Persistence mechanisms ensure malware survives system reboots — registry run keys, scheduled tasks, Windows services, DLL hijacking, WMI subscriptions, startup folders.
After initial compromise, attackers establish persistence before moving. Detection: monitor registry run keys, scheduled tasks, new services, startup folders for unauthorized changes. Autoruns (Sysinternals) shows all persistence points.