Some malware appears to create Registry keys such as: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n or variants like ...CurrentVersion\Ruin, where it places executable files in order to auto-start at bootup. I'm just wondering how RD protects in these situations. Obviously the 'Run' key will be protected, but it does not seem to cover 'CurrentVersion\Ru1n'. Does the malware have to knock out the 'Run' key in order to use Ruin/Ru1n etc.? How does this work in practice?