# userinit.exe

### What is userinit.exe?

`userinit.exe` is the Windows **User Initialization Program**. `winlogon.exe` starts it once a user has authenticated, and it sets up the interactive session before handing off to the shell and exiting.

**Key Functions:**

* **Loading User Profile:** Completes the profile setup that `winlogon.exe` began, so the user's registry hive and profile folders are in place.
* **Executing Logon Scripts:** Runs the logon scripts assigned to the user, whether set on the account or delivered through Group Policy.
* **Starting User Shell:** **Launches the shell named in the Winlogon `Shell` value, `explorer.exe` by default**, which provides the desktop and user interface. `userinit.exe` then exits, which is why `explorer.exe` normally shows no living parent process.
* **Setting Environment Variables:** Establishes the user-specific environment variables for the session.
* **Processing Group Policy:** In domain environments it triggers user Group Policy processing at logon; the client-side extensions (CSEs) themselves run in the Group Policy Client service.

**In essence, `userinit.exe` bridges the login process and the user's interactive session by preparing the environment and starting the shell.**

### Behaviour

| Feature                 | Normal Behavior                                                                                                                                                                                                     | Abnormal Behavior                                                                                                                                                                                                                  |
| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Image Path**          | `%SystemRoot%\System32\userinit.exe` (normally `C:\Windows\System32\userinit.exe`)                                                                                                                                  | Any other path, including a look-alike name or a copy in a user-writable directory                                                                                                                                                |
| **Parent Process**      | `winlogon.exe`                                                                                                                                                                                                      | Any other parent                                                                                                                                                                                                                    |
| **Number of Instances** | One short-lived instance per interactive logon. It exits within seconds of starting the shell, so it is rarely seen in a process list at all.                                                                        | Instances that stay running after logon, or more instances than there are interactive logons                                                                                                                                       |
| **User Account**        | The account that just logged on                                                                                                                                                                                     | A different or unexpected account                                                                                                                                                                                                   |
| **Resource Usage**      | Low CPU and memory; the process is gone shortly after `explorer.exe` starts                                                                                                                                         | Sustained CPU or memory consumption long after logon                                                                                                                                                                                |
| **Registry Keys**       | `Userinit` under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` is `C:\Windows\system32\userinit.exe,` (a comma-separated list; the trailing comma is normal) and `Shell` in the same key is `explorer.exe` | Extra entries appended to `Userinit`, a `Shell` value other than `explorer.exe`, or `Shell`/`Userinit` values under `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon` on a build that does not use per-user overrides |
| **Functionality**       | Loads the user profile, runs logon scripts, and starts the shell                                                                                                                                                    | Profile fails to load, scripts do not run, or the shell does not start                                                                                                                                                              |

### userinit.exe and MITRE ATT\&CK

<mark style="color:red;">Attackers</mark> use `userinit.exe` for **persistence** under T1547 Boot or Logon Autostart Execution, sub-technique T1547.004 Winlogon Helper DLL, which covers the `Userinit`, `Shell` and `Notify` values of the Winlogon key. The `Userinit` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` is a comma-separated list, so an attacker with administrative rights appends a path to it (giving the form `C:\Windows\system32\userinit.exe,<path to payload>`) and `winlogon.exe` launches the payload **alongside** the legitimate `userinit.exe` at every interactive logon, in the logging-on user's context. Detection rests on two signals: writes to the `Userinit` (and `Shell`) values, for example Sysmon Event ID 13 (RegistryEvent, value set) on that key, and process-creation events where `winlogon.exe` spawns something other than `userinit.exe`, or `userinit.exe` spawns something other than the configured shell.
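The following PowerShell script is an added example, not code from the original page; it checks both the baseline in the Behaviour table and the `Userinit` tampering described above. It assumes a default Windows build (`Userinit` lists only `userinit.exe`, `Shell` is `explorer.exe`, no per-user Winlogon overrides) and an elevated session so process image paths are readable; the 5-minute lifetime threshold is a heuristic and the function names are this example's own.

```powershell
# Added example (not from the original page): audit the Winlogon autostart
# values and any live userinit.exe against the expected baseline.
# Assumptions: default Windows install (Userinit = userinit.exe only,
# Shell = explorer.exe), no per-user Winlogon overrides, elevated session.

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userKey     = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$system32    = Join-Path $env:SystemRoot 'System32'
$expectedUserinit = @( (Join-Path $system32 'userinit.exe') )
$expectedShell    = @( 'explorer.exe' )

function Split-WinlogonValue {
    # Userinit/Shell are comma-separated lists. The trailing comma on the
    # default Userinit value yields an empty element, which is dropped here.
    param([string]$Value)
    $Value -split ',' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -ne '' }
}

function Test-WinlogonValue {
    param([string]$Name, [string[]]$Expected)
    $raw     = (Get-ItemProperty -Path $winlogonKey -Name $Name).$Name
    $entries = @(Split-WinlogonValue $raw)
    foreach ($entry in $entries) {
        # Entries may use environment variables; compare both raw and expanded forms.
        $expanded = [Environment]::ExpandEnvironmentVariables($entry)
        if (($Expected -notcontains $entry) -and ($Expected -notcontains $expanded)) {
            [pscustomobject]@{ Check = "HKLM Winlogon\$Name"; Finding = "unexpected entry '$entry'"; Raw = $raw }
        }
    }
    # An attacker appends to the list rather than replacing it, so the count matters too.
    if ($entries.Count -ne $Expected.Count) {
        [pscustomobject]@{ Check = "HKLM Winlogon\$Name"; Finding = "expected $($Expected.Count) entries, found $($entries.Count)"; Raw = $raw }
    }
}

function Test-UserWinlogonOverride {
    # Per-user Shell/Userinit values are honoured by Winlogon; on a standard
    # build they should not exist, so their mere presence is reported.
    if (-not (Test-Path $userKey)) { return }
    $props = Get-ItemProperty -Path $userKey
    foreach ($name in 'Shell', 'Userinit') {
        if ($null -ne $props.$name) {
            [pscustomobject]@{ Check = "HKCU Winlogon\$name"; Finding = 'per-user override present'; Raw = $props.$name }
        }
    }
}

function Test-UserinitProcess {
    # userinit.exe should have exited seconds after logon. Anything still alive
    # is checked for image path, parent and age. A parent PID can be reused
    # once winlogon.exe exits, so treat the parent check as a hint, not proof.
    $expectedImage = Join-Path $system32 'userinit.exe'
    Get-CimInstance Win32_Process -Filter "Name = 'userinit.exe'" | ForEach-Object {
        $proc   = $_
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $issues = @()
        if ($proc.ExecutablePath -ne $expectedImage) { $issues += "image path '$($proc.ExecutablePath)'" }
        if ($null -eq $parent -or $parent.Name -ne 'winlogon.exe') { $issues += "parent '$($parent.Name)' (PID $($proc.ParentProcessId))" }
        $age = (Get-Date) - $proc.CreationDate
        if ($age.TotalMinutes -gt 5) { $issues += "still running after $([int]$age.TotalMinutes) min" }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{ Check = "userinit.exe PID $($proc.ProcessId)"; Finding = ($issues -join '; '); Raw = $proc.CommandLine }
        }
    }
}

$findings = @(
    Test-WinlogonValue -Name 'Userinit' -Expected $expectedUserinit
    Test-WinlogonValue -Name 'Shell'    -Expected $expectedShell
    Test-UserWinlogonOverride
    Test-UserinitProcess
)
if ($findings.Count -eq 0) { 'Winlogon/userinit baseline intact.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated prompt on a host you believe is clean first to confirm the baseline matches your build; if your environment legitimately customises the shell or the `Userinit` list, extend `$expectedUserinit` and `$expectedShell` rather than silencing the check. The point-in-time check complements, but does not replace, continuous monitoring of writes to the Winlogon key.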

