Windows Userinit persistence#20844

Merged: dledda-r7 merged 13 commits into rapid7:master from 6a6f656c:userinit, Feb 18, 2026

Conversation


@6a6f656c 6a6f656c commented Jan 3, 2026

fixes #20820

Introduces a new persistence module that abuses the Windows UserInit registry mechanism, ensuring a shell is executed each time a user logs in.

Verification

List the steps needed to make sure this thing works

  1. Get an admin session on Windows
  2. use exploit/windows/persistence/registry_userinit
  3. set session #
  4. exploit
  5. Log off and log back in; you should get a shell
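From the defender's side, as an added example that is not part of this PR or the module: Winlogon reads the Userinit value from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and launches every comma-separated program in it at logon, so an audit only needs to compare each entry against the stock userinit.exe. The .reg export, the extra program path and the environment map below are constructed for the example; the parser assumes the value is exported as REG_SZ.

```python
"""Audit a Winlogon 'Userinit' value for added logon programs.

Added example, not code from the Metasploit PR or module. Winlogon reads
Userinit from HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
and runs every comma-separated program at logon; only userinit.exe belongs there.
"""
import ntpath
import re

# Stock value on a clean install: one program plus a trailing comma.
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"
# Constructed environment map for values written with %SystemRoot%-style tokens.
ENV = {"SYSTEMROOT": r"C:\Windows", "WINDIR": r"C:\Windows"}

# Constructed .reg export with one extra (non-stock) program appended.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\example_added.exe,"
'''


def expand_env(path: str) -> str:
    """Expand %VAR% tokens from ENV (case-insensitive); unknown tokens are kept."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).upper(), m.group(0)), path)


def split_userinit(value: str) -> list:
    """Split the comma-separated program list, dropping the empty trailing entry."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def audit_userinit(value: str) -> list:
    """Return every program in the value that is not the stock userinit.exe."""
    stock = ntpath.normcase(expand_env(DEFAULT_USERINIT.rstrip(",")))
    return [p for p in split_userinit(value) if ntpath.normcase(expand_env(p)) != stock]


def userinit_from_reg(reg_text: str):
    """Extract the Userinit string from a .reg export (REG_SZ form only, assumed)."""
    m = re.search(r'^"Userinit"="(.*)"\s*$', reg_text, re.MULTILINE | re.IGNORECASE)
    # .reg escapes backslashes and quotes with a backslash; undo that in one pass.
    return re.sub(r"\\(.)", r"\1", m.group(1)) if m else None


if __name__ == "__main__":
    for extra in audit_userinit(userinit_from_reg(SAMPLE_REG)):
        print("non-default Userinit program:", extra)
```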

@h00die h00die changed the title from "Userinit" to "Windows Userinit persistence" Jan 3, 2026

h00die commented Jan 3, 2026

I had a few minutes, so did the docs for you: 6a6f656c#1

@6a6f656c 6a6f656c left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed

Add docs and tidy to userinit persistence
@h00die h00die added docs and removed needs-docs labels Jan 10, 2026

```ruby
def writable_dir
  d = super
  return session.sys.config.getenv(d) if d.start_with?('%')
```
A contributor commented:

Maybe some of the comments from $x are relevant here? 🤔

#20843 (comment)

cc @h00die

A contributor commented:

@h00die was this addressed?

@rapid7 rapid7 deleted a comment from github-actions Bot Jan 25, 2026
@dledda-r7 dledda-r7 self-assigned this Feb 17, 2026


dledda-r7 commented Feb 17, 2026

Managed to have the connection back, @6a6f656c or @h00die, does this module require Administrator privilege to install the persistence?

6a6f656c and others added 3 commits February 17, 2026 07:17
Co-authored-by: Diego Ledda <diego_ledda@rapid7.com>
h00die previously requested changes Feb 17, 2026

h00die commented Feb 17, 2026

@dledda-r7 The `return session.sys.config.getenv(d) if d.start_with?('%')` stuff hasn't been addressed yet. Because it's in a bunch of modules I'm hoping to address it once across all the landed modules instead of doing the modules and then 4 or 5 PRs separately.


h00die commented Feb 17, 2026

> Managed to have the connection back, @6a6f656c or @h00die, does this module require Administrator privilege to install the persistence?

I thought writing to the registry did require admin privileges, but I can't remember at this point.

…rinit.md

Co-authored-by: h00die <h00die@users.noreply.github.com>
@dledda-r7 dledda-r7 dismissed h00die’s stale review February 18, 2026 10:49

Suggestion committed

@dledda-r7 dledda-r7 merged commit 8af82dc into rapid7:master Feb 18, 2026
18 checks passed

Release Notes

This adds a persistence module for Windows. Using the UserInit registry key, the target machine will create a session with Admin privileges every time any user logs in.

@dledda-r7 dledda-r7 added the rn-modules release notes for new or majorly enhanced modules label Feb 20, 2026

Labels

docs module rn-modules release notes for new or majorly enhanced modules

Development

Successfully merging this pull request may close these issues.

New Persistence Technique: Windows Registry Logon Script (userinit)
