Window Registry 101

By suktech24, Sun 3 Nov 2024, Estimated reading time : 12-14 mins

The Windows Registry is one of the most powerful features of the Windows operating system: through it, Windows policies and low-level configuration settings can be tweaked or manipulated. When I first came across the Registry, I found its structure and even its abbreviations confusing. After learning and finding out more about it, I realised that it is critical for system security hardening, threat detection and mitigation. In this blog post, the following will be explored:

  1. What is Windows Registry
  2. Registry Structure
  3. Registry Hives, Keys and Values
  4. Detection Rules
  5. MITRE ATT&CK Tactics and Techniques
  6. Summary

1. What is Windows Registry?

The Windows Registry is a central hierarchical database, stored in files located in the Windows installation directory, that holds low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, the Security Accounts Manager, and user interfaces can all use the registry. The registry also allows access to counters for profiling system performance.

In other words, the registry or Windows Registry contains information, settings, options, and other values for programs and hardware installed on all versions of Microsoft Windows operating systems. For example, when a new program is installed, a new set of instructions and file references may be added to the registry in a specific location for the program, and others that may interact with it, to refer to for more information like where the files are located, which options to use in the program, etc.

The Windows Registry is accessed and configured using the Registry Editor program. It can be accessed by executing regedit from the Command Prompt or by typing Registry editor in the Search bar.


2. Registry Structure

The screenshot below shows the structural part of the registry.

Registry Hives

  • A hive in the Windows Registry is the name given to a major section of the registry that contains registry keys, registry subkeys, and registry values.
  • All keys that are considered hives begin with “HKEY” and are at the root, or the top of the hierarchy in the registry, which is why they’re also sometimes called root keys or core system hives. To use a more common term, a hive is like a starting folder in the registry. Everything in the registry is ultimately contained in various hives.
  • Each time a new user logs on to a computer, a new hive is created for that user with a separate file for the user profile. This is called the user profile hive. A user’s hive contains specific registry information pertaining to the user’s application settings, desktop, environment, network connections, and printers. User profile hives are located under the HKEY_USERS key.
  • Why is a registry file called a “hive”?
    • This is an interesting point about how the name “hive” came about. I have attached the link in the heading 😊
    • One of the original developers of Windows NT hated bees. So the developer who was responsible for the registry snuck in as many bee references as he could. A registry file is called a “hive”, and registry data are stored in “cells”, which is what honeycombs are made of.

Keys and Subkeys

  • The registry contains two basic elements:
    • Keys
    • Values.
  • At the top level of the registry are Windows registry keys, which function similarly to folders in a file system. Registry values are non-container objects similar to files. Keys may contain values and subkeys. Keys are referenced with a syntax similar to Windows’ path names, using backslashes to indicate levels of hierarchy. Keys must have a case-insensitive name without backslashes.
  • These keys organize the registry into logical groupings:
    • HKEY_CURRENT_USER
      • AppEvents
      • Console
      • Control Panel
      • Environment
      • Keyboard Layout, etc.
    • HKEY_LOCAL_MACHINE
      • HARDWARE
      • SAM
      • SECURITY
      • SOFTWARE
      • SYSTEM
  • Within each key, subkeys further categorize and organize settings into logical groupings. They provide a structured hierarchy for storing configuration data related to specific components or applications. For example, under HKEY_LOCAL_MACHINE\SOFTWARE, you’ll find subkeys corresponding to installed applications and system configurations.

Values

  • Values are data entries stored within keys and subkeys. They contain the actual configuration information, such as numerical settings, strings of text, binary data, and so on.

HKEY

  • “HKEY” stands for “Handle to Registry Key” and is a typedef supplied in the Windows header files. This naming convention reflects the standard practice in operating systems of using an opaque “handle” scheme for system resources. When requesting resources from the operating system, a “handle” or cookie (or token) is given that represents an actual object or resource, such as a registry key, without directly exposing the internal data structures. This approach helps maintain data encapsulation, shielding the system’s internal workings from potential changes or security vulnerabilities.
  • The Windows registry uses handles specifically for referencing registry keys. These registry handles, like HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER, provide access points to different registry subtrees. Differentiating registry handles (HKEY) from other types of handles, such as file handles (from functions like CreateFile), helps in avoiding conflicts and makes the registry system easier to navigate.
  • In the functions below, RegCreateKeyA and CreateFile2 both create handles, but to different types of system resource (registry keys and files respectively), and they operate on different parts of the Windows system:
    • RegCreateKeyA is used to open or create a registry key and returns an HKEY handle. It deals with registry keys (system settings).
    • CreateFile2 is used to open or create a file and returns a HANDLE for file manipulation. It deals with files and devices (e.g. files on the file system).

    LSTATUS RegCreateKeyA(
      [in]           HKEY   hKey,
      [in, optional] LPCSTR lpSubKey,
      [out]          PHKEY  phkResult
    );

    HANDLE CreateFile2(
      [in]           LPCWSTR                           lpFileName,
      [in]           DWORD                             dwDesiredAccess,
      [in]           DWORD                             dwShareMode,
      [in]           DWORD                             dwCreationDisposition,
      [in, optional] LPCREATEFILE2_EXTENDED_PARAMETERS pCreateExParams
    );

3. Registry Hives, Keys and Values

TABLE 1 : Registry Hives

The following table lists the standard hives, their supporting files and description.

Columns: registry hive, abbreviation, supporting files, description.

  • HKEY_CURRENT_CONFIG (HKCC)
    • Supporting files: System, System.alt, System.log, System.sav
    • .alt is a backup copy of the critical HKEY_LOCAL_MACHINE\System hive. Only the System key has an .alt file.
    • Description: Contains information about the hardware profile that is used by the local computer at system startup.
  • HKEY_CURRENT_USER (HKCU)
    • Supporting files: Ntuser.dat, Ntuser.dat.log
    • Description: Contains the root of the configuration information for the user who is currently logged on. The user’s folders, screen colors, and Control Panel settings are stored here. This information is associated with the user’s profile.
  • HKEY_LOCAL_MACHINE (HKLM)
    • Description: Contains configuration information particular to the computer (for any user).
    • HKEY_LOCAL_MACHINE\SAM – Security Account Manager (SAM). Supporting files: Sam (active hive), Sam.log (transaction log), Sam.sav (backup copy)
    • HKEY_LOCAL_MACHINE\Security. Supporting files: Security, Security.log, Security.sav
    • HKEY_LOCAL_MACHINE\Software. Supporting files: Software, Software.log, Software.sav
    • HKEY_LOCAL_MACHINE\System. Supporting files: System, System.log, System.sav
  • HKEY_USERS\.DEFAULT (HKU)
    • Supporting files: Default, Default.log, Default.sav
    • Description: Contains all the actively loaded user profiles on the computer. HKEY_CURRENT_USER is a subkey of HKEY_USERS.

TABLE 2 : Registry Key

The table below highlights example Registry Keys, paths and their significance in cybersecurity, as these paths could be targeted by attackers to establish persistence, manipulate system behaviour, or conceal malicious activity.

Columns: registry key, path, description, attack significance.

  • Run
    • Path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • Description: Specifies programs to be run at user login.
    • Attack significance: Attackers can add malicious entries here for persistence, ensuring their payload runs every time the user logs in.
  • RunOnce
    • Path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • Description: Programs listed here run once at startup, then are deleted.
    • Attack significance: Used for temporary execution of malware, allowing attackers to execute code without creating permanent entries.
  • Policies
    • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
    • Description: Contains security settings and policies for the system.
    • Attack significance: Modifying policies can help attackers disable security features or alter system behavior for exploitation.
  • Uninstall
    • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    • Description: Stores information about installed applications.
    • Attack significance: Attackers may use this key to hide their presence by masquerading as legitimate applications or by modifying entries.
  • Services
    • Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • Description: Contains information about services installed on the system.
    • Attack significance: Attackers often create new services or modify existing ones to maintain persistence or execute code at startup.
  • Explorer
    • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
    • Description: Contains settings related to Windows Explorer and the user interface.
    • Attack significance: Attackers might modify this key to change shell behavior or redirect system functionality to malicious executables.

TABLE 3 : Registry Values

This table focuses on the registry value types most relevant for detecting malicious activity, with details on their encoding and their importance in attack scenarios (source: https://en.wikipedia.org/wiki/Windows_Registry).

Columns: type ID, symbolic type name (the REG prefix stands for registry), description, example, importance in cyber attacks.

  • 1 – REG_SZ
    • Description: A string value, a fixed-length text string. Used for storing file paths, names and config strings. It is static: it does not support environment variables or any dynamic content.
    • Example: C:\Program Files\MySQL\MySQL Workbench 8.0\mysql.exe
    • Importance in cyber attacks: It is often used in attacks for persistence. Attackers might alter or create REG_SZ entries to specify startup programs, modify user settings, or set registry keys that control system behavior.
  • 2 – REG_EXPAND_SZ
    • Description: An “expandable” string value that can contain environment variables, normally stored and exposed in UTF-16LE and usually terminated by a NUL character. It can include environment variables such as %SystemRoot% or %USERPROFILE%, which are dynamically expanded by the system when accessed.
    • Importance in cyber attacks: Attackers leverage REG_EXPAND_SZ values to insert environment-dependent paths in autostart locations, making them flexible across users or systems. This is commonly seen in persistence mechanisms and privilege escalation techniques.
  • 3 – REG_BINARY
    • Description: Binary data (any arbitrary data).
    • Example: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DispBrokerDesktopSvc\FailureActions
    • Importance in cyber attacks: By altering REG_BINARY values related to security software or system settings, attackers can disable protections (e.g. antivirus or firewall settings), allowing them to operate undetected.
  • 4 – REG_DWORD / REG_DWORD_LITTLE_ENDIAN
    • Description: A DWORD value, a 32-bit unsigned integer (numbers between 0 and 4,294,967,295), 4 bytes.
    • Example: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DispBrokerDesktopSvc\ErrorControl
    • Importance in cyber attacks: Many security, logging, and Windows feature settings are controlled by REG_DWORD values, so attackers may alter these entries to disable defenses or change system behavior for persistence.
  • 6 – REG_LINK
    • Description: A symbolic link (Unicode) to another registry key, specifying a root key and the path to the target key.
    • Importance in cyber attacks: Attackers may abuse REG_LINK to redirect the system to malicious or unintended registry paths, facilitating persistence, redirection of system or application settings, and bypassing security controls by linking to alternate configurations.
  • 7 – REG_MULTI_SZ
    • Description: A multi-string value, an ordered list of non-empty strings, normally stored and exposed in Unicode, each terminated by a null character, with the list normally terminated by a second null character.
    • Example: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DispBrokerDesktopSvc\DependOnService
    • Importance in cyber attacks: Attackers might use REG_MULTI_SZ to modify lists of allowed or blocked applications, modify trusted zones, or set multiple startup commands, making it useful in persistence and evasion techniques.
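As an added example (not code from the original post), the following Python decodes raw value data for the types in Table 3 using the encodings the table describes: UTF-16LE NUL-terminated strings for REG_SZ/REG_EXPAND_SZ/REG_LINK, a double-NUL-terminated list for REG_MULTI_SZ, and a 4-byte little-endian integer for REG_DWORD. The sample bytes and the environment map are constructed here, and the expand() helper is an assumption of this example rather than a Windows API.

```python
import re
import struct

# Type IDs from Table 3
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_LINK, REG_MULTI_SZ = 1, 2, 3, 4, 6, 7

def decode_value(type_id: int, raw: bytes):
    """Decode raw value data the way a hive parser would, keyed by Type ID."""
    if type_id in (REG_SZ, REG_EXPAND_SZ, REG_LINK):
        # UTF-16LE text; the terminating NUL is usual but not guaranteed, so
        # cut at the first NUL rather than assuming one is present.
        text = raw.decode("utf-16-le", errors="replace")
        return text.split("\x00", 1)[0]
    if type_id == REG_MULTI_SZ:
        # Ordered list of NUL-terminated strings, ended by a second NUL.
        text = raw.decode("utf-16-le", errors="replace")
        return [s for s in text.split("\x00") if s]
    if type_id == REG_DWORD:
        if len(raw) != 4:
            raise ValueError("REG_DWORD data must be exactly 4 bytes")
        return struct.unpack("<I", raw)[0]   # little-endian unsigned 32-bit
    if type_id == REG_BINARY:
        return raw                           # opaque; the caller interprets it
    raise ValueError(f"unsupported registry type id {type_id}")

def expand(value: str, env: dict) -> str:
    """Expand %VAR% references in a REG_EXPAND_SZ string (assumed helper, not Win32).
    Lookup is case-insensitive like Windows; unknown variables are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), value)

# Constructed sample data (not read from a real hive)
SAMPLE_SZ = "C:\\Program Files\\MySQL\\MySQL Workbench 8.0\\mysql.exe".encode("utf-16-le") + b"\x00\x00"
SAMPLE_EXPAND = "%SystemRoot%\\system32\\svchost.exe".encode("utf-16-le") + b"\x00\x00"
SAMPLE_MULTI = "RpcSs\x00SamSs\x00\x00".encode("utf-16-le")
SAMPLE_DWORD = b"\x01\x00\x00\x00"
SAMPLE_ENV = {"SYSTEMROOT": "C:\\Windows"}

if __name__ == "__main__":
    print(decode_value(REG_SZ, SAMPLE_SZ))
    print(expand(decode_value(REG_EXPAND_SZ, SAMPLE_EXPAND), SAMPLE_ENV))
    print(decode_value(REG_MULTI_SZ, SAMPLE_MULTI))
    print(decode_value(REG_DWORD, SAMPLE_DWORD))
```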

4. Detection Rules

SigmaHQ offers a comprehensive set of detection rules specifically for Windows Registry activity. These rules can identify suspicious behaviors and help create alerts for potential attacks. There are four main categories, and the relevant rules are listed under each:

  • registry_add – Detects the addition of registry keys or values. These could be indicative of potentially malicious activities, such as unauthorized software installations or modifications. https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add
  • registry_delete – Detects deletion of registry keys or values. These could be indicative of attempts by malware to cover tracks, or of unauthorized/malicious users trying to remove traces of their activities. https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete
  • registry_event – Detects/tracks specific events related to changes in the state or configuration of keys. Suspicious activity that may involve multiple types of changes or operations. https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event
  • registry_set – Detects changes to existing registry keys. Changes to registry keys can have significant implications for system behaviour and could be indicative of attackers trying to gain persistence. https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set
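As an added example, not part of the original post or of the SigmaHQ rules, the Python below applies registry_set-style logic to constructed Sysmon Event ID 13 (registry value set) records, the event type that category is built on: it matches the Run/RunOnce, Services and Policies paths from Table 2, folds Sysmon's HKU\<SID> form to HKCU, and rates a hit higher when the written value points into a user-writable directory. The rule names, severities, user-writable heuristic and sample events are assumptions of this example; the technique ids follow section 5.

```python
import re

# Persistence and defence-evasion paths from Table 2, as patterns over Sysmon
# TargetObject strings (Sysmon writes HKLM\... and HKU\<SID>\...).
RULES = [
    ("run_key_persistence", "T1547.001",
     re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)),
    ("service_imagepath_change", "T1543",
     re.compile(r"\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I)),
    ("policy_modification", "T1112",
     re.compile(r"\\CurrentVersion\\Policies\\", re.I)),
]

# Locations a standard user can write to; an autostart entry pointing here is
# rated higher than one under Program Files or Windows (assumed heuristic).
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\|\\Users\\Public\\|%TEMP%|%APPDATA%", re.I)

def normalize_hive(target: str) -> str:
    """Fold Sysmon's HKU\\<SID>\\... form to HKCU\\... so one pattern covers both."""
    return re.sub(r"^HKU\\S-1-5-[\d-]+\\", r"HKCU\\", target, flags=re.I)

def evaluate(event: dict) -> list:
    """Return (rule, technique, severity) tuples for one Sysmon EID 13 SetValue event."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return []
    target = normalize_hive(event["TargetObject"])
    details = event.get("Details", "")
    hits = []
    for name, technique, pattern in RULES:
        if pattern.search(target):
            severity = "high" if USER_WRITABLE.search(details) else "medium"
            hits.append((name, technique, severity))
    return hits

def scan(events) -> list:
    """Run all events through the rules; returns (TargetObject, rule, technique, severity)."""
    return [(e["TargetObject"], r, t, s) for e in events for r, t, s in evaluate(e)]

# Constructed sample events in Sysmon Event ID 13 field layout (not real telemetry)
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\Start",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": "\"C:\\Program Files\\Vendor\\agent.exe\" /background"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Of the four sample events only the service Start-value change produces no hit; the two Run-key writes and the Policies change do, with the user-profile Run entry rated high because its target lives under AppData.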

5. MITRE ATT&CK Tactics and Techniques

  • Execution, TA0002
    • Command and Scripting Interpreter, T1059
  • Persistence, TA0003
    • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, T1547.001, https://attack.mitre.org/techniques/T1547/001/
      • Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the “run keys” in the Registry or startup folder will cause the program referenced to be executed when a user logs in.[1] These programs will be executed under the context of the user and will have the account’s associated permissions level.
      • The following run keys are created by default on Windows systems:
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • Boot or Logon Autostart Execution: Authentication Package, T1547.002
    • Create or Modify System Process, T1543
  • Privilege Escalation, TA0004
    • Access Token Manipulation, T1134
    • Abuse Elevation Control Mechanism: Bypass User Account Control, T1548.002
  • Defense Evasion, TA0005
    • Modify Registry, T1112
    • Indicator Removal, T1070
    • File and Directory Permissions Modification, T1222
  • Credential Access, TA0006
    • Credentials from Password Stores, T1555
      • e.g. accessing the SAM (Security Account Manager) registry hive to retrieve stored user credentials (HKEY_LOCAL_MACHINE\SECURITY\SAM).
  • Discovery, TA0007
    • System Information Discovery, T1082
      • e.g. reading registry values to gain information about system configuration and installed software.

Summary

The Windows Registry is a crucial component of the Windows operating system, serving as a centralized database for configuration settings and options. Understanding the structure and function of the Windows Registry is essential for system security, threat detection, and mitigation. Below is a summary of this blog post:

🍃 1. What is Windows Registry?

  • A hierarchical database storing low-level settings for the Windows OS and applications. It contains configuration information for hardware, software, user profiles, and system performance. It can be accessed through the Registry Editor, using the command regedit.

🍃 2. Registry Structure

  • Registry Hives: They are major sections of the registry that contain keys and values, each beginning with “HKEY.” Each user has a separate profile hive that stores user-specific settings. The term “hive” comes from early Windows developers, referencing bees and honeycombs.

🍃 3. Registry Hives, Keys, and Values

  • Registry Hives: They are major categories like HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE that organize registry data.
  • Keys and Subkeys: They function like folders and may contain values and further subkeys to categorize settings.
  • Values: They are data entries within keys that store actual configuration details such as numerical settings and strings of text.

🍃 4. Detection Rules

  • SigmaHQ offers a comprehensive set of detection rules specifically for Windows Registry activities. These rules can identify suspicious behaviors and help create alerts for potential attacks. There are four main categories: registry_add, registry_delete, registry_event and registry_set. Go to the SigmaHQ repo for more details of each rule: https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry.

🍃 5. MITRE ATT&CK Tactics and Techniques

  • Malicious actors can achieve persistence (TA0003) by adding programs to startup folders or referencing them in registry run keys, ensuring these programs execute at user login under the account’s permissions. Techniques such as Registry Run Keys / Startup Folder (T1547.001) and Authentication Package (T1547.002) demonstrate how attackers leverage registry modifications for persistence, while others like Access Token Manipulation (T1134) and Credential Access (T1555) enable privilege escalation and retrieval of sensitive information from the Windows Registry.

References

  1. What Is Windows Registry? Your Complete Guide, Lauren Ballejos, IT Editorial Expert, 16 Oct 2024, https://www.ninjaone.com/blog/what-is-windows-registry/
  2. What Is the Windows Registry?, Tim Fisher, 13 Jun 2023, https://www.lifewire.com/windows-registry-2625992
  3. System configuration tools in Windows, https://support.microsoft.com/en-au/windows/system-configuration-tools-in-windows-f8a49657-b038-43b8-82d3-28bea0c5666b
  4. Windows Registry, https://en.wikipedia.org/wiki/Windows_Registry
  5. Windows registry information for advanced users, 26 Dec 2023, https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users
  6. What Is a Registry Hive?, Tim Fisher, 7 Aug 2023, https://www.lifewire.com/what-is-a-registry-hive-2625986
  7. The Windows Registry Adventure #3: Learning resources, https://googleprojectzero.blogspot.com/2024/06/the-windows-registry-adventure-3.html
  8. From Registry With Love: Malware Registry Abuses, 19 Jan 2023, https://www.splunk.com/en_us/blog/security/from-registry-with-love-malware-registry-abuses.html
  9. https://www.linkedin.com/pulse/windows-persistence-registry-run-keysstartup-folder-mangipudi/
  10. https://redcanary.com/blog/threat-detection/windows-registry-attacks-threat-detection/
  11. https://redcanary.com/threat-detection-report/techniques/windows-service/
