An attacker can achieve persistence by modifying the registry entries used by the Winlogon process. The Winlogon process is responsible for handling interactive user logons and logoffs. Once the user is authenticated, the winlogon.exe process launches userinit.exe, which runs logon scripts and re-establishes network connections. userinit.exe then starts explorer.exe, which is the default User's shell.

The winlogon.exe process launches userinit.exe due to the following registry value. This entry specifies which programs need to be executed by Winlogon when a user logs on. By default, this value is set to the path of userinit.exe (C:Windowssystem32userinit.exe). An attacker can change or add another value containing the path to the malicious executable, which will then be launched by the winlogon.exe process (when the user logs on):

HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserinit

In the same manner, userinit.exe consults the following registry value to start the default User's shell. By default, this value is set to explorer.exe. An attacker can change or add another entry containing the name of the malicious executable, which will then be started by userinit.exe:

HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonShell

In the following example, the Brontok worm achieves persistence by modifying the following Winlogon registry values with its malicious executables:

To detect this type of persistence mechanism, the Sysinternals Autoruns utility may be used. You can monitor for suspicious entries (not related to legitimate programs) in the registry, as mentioned earlier.