The Registry is a hierarchical database in Windows critical for the operating system. It stores low-level settings for the Windows operating system and applications that choose to use it. It is divided into computer-specific and user-specific data. We can open the Registry Editor by typing regedit from the command line or Windows search bar.
What are Keys
Keys, in essence, are containers that represent a specific component of the PC. Keys can contain other keys and values as data. These entries can take many forms, and naming contexts only require that a Key be named using alphanumeric (printable) characters and is not case-sensitive. As a visual example of Keys, if we look at the image below, each folder within the Green rectangle is a Key and contains sub-keys (HKEY_LOCAL_MACHINE).
Each folder under Computer is a key. The root keys all start with HKEY. A key such as HKEY-LOCAL-MACHINE is abbreviated to HKLM. HKLM contains all settings that are relevant to the local system. This root key contains six subkeys like SAM, SECURITY, SYSTEM, SOFTWARE, HARDWARE, and BCD, loaded into memory at boot time (except HARDWARE which is dynamically loaded).
Registry Key Files
- The entire system registry is stored in several files on the operating system. You can find these under
C:\Windows\System32\Config\. - The user-specific registry hive (HKCU) is stored in the user folder (i.e.,
C:\Users\<USERNAME>\Ntuser.dat).
A host systems Registry root keys are stored in several different files and can be accessed from C:\Windows\System32\Config\. Along with these Key files, registry hives are held throughout the host in various other places.
For a detailed list of all Registry Hives and their supporting files within the OS, we can look HERE. Now let’s discuss Values within the Registry.
What Are Values
Values represent data in the form of objects that pertain to that specific Key. These values consist of a name, a type specification, and the required data to identify what it’s for. The image below visually represents Values as the data between the Orange lines. Those values are nested within the Installer key, which is, in turn, inside another key. We can reference the complete list of Registry Key Values HERE. In all, there are 11 different value types that can be configured.
Registry Hives
Each Windows host has a set of predefined Registry keys that maintain the host and settings required for use. Below is a breakdown of each hive and what can be found referenced within.
Hive Breakdown
| Name | Abbreviation | Description |
|---|---|---|
| HKEY_LOCAL_MACHINE | HKLM | This subtree contains information about the computer’s physical state, such as hardware and operating system data, bus types, memory, device drivers, and more. |
| HKEY_CURRENT_CONFIG | HKCC | This section contains records for the host’s current hardware profile. (shows the variance between current and default setups) Think of this as a redirection of the HKLM CurrentControlSet profile key. |
| HKEY_CLASSES_ROOT | HKCR | Filetype information, UI extensions, and backward compatibility settings are defined here. |
| HKEY_CURRENT_USER | HKCU | Value entries here define the specific OS and software settings for each specific user. Roaming profile settings, including user preferences, are stored under HKCU. |
| HKEY_USERS | HKU | The default User profile and current user configuration settings for the local computer are defined under HKU. |
There are other predefined keys for the Registry, but they are specific to certain versions and regional settings in Windows. For more information on those entries and Registry keys in general, check out the documentation provided by Microsoft
Why information in registry so important?
As a pentester, the Registry can be a treasure trove of information that can help us further our engagements. Everything from what software is installed, current OS revision, pertinent security settings, control of Defender, and more can be found in the Registry. Can we find all of this information in other places? Yes. But there is no better single point to find all of it and have the ability to make widespread changes to the host simultaneously. From an offensive perspective, the Registry is hard for Defenders to protect. The hives are enormous and filled with hundreds of entries. Finding a singular change or addition among the hives is like hunting for a needle in a haystack (unless they keep solid backups of their configurations and host states). Having a general understanding of the Registry and where key values are within can help us take action quicker and for defenders spot any issues sooner.
## Run and RunOnce Registry Keys
There are also so-called registry hives, which contain a logical group of keys, subkeys, and values to support software and files loaded into memory when the operating system is started or a user logs in. These hives are useful for maintaining access to the system. These are called [Run and RunOnce registry keys](https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys).
The Windows registry includes the following four keys:
```powershell-session
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Here is an example of the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key while logged in to a system.
PS C:\htb> reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
SecurityHealth REG_EXPAND_SZ %windir%\system32\SecurityHealthSystray.exe
RTHDVCPL REG_SZ "C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" -s
Greenshot REG_SZ C:\Program Files\Greenshot\Greenshot.exeHere is an example of the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run showing applications running under the current user while logged in to a system.
PS C:\htb> reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
OneDrive REG_SZ "C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
OPENVPN-GUI REG_SZ C:\Program Files\OpenVPN\bin\openvpn-gui.exe
Docker Desktop REG_SZ C:\Program Files\Docker\Docker\Docker Desktop.exe