This post explains how we can run an executable after Windows logon. This could be used to invoke a background process once or every time a user logs in.
The Windows Run Registry Key
The Windows registry contains the following Run keys (they also exist under Wow6432Node but the same principle applies):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunWe can create a string value in this location where the
Name
can be an arbitrary name representing what we want to run, and the
Value
is the command line we want to run.
Entries in the HKLM Run registry key will run every time any user logs in to the machine. Entries in the HKCU Run registry key will run every time a SPECIFIC user logs in to the machine (the user who’s registry hive the value is in!).
As an example, I also wanted to see what context each command line ran in – did it run in a system context when we used the HKLM location and a user context when we used the HKCU location? So I created the following entries, logged off and then logged back in:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"alkane"="cmd.exe /c echo %USERNAME%>>c:\\alkane\\machine.txt"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"alkane"="cmd.exe /c echo %USERNAME%>>c:\\alkane\\user.txt"After I logged in, the relevant text files were created and both user.txt and machine.txt contained the username of the logged in user. And hence, these command lines run in the logged in user context regardless of which registry hive you use. As such, these commands can only be used to run executables that do not require elevated permissions.
The Windows RunOnce Registry Key
Similar to the Run key, the RunOnce key also runs executables after a user has logged into Windows.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceBut the key differentiator is that (surprise!) entries under this key will only run once since the registry value will be deleted prior to the command line being run. If you read that sentence again, you’ll see that there is a risk that your command line might fail to run properly, and never run again! To circumvent this and ensure our command line runs successfully, we can prefix the registry
Name
with an exclamation (!) like so:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"!alkane"="cmd.exe /c echo %USERNAME%>>c:\\alkane\\machine.txt"You should also be mindful that if you add a RunOnce entry in the HKLM registry, it will only run once for the first user that logs in. Not for subsequent logins.
The Windows Active Setup Registry Key
- We know if we want an executable to run every time any user logs in we can use the HKLM Run key.
- We know if we want an executable to run every time a specific user logs in we can use the HKCU Run key.
- We know if we want an executable to run once for the first (any) user that logs in we can use the HKLM RunOnce key.
- We know if we want an executable to run once if a specific user logs in we can use the HKCU RunOnce key.
But what if we want an executable to run once for any and every subsequent user that logs in? We can use Active Setup.
Active Setup is configured in the HKLM registry hive, and requires a StubPath and Version as a minimum:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\UNIQUEID]
"StubPath"="cmd.exe /c echo %USERNAME%>>c:\\alkane\\machine.txt"
"Version"="1,0,0"UNIQUEID can be any unique identifier – usually you will see a globally unique identifier which represents the Product Code of a Windows Installer and looks similar to this:
{052860C8-3E53-3D0B-9332-48A8B4971352}
.
The
StubPath
represents the command you want to run for each user, and the
Version
represents the version of the command.
Each time a user logs in, the operating system will check if
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\UNIQUEID
exists in
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\
. If it doesn’t exist whatsoever, or it does exist and the version value is lower, it will run the command line in the
StubPath
and then write the entry in the HKCU hive (with the Version) to indicate that it has run for that particular logged in user. Similar to
Run
and
RunOnce
, the executable will also run in the logged in user context.
The ordering of processing is typically in alphabetical order of the UNIQUEID value. As such, the
StubPath
in this Active Setup:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\aaaaaaa
will run before this:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\bbbbbb
There is also a seemingly undocumented approach to order of execution whereby prefixing the UNIQUEID with < will run at the very start, and prefixing the UNIQUEID with > will run at the very end.
