{"id":3627,"date":"2016-05-27T22:51:57","date_gmt":"2016-05-27T22:51:57","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3627"},"modified":"2016-05-27T22:53:58","modified_gmt":"2016-05-27T22:53:58","slug":"beyond-good-ol-run-key-part-38","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2016\/05\/27\/beyond-good-ol-run-key-part-38\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 38"},"content":{"rendered":"<p>It&#8217;s been a while since my last post <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/03\/26\/beyond-good-ol-run-key-part-37\/\">about persistence tricks<\/a>. Today I decided to fix this and write about yet another trick &#8211; kinda old, yet still cool &#8211; that works even today despite being as old as Windows NT.<\/p>\n<p>The userinit.exe process was featured in a number of persistence posts before (<a href=\"https:\/\/www.hexacorn.com\/blog\/2014\/05\/21\/beyond-good-ol-run-key-part-12\/\">here<\/a> , <a href=\"https:\/\/www.hexacorn.com\/blog\/2014\/06\/18\/beyond-good-ol-run-key-part-13\/\">here<\/a> and <a href=\"https:\/\/www.hexacorn.com\/blog\/2014\/11\/14\/beyond-good-ol-run-key-part-18\/\">here<\/a>). Turns out, we have not given it all the attention it needs yet.<\/p>\n<p>When you add a new user to the system, you have an option to change some properties of the user account as shown on the below screenshot. 
One of these properties is responsible for loading the user logon script (I named it foobar123.bat on the test system).<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/05\/pic0.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-3628\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/05\/pic0-269x300.png\" alt=\"pic0\" width=\"520\" height=\"579\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/05\/pic0-269x300.png 269w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/05\/pic0.png 414w\" sizes=\"(max-width: 520px) 100vw, 520px\" \/><\/a><\/p>\n<p>The alternative to the GUI is the following command (the account name precedes the option):<\/p>\n<ul>\n<li>\n<pre>net user &lt;username&gt; \/scriptpath:&lt;Relative Path&gt;<\/pre>\n<\/li>\n<\/ul>\n<p>Once added to the user properties, the script will be executed any time the user logs on:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/05\/pic3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-3629\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/05\/pic3-300x152.png\" alt=\"pic3\" width=\"520\" height=\"263\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/05\/pic3-300x152.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/05\/pic3.png 677w\" sizes=\"(max-width: 520px) 100vw, 520px\" \/><\/a><\/p>\n<p>You may be wondering where on the system it has to be placed to ensure it is executed.<\/p>\n<p>There are two places:<\/p>\n<ul>\n<li>You can place it on the Netlogon share:\n<ul>\n<li>either the real one from the domain controller (where all user scripts reside),<br \/>\nor<\/li>\n<li>you can create a fake, local one by using the trick shown below:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/05\/pic1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-3630\" 
src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/05\/pic1-300x152.png\" alt=\"pic1\" width=\"520\" height=\"263\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/05\/pic1-300x152.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/05\/pic1.png 677w\" sizes=\"(max-width: 520px) 100vw, 520px\" \/><\/a><\/p>\n<p style=\"padding-left: 60px;\">In such case the script will be loaded like this:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/05\/pic4.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-3631\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/05\/pic4.png\" alt=\"pic4\" width=\"520\" height=\"542\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/05\/pic4.png 548w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/05\/pic4-288x300.png 288w\" sizes=\"(max-width: 520px) 100vw, 520px\" \/><\/a><\/p>\n<ul>\n<li>You can place it inside the %systemroot%\\System32\\Repl\\Import\\Scripts directory<\/li>\n<\/ul>\n<p style=\"padding-left: 60px;\">In such case it will be executed like this:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/05\/pic2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-3632\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/05\/pic2.png\" alt=\"pic2\" width=\"520\" height=\"541\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/05\/pic2.png 548w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/05\/pic2-288x300.png 288w\" sizes=\"(max-width: 520px) 100vw, 520px\" \/><\/a>If you use net user command, the relative path is relative to %systemroot%\\System32\\Repl\\Import\\Scripts.<\/p>\n<p>This trick is not my idea and is described in various places on the internet &#8211; I shamelessly &#8216;borrowed&#8217; most of the bits and ideas from <a 
href=\"https:\/\/superuser.com\/questions\/258641\/windows-7-home-how-to-configure-a-logon-script\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It&#8217;s been a while since my last post about persistence tricks. Today I decided to fix this and write about yet another trick &#8211; kinda old, yet still cool &#8211; that works even today despite being as old as Windows &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/05\/27\/beyond-good-ol-run-key-part-38\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,35,15,19,46],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3627"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3627"}],"version-history":[{"count":2,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3627\/revisions"}],"predecessor-version":[{"id":3634,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3627\/revisions\/3634"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3627"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3627"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3627"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}