Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

DontWatchSysProcs

If set, wininit.exe won't check if one of the processes it created crashed.

Enable automatic logon

Automatic logon for a user is enabled by setting the value of AutoAdminLogon to 1, the value of DefaultUserName to the name of an existing user and the value of DefaultPassword to that user's password.
When in a domain, DefaultDomain is additionally needed.
@rem Prompt for the password of the current user (the input is echoed to the console).
@set /p password="Enter password for %USERNAME%: "
@rem The /d values are quoted so that user names and passwords containing spaces are written intact.
@reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d "%USERNAME%" /f
@reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d "%password%" /f
@reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
GitHub repository about-Windows-Registry, path: /HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/automatic-logon.bat
Note: the password is now stored in clear text in the registry.
In order to bypass this mechanism, the shift key must be pressed after/while starting Windows.
See also autologon.exe.

mpnotify

Grzegorz Tworek has this interesting tweet:
How exactly winload.exe leaks user password? It checks mpnotify value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, and then launches exe specified there or mpnotify.exe if empty. Exe registers RPC endpoint and winlogon binds to it and passes the password.

NoDebugThread

If set, wininit.exe won't create the «periodic timer queue».

SFCDisable

Specifies whether Windows File Protection is disabled.
The value can be one of

SFCDllCacheDir

SFCDllCacheDir specifies the Dll Cache directory.

SfcScan

The value of SfcScan specifies the behavior of the System File Checker tool and can be set with sfc.exe.
Possible values for SfcScan are

Shell

The default value of Shell is explorer.exe.

UserenvDebugLevel

Enables or disables logging of Windows Group Policy Engine processing to %SystemRoot%\debug\UserMode\Userenv.log
Possible values are:
NONE 0x00000000
NORMAL 0x00000001
VERBOSE 0x00000002
LOGFILE 0x00010000
DEBUGGER 0x00020000

Userinit

Userinit specifies the executable that Winlogon runs when a user logs into Windows.
The (default) value of Userinit is C:\Windows\system32\userinit.exe.
The value of Userinit is queried by winlogon.exe.
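
Audit sketch for the values described above (AutoAdminLogon, DefaultPassword, mpnotify, Shell, Userinit). This is an added example, not part of the original notes or the about-Windows-Registry repository; the function name Get-WinlogonFindings and the sample values are hypothetical, and the expected defaults are the ones stated on this page.

```powershell
# Added example (not from the original notes). Reports Winlogon values that
# differ from the defaults stated on this page, without printing any secret.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-WinlogonFindings {          # hypothetical helper name
    param([Parameter(Mandatory)] [psobject] $Values)
    $findings = [System.Collections.Generic.List[string]]::new()

    # AutoAdminLogon is stored as REG_SZ, so compare it as a string.
    if ("$($Values.AutoAdminLogon)" -eq '1') {
        $findings.Add("AutoAdminLogon is 1 (DefaultUserName: $($Values.DefaultUserName))")
    }
    # Report presence only; the stored password is never echoed.
    if (-not [string]::IsNullOrEmpty($Values.DefaultPassword)) {
        $findings.Add('DefaultPassword is present: clear-text password in the registry')
    }
    # Shell: explorer.exe is the default.
    if ($null -ne $Values.Shell -and "$($Values.Shell)".Trim() -ine 'explorer.exe') {
        $findings.Add("Shell is not the default: $($Values.Shell)")
    }
    # Userinit is a comma-separated list and often ends with a trailing comma,
    # so split it and ignore empty entries before comparing.
    $expected = 'C:\Windows\system32\userinit.exe'
    $entries = @("$($Values.Userinit)" -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    foreach ($entry in $entries) {
        if ($entry -ine $expected) { $findings.Add("Userinit has a non-default entry: $entry") }
    }
    # mpnotify: when empty, mpnotify.exe is used; any other value deserves review.
    if (-not [string]::IsNullOrWhiteSpace($Values.mpnotify)) {
        $findings.Add("mpnotify is set: $($Values.mpnotify)")
    }
    $findings
}

# Constructed sample values (not from a real system) so the logic can be seen offline.
$sample = [pscustomobject]@{
    AutoAdminLogon  = '1'
    DefaultUserName = 'kiosk'
    DefaultPassword = 'constructed-example'
    Shell           = 'explorer.exe'
    Userinit        = 'C:\Windows\system32\userinit.exe,'
    mpnotify        = 'C:\constructed\example.exe'
}
Get-WinlogonFindings -Values $sample

# On a Windows host, audit the live key as well.
if (Test-Path $WinlogonKey) {
    Get-WinlogonFindings -Values (Get-ItemProperty -Path $WinlogonKey)
}
```

For the constructed sample this reports three findings (AutoAdminLogon, DefaultPassword, mpnotify); the Userinit value with its trailing comma is treated as the default.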

See also

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Sub keys include
