userinit.exe

  • File Path: C:\Windows\SysWOW64\userinit.exe
  • Description: Userinit Logon Application

Hashes

Type Hash
MD5 05D02F412A916B7322AB94E5D8EA9767
SHA1 2A4291B224A998CFAAF81906529629C32ADCDB8E
SHA256 28C7D92EA3F248D2B13165E934E25C64F9D61CD2E5D293457EE62B345556A411
SHA384 A0B5FCF320B27D2F47F0412AEDCF7E03DE080EA35DB795BDC638AC6F16B5EDCD8770BCAF207CC83954664F4961310C38
SHA512 07470C315F26FD66DA8ABAC89CEBF172C3C5BC93DE4FDCD3935CFA8CD3EDC0669979CB3176755A248F43735E925B403F74906DFFABE0659EBC1BF9DFDE01D7C4
SSDEEP 384:KJR4M0xmpuIUzYzKplbKRtkkzkwm5qJeojInSDPQnMZWuymWXC/:KJR4z5bzy+14kkYwm5qcHnEonHPC/
IMP 113287C325C3EE58A84B18E1A4323892
PESHA1 81CBE1140662E00294E0E2991AFB04F87B391253
PE256 ACBEE4886C16B07949F76FEACFC6DCAB10BDA87D547EA90A6ED8D5F569C90CC1

Runtime Data

Child Processes:

explorer.exe

Open Handles:

Path Type
(R-D) C:\Windows\System32\en-US\userinit.exe.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\userinit.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: USERINIT.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/28c7d92ea3f248d2b13165e934e25c64f9d61cd2e5d293457ee62b345556a411/detection

Possible Misuse

The following table contains possible examples of userinit.exe being misused. While userinit.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_suspicious_remote_thread.yml - '\userinit.exe' DRL 1.0
sigma proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml ParentImage\|endswith: '\userinit.exe' DRL 1.0
sigma proc_creation_win_susp_direct_asep_reg_keys_modification.yml - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit' DRL 1.0
sigma proc_creation_win_susp_userinit_child.yml title: Suspicious Userinit Child Process DRL 1.0
sigma proc_creation_win_susp_userinit_child.yml description: Detects a suspicious child process of userinit DRL 1.0
sigma proc_creation_win_susp_userinit_child.yml ParentImage\|endswith: '\userinit.exe' DRL 1.0
sigma registry_event_asep_reg_keys_modification.yml - '\Winlogon\Userinit' DRL 1.0
sigma registry_event_asep_reg_keys_modification_currentversion_nt.yml - '\Winlogon\Userinit' DRL 1.0
malware-ioc misp_invisimole.json "description": "Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nThe following run keys are created by default on Windows systems:\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce</code>\n\nThe <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: <code>reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders</code>\n* <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders</code>\n* <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders</code>\n\nThe following Registry keys can control automatic startup of services during boot:\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices</code>\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run</code>\n\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit</code> and <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell</code> subkeys can automatically launch programs.\n\nPrograms listed in the load value of the registry key <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows</code> run when any user logs on.\n\nBy default, the multistring BootExecute value of the registry key <code>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager</code> is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.", © ESET 2014-2018
malware-ioc part3.adoc userinit.exe © ESET 2014-2018
atomic-red-team index.md - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows] MIT License. © 2018 Red Canary
atomic-red-team T1012.md reg query “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit” MIT License. © 2018 Red Canary
atomic-red-team T1547.001.md The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell subkeys can automatically launch programs. MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md * Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md - Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md ## Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe. MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md Set-ItemProperty “HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" “Userinit” “Userinit.exe, #{binary_to_execute}” -Force MIT License. © 2018 Red Canary
atomic-red-team T1547.004.md Remove-ItemProperty -Path “HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name “Userinit” -Force -ErrorAction Ignore MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.