diff --git a/Windows/Payloads/Discovery.bat b/Windows/Payloads/Discovery.bat
index b7743df..f11940f 100644
--- a/Windows/Payloads/Discovery.bat
+++ b/Windows/Payloads/Discovery.bat
@@ -8,6 +8,23 @@ net config workstation
 net accounts
 net accounts /domain
 net view
+reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
+reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
+reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
+reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
+reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
 wmic useraccount list
 wmic useraccount get /ALL
 wmic startup list brief