During a post-exploitation phase on a Windows Server 2019 host you have obtained NT AUTHORITY\SYSTEM privileges through a vulnerable service. To ensure your custom reverse-shell executable (rev.exe) is started automatically at every boot with SYSTEM rights, even if all local account passwords are later reset, which of the following is the most reliable persistence technique to use?
Create a new Windows service with sc.exe pointing to rev.exe, set the start type to Auto, and run it under the LocalSystem account.
Enable Remote Desktop and add an inbound rule for TCP 3389 to reconnect later using stolen credentials.
Append rev.exe to the AppInit_DLLs value in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows and set LoadAppInit_DLLs to 1.
Add a rev.exe entry to HKCU\Software\Microsoft\Windows\CurrentVersion\Run so it launches at the next interactive logon.
Registering a new service with sc.exe and setting its start type to Auto causes Windows to launch the specified binary during the service-control manager's initialization phase of every boot. Services that run under the LocalSystem account inherit SYSTEM privileges independently of any interactive user credentials, so password changes on local accounts do not affect the attacker's foothold.
Creating an autostart entry under HKCU…\Run depends on a specific user logging on and only grants that user's privileges. Enabling RDP and adding a firewall rule merely exposes the host for remote logon and still requires valid credentials. Using AppInit_DLLs can provide persistence, but it works only when LoadAppInit_DLLs is enabled and loads the DLL in user processes, not as SYSTEM, making it less reliable on modern Windows versions.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the Service Control Manager (SCM) in Windows?
Open an interactive chat with Bash
How does the LocalSystem account differ from other Windows accounts?
Open an interactive chat with Bash
Why is AppInit_DLLs no longer a reliable persistence method on modern Windows versions?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
System Hacking Phases and Attack Techniques
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .