Ok, then. I’m back on a PC now and can check it.
First, the key name is “Microsoft\Windows NT”, not “Microsoft\Windows”.
We can get the value of Userinit via
Q: values "Userinit" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" of native registry
A: C:\Windows\system32\userinit.exe,
Mine ends with a comma. It looks to me like it could have multiple values, separated by commas. So I’ll try to split them on commas, but you may need to validate whether my assumption here is correct (do you have any with multiple files in the value?)
Q: substrings separated by "," of (it as string) of values "Userinit" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" of native registry
A: C:\Windows\system32\userinit.exe
A:
T: 1573
Now I can do a couple of checks. Do any of these values end with .lnk?
Q: exists it whose (it as lowercase ends with ".lnk") of substrings separated by "," of (it as string) of values "Userinit" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" of native registry
A: False
T: 4026
If I want to find the file(s) associated with those values, I can retrieve them as well.
Q: (files (it) ) of substrings separated by "," of (it as string) of values "Userinit" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" of native registry
A: "userinit.exe" "10.0.18362.1" "Userinit Logon Application" "10.0.18362.1 (WinBuild.160101.0800)" "Microsoft Corporation"
T: 10155
Now that I’ve found the file(s), I can pull any other file properties…
Q: (pathname of it, modification time of it) of (files (it) ) of substrings separated by "," of (it as string) of values "Userinit" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" of native registry
A: C:\Windows\system32\userinit.exe, ( Mon, 18 Mar 2019 22:45:22 -0600 )
T: 10468
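
The same split-and-check idea outside of relevance, as an added Python example (not the poster's code and not part of BigFix): it splits a Userinit string on commas and reports every entry that is not the stock userinit.exe path or that ends in a shortcut or script extension. The expected path, the extension list, the `windir` default and the sample values are assumptions constructed for illustration.

```python
import ntpath

# Assumption: the stock entry, matching the value shown in the post's output.
EXPECTED = r"c:\windows\system32\userinit.exe"
# Assumption: extensions worth a second look in a logon launch point.
SUSPECT_EXTENSIONS = (".lnk", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr")


def split_userinit(raw):
    """Split on commas; the trailing comma yields an empty item, which is dropped."""
    return [part.strip().strip('"') for part in raw.split(",") if part.strip()]


def normalize(entry, windir=r"C:\Windows"):
    """Lowercase, expand %SystemRoot% / %windir%, and collapse '..' segments."""
    lowered = entry.lower()
    for var in ("%systemroot%", "%windir%"):
        lowered = lowered.replace(var, windir.lower())
    return ntpath.normpath(lowered)


def audit_userinit(raw, windir=r"C:\Windows"):
    """Return a list of (entry, reason) findings; an empty list means clean."""
    entries = split_userinit(raw)
    if not entries:
        return [("", "Userinit value is empty")]
    findings = []
    for entry in entries:
        path = normalize(entry, windir)
        ext = ntpath.splitext(path)[1]
        if ext in SUSPECT_EXTENSIONS:
            findings.append((entry, "suspect extension " + ext))
        if path != EXPECTED:
            findings.append((entry, "not the expected userinit.exe path"))
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real host.
    samples = [
        r"C:\Windows\system32\userinit.exe,",
        r"%SystemRoot%\System32\..\system32\userinit.exe",
        r"C:\Windows\system32\userinit.exe,C:\Users\Public\update.lnk,",
    ]
    for value in samples:
        print(value, "->", audit_userinit(value) or "clean")
```

A bare `userinit.exe` with no directory is reported as unexpected here, since it does not match the full stock path.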