Logon Triggered Persistence

We can put executable in each user's folder:

• C:\Users\<your_username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

If we want to force all users to run a payload while logging in, we can use the folder under:

• C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

One of the things userinit.exe does while loading your user profile is to check for an environment variable called UserInitMprLogonScript. We can use this environment variable to assign a logon script to a user that will get run when logging into the machine.

reg add "HKCU\Environment" /v UserInitMprLogonScript /d "C:\Windows\shell.exe" /f

You can also force a user to execute a program on logon via the registry. Check this page for more details

Winlogon, the Windows component that loads your user profile right after authentication can be abuse for persistence. Check this page for more details.