The Windows Registry
Day 7
Purpose and Role of the Registry
13.1 Explain the purpose and role of the Windows Registry and its major functions

What it is:
- A hierarchical database of critical system configuration.
- The Registry is the configuration and control mechanism for the Windows operating system.
- Contains system-wide and per-user settings.

Usage:
- During the initial boot process (pre-kernel): the list of boot device drivers to load before the kernel.
- During the kernel boot process: loads device drivers and system element configuration.
- During logon: reads per-user preferences and settings.
- During application startup and execution.
The Registry has 5 Root Keys
13.2 Describe Registry hierarchy organization and primary components

- HKCU - Current User
- HKU - Users
- HKCR - Classes Root
- HKLM - Local Machine
- HKCC - Current Config

Additional handles to predefined keys exist; see Predefined Keys (Windows) on MSDN.

- HKCU - Current User: individual user settings.
- HKU - Users: all accounts on the machine; the root key containing the ntuser.dat hives for ALL users.
- HKCR - Classes Root: file associations and COM objects, backward compatibility, and file extension information.
- HKLM - Local Machine: system-related information, SAM, critical boot/kernel functions, 3rd party software, hardware, BCD.dat.
- HKCC - Current Config: the current hardware profile; information that is gathered at runtime.

Additional handles to predefined keys exist; see Predefined Keys (Windows) on MSDN.
The Hivelist
13.2 Describe Registry hierarchy organization and primary components

\REGISTRY\MACHINE\HARDWARE   Recreated every time the system starts
\REGISTRY\USER\              Specifies the location of the files that store the current user profile
\REGISTRY\MACHINE\SECURITY   Specifies the location of the files that store the HKLM\SECURITY key
\REGISTRY\USER\.DEFAULT      Specifies the location of the files that store the HKU\.DEFAULT key
\REGISTRY\MACHINE\SYSTEM     Specifies the location of the files that store the HKLM\SYSTEM key
\REGISTRY\MACHINE\SOFTWARE   Specifies the location of the files that store the HKLM\SOFTWARE key
\REGISTRY\MACHINE\SAM        Specifies the location of the files that store the HKLM\SAM key

The hivelist is a registry key that contains the list of mappings for hive-file mounting within the registry namespace. When SMSS loads the Windows subsystem, it calls the configuration manager to load the core registry hives. After the registry is loaded via the configuration manager, SMSS records the location of the hives under CurrentControlSet.
Table 1: from https://technet.microsoft.com/en-us/library/cc951686.aspx

HIVE
13.2 Describe Registry hierarchy organization and primary components

A registry hive is a group of keys, subkeys, and values in the registry that has a set of supporting files that contain backups of its data.
Source: Microsoft, "Windows registry information for advanced users," 11 Sep. 2011. Available: https://support.microsoft.com/en-us/help/256986/windows-registry-information-for-advanced-users
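The hive-to-file mapping in the table above can be confirmed on a live system by reading the hivelist key itself. The following PowerShell is an added example, not code from the original slides; it assumes the key path HKLM\SYSTEM\CurrentControlSet\Control\hivelist, which is where the configuration manager records each mounted hive and the file backing it.

```powershell
# Added example (not from the original slides): list every mounted hive and the
# file that backs it, by reading the hivelist key written at boot.
$hivelist = Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'

$rows = foreach ($name in $hivelist.GetValueNames()) {
    $file = $hivelist.GetValue($name)
    [pscustomobject]@{
        # Value name is the registry-namespace path, e.g. \REGISTRY\MACHINE\SYSTEM
        Hive        = $name
        # Value data is an NT device path such as \Device\HarddiskVolumeN\Windows\System32\config\SYSTEM.
        # HARDWARE is rebuilt in memory at every boot, so its entry carries no file name.
        BackingFile = $(if ([string]::IsNullOrEmpty($file)) { '<volatile, rebuilt at boot>' } else { $file })
    }
}

$rows | Sort-Object Hive | Format-Table -AutoSize -Wrap
```

Each SID-named entry under \REGISTRY\USER\ corresponds to a loaded ntuser.dat; comparing this list against the table is a quick way to see which hives are file-backed and which exist only in memory.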
Components of the Registry
13.2 Describe Registry hierarchy organization and primary components

The Registry contains keys and values.

Keys
- Keys are container objects, much like folders.
- Keys contain other keys (AKA sub-keys) and/or a collection of property/value pairs.

Values
- Values store data.
- Values are non-container objects, much like files.

Data
- 12 data types are available.
Registry Tools
14.1 Identify parts of the Registry using GUI-based tools
14.2 Use command line syntax to query, view, analyze, modify, and create Registry values

GUI: Regedit.exe
Command line: REG.exe
WMIC: CLASS StdRegProv CALL (https://goo.gl/fcmtgZ)
PowerShell: Get-Item, Get-ItemProperty, Get-ChildItem, Set-ItemProperty, New-Item, New-ItemProperty
Reference: https://msdn.microsoft.com/en-us/library/aa393664(v=vs.85).aspx

Query, Create, Modify, Delete
14.2 Use command line syntax to query, view, analyze, modify, and create Registry values

Query
  reg query [\\Machine\]HKLM\SOFTWARE\TEST
  (PS) Get-Item -Path "HKLM:\Software\Test"
  wmic class StdRegProv call EnumValues sSubKeyName="Software\Test"

Create (reg add creates the key implicitly; with PowerShell and WMIC the key must exist before a value can be added)
  reg add HKLM\SOFTWARE\TEST /v data /d "This is the data"
  (PS) New-Item -Path "HKLM:\Software\Test"
  (PS) New-ItemProperty -Path "HKLM:\Software\Test" -Name "data" -Value "This is the data"
  wmic class StdRegProv call CreateKey sSubKeyName="Software\Test"
  wmic class StdRegProv call SetStringValue sSubKeyName="Software\Test" sValueName="data" sValue="This is the data"

Modify
  reg add HKLM\SOFTWARE\TEST /v data /d "This is modified" /f
  (PS) Set-ItemProperty -Path "HKLM:\Software\Test" -Name "data" -Value "This is modified"
  wmic class StdRegProv call SetStringValue sSubKeyName="Software\Test" sValueName="data" sValue="This is modified"

Delete
  reg delete [\\Machine\]HKLM\SOFTWARE\TEST
  (PS) Remove-Item -Path "HKLM:\Software\Test"
  wmic class StdRegProv call DeleteKey sSubKeyName="Software\Test"
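The commands above show each operation in isolation. The following PowerShell script is an added example, not code from the original slides: it runs the whole query/create/modify/delete cycle end to end with the registry provider cmdlets from the tools list, and goes slightly beyond the slides by writing values of several registry data types (String, DWord, MultiString, Binary) and reading their kinds back. The key name RegDemoExample is an assumption chosen for the demo; it lives under HKCU so no elevation is needed and nothing system-wide is touched.

```powershell
# Added example (not from the original slides): full CRUD cycle on a throwaway
# key under the current user's hive. "RegDemoExample" is a demo name, not a
# real Windows key.
$KeyPath = 'HKCU:\Software\RegDemoExample'

# Create: New-Item makes the key (the container); New-ItemProperty makes values.
# -Force lets New-Item succeed even if the key is left over from an earlier run.
New-Item -Path $KeyPath -Force | Out-Null
New-ItemProperty -Path $KeyPath -Name 'Data'    -PropertyType String      -Value 'This is the data' | Out-Null
New-ItemProperty -Path $KeyPath -Name 'Enabled' -PropertyType DWord       -Value 1 | Out-Null
New-ItemProperty -Path $KeyPath -Name 'Paths'   -PropertyType MultiString -Value @('C:\one', 'C:\two') | Out-Null
New-ItemProperty -Path $KeyPath -Name 'Blob'    -PropertyType Binary      -Value ([byte[]](0xDE, 0xAD, 0xBE, 0xEF)) | Out-Null

# Query: Get-ItemProperty returns all values as properties of a single object;
# Get-Item returns the key itself, which exposes each value's registry type.
$props = Get-ItemProperty -Path $KeyPath
"Data    = $($props.Data)"
"Enabled = $($props.Enabled)"
"Paths   = $($props.Paths -join ';')"
$key = Get-Item -Path $KeyPath
foreach ($name in $key.GetValueNames()) {
    # GetValueKind reports the stored REG_* type (String, DWord, MultiString, Binary)
    '{0,-8} {1}' -f $name, $key.GetValueKind($name)
}

# Modify: Set-ItemProperty overwrites an existing value in place.
Set-ItemProperty -Path $KeyPath -Name 'Data' -Value 'This is modified'
"Data after modify = $((Get-ItemProperty -Path $KeyPath).Data)"

# Delete: Remove-ItemProperty removes a single value; Remove-Item -Recurse
# removes the key and everything beneath it.
Remove-ItemProperty -Path $KeyPath -Name 'Blob'
Remove-Item -Path $KeyPath -Recurse
"Key still exists? $(Test-Path -Path $KeyPath)"
```

The same sequence works against HKLM: paths from an elevated prompt; the cmdlet-level difference between "create" and "modify" is only New-ItemProperty versus Set-ItemProperty, which mirrors reg add without and with /f.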
Registry Changes
14.3 Explain when and how changes to the Registry are expected to take effect

Changes to the registry often require a restart, as many programs read registry values only when they load. Whether the entire system needs to be restarted, or just a program, depends on the program that is reading the changes. As a general rule:
- Changes to Windows System Settings require a reboot.
- Changes to Windows User Settings require a logon.
- Changes to Windows Policy Settings usually don't require a reboot.
- Changes to an Application require a restart of that application.
- Mileage may vary.

It is also important to note that some parts of the registry are always loaded into memory.
Useful Registry Locations
15.1 Identify Registry locations that contain forensically relevant information
15.2 Identify Registry locations that can be utilized for persistence

- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
- HKLM\SYSTEM\CurrentControlSet\Services\
- HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
- HKU\<SID>\Software\Microsoft\Internet Explorer\TypedURLs
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\
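The locations above are where a defender looks first when triaging a host. The following PowerShell script is an added example, not code from the original slides: it is a read-only pass over the Run/RunOnce keys (machine-wide and for every loaded user hive), the Services key, USBSTOR, NetworkList profiles and per-user TypedURLs, collecting what a responder would want to see in one run. It assumes an elevated prompt so that HKLM and all loaded HKU hives are readable; the helper names Get-RegValues and ConvertFrom-SystemTime are this example's own, and the "outside the Windows or Program Files trees" service check is a triage heuristic, not a verdict.

```powershell
# Added example (not from the original slides): read-only triage of the autostart
# and forensic registry locations listed above. Nothing here writes to the registry.
$ErrorActionPreference = 'SilentlyContinue'   # keys that do not exist are simply skipped

# Loaded user hives under HKU: keep real account SIDs, drop the *_Classes hives.
$userSids = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { $_.PSChildName }

function Get-RegValues([string]$Path) {
    # Helper (example's own): every value under one key as Key/Name/Data objects; nothing if the key is absent.
    $item = Get-Item -Path $Path
    if (-not $item) { return }
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Key = $Path; Name = $name; Data = $item.GetValue($name) }
    }
}

function ConvertFrom-SystemTime([byte[]]$Bytes) {
    # Helper (example's own): NetworkList DateCreated/DateLastConnected are 16-byte SYSTEMTIME
    # structures, eight little-endian UInt16 fields: Year, Month, DayOfWeek, Day, Hour, Minute, Second, Milliseconds.
    if (-not $Bytes -or $Bytes.Length -lt 16) { return $null }
    $f = for ($i = 0; $i -lt 16; $i += 2) { [BitConverter]::ToUInt16($Bytes, $i) }
    Get-Date -Year $f[0] -Month $f[1] -Day $f[3] -Hour $f[4] -Minute $f[5] -Second $f[6] -Millisecond $f[7]
}

# 15.2 Persistence: Run and RunOnce for the machine, then Run for each loaded user.
Write-Host '== Run / RunOnce autostarts =='
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce') +
           @($userSids | ForEach-Object { "Registry::HKEY_USERS\$_\Software\Microsoft\Windows\CurrentVersion\Run" })
$runKeys | ForEach-Object { Get-RegValues $_ } | Format-Table -AutoSize -Wrap

# 15.2 Persistence: services whose ImagePath resolves outside the Windows or Program Files trees.
Write-Host '== Services with an ImagePath outside the usual trees (heuristic) =='
$trusted  = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }
$expected = '^(?i)(\\SystemRoot\\|\\\?\?\\|system32\\|' + ($trusted -join '|') + ')'
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath
    if (-not $svc.ImagePath) { return }
    $resolved = [Environment]::ExpandEnvironmentVariables($svc.ImagePath).Trim('"')
    if ($resolved -notmatch $expected) {
        [pscustomobject]@{ Service = $_.PSChildName; Start = $svc.Start; ImagePath = $svc.ImagePath }
    }
} | Format-Table -AutoSize -Wrap

# 15.1 Forensics: USB mass-storage devices that have been connected to this host.
Write-Host '== USBSTOR device history =='
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' | ForEach-Object {
    $device = $_.PSChildName                     # Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>
    Get-ChildItem -Path $_.PSPath | ForEach-Object {
        $inst = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ Device = $device; SerialOrInstance = $_.PSChildName; FriendlyName = $inst.FriendlyName }
    }
} | Format-Table -AutoSize -Wrap

# 15.1 Forensics: network profiles the host has joined, with decoded timestamps.
Write-Host '== NetworkList profiles =='
Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles' | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{
        ProfileName       = $p.ProfileName
        DateCreated       = ConvertFrom-SystemTime $p.DateCreated
        DateLastConnected = ConvertFrom-SystemTime $p.DateLastConnected
    }
} | Sort-Object DateLastConnected -Descending | Format-Table -AutoSize

# 15.1 Forensics: Internet Explorer TypedURLs for each loaded user hive.
Write-Host '== TypedURLs per user =='
$userSids | ForEach-Object {
    Get-RegValues "Registry::HKEY_USERS\$_\Software\Microsoft\Internet Explorer\TypedURLs"
} | Format-Table -AutoSize -Wrap
```

Only hives that are currently loaded appear under HKU, so profiles of users who are not logged on are not covered by a live query; their ntuser.dat files must be loaded or parsed offline. The service check flags entries for review rather than deciding anything: legitimate third-party services do install outside Program Files, so each hit should be judged by the binary's signature, path and install history.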