What it is:
Hierarchical database of critical system configuration
The Registry is the configuration and control mechanism for the Windows operating system
Contains system-wide and per-user settings
Usage:
During the initial boot process (pre-kernel)
The boot loader reads the SYSTEM hive for the list of boot-start device drivers to load before the kernel
During kernel initialization
Loads the remaining device drivers and the configuration of system components
During logon
Reads per-user preferences and settings (the user's NTUSER.DAT hive)
During application startup and execution
Applications read (and write) their own settings, file associations and COM registrations
Purpose and Role of the Registry
13.1 Explain the purpose and role of Windows Registry and its major functions
HKCU - Current User
HKU - Users
HKCR - Classes Root
HKLM - Local Machine
HKCC - Current Config
Additional handles to predefined keys (e.g. HKEY_PERFORMANCE_DATA) exist; see "Predefined Keys (Windows)" on MSDN
The Registry has 5 Root Keys
13.2 Describe Registry hierarchy organization and primary components
HKCU – Current User, individual settings of the logged-on user; a link to that user's hive under HKU\<SID>
HKU – All accounts on the machine, the root key under which the ntuser.dat hives of ALL loaded user profiles are mounted
HKCR – Classes Root – file associations, COM object registrations and file extension information; a merged view of HKLM\Software\Classes and HKCU\Software\Classes kept for backward compatibility
HKLM – System-related information: SAM, SECURITY, critical boot/kernel configuration (SYSTEM), third-party software (SOFTWARE), hardware (HARDWARE, volatile) and the BCD store (BCD00000000)
HKCC – Current Config – the current hardware profile, information gathered at runtime; a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current
Additional handles to predefined keys (e.g. HKEY_PERFORMANCE_DATA) exist; see "Predefined Keys (Windows)" on MSDN
The Hivelist
\REGISTRY\MACHINE\HARDWARE
Recreated every time the system starts
\REGISTRY\USER\
Specifies location of the files that store the current user profile
\REGISTRY\MACHINE\SECURITY
Specifies location of files that store the HKLM\Security key
\REGISTRY\USER\.DEFAULT
Specifies location of files that store the HKU\.DEFAULT key
\REGISTRY\MACHINE\SYSTEM
Specifies location of files that store the HKLM\SYSTEM key
\REGISTRY\MACHINE\SOFTWARE
Specifies location of files that store the HKLM\SOFTWARE key
\REGISTRY\MACHINE\SAM
Specifies location of files that store the HKLM\SAM key
13.2 Describe Registry hierarchy organization and primary components
The hivelist (HKLM\SYSTEM\CurrentControlSet\Control\hivelist) is a registry key that maps each hive mounted in the registry namespace to the file that backs it.
When SMSS starts the Windows subsystem it calls the configuration manager to load the core registry hives (SOFTWARE, SAM, SECURITY and DEFAULT; SYSTEM has already been loaded by the boot loader).
After the hives are loaded via the configuration manager, the path of each hive file is recorded under CurrentControlSet\Control\hivelist. Table 1: From https://technet.microsoft.com/en-us/library/cc951686.aspx
A registry hive is a group of keys, subkeys, and values in the registry that has a set of supporting files that contain backups of its data. (Microsoft, "Windows registry information for advanced users," 11 Sep. 2011, https://support.microsoft.com/en-us/help/256986/windows-registry-information-for-advanced-users)
HIVE
13.2 Describe Registry hierarchy organization and primary components
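The following is an added PowerShell example (not from these slides) that ties the root keys and the hivelist together: it reads the hivelist key named above and the files backing each loaded hive, shows that HKCU is only a view of the current user's hive under HKU, and mounts an offline NTUSER.DAT with reg.exe for inspection. The offline hive path C:\Cases\ntuser.dat and the mount name HKU\Offline are assumptions for this example.

```powershell
# Added example, not from the original slides: read the hivelist key that the
# configuration manager fills in at boot, show that HKCU is only a view of the
# current user's hive under HKU, and mount an offline NTUSER.DAT for inspection.
# Run from an elevated PowerShell prompt. The offline hive path and the mount
# name "HKU\Offline" are assumptions for this example.

# 1. Loaded hives and their backing files.
#    Value name = path in the registry namespace (\REGISTRY\MACHINE\SYSTEM ...),
#    value data = NT device path of the file; empty for volatile hives such as
#    \REGISTRY\MACHINE\HARDWARE, which is rebuilt in memory at every boot.
$hivelist = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
$hivelist.PSObject.Properties |
    Where-Object { $_.Name -like '\REGISTRY\*' } |
    ForEach-Object {
        [pscustomobject]@{
            Hive = $_.Name
            File = if ($_.Value) { $_.Value } else { '<volatile, memory only>' }
        }
    } | Format-Table -AutoSize

# 2. HKCU is a link to HKU\<SID of the logged-on user>, whose backing file is
#    that user's NTUSER.DAT (it appears above as \REGISTRY\USER\<SID>).
$sid      = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$userHive = "Registry::HKEY_USERS\$sid"
"Current user SID : $sid"
"HKU\$sid loaded : $(Test-Path $userHive)"
$viaHkcu = (Get-ItemProperty 'HKCU:\Environment').TEMP
$viaHku  = (Get-ItemProperty "$userHive\Environment").TEMP
"Same TEMP value through both roots: $($viaHkcu -eq $viaHku)"

# 3. A hive that is not loaded (NTUSER.DAT copied from an image, or a user who
#    is not logged on) can be mounted under HKU with reg.exe, queried like any
#    other key, and unmounted. The file must not be in use by the system.
$offlineHive = 'C:\Cases\ntuser.dat'        # assumed location of the copied hive
if (Test-Path $offlineHive) {
    reg.exe load 'HKU\Offline' $offlineHive | Out-Null
    Get-ItemProperty -Path 'Registry::HKEY_USERS\Offline\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()   # drop PowerShell's handles first
    reg.exe unload 'HKU\Offline' | Out-Null
}
```

Step 3 is the usual way to examine a user hive taken from another machine: once mounted, every tool on the Registry Tools slide sees it as an ordinary subtree of HKU. The unload fails with "access denied" while any process still holds a handle into the hive, which is why the garbage-collector call precedes it.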
The Registry contains keys and values.
Keys
Keys are container objects, much like folders.
Keys contain other keys (AKA subkeys) and/or a collection of name/value pairs.
Values
Values store data.
Values are non-container objects, much like files. Each value has a name, a type and data.
Data
12 data types are defined; the ones seen most often are REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, REG_DWORD, REG_QWORD and REG_BINARY
Components of the Registry
13.2 Describe Registry hierarchy organization and primary components
GUI
Regedit.exe
Command Line:
REG.exe
WMIC CLASS StdRegProv CALL (WMIC is deprecated in current Windows releases; the same StdRegProv methods are reachable from PowerShell with Invoke-CimMethod -Namespace root\default -ClassName StdRegProv)
https://goo.gl/fcmtgZ
PowerShell
Get-Item
Get-ItemProperty
Get-ChildItem
Set-ItemProperty
New-Item
New-ItemProperty
Registry Tools
14.1 Identify parts of the Registry using GUI-based tools
14.2 Use command line syntax to query, view, analyze, modify, and create Registry values
https://msdn.microsoft.com/en-us/library/aa393664(v=vs.85).aspx
Query
reg query [\\Machine\]HKLM\SOFTWARE\TEST
(PS) Get-Item -Path "HKLM:\Software\Test"
wmic class StdRegProv call EnumValues sSubKeyName="Software\Test"
Create
reg add HKLM\SOFTWARE\TEST /v data /d "This is the data"
(PS) New-Item -Path "HKLM:\Software\Test"; New-ItemProperty -Path "HKLM:\Software\Test" -Name "data" -Value "This is the data"
wmic class StdRegProv call SetStringValue sSubKeyName="Software\Test" sValueName="data" sValue="This is the data"
Modify
reg add HKLM\SOFTWARE\TEST /v data /d "This is modified" /f
(PS) Set-ItemProperty -Path "HKLM:\Software\Test" -Name "data" -Value "This is modified"
wmic class StdRegProv call SetStringValue sSubKeyName="Software\Test" sValueName="data" sValue="This is modified"
Delete
reg delete [\\Machine\]HKLM\SOFTWARE\TEST /f
(PS) Remove-Item -Path "HKLM:\Software\Test" -Recurse
wmic class StdRegProv call DeleteKey sSubKeyName="Software\Test"
Notes: reg add creates the key if it is missing, but New-ItemProperty does not, hence the New-Item first. Without /f, reg delete prompts for confirmation; Remove-Item refuses a key that still has subkeys unless -Recurse is given. The wmic calls default to hDefKey=HKEY_LOCAL_MACHINE (&H80000002); pass hDefKey="&H80000001" for HKEY_CURRENT_USER. Remote use (\\Machine) needs the Remote Registry service on the target, and only HKLM and HKU are reachable that way. All of the HKLM examples need an elevated prompt.
Query, Create, Modify, Delete
14.2 Use command line syntax to query, view, analyze, modify, and create Registry values
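An added PowerShell walk-through (not from these slides) of the query, create, modify and delete operations above. It uses a scratch key under HKCU so it needs no elevation, and writes one value of each common data type so the REG_* kinds from the Components slide can be seen next to the data PowerShell returns. The key name Software\RegDemo and the value names are assumptions for this example.

```powershell
# Added example, not part of the original slides. Creates a scratch key under
# HKCU (no elevation needed), writes values of several registry data types,
# reads them back together with their REG_* kind, modifies one, then deletes
# the key. The key name Software\RegDemo is an assumption for this example.

$key = 'HKCU:\Software\RegDemo'

# CREATE: New-ItemProperty fails if the key does not exist, so create it first.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

New-ItemProperty -Path $key -Name 'Data'    -PropertyType String       -Value 'This is the data'  | Out-Null
New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord        -Value 1                   | Out-Null
New-ItemProperty -Path $key -Name 'Path'    -PropertyType ExpandString -Value '%SystemRoot%\Temp' | Out-Null
New-ItemProperty -Path $key -Name 'Hosts'   -PropertyType MultiString  -Value @('alpha', 'bravo') | Out-Null
New-ItemProperty -Path $key -Name 'Blob'    -PropertyType Binary       -Value ([byte[]](0xDE, 0xAD, 0xBE, 0xEF)) | Out-Null

# QUERY: Get-ItemProperty returns the data (REG_EXPAND_SZ already expanded);
# the Microsoft.Win32.RegistryKey that Get-Item returns exposes the stored type
# and the unexpanded data.
$item = Get-Item -Path $key
$item.GetValueNames() | ForEach-Object {
    [pscustomobject]@{
        Name = $_
        Kind = $item.GetValueKind($_)                                   # REG_* type
        Raw  = $item.GetValue($_, $null, 'DoNotExpandEnvironmentNames')  # as stored
        Data = (Get-ItemProperty -Path $key -Name $_).$_               # as PowerShell presents it
    }
} | Format-Table -AutoSize

# MODIFY: Set-ItemProperty overwrites the data and keeps the existing value type.
Set-ItemProperty -Path $key -Name 'Data' -Value 'This is modified'
(Get-ItemProperty -Path $key -Name 'Data').Data

# DELETE: Remove-ItemProperty removes one value, Remove-Item the whole key
# (-Recurse is required once the key has subkeys).
Remove-ItemProperty -Path $key -Name 'Blob'
Remove-Item -Path $key -Recurse
Test-Path $key
```

The Kind column is what reg query prints as REG_SZ, REG_DWORD and so on; note that the Path value shows %SystemRoot% in Raw but the expanded directory in Data, which matters when comparing a live system against an exported .reg file or a forensic parser's output.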
Changes to the registry often require a restart, because many programs read their registry values only once, when they load.
Whether the entire system needs to be restarted, or just one program, depends on which component reads the changed value.
As a general rule:
Changes to Windows system settings (HKLM\SYSTEM, services, drivers) require a reboot
Changes to Windows user settings (HKCU) require a logoff and logon
Changes to Windows policy settings usually don't require a reboot (gpupdate /force, or the next policy refresh, re-applies them)
Changes to an application's settings require restarting that application
Mileage may vary
It is also important to note that some parts of the registry exist only in memory: HKLM\HARDWARE is volatile and rebuilt at every boot, so writes there do not survive a restart, and the loaded hives are held in memory and flushed to disk lazily, so a change is visible to any reader immediately even if the reader only acts on it after its next start.
Registry Changes
14.3 – Explain when and how changes to the Registry are expected to take effect
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run – programs started at every logon of any user; on 64-bit systems also check the Wow6432Node\...\Run view (persistence; 15.2)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce – run once at the next logon, then the value is deleted (persistence; 15.2)
HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run – per-user autostart (HKCU for the logged-on user); RunOnce exists here too (persistence; 15.2)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks – the Task Scheduler's cache of every scheduled task, one GUID subkey per task (persistence; 15.2)
HKLM\SYSTEM\CurrentControlSet\Services\ – every service and driver with its ImagePath and start type (persistence; 15.2)
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR – USB mass-storage devices ever connected, by model and serial number (forensics; 15.1)
HKU\<SID>\Software\Microsoft\Internet Explorer\TypedURLs – URLs the user typed into the Internet Explorer address bar (forensics; 15.1)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\ – networks the host has connected to, with creation and last-connected dates (forensics; 15.1)
Useful Registry Locations
15.1 – Identify Registry locations that contain forensically relevant information
15.2 – Identify Registry locations that can be utilized for persistence
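An added, read-only triage script (not from these slides) that walks the locations listed above and collects what a responder would look at first: machine and per-user Run/RunOnce entries, service binaries outside the usual directories, cached scheduled tasks, USB device history and network profiles. It is the editor's example; the "trusted directory" heuristic for service binaries is an assumption meant to shortlist services for review, not a verdict, and the SYSTEMTIME layout used to decode DateLastConnected is the documented one but is parsed here without a library.

```powershell
# Added example, not from the original slides: a read-only triage pass over the
# registry locations listed above. Run elevated so every loaded user hive under
# HKU is readable. The "trusted directory" check for service binaries is a
# review heuristic assumed for this example, not proof of anything.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Source, $Name, $Data) {
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Data = $Data })
}
# Properties the registry provider adds to every Get-ItemProperty result.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
function Add-AllValues($Key, $Label) {
    if (Test-Path $Key) {
        (Get-ItemProperty -Path $Key).PSObject.Properties |
            Where-Object { $_.Name -notin $providerProps } |
            ForEach-Object { Add-Finding $Label $_.Name $_.Value }
    }
}

# 1. Machine-wide autostart (15.2), including the 32-bit view on 64-bit Windows.
foreach ($sub in 'Run', 'RunOnce') {
    Add-AllValues "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"             "HKLM $sub"
    Add-AllValues "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\$sub" "HKLM Wow6432Node $sub"
}

# 2. Per-user autostart and IE typed URLs (15.1, 15.2) for every loaded user
#    hive: the S-1-5-21-... subkeys of HKU, skipping the *_Classes hives.
Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object {
        $sid = $_.PSChildName
        foreach ($sub in 'Run', 'RunOnce') {
            Add-AllValues "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\$sub" "HKU\$sid $sub"
        }
        Add-AllValues "Registry::HKEY_USERS\$sid\Software\Microsoft\Internet Explorer\TypedURLs" "HKU\$sid TypedURLs"
    }

# 3. Services and drivers (15.2): shortlist those whose ImagePath is outside
#    %SystemRoot% and Program Files. Kernel drivers often use SystemRoot-relative
#    paths ("system32\drivers\x.sys" or "\SystemRoot\..."), which count as inside.
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $img = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if (-not $img) { return }
    $path   = [Environment]::ExpandEnvironmentVariables($img).TrimStart('"', '\', '?')
    $inside = ($path -match '^(system32|SystemRoot)\\') -or
              ($trusted | Where-Object { $path -like "$_\*" })
    if (-not $inside) { Add-Finding 'Services' $_.PSChildName $img }
}

# 4. Scheduled tasks as cached by the Task Scheduler (15.2): one GUID subkey per
#    task; Path is the task's name in the library, Actions a binary blob with the command.
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks' -ErrorAction SilentlyContinue |
    ForEach-Object { $t = Get-ItemProperty $_.PSPath; Add-Finding 'TaskCache' $t.Path $t.Author }

# 5. USB mass-storage history (15.1): model subkey, then one child per serial number.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -ErrorAction SilentlyContinue | ForEach-Object {
    $model = $_.PSChildName
    Get-ChildItem $_.PSPath | ForEach-Object {
        Add-Finding 'USBSTOR' $model ("{0} [{1}]" -f $_.PSChildName, (Get-ItemProperty $_.PSPath).FriendlyName)
    }
}

# 6. Network profiles (15.1): DateLastConnected is a 16-byte SYSTEMTIME
#    (year, month, weekday, day, hour, minute, second, ms as little-endian WORDs).
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        $b = $p.DateLastConnected
        $last = 'unknown'
        if ($b -and $b.Length -ge 14) {
            $w = 0, 2, 6, 8, 10, 12 | ForEach-Object { [BitConverter]::ToUInt16($b, $_) }
            try { $last = [datetime]::new($w[0], $w[1], $w[2], $w[3], $w[4], $w[5]) } catch { }
        }
        Add-Finding 'NetworkList' $p.ProfileName "$($p.Description) last connected $last"
    }

$findings | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Everything here is a read; no value is written, so the script is safe on a live host under investigation, but it only sees hives that are currently loaded. For users who are not logged on, mount their NTUSER.DAT with reg load first, or run the same logic against a hive parser over an offline copy.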