Saved February 14, 2026
This article explains a technique for establishing registry persistence using an NTUSER.MAN file, which allows for registry writes without triggering typical monitoring callbacks. By placing a crafted NTUSER.MAN in a user's profile directory, attackers can load persistence keys directly into HKCU during logon, avoiding detection by conventional EDR solutions.
Registry persistence allows malware or unauthorized changes to survive system reboots by manipulating registry settings. This article details a method that circumvents typical detection mechanisms by using a specially crafted NTUSER.MAN file. Unlike the standard NTUSER.DAT file, which Windows loads during user logon, the NTUSER.MAN file is prioritized for loading, providing a way to insert malicious keys into the HKEY_CURRENT_USER (HKCU) hive without triggering registry callbacks that endpoint detection and response (EDR) solutions monitor.
The technique exploits how Windows handles mandatory profiles. By placing a crafted NTUSER.MAN in a user's profile directory, the registry keys included within this file are loaded directly from disk during the next logon. This process bypasses the standard registry APIs, avoiding detection by EDR tools that rely on callbacks triggered by those APIs. The article outlines a specific workflow for creating this file, including exporting the target user's HKCU hive, modifying it, and converting it back to a binary format for the NTUSER.MAN file.
Constraints exist, as the NTUSER.MAN file cannot be swapped while the user is logged in, requiring either a logoff or a system reboot. This means the persistence mechanism acts over time rather than instantly. The article also touches on lateral movement opportunities through Active Directory, where modifying a user's profile path can redirect to a malicious NTUSER.MAN on a controlled network share, allowing for further exploitation upon the user's next logon.
Detection strategies focus on monitoring file writes to NTUSER.MAN and changes to the profilePath attribute in Active Directory. The presence of mandatory profiles is rare in modern environments, making any instances highly suspicious. The article emphasizes the need for vigilance against these subtle, yet effective, persistence techniques in enterprise security.
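As an added example (not code from the summarized article), the following PowerShell hunt implements the two detection points above: it lists every local profile directory that contains an NTUSER.MAN and records its size, timestamp and hash for review, then lists AD accounts whose profilePath attribute is set. It assumes it runs with administrator rights and that the ActiveDirectory module is installed for the second part.

```powershell
# Added defender example: hunt for NTUSER.MAN files in local user profiles and
# for AD accounts with a profilePath set. Assumes administrator rights and, for
# the AD query, the RSAT ActiveDirectory module.

# Enumerate local profile directories from the ProfileList registry key.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profileDirs = Get-ChildItem $profileList | ForEach-Object {
    (Get-ItemProperty $_.PSPath).ProfileImagePath
} | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Any NTUSER.MAN is worth reviewing: mandatory profiles are rare in modern environments.
$findings = foreach ($dir in $profileDirs) {
    $man = Join-Path $dir 'NTUSER.MAN'
    if (Test-Path -LiteralPath $man) {
        $f = Get-Item -LiteralPath $man -Force   # -Force: NTUSER.* files are hidden
        [pscustomobject]@{
            Profile       = $dir
            SizeBytes     = $f.Length
            LastWriteTime = $f.LastWriteTime
            SHA256        = (Get-FileHash -LiteralPath $man -Algorithm SHA256).Hash
        }
    }
}

if ($findings) {
    Write-Warning "NTUSER.MAN found in $(@($findings).Count) profile(s); review each hive before the next logon of that user:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No NTUSER.MAN files found in local profiles.'
}

# Accounts with a profilePath point the profile at a share; a change here can
# redirect the user to an attacker-controlled NTUSER.MAN, so baseline and diff this list.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADUser -Filter 'ProfilePath -like "*"' -Properties ProfilePath, whenChanged |
        Select-Object SamAccountName, ProfilePath, whenChanged |
        Format-Table -AutoSize
} else {
    Write-Output 'ActiveDirectory module not available; skipping profilePath query.'
}
```

Run the script on a schedule and compare its output to the previous run; a new NTUSER.MAN, a changed hash, or a newly set profilePath is the signal to investigate.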