akde/infosec

Information security is ultimately about managing risk


The Windows registry is a central data store for the operating system as well as for applications. It is a key-value store organised in a tree structure.

A hive is a set of keys and their values. The root hives are:

| Short | Long | Content | Source file |
|---|---|---|---|
| HKCR | HKEY_CLASSES_ROOT | Information about file types and properties | |
| HKCC | HKEY_CURRENT_CONFIG | Information about the hardware configuration | |
| HKCU | HKEY_CURRENT_USER | Settings of the current user. This key changes depending on the current user. | %userprofile%\Ntuser.dat |
| HKLM | HKEY_LOCAL_MACHINE | Hardware information about devices, memory and drivers. | HKLM\SAM: \system32\config\sam; HKLM\Security: \system32\config\security; HKLM\Software: \system32\config\software; HKLM\System: \system32\config\system |
| HKU | HKEY_USERS | Default settings for new users. | |

Registry hives

There are also a few volatile keys, such as HKLM\Hardware, which are deleted at system shutdown.

Enumeration

Get information about a key:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

Search the registry for passwords:

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s | findstr "HKEY_CURRENT_USER HostName PortNumber UserName PublicKeyFile PortForwardings ConnectionSharing ProxyPassword ProxyUsername"
reg query HKCU\Software\SimonTatham\PuTTY\SshHostKeys\
reg query HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys

Usage

Show the permissions of registry keys as follows:

subinacl /keyreg HKEY_LOCAL_MACHINE\software\microsoft

Write a null-terminated string value (REG_SZ) named NewKeyName under the key hklm\Software\Bla:

reg add hklm\Software\Bla /v NewKeyName /t REG_SZ /d "This is new string content."

Export a (sub-) tree:

reg export HKLM\Software\Suppensoftware exp.reg

Various

To detect autostart programs:

reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"
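As an added example (not from the original page), the same Run/RunOnce keys audited from a defender's view in PowerShell: each entry is resolved to its executable, and the script reports whether that file exists and whether its Authenticode signature is valid. It assumes a 64-bit host, so the Wow6432Node paths for 32-bit entries are included as well.

```powershell
# Added example: audit autostart (Run/RunOnce) entries under HKLM and HKCU.
# Assumption: 64-bit Windows; Wow6432Node holds the 32-bit view of the keys.
$AutostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutablePath {
    # Extract the program path from a command line such as
    #   "C:\Program Files\Foo\foo.exe" /silent   or   %SystemRoot%\bar.exe -x
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: take the first token and expand environment variables
    $first = ($cmd -split '\s+')[0]
    return [Environment]::ExpandEnvironmentVariables($first)
}

function Get-AutostartAudit {
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key          # Microsoft.Win32.RegistryKey
        foreach ($name in $item.GetValueNames()) {
            $cmd    = [string]$item.GetValue($name)
            $exe    = Get-ExecutablePath -CommandLine $cmd
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'N/A' }
            [PSCustomObject]@{
                Key        = $key
                ValueName  = $name
                Command    = $cmd
                Executable = $exe
                Exists     = $exists
                Signature  = $sig
            }
        }
    }
}

# Entries whose file is missing or whose signature is not 'Valid' deserve a closer look.
Get-AutostartAudit | Sort-Object Signature | Format-Table -AutoSize
```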

RegRipper

Use RegRipper (available on GitHub) to export parts of a registry hive file (e.g. NTUSER.DAT) into a clear-text file.

Use registry-read.py (from Impacket) to parse a registry hive file (NTUSER.DAT) offline.

RegLookup is also available.
