Registry

General

The Registry is a hierarchical, tree-like structure made up of keys and their values. It stores, under subtrees, the information the OS and installed software need in order to run.

Keys are containers that represent a specific component of the computer. The hive files backing the host system's Registry root keys are stored under c:\windows\system32\config\.

PS C:\WINDOWS\system32> gci c:\windows\system32\config\


    Directory: C:\windows\system32\config


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        28/09/2022     09:00                bbimigrate
d-----        28/09/2022     09:00                BFS
d-----        07/05/2022     06:24                Journal
d-----        07/05/2022     06:24                RegBack
d-----        28/09/2022     19:52                systemprofile
d-----        13/03/2024     20:13                TxR
-a----        17/04/2024     21:41        1048576 BBI
-a----        28/09/2022     09:00          28672 BCD-Template
-a----        23/04/2024     10:09       46661632 COMPONENTS
-a----        17/04/2024     21:41        1572864 DEFAULT
-a----        22/04/2024     09:43        6356992 DRIVERS
-a----        15/02/2024     07:33          32768 ELAM
-a----        17/04/2024     21:41         131072 SAM
-a----        17/04/2024     21:41          32768 SECURITY
-a----        18/04/2024     06:05      142082048 SOFTWARE
-a----        17/04/2024     21:41       31195136 SYSTEM
-a----        28/09/2022     08:14           8192 userdiff
-a----        11/04/2024     06:33           1623 VSMIDK

Values hold the data that belongs to a specific key. Each value consists of a name, a data type (for example REG_SZ), and the data itself.

Registry Hives

Hives matter because each one is a single point of information for its area of the system, so changes to a hive take effect host-wide.

Name               | Abbreviation | Description
HKEY_LOCAL_MACHINE | HKLM         | This subtree contains information about the computer's physical state, such as hardware and operating system data, bus types, memory, device drivers, and more.
HKEY_CURRENT_CONFIG | HKCC        | This section contains records for the host's current hardware profile (the variance between the current and default setups). Think of it as a redirection of the HKLM CurrentControlSet profile key.
HKEY_CLASSES_ROOT  | HKCR         | Filetype information, UI extensions, and backward compatibility settings are defined here.
HKEY_CURRENT_USER  | HKCU         | Value entries here define the specific OS and software settings for each specific user. Roaming profile settings, including user preferences, are stored under HKCU.
HKEY_USERS         | HKU          | The default User profile and current user configuration settings for the local computer are defined under HKU.

We can use reg.exe or the Get-Item, Get-ChildItem, Get-ItemProperty, New-Item and New-ItemProperty cmdlets to interact with the hives.

# Querying autostart entries (programs launched at logon) under the Run key
Get-Item -Path Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Select-Object -ExpandProperty Property
SecurityHealth
RtkAudUService
RZTHXHelper
AvastUI.exe
# Recursively listing every subkey (and its values) below CurrentVersion
Get-ChildItem -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion -Recurse
# Querying the same autostart entries with friendlier output
Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SecurityHealth : C:\WINDOWS\system32\SecurityHealthSystray.exe
RtkAudUService : "C:\WINDOWS\System32\DriverStore\FileRepository\realtekservice.inf_amd64_af528bf4464e0980\RtkAudUService64.exe" -background
RZTHXHelper    : C:\WINDOWS\system32\RZTHXHelper.exe
AvastUI.exe    : "C:\Program Files\Avast Software\Avast\AvLaunch.exe" /gui
PSPath         : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PSParentPath   : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
PSChildName    : Run
PSProvider     : Microsoft.PowerShell.Core\Registry
# Querying key information with reg.exe
reg query HKEY_LOCAL_MACHINE\SOFTWARE\7-Zip

HKEY_LOCAL_MACHINE\SOFTWARE\7-Zip
    Path64    REG_SZ    C:\Program Files\7-Zip\
    Path    REG_SZ    C:\Program Files\7-Zip\
    
# Searching specific information within registry
REG QUERY HKCU /F "Password" /t REG_SZ /S /K

HKEY_CURRENT_USER\Software\Microsoft\Windows\Winlogon\PasswordExpiryNotification
    NotShownTime    REG_SZ    06::53::50, 2024/04/23
    NotShownReason    REG_SZ    PasswordNeverExpires
  • /F <pattern> -> string to search for
  • /S -> recursive
  • /K -> Key names only

# Creating a new key under the RunOnce key
New-Item -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ -Name TestKey

    Hive: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Name                           Property
----                           --------
TestKey   
# Setting a new property
New-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\TestKey -Name  "access" -PropertyType String -Value "C:\Users\htb-student\Downloads\payload.exe"

access       : C:\Users\htb-student\Downloads\payload.exe
PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
               TestKey
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
PSChildName  : TestKey
PSDrive      : HKCU
PSProvider   : Microsoft.PowerShell.Core\Registry

# Same as above with reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\TestKey" /v access /t REG_SZ /d "C:\Users\htb-student\Downloads\payload.exe" 

# Deleting reg properties
Remove-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\TestKey -Name  "access"
# Confirming that properties were deleted
Get-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\TestKey
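The commands above read and write single autostart entries by hand. Pulling them together, the following added example (not part of the original notes) enumerates every value under the Run and RunOnce keys of HKLM and HKCU with Get-ItemProperty, strips the PS* bookkeeping properties seen in the output above, and flags entries whose executable lives in a user-writable location; the key list and the "user-writable" path patterns are assumptions chosen for this example.

```powershell
# Added example: audit Run/RunOnce autostart entries (defender-side triage).
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed patterns for locations a standard user can write to; an autostart
# entry pointing here (e.g. a Downloads folder) deserves a closer look.
$userWritable = '\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\', '\\Temp\\', '\\ProgramData\\'

function Get-AutostartEntry {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Real value names are everything except the provider's PS* metadata
        # (PSPath, PSParentPath, PSChildName, PSDrive, PSProvider).
        $names = $props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }
        foreach ($name in $names) {
            $raw = [Environment]::ExpandEnvironmentVariables([string]$props.$name)
            # Extract the executable from a command line such as "C:\x\y.exe" /gui.
            # Unquoted paths containing spaces are cut at the first space, so
            # Exists may read $false for those; review them manually.
            $exe = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split ' ')[0] }
            [pscustomobject]@{
                Key              = $key
                Name             = $name
                Command          = $raw
                Executable       = $exe
                Exists           = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
                UserWritablePath = [bool]($userWritable | Where-Object { $exe -match $_ })
            }
        }
    }
}

# Suspicious entries (user-writable path or missing binary) sort to the top.
Get-AutostartEntry |
    Sort-Object -Property UserWritablePath, Exists -Descending |
    Format-Table -AutoSize
```

Run it from an elevated prompt to see HKLM entries as well as the current user's; the TestKey/access value created above would appear with UserWritablePath set to True.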
