---
date: "2016-12-01"
draft: false
title: "Windows Registry"
---
## Registry Root Keys [3]
| Root Key | Abbrv. | Description | Link (Alias) |
|---|---|---|---|
| HKEY_CURRENT_USER | HKCU | Points to the user profile of the currently logged on user | Subkey under HKEY_USERS corresponding to currently logged on user |
| HKEY_USERS | HKU | Contains subkeys for all loaded user profiles | Not a link |
| HKEY_CLASSES_ROOT | HKCR | Contains file association and COM registration information | Not a direct link; rather, a merged view of HKLM\SOFTWARE\Classes and HKEY_USERS\\SOFTWARE\Classes |
| HKEY_LOCAL_MACHINE | HKLM | Global settings for the machine. | Not a link |
| HKEY_CURRENT_CONFIG | HKCC | Current hardware profile | HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current |
| HKEY_PERFORMANCE_DATA | HKPD | Performance counters | Not a link |
## Data Types [1]
| Name | Data type | Purpose |
|---|---|---|
| REG_BINARY | Binary | Binary data |
| REG_DWORD | Numeric | Numeral |
| REG_QWORD | Numeric | 64-bit numeric value |
| REG_EXPAND_SZ | String | Text and variables |
| REG_FULL_RESOURCE_DESCRIPTOR | String | Device resource ID |
| REG_LINK | String | Path to file |
| REG_MULTI_SZ | Multi-string | Array of strings |
| REG_NONE | Unknown | Encoded data |
| REG_RESOURCE_LIST | String | List of device resources |
| REG_RESOURCE_REQUIREMENTS_LIST | String | Device resource ID |
| REG_SZ | String | Text |
## Size Limits [4], [5]
| Architecture | OS Version | Maximum size of the system hive |
|---|---|---|
| x86 | Vista+ | 50 percent of physical memory, up to 400 MB |
| x86 | 2003,XP | 25 percent of physical memory, up to 200 MB |
| x64 | Vista+ | 50 percent of physical memory, up to 1.5 GB |
| x64 | 2003 SP2 | 25 percent of system memory, up to 200 MB |
| x64 | 2003 SP1, XP | 32 MB |
| Intel Itanium | 8+ | 50 percent of physical memory, up to 1 GB |
| Intel Itanium | Vista, 2008, 2003, XP | 32 MB |
## Registry usage
Registry data is read [2]:
- During the initial boot process
- During the kernel boot process
- During logon
- During application startup
## Common tasks
### FIND A SERVICE PACK DATE
```bat
:: the result is the CSDVersion entry; its hex value shows the service pack: 0x0300 = SP3, 0x0100 = SP1
regfind "Service Pack 3"
reg query HKLM\System\CurrentControlSet\Control\Windows
```
### FIND USERS BY SID
```bat
reg query "hklm\software\microsoft\windows nt\currentversion\profilelist"
wmic useraccount list brief
```
### FIND USERS CURRENTLY LOGGED ON SYSTEM
```bat
:: look for SID / SID_Classes name pairs, then convert the SID to a name
reg query HKLM\System\CurrentControlSet\Control\Hivelist
psgetsid <SID>
:: lists all users, including those not logged in
wmic useraccount list brief
wmic useraccount where sid='S-1-3-12-1234525106-3567804255-30012867-1437' get name
```
### FIND ALL USERS ON A HOST
```bat
:: the SAM hive is readable only by SYSTEM; from an ordinary administrator prompt these return "Access is denied"
reg query HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\users\names
:: show the RID of each user (note this is not the next available RID)
reg query HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\users -
```
### FIND THE LAST PERSON TO LOGIN (UNDER THE DEFAULTUSERNAME)
```bat
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
```
### FIND STARTUP PROGRAMS IN REGISTRY
- RunServicesOnce subkey: designed to start service programs before the user logs on and before other registry subkeys start. (The keys may not exist.)
  ```bat
  reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  ```
- RunServices subkey: loads immediately after RunServicesOnce and before user logon. (The keys may not exist.)
  ```bat
  reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
  ```
- Run subkey: the Run subkey in HKLM runs immediately before the Run subkey in HKCU.
  ```bat
  reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  ```
- RunOnce subkey: primarily used by Setup programs. The HKLM version of RunOnce runs programs immediately after logon and before other registry Run entries. The HKCU version of RunOnce runs programs after the Run subkeys and after the Startup folder.
  ```bat
  reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  :: XP only
  reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
  ```
- RunOnce\Setup subkey: specifies programs to run after the user logs on.
- Policies\Explorer\Run subkey:
  ```bat
  reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  ```
- Userinit value (under the Winlogon key): normally holds only userinit.exe, but it accepts multiple comma-separated values. Can't find where a program is starting from? Look here.
  ```bat
  reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
  ```
- Programs that start from the AppInit_DLLs registry setting (can be malicious):
  ```bat
  reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\windows" /v AppInit_DLLs
  ```
- Other locations for specific startup:
  ```bat
  reg query "HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd" /v StartupPrograms
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
  reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
  reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
  ```
### Find the Current Control Set and Last Known Good
```bat
:: the hex values show which control set is Current, Default, Failed and LastKnownGood
reg query HKLM\system\Select
```
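Both the Userinit check from the startup-programs list and the Select key lookup above can be done offline over saved `reg query` output, which is how they are usually handled during triage of a collected host. The following is an added example, not code from the original notes: it parses the `reg query` text format, maps the Select DWORDs to their ControlSet00N keys, and splits Userinit into its comma-separated entries. The sample output is constructed, and the `extra.exe` path in it is made up.

```python
import re

# One `reg query` value line: 4-space indent, then name / type / data split by 4 spaces.
VALUE_RE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")

def parse_reg_query(text):
    """Parse saved reg query output into {key_path: {value_name: (type, data)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):  # an unindented line is a key path
            current = line.strip()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = (m.group("type"), m.group("data"))
    return keys

def control_sets(select_values):
    """Map each DWORD under the Select key to its ControlSet00N key (0 means none)."""
    out = {}
    for name, (_type, data) in select_values.items():
        n = int(data, 16)
        out[name] = f"ControlSet{n:03d}" if n else None
    return out

def userinit_entries(winlogon_values):
    """Split Userinit on commas; anything beyond userinit.exe deserves a look."""
    _type, data = winlogon_values["Userinit"]
    return [e.strip() for e in data.split(",") if e.strip()]

# Constructed sample output (not captured from a host); extra.exe is a made-up path.
SELECT_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\Select
    Current    REG_DWORD    0x1
    Default    REG_DWORD    0x1
    Failed    REG_DWORD    0x0
    LastKnownGood    REG_DWORD    0x2
"""
WINLOGON_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,C:\Users\Public\extra.exe,
    Shell    REG_SZ    explorer.exe
"""

if __name__ == "__main__":
    print(control_sets(parse_reg_query(SELECT_OUTPUT)[r"HKEY_LOCAL_MACHINE\SYSTEM\Select"]))
    print(userinit_entries(next(iter(parse_reg_query(WINLOGON_OUTPUT).values()))))
```

The same parser works on the output of any of the `reg query` commands on this page, so the Run, RunOnce and AppInit_DLLs values can be collected and reviewed the same way.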
### Find the Computer name
```bat
reg query "HKLM\System\ControlSet001\Control\computername\activecomputername"
reg query "HKLM\System\CurrentControlSet\Control\Session Manager\FileRenameOperations"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows"
```
### Find the Default User Name
```bat
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
```
## Additional Info
- [Windows Internals Part 1](http://materias.fi.uba.ar/7508/WI6/Windows%20Internals%20Part%201%20(6th%20Edition).pdf)
- Last Known Good: Windows Internals Part 1, 6th Edition: pg 329
## Registry Tools
- reg (TODO link)
- regedit (TODO link)
- regfind (TODO link)

TODO move to tools pages:
- reg - http://ss64.com/nt/reg.html
- reg - https://technet.microsoft.com/en-us/library/cc732643(v=ws.11).aspx
- regfind - http://www.mobzystems.com/Tools/RegFind.aspx
- regedit - http://ss64.com/nt/regedit.html
- Reg save https://technet.microsoft.com/en-us/library/cc742108.aspx
- Reg add https://technet.microsoft.com/en-us/library/cc742162.aspx
- Reg query https://technet.microsoft.com/en-us/library/cc742028.aspx
- Export WinNT Registry Entries https://support.microsoft.com/en-us/kb/168589/en-us
[2]: Windows Internals Part 1, 6th Edition: pg 278
[3]: Windows Internals Part 1, 6th Edition: pg 280
[4]: Windows Internals Part 1, 6th Edition: pg 295
[5]: https://msdn.microsoft.com/en-us/library/windows/desktop/ms724881(v=vs.85).aspx