Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keysHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WindowsorHKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windowsare loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Endgame Process Injection July 2017) Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. (Citation: AppInit Registry)The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. (Citation: AppInit Secure Boot)
AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| registry_file | Windows Registry File | Path | T1103.reg |
reg.exe import #{registry_file}