Beyond good ol’ Run key, Part 131

This is a bunch of legacy, no longer popular Registry locations that could at some stage in the past have supported persistence by pointing to the various editors associated with ‘viewing the source of web pages’ and with using Microsoft Office to edit HTML documents:

  • HKCU\Software\Microsoft\Shared\HTML\Default Editor
  • HKCU\SOFTWARE\Microsoft\Shared\HTML\Old Default Editor
  • HKLM\SOFTWARE\Microsoft\Shared\HTML\Old Default Editor
  • HKCU\Software\Microsoft\Internet Explorer\Default HTML Editor
  • HKCU\Software\Microsoft\Internet Explorer\Default MHTML Editor
  • HKLM\Software\Microsoft\Internet Explorer\Default HTML Editor
  • HKLM\Software\Microsoft\Internet Explorer\Default MHTML Editor
  • HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
  • HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor

All the entries use the very same shell entries, as shown in the example below:

Beyond good ol’ Run key, Part 130

Yet another short one, courtesy of @tiraniddo, who pointed me to this Microsoft article describing the SERVICE_FAILURE_ACTIONSW structure. In essence, you use it to tell the service controller what to do when your service fails. I saw this technique abused by malware over 10 years ago, but had completely forgotten about it.

James not only provided the link, but also suggested that you could register a service that you know crashes when given bad input on the command line; what you really want is for it to fail so that the failure action runs the backup command. And you can delay that command for a long time to disconnect the failure from the command execution.
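From the defender's side, the same data the SCM uses is stored as the FailureActions (REG_BINARY) and FailureCommand (REG_SZ) values under each service's key in HKLM\SYSTEM\CurrentControlSet\Services. The following Python is an added example, not code from the original post: it decodes that blob and flags services whose failure action is SC_ACTION_RUN_COMMAND, calling out long delays like the one described above. The 20-byte-header-plus-8-byte-SC_ACTION layout is my assumption about how the structure is serialised, and the service names, command path and delay threshold are constructed sample data.

```python
import struct

# SC_ACTION_TYPE values from winsvc.h
ACTION_NAMES = {0: "none", 1: "restart", 2: "reboot", 3: "run_command"}
LONG_DELAY_MS = 60 * 60 * 1000  # assumption: a command delayed an hour or more is worth a look

def parse_failure_actions(blob: bytes) -> dict:
    """Decode a FailureActions REG_BINARY value. Assumed layout (serialised
    SERVICE_FAILURE_ACTIONS): five little-endian DWORDs (reset period, reboot-msg
    offset, command offset, action count, actions offset), then one SC_ACTION per
    action as two DWORDs: type and delay in milliseconds."""
    if len(blob) < 20:
        raise ValueError("FailureActions blob shorter than its 20-byte header")
    reset, _reboot_off, cmd_off, count, act_off = struct.unpack_from("<5I", blob, 0)
    if act_off + 8 * count > len(blob):
        raise ValueError("action array runs past the end of the blob")
    actions = [struct.unpack_from("<II", blob, act_off + 8 * i) for i in range(count)]
    return {"reset_period_s": reset, "has_command": cmd_off != 0,
            "actions": [(ACTION_NAMES.get(t, f"unknown({t})"), d) for t, d in actions]}

def assess_service(name: str, blob: bytes, failure_command) -> list[str]:
    """Findings for one service; an empty list means nothing stood out."""
    parsed = parse_failure_actions(blob)
    findings = []
    run_cmd = [(i, d) for i, (t, d) in enumerate(parsed["actions"]) if t == "run_command"]
    if run_cmd:
        findings.append(f"{name}: SC_ACTION_RUN_COMMAND configured -> {failure_command!r}")
        for i, delay in run_cmd:
            if delay >= LONG_DELAY_MS:
                findings.append(f"{name}: action {i + 1} delays the command by {delay / 3600000:.1f} h")
    elif failure_command:
        findings.append(f"{name}: FailureCommand set but no run_command action (stale?)")
    return findings

def build_blob(reset_s: int, actions, with_command: bool) -> bytes:
    """Serialise the same layout; used only to construct the sample data below."""
    header = struct.pack("<5I", reset_s, 0, 1 if with_command else 0, len(actions), 20)
    return header + b"".join(struct.pack("<II", t, d) for t, d in actions)

# Constructed samples: a default-looking service and one whose failure action runs a command.
SAMPLES = {
    "Spooler": (build_blob(86400, [(1, 60000), (1, 60000), (0, 0)], False), None),
    "UpdSvc": (build_blob(0, [(3, 4 * 3600 * 1000), (0, 0), (0, 0)], True),
               r"C:\Users\Public\upd.exe"),  # placeholder path, constructed
}

def scan(samples=SAMPLES) -> list[str]:
    return [f for name, (blob, cmd) in samples.items() for f in assess_service(name, blob, cmd)]
```

On a live host, feed the two registry values read with winreg into assess_service; `sc qfailure <service>` shows the same configuration for a quick manual cross-check.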

Thanks James!