrySvc, WinHttpSvc) still works on hardened hosts. Event 7045 in the System log catches it instantly if the SOC reads it. Repointing the ImagePath of an existing, disabled service instead of creating a new one avoids 7045 but not Sysmon Event 13 on HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath; swapping the service binary itself for a stomped copy of the legitimate one dodges name-based signatures at the cost of a hash mismatch that any file-integrity check will flag.
Detection by technique
- Run keys: Sysmon Event 12/13 (key created / value set) with TargetObject containing CurrentVersion\Run; watch the Winlogon and Image File Execution Options paths in the same rule
- Scheduled tasks: Event 4698 (task created), 4702 (task updated), 4699 (task deleted) in the Security log; these only exist if the "Audit Other Object Access Events" subcategory is enabled, and the Microsoft-Windows-TaskScheduler/Operational log (106 registered, 140 updated) is off by default
- WMI subs: Sysmon Event 19/20/21 (WMI filter/consumer/binding); without Sysmon, Microsoft-Windows-WMI-Activity/Operational 5861 records new permanent consumer bindings
- COM hijack: Sysmon Event 12/13 with TargetObject under HKU\<SID>\Software\Classes\CLSID\...\InprocServer32, then Sysmon Event 7 (image loaded) showing explorer.exe or taskhostw.exe loading an unsigned DLL from a user-writable path (needs ImageLoad rules in the Sysmon config)
- Service: Event 7045 (System), 4697 (Security, needs "Audit Security System Extension"); Sysmon Event 1 with services.exe as parent, and Event 13 on ...\Services\<name>\ImagePath for repointed services
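One collector that pulls all five signals from the local host and normalises them to a single shape, added here as an example and not code from the article. Channel names, event IDs and field names are Microsoft's and Sysmon's; the seven-day look-back, the path regexes that split Sysmon 12/13 by technique and the output columns are this script's own choices. It needs admin for the Security log, and the caveats above apply: 4698/4702 and 4697 only exist if their audit subcategories are on, and Sysmon 7 only if the config logs image loads.

```powershell
# Added example, not code from the article: collect the persistence signals listed above.

$since  = (Get-Date).AddDays(-7)
$sysmon = 'Microsoft-Windows-Sysmon/Operational'

function Get-EventData {
    # Flatten <EventData><Data Name="..."> into a hashtable; works for Sysmon, Security and System events.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

function Get-Events($Log, $Ids) {
    Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = $Ids; StartTime = $since } -ErrorAction SilentlyContinue
}

function Find-PersistenceEvents {
    # Run keys, Winlogon, IFEO, COM hijacks and service ImagePath edits all arrive as Sysmon 12/13;
    # the target path decides which technique they belong to.
    foreach ($e in Get-Events $sysmon @(12, 13)) {
        $d = Get-EventData $e
        $tech = switch -Regex ($d.TargetObject) {
            '\\CurrentVersion\\Run(Once)?\\'                                  { 'RunKey'; break }
            '\\CurrentVersion\\Winlogon\\(Userinit|Shell)$'                   { 'Winlogon'; break }
            'Image File Execution Options\\[^\\]+\\Debugger$'                 { 'IFEO'; break }
            '^HKU\\[^\\]+\\Software\\Classes\\CLSID\\[^\\]+\\InprocServer32'  { 'COMHijack'; break }
            '\\Services\\[^\\]+\\ImagePath$'                                   { 'ServiceImagePath'; break }
        }
        if ($tech) { [pscustomobject]@{ Time = $e.TimeCreated; Technique = $tech; Source = $d.Image; Detail = "$($d.TargetObject) = $($d.Details)" } }
    }
    foreach ($e in Get-Events $sysmon @(19, 20, 21)) {
        $d = Get-EventData $e
        $what = @{
            19 = "filter $($d.Name): $($d.Query)"
            20 = "consumer $($d.Name) ($($d.Type)): $($d.Destination)"
            21 = "binding $($d.Filter) -> $($d.Consumer)"
        }[$e.Id]
        [pscustomobject]@{ Time = $e.TimeCreated; Technique = 'WMISubscription'; Source = $d.User; Detail = "$($d.Operation) $what" }
    }
    foreach ($e in Get-Events 'Security' @(4698, 4702)) {
        $d = Get-EventData $e
        $xml = ($d.TaskContent -replace '\s+', ' ') -replace '^(.{200}).*', '$1'   # task XML, truncated for the table
        [pscustomobject]@{ Time = $e.TimeCreated; Technique = 'ScheduledTask'; Source = $d.SubjectUserName; Detail = "$($d.TaskName): $xml" }
    }
    foreach ($e in Get-Events 'System' @(7045)) {
        $d = Get-EventData $e
        [pscustomobject]@{ Time = $e.TimeCreated; Technique = 'ServiceInstall'; Source = $d.AccountName; Detail = "$($d.ServiceName): $($d.ImagePath)" }
    }
    foreach ($e in Get-Events $sysmon @(7)) {
        $d = Get-EventData $e
        # Only the COM-hijack shape: a typical host process pulling an unsigned DLL from a user-writable path.
        if ($d.Image -match '\\(explorer|taskhostw)\.exe$' -and $d.ImageLoaded -match '(?i)\\(Users|ProgramData|Temp|AppData)\\' -and $d.Signed -ne 'true') {
            [pscustomobject]@{ Time = $e.TimeCreated; Technique = 'COMHijackLoad'; Source = $d.Image; Detail = $d.ImageLoaded }
        }
    }
}

Find-PersistenceEvents | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Reading EventData through ToXml() rather than regexing the rendered Message is deliberate: the message text changes with Sysmon and OS versions and with display language, while the Data element names stay stable, which is also what your SIEM parsers key on.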
Hunting tools
- Autoruns (Sysinternals) with VirusTotal integration
- Sysmon with the SwiftOnSecurity config or Olaf Hartong's sysmon-modular
- WMI-Persistence-Detector by FireEye/Mandiant
- Velociraptor artifacts for COM hijacks and WMI subs
Hardening
- AppLocker or WDAC with publisher allowlist breaks unsigned drops
- ASR rule "Block Win32 API calls from Office macros" cuts a common chain
- Restrict WMI namespace permissions on root\subscription (wmimgmt.msc or a scripted security-descriptor change) and alert on any write to it
- Enable PowerShell Script Block Logging (Event 4104 in Microsoft-Windows-PowerShell/Operational) and ship it to the SIEM
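Applying and verifying two of those controls from an elevated shell, added here as an example and not code from the article. The rule GUID is Microsoft's published identifier for "Block Win32 API calls from Office macros", and the registry path is the policy location PowerShell reads for Script Block Logging; AppLocker/WDAC policy and the root\subscription ACL are set through their own tooling (policy XML, wmimgmt.msc) and are not shown.

```powershell
# Added example, not code from the article: turn on the ASR rule and Script Block Logging, then read back
# the state so the change can be asserted in a build pipeline rather than assumed.

$asrWin32ApiFromMacros = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'

function Set-AsrBlock {
    # Add-MpPreference merges into the existing rule list; it does not replace other rules.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $asrWin32ApiFromMacros -AttackSurfaceReductionRules_Actions Enabled
}

function Get-AsrState {
    # Ids and Actions are parallel arrays on Get-MpPreference: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
    $p = Get-MpPreference
    for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($p.AttackSurfaceReductionRules_Ids[$i] -eq $asrWin32ApiFromMacros) {
            return $p.AttackSurfaceReductionRules_Actions[$i]
        }
    }
    return $null   # rule not configured at all
}

function Enable-ScriptBlockLogging {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
    # 4104 lands in this channel; confirm it is enabled and large enough not to roll over before shipping.
    $log = Get-WinEvent -ListLog 'Microsoft-Windows-PowerShell/Operational'
    [pscustomobject]@{ Channel = $log.LogName; Enabled = $log.IsEnabled; MaxBytes = $log.MaximumSizeInBytes; Records = $log.RecordCount }
}

Set-AsrBlock
"ASR action for Win32-API-from-macros rule: $(Get-AsrState)"   # 1 means Block
Enable-ScriptBlockLogging
```

Script Block Logging is only useful if the channel leaves the box: the default 15 MB log on a busy admin workstation can roll over in hours, so raise MaximumSizeInBytes or forward the channel before relying on 4104 for anything retrospective.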
Persistence is layered. If your only foothold is a Run key, you do not have persistence, you have a coin flip.