.. generated, remove this comment to keep this file

``appinit``
===========

.. code-block:: console

    $ target-query -f appinit

.. list-table:: Details
   :widths: 20 80

   * - Module
     - ``os.windows.generic.GenericPlugin``
   * - Output
     - ``records``

**Module documentation**

Generic Windows plugin.

Provides some plugins that don't fit in a separate plugin.

**Function documentation**

Return all available Application Initial (AppInit) DLLs registry key values.

AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the
system. It can be used as a persistence mechanism and/or to elevate privileges by executing malicious content
triggered by AppInit DLLs loaded into processes. DLLs that are specified in the ``AppInit_DLLs`` value in the
Registry keys ``HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows`` or
``HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows`` are loaded by user32.dll
into every process that loads user32.dll.

References:

- https://attack.mitre.org/techniques/T1546/010/
- https://docs.microsoft.com/en-us/windows/win32/win7appqual/appinit-dlls-in-windows-7-and-windows-server-2008-r2?redirectedfrom=MSDN
- https://docs.microsoft.com/en-US/windows/win32/dlls/secure-boot-and-appinit-dlls
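
The following Python is an added example, not part of the plugin or the dissect code base: it triages the ``AppInit_DLLs`` value from both registry keys named above. It relies on the neighbouring ``LoadAppInit_DLLs`` and ``RequireSignedAppInit_DLLs`` values and the space- or comma-delimited list format described in the Microsoft documentation referenced above. The input shape, the function names and the priority labels are assumptions made for this example.

```python
import re

# The two registry locations named above (native and WOW64 views).
APPINIT_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)

def split_appinit(raw):
    """AppInit_DLLs is a space- or comma-delimited list; return its entries."""
    return [p for p in re.split(r"[ ,]+", (raw or "").strip()) if p]

def triage(views):
    """One finding per configured DLL; `views` maps key path -> values dict
    (hypothetical input shape). Priority labels are this example's own."""
    findings = []
    for key in APPINIT_KEYS:
        values = views.get(key, {})
        # A missing LoadAppInit_DLLs is treated as enabled (assumption: err toward review).
        enabled = values.get("LoadAppInit_DLLs", 1) == 1
        signed_only = values.get("RequireSignedAppInit_DLLs", 0) == 1
        for dll in split_appinit(values.get("AppInit_DLLs")):
            if not enabled:
                priority = "info"      # configured, but loading is switched off
            elif signed_only:
                priority = "medium"    # loaded only if the DLL is code-signed
            else:
                priority = "high"      # loaded into every process that loads user32.dll
            findings.append({"key": key, "dll": dll, "priority": priority})
    return findings

# Constructed sample data, not taken from a real system.
SAMPLE = {
    APPINIT_KEYS[0]: {
        "AppInit_DLLs": r"C:\PROGRA~1\Vendor\hook.dll, C:\Users\Public\upd.dll",
        "LoadAppInit_DLLs": 1,
        "RequireSignedAppInit_DLLs": 0,
    },
    APPINIT_KEYS[1]: {
        "AppInit_DLLs": r"C:\Windows\SysWOW64\legacy.dll",
        "LoadAppInit_DLLs": 0,
    },
}

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Checking both keys matters because the ``Wow6432Node`` value applies to 32-bit processes independently of the native one.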