While conducting an internal penetration test you gain SYSTEM access to a Windows 10 endpoint. Blue team procedures include resetting all Run/RunOnce registry entries, purging user Startup folders, and comparing service and scheduled-task configurations to a gold image every night. They do not audit WMI. Which approach offers a durable, stealthy persistence channel after reboot?
Register a permanent WMI event consumer that launches your payload when the system boots.
Drop a hidden shortcut to your payload in the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp folder.
Modify the ImagePath of the Print Spooler service to execute your backdoor on startup.
Add a malicious value under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce that points to your payload.
Creating a permanent WMI event subscription registers a filter, consumer, and binding inside the WMI repository. The subscription is executed by the WMI service at system start or when the defined trigger fires, giving code execution even if Run keys, Startup folders, services, and scheduled tasks are reverted or deleted. Because the defender does not monitor WMI, the technique will likely remain unnoticed.
The RunOnce registry value and the Startup folder are explicitly wiped by the blue team, so payloads placed there will not persist. Modifying an existing service's ImagePath would be detected by their nightly service-configuration comparison. Therefore, using a permanent WMI event consumer is the most reliable and covert choice in this scenario.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are WMI event consumers in Windows?
Open an interactive chat with Bash
Why is modifying the Run/RunOnce registry subkeys less stealthy for persistence?
Open an interactive chat with Bash
How does comparing services or scheduled tasks to a gold image improve security?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
System Hacking Phases and Attack Techniques
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .