The payload works (except I had to change the PowerShell execution to use Process, not the PowerShell, because Win7 threw an exception right there). I also modified the PSExec a little bit. payload.txt contains the part after -EncodedCommand, so you can swap the payload easily without needing to recompile the PSExec every time, which may not be possible every time.
Thanks, nice idea :) It works as expected; you will get Sys Privs easily (except for Win10, which may be an MSF problem) and the payload stays persistent with Sys Privs after reboot.
Nice work ;)