sessionmanager

$ target-query <path/to/target> -f sessionmanager
Details

Module

os.windows.generic.GenericPlugin

Output

records

Module documentation

Generic Windows plugin.

Provides some plugins that don’t fit in a separate plugin.

Function documentation

Return interesting Session Manager (Smss.exe) registry key entries.

Session Manager (smss.exe) is the first user-mode process started by the kernel. It performs several early tasks, such as creating the system environment variables and starting the Windows Logon Manager (winlogon.exe). The values this function returns live under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. The BootExecute value lists native-mode programs that smss.exe runs before the Win32 subsystem exists, which is how tasks that cannot run while Windows is up (such as the autochk disk check) get done; on a clean install it contains only the autochk entry. The Execute value should never be populated on an installed system. Both values can be leveraged as persistence mechanisms, so any unexpected entry warrants investigation.
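The following triage routine is an added example and is not part of dissect.target or this plugin; it shows how an analyst would baseline the two values the plugin returns. The input dictionary is a constructed sample shaped like the BootExecute and Execute values read from the Session Manager key (both are REG_MULTI_SZ, so they arrive as lists of strings). The only baseline it assumes is the stock entry `autocheck autochk *`, which Windows itself may extend with switches and a volume path when a disk check is scheduled.

```python
"""Triage Session Manager (smss.exe) registry values for persistence.

Added example, not part of dissect.target. Input mimics the BootExecute and
Execute values under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager.
"""
from dataclasses import dataclass

SESSION_MANAGER_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"


@dataclass
class Finding:
    value_name: str  # "BootExecute" or "Execute"
    entry: str       # the offending string from the REG_MULTI_SZ
    reason: str


def _as_entries(value) -> list[str]:
    """Normalise a registry value to a list of non-empty strings.

    REG_MULTI_SZ comes back as a list; tolerate a bare string too."""
    if value is None:
        return []
    if isinstance(value, str):
        value = [value]
    return [v.strip() for v in value if v and v.strip()]


def is_stock_bootexecute(entry: str) -> bool:
    """True for the native autochk invocation smss.exe runs by default.

    Windows writes the bare form "autocheck autochk *" at install time and a
    per-volume form such as "autocheck autochk /r \\??\\C:" when a chkdsk is
    scheduled, so only the first two tokens are matched. This is a name-based
    check only: a replaced autochk.exe on disk is out of scope here."""
    tokens = entry.split()
    return (
        len(tokens) >= 3
        and tokens[0].lower() == "autocheck"
        and tokens[1].lower() == "autochk"
    )


def triage_session_manager(values: dict) -> list[Finding]:
    """Return one Finding per entry that deviates from a clean install."""
    findings: list[Finding] = []

    # BootExecute: anything other than the autochk entry is a native image
    # that runs before Winlogon and before any security product is loaded.
    for entry in _as_entries(values.get("BootExecute")):
        if not is_stock_bootexecute(entry):
            findings.append(
                Finding("BootExecute", entry,
                        "non-default native image runs before Winlogon")
            )

    # Execute: must be empty once Windows is installed.
    for entry in _as_entries(values.get("Execute")):
        findings.append(
            Finding("Execute", entry,
                    "Execute should be empty on an installed system")
        )
    return findings


# Constructed sample: a benign scheduled chkdsk plus two planted entries.
SAMPLE_VALUES = {
    "BootExecute": [
        "autocheck autochk *",
        "autocheck autochk /r \\??\\C:",
        "svchosts",  # hypothetical dropped native image in System32
    ],
    "Execute": ["loader"],  # hypothetical, should not exist
}

if __name__ == "__main__":
    for f in triage_session_manager(SAMPLE_VALUES):
        print(f"{SESSION_MANAGER_KEY}\\{f.value_name}: {f.entry!r} -> {f.reason}")
```

A flagged BootExecute entry names a native (not Win32) image that smss.exe loads from System32, so the next step is to pull that file from the target and check its signature and timestamps rather than trusting the name.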

References: