{
	"id": "9678e923-61c0-49ec-b29b-0ce74a66419a",
	"created_at": "2026-04-06T02:12:34.346426Z",
	"updated_at": "2026-04-10T13:12:06.2602Z",
	"deleted_at": null,
	"sha1_hash": "35e45ce7b7699f8647f715be98ea81b78b636248",
	"title": "Beyond good ol’ Run key, Part 18",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42957,
	"plain_text": "Beyond good ol’ Run key, Part 18\r\nPublished: 2014-11-14 · Archived: 2026-04-06 02:01:57 UTC\r\nIf you hear legitimate \u0026 legacy in the same sentence then it is – most likely – not good news.\r\nThe not-so-known persistence mechanisms that have a reason to be there are quite interesting, because they are often obscure and long forgotten. And while unknown to the general public, they may still be heavily used for legitimate purposes, even if just by a niche group of people.\r\nMaybe that’s why the mechanism I am going to describe survived such a long journey from Windows NT to Windows 10 Preview…\r\nI am talking about Logon Scripts.\r\nThere is not much online about their internals. The best I could find was this post:\r\nLogon scripts (both GPO and user) are actually handled by USERINIT.EXE. If I recall correctly, the user logon script is handled by the same instance of USERINIT.EXE that starts the desktop instance of EXPLORER.EXE (i.e. the one that would be spawned from gina!WlxActivateUserShell), whereas the domain GPO scripts are executed by separate instances of USERINIT.EXE which are requested to be spawned by WINLOGON.EXE via gina!WlxStartApplication.\r\nThe easy way to screw up the execution of these login scripts (i.e. works fine with MSGINA so I know the configuration is right, but with my replacement GINA installed they no longer run) would be to miss including the expected environment variables that WINLOGON was trying to impart to the spawned instances of USERINIT.EXE, since it’s via environment variables that the intention for USERINIT.EXE to run a particular script is communicated.\r\nBe sure you’re building an environment block that includes all the environment specified in the pEnvironment parameter to the Wlx functions cited. In the case of GPO scripts you’re looking for an environment variable such as “UserInitGPOScriptType”, and “UserInitMprLogonScript” is the environment variable WlxActivateUserShell is expected to create with the pszMprLogonScript parameter string’s contents.\r\nThe funny fact is that userinit.exe relies on environment variables, and these can always be abused – this makes it easy to quickly set up a simple persistence mechanism by using the Registry Environment keys.\r\nThere are 3 environment variables the mechanism relies on:\r\nA pair of UserInitLogonServer \u0026 UserInitLogonScript identifying where to run the script from; the first one identifies the server, the second the location\r\nUserInitMprLogonScript – this one is a simple path to a script; there may be more than one; MPR stands for Multiple Provider Router\r\nThat’s it.\r\nSetting up the HKEY_CURRENT_USER\\Environment variables and dropping scripts in an appropriate location is enough to pull this off.\r\nTo test the UserInitMprLogonScript setting:\r\nSave the following file as c:\\test\\UserInitMprLogonScript.bat\r\n@echo off\r\n@echo # 'UserInitMprLogonScript'\r\n@if exist c:\\test\\UserInitMprLogonScript.log @del c:\\test\\UserInitMprLogonScript.log\r\n@echo UserInitMprLogonScript executed !\u003e c:\\test\\UserInitMprLogonScript.log\r\n@pause\r\nAdd the following Registry Entry\r\nWindows Registry Editor Version 5.00\r\n[HKEY_CURRENT_USER\\Environment]\r\n\"UserInitMprLogonScript\"=\"c:\\\\test\\\\UserInitMprLogonScript.bat\"\r\nOnce you log off and log on again you should see the script running, and if it is not shown in a dedicated terminal window (e.g. in the case of Windows 10 Preview) you can confirm it did execute by checking whether the file c:\\test\\UserInitMprLogonScript.log exists.\r\nSource: http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/"
	],
	"report_names": [
		"beyond-good-ol-run-key-part-18"
	],
	"threat_actors": [],
	"ts_created_at": 1775441554,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/35e45ce7b7699f8647f715be98ea81b78b636248.pdf",
		"text": "https://archive.orkl.eu/35e45ce7b7699f8647f715be98ea81b78b636248.txt",
		"img": "https://archive.orkl.eu/35e45ce7b7699f8647f715be98ea81b78b636248.jpg"
	}
}