Winlogon Notification Package
Location:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Classification:
| Criteria | Value |
|---|---|
| Permissions | Admin |
| Security context | System; User |
| Persistence type | Registry |
| Code type | DLL |
| Launch type | Automatic |
| Impact | Non-destructive |
| OS Version | All OS versions |
| Dependencies | OS only |
| Toolset | Scriptable |
Description:
Well documented. May be used to launch arbitrary code on different events, and in both - System, and user context.
Winlogon notification packages are DLLs that receive and handle events generated by Winlogon. You can implement such a notification package to monitor and respond to Winlogon events.
References:
https://docs.microsoft.com/en-us/windows/win32/secauthn/winlogon-notification-packages