persistence-info.github.io

Winlogon Notification Package

Location:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Classification:

| Criteria | Value |
|---|---|
| Permissions | Admin |
| Security context | System; User |
| Persistence type | Registry |
| Code type | DLL |
| Launch type | Automatic |
| Impact | Non-destructive |
| OS Version | All OS versions |
| Dependencies | OS only |
| Toolset | Scriptable |

Description:

Well documented. May be used to launch arbitrary code on different Winlogon events, in both the System and the user security context.

Winlogon notification packages are DLLs that receive and handle events generated by Winlogon. You can implement such a notification package to monitor and respond to Winlogon events.
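An audit of the location above, as an added example that is not part of the original page: it lists every package registered under the Notify key, the DLL it points to, that DLL's Authenticode status, and which events it handles. The value names (DllName, Impersonate and the event names) come from Microsoft's documentation of notification package registry entries, not from this page; resolving a bare file name to System32 is an assumption.

```powershell
# Added example: list Winlogon notification packages registered on this host.
$NotifyKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Event handler value names documented by Microsoft for notification packages.
$EventValues = 'Logon','Logoff','Startup','Shutdown','Lock','Unlock',
               'StartScreenSaver','StopScreenSaver','StartShell'

function Get-WinlogonNotifyPackage {
    param([string]$Path = $NotifyKey)

    # Key absent: nothing is registered.
    if (-not (Test-Path -LiteralPath $Path)) { return }

    foreach ($sub in Get-ChildItem -LiteralPath $Path) {
        $props = Get-ItemProperty -LiteralPath $sub.PSPath
        $dll   = [string]$props.DllName

        # Assumption: a bare file name is loaded from System32.
        $file = [Environment]::ExpandEnvironmentVariables($dll)
        if ($file -and -not [IO.Path]::IsPathRooted($file)) {
            $file = Join-Path $env:SystemRoot "System32\$file"
        }

        # Check whether the registered DLL exists and carries a valid signature.
        $signature = 'FileMissing'
        if ($file -and (Test-Path -LiteralPath $file -PathType Leaf)) {
            $signature = (Get-AuthenticodeSignature -FilePath $file).Status
        }

        [pscustomobject]@{
            Package     = $sub.PSChildName
            DllName     = $dll
            ResolvedDll = $file
            Signature   = $signature
            # Events for which the package registers a handler function.
            Events      = ($EventValues | Where-Object { $props.$_ }) -join ','
            # Impersonate = 1 means handlers run in the logged-on user's context.
            UserContext = [bool]$props.Impersonate
        }
    }
}

Get-WinlogonNotifyPackage | Sort-Object Package | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt and compare the output against a known-good baseline; a package whose DLL is missing, unsigned, or outside the expected system directories is the entry to investigate first.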

References:

https://docs.microsoft.com/en-us/windows/win32/secauthn/winlogon-notification-packages

Credits:

See also:

Remarks: