General Info

http://blog.metasploit.com/2010/12/capturing-windows-logons-with.html
https://community.rapid7.com/community/metasploit/blog2010/12/capturing-windows-logons-with.html
$data += [PSObject] @{Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\'; Entries='System','Userinit','VMApplet','AppSetup'}
$data += [PSObject] @{Path='HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\'; Entries='System','Userinit','VMApplet','AppSetup'}
https://www.f-secure.com/v-descs/trojan_w32_qhost_je.shtml