WinLogon (Elevated)

Winlogon uses some registry values that could be interesting for gaining persistence:

  • Userinit points to userinit.exe, which is in charge of restoring your user profile preferences.

  • Shell points to the system's shell, which is usually explorer.exe.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

We can modify the string by adding our shellcode path.

After doing this, sign out of your current session and log in again, and you should receive a shell.
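
From the defender's side, this change is visible as any Userinit or Shell entry that differs from the stock value. The following audit script is an added example, not part of the original page; the function name `Test-WinlogonValue`, the baseline table and the sample string are assumptions made for illustration.

```powershell
# Added example: audit Winlogon's Userinit and Shell values against a baseline.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Assumed baseline: stock Windows defaults. Adjust if your build legitimately differs
# (for example, a kiosk image with a custom shell).
$Baseline = @{
    Userinit = @("$env:SystemRoot\system32\userinit.exe")
    Shell    = @('explorer.exe')
}

function Test-WinlogonValue {
    param(
        [Parameter(Mandatory)][string]$Name,
        [AllowEmptyString()][string]$Data
    )
    # Both values hold a comma-separated list; the default Userinit ends with a comma.
    $entries = $Data -split ',' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ }
    # -notcontains compares strings case-insensitively.
    $unexpected = @($entries | Where-Object { $Baseline[$Name] -notcontains $_ })
    [pscustomobject]@{
        Name       = $Name
        Data       = $Data
        Unexpected = $unexpected
        # A missing or empty value is also worth a look.
        Suspicious = ($unexpected.Count -gt 0) -or (-not $entries)
    }
}

# Live check on the local machine.
$live = Get-ItemProperty -Path $WinlogonKey
'Userinit', 'Shell' | ForEach-Object {
    Test-WinlogonValue -Name $_ -Data $live.$_
}

# Constructed sample (not real data): an extra entry after the legitimate one.
Test-WinlogonValue -Name Userinit `
    -Data "$env:SystemRoot\system32\userinit.exe,C:\Users\Public\example.exe"
```

On an unmodified system both live checks return `Suspicious = False`, while the constructed sample lists the extra path under `Unexpected`.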
