An attacker can achieve persistence by modifying the registry entries used by the Winlogon process. The Winlogon process is responsible for handling interactive user logons and logoffs. Once the user is authenticated, the winlogon.exe process launches userinit.exe, which runs logon scripts and re-establishes network connections. userinit.exe then starts explorer.exe, which is the default User's shell.

The winlogon.exe process launches userinit.exe due to the following registry value. This entry specifies which programs need to be executed by Winlogon when a user logs on. By default, this value is set to the path of userinit.exe (C:\Windows\system32\userinit.exe). An attacker can change or add another value containing ...