Commit a7fa6a0

bryfry <bryon.fryer@gmail.com>
2016-12-20 10:16:29
questions
1 parent 2ab0ea4
windows/commands/questions.csv
@@ -0,0 +1,98 @@
+#  ,whoami,win_cmd
+#  ,hostname,win_cmd
+#  ,ver,win_cmd
+#  ,systeminfo,win_cmd
+#  ,date /t,win_cmd
+#  ,time /t,win_cmd
+#  ,type,win_cmd
+#  ,echo,win_cmd
+#  ,more,win_cmd
+#  ,start,win_cmd
+#  ,sort,win_cmd
+#  ,cls,win_cmd
+#  ,ipconfig,win_cmd
+#  ,,win_cmd
+#  ,,win_cmd
+#  ,,win_cmd
+#  ,,win_cmd
+# 
+#  ,,
+# auditpol 
+Displays information about and performs functions to manipulate audit policies: ?,auditpol,win_cmd
+auditpol.exe was added in which version of Windows?,vista,win_cmd
+[Flag] Display the current audit policy: auditpol /[?] /category:*,get,win_cmd
+[Flag] Save the current audit policy to a file: auditpol /[?] /file:c:\filename,backup,win_cmd
+[T/F] auditpol.exe can be run on a remote system (via /s)?,F,win_cmd
+
+# driver query
+Display a list of all installed device drivers and their properties: [?].exe,driverquery,win_cmd
+[T/F] driverquery.exe can be run on a remote system?,T,win_cmd
+[Flag] Display digital signature information: driverquery /[?],si,win_cmd
+
+# cmd
+Windows' default command shell: [?].exe,cmd,win_cmd
+
+# ds
+Active Directory Domain Services commands (add/mod/get/query) start with this prefix,ds,win_cmd
+Add active directory object: [?].exe,dsadd,win_cmd
+Modify an active directory object: [?].exe,dsmod,win_cmd
+View active directory objects: [?].exe,dsget,win_cmd
+Rename or Move an active directory object to a different OU: [?].exe,dsmove,win_cmd
+Delete active directory objects: [?].exe,dsrm,win_cmd
+
+# acl
+Display or modify Access Controle Lists (Pre-Vista): [?].exe,cacls,win_cmd
+Display or modify Access Controle Lists (Vista+): [?].exe,icacls,win_cmd
+Which version of Windows introducted the new ACL file/folder permissions tool icacls.exe?,vista,win_cmd
+
+# sc
+Create/Stop/Start/Query/Delete any windows service: [?].exe,sc,win_cmd
+
+# systeminfo
+Display detailed config info about a computer: [?].exe,systeminfo,win_cmd
+[T/F] systeminfo.exe can be run on a remote system (via /s)?,T,win_cmd
+
+# taskkill
+End one or more processes (by id or name): [?].exe,taskkill,win_cmd
+[T/F] taskkill.exe can be run on a remote system (via /s)?,T,win_cmd
+[T/F] taskkill.exe can be used to kill more than one process?,T,win_cmd
+[Flag] Specify the process to be killed by name: taskkill /[?] notepad.exe?,im,win_cmd
+[Flag] Specify the process to be killed by process id: taskkill /[?] 2341,pid,win_cmd
+
+# tasklist
+List of applications and services with their Process ID: [?].exe,tasklist,win_cmd
+[T/F] tasklist.exe can be run on a remote system (via /s)?,T,win_cmd
+[T/F] tasklist.exe can be used to kill more than one process?,T,win_cmd
+[Flag] Specify the process to be killed by name: taskkill /[?] notepad.exe,im,win_cmd
+[Flag] Specify the process to be killed by process id: taskkill /[?] notepad.exe,pid,win_cmd
+
+# task[kill|list] filters
+[T/F] /fi "PID eq 2223" is a valid taskkill or tasklist filter?,T,win_cmd
+[T/F] /fi "PID gt 2233" is a valid taskkill or tasklist filter?,T,win_cmd
+[T/F] /fi "USERNAME eq NT AUTHORITY\SYSTEM" is a valid taskkill or tasklist filter?,T,win_cmd
+[T/F] /fi "USERNAME ne NT*" is a valid taskkill or tasklist filter?,T,win_cmd
+[T/F] /fi "IMAGENAME eq Notepad.exe" is a valid taskkill or tasklist filter?,T,win_cmd
+[T/F] /fi "PID == 2223" is a valid taskkill or tasklist filter?,F,win_cmd
+[T/F] /fi "PID > 2233" is a valid taskkill or tasklist filter?,F,win_cmd
+[T/F] /fi "USERNAME == NT AUTHORITY\SYSTEM" is a valid taskkill or tasklist filter?,F,win_cmd
+[T/F] /fi "USERNAME != NT*" is a valid taskkill or tasklist filter?,F,win_cmd
+[T/F] /fi "IMAGENAME == Notepad.exe" is a valid taskkill or tasklist filter?,F,win_cmd
+[T/F] /fi "IMAGENAME ge Notepad.exe" is a valid taskkill or tasklist filter?,F,win_cmd
+[T/F] /fi "Services eq 0" is a valid taskkill or tasklist filter?,F,win_cmd
+[T/F] /fi "Session eq 0" is a valid taskkill or tasklist filter?,T,win_cmd
+[T/F] /fi "Modules eq stsfp.dll" is a valid taskkill or tasklist filter?,T,win_cmd
+[T/F] /fi "Modules == stsfp.dll" is a valid taskkill or tasklist filter?,T,win_cmd
+[T/F] /fi "Status eq ACTIVE" is a valid taskkill or tasklist filter?,F,win_cmd
+[T/F] /fi "Status eq DISABLED" is a valid taskkill or tasklist filter?,F,win_cmd
+[T/F] /fi "Status eq RUNNING" is a valid taskkill or tasklist filter?,T,win_cmd
+
+# wevutil
+Retrieve information about event logs and publishers: [?].exe,wevtutil,win_cmd
+Display the names of all logs (short version): wevtutil [?],el,win_cmd
+Display System event logs (short version): wevtutil [?] System,qe,win_cmd
+[Flag] Return events in reverse order: wevtutil /[?]:true,rd,win_cmd
+[Flag] Limit the results to 5 logs: wevtutil /[?]:5,c,win_cmd
+
+
+# doskey
+List the history of the commands run in the current session: [?].exe /history,doskey,win_cmd
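Review bot: The `/fi "Modules == stsfp.dll"` row is answered T, while every other `==`/`!=`/`>` row in the filter block is answered F; taskkill and tasklist filters only accept the eq/ne/gt/lt/ge/le operators, so this row contradicts its neighbours and should be F. In the tasklist block, the row asking whether tasklist.exe can kill more than one process (answered T) and the two `[Flag]` rows beneath it are copies of the taskkill rows above — tasklist does not kill anything, and the `pid` row pairs the flag with `notepad.exe` as its argument — so they should be reworded for tasklist or dropped. The heading `# wevutil` does not match the `wevtutil` it introduces, and two acl rows spell `Controle`; since these strings are shown to the learner they are worth fixing before the file is used.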
windows/meta/index.md
@@ -7,9 +7,11 @@ title: "Windows Meta"
 
 * [survey]({{< relref "windows/meta/survey.md" >}})
 * [auditing]({{< relref "windows/meta/auditing.md" >}})
-* [env]({{< relref "windows/meta/env.md" >}})
-* [kernel]({{< relref "windows/meta/kernel.md" >}})
-* [passive]({{< relref "windows/meta/passive.md" >}})
 * [registry]({{< relref "windows/meta/registry.md" >}})
 * [sid]({{< relref "windows/meta/sid.md" >}})
+* [ntfs]({{< relref "windows/meta/ntfs.md" >}})
+
 
+### Drafts
+* [env]({{< relref "windows/meta/env.md" >}})
+* [kernel]({{< relref "windows/meta/kernel.md" >}})
windows/meta/kernel.md
@@ -1,6 +1,6 @@
 ---
 date: "2016-12-01"
-draft: false
+draft: false 
 title: "Windows Kernel"
 
 ---
windows/meta/ntfs.csv
@@ -0,0 +1,24 @@
+# Standard Attributes
+What MFT standard attribute has the Type ID of 128 - $[?],DATA,win_ntfs
+What MFT standard attribute has the Type ID of 48 - $[?]_NAME,FILE,win_ntfs
+What MFT standard attribute has the Type ID of 16 - $[?]_INFORMATION,STANDARD,win_ntfs
+What is the Type ID of this MFT standard attribute: $DATA,128,win_ntfs
+What is the Type ID of this MFT standard attribute: $FILE_NAME,48,win_ntfs
+What is the Type ID of this MFT standard attribute: $STANDARD_INFORMATION,16,win_ntfs
+
+# MTF Metadata
+What is the MFT Metafile Record Number for the $MFT file,0,win_ntfs
+What is the MFT Metafile Record Number for the $MFTMirr file,1,win_ntfs
+What is the MFT Metafile Record Number for the $LogFile file,2,win_ntfs
+What is the MFT Metafile Record Number for the $Volume file,3,win_ntfs
+What is the MFT Metafile Record Number for the $AttrDef file,4,win_ntfs
+What is the MFT Metafile Record Number for the Root file name index file,5,win_ntfs
+What is the MFT Metafile Record Number for the $Bitmap file,6,win_ntfs
+What is the MFT Metafile Record Number for the $Boot file,7,win_ntfs
+What is the MFT Metafile Record Number for the $BadClus file,8,win_ntfs
+What is the MFT Metafile Record Number for the $Secure file,9,win_ntfs
+What is the MFT Metafile Record Number for the $Upcase file,10,win_ntfs
+What is the MFT Metafile Record Number for the $Extend file,11,win_ntfs
+
+# MFT Metadata purpose 
+# TODO
windows/meta/ntfs.txt → windows/meta/ntfs.md
@@ -1,4 +1,9 @@
-NTFS
+---
+date: "2016-12-01"
+draft: false
+title: "Windows NTFS"
+
+---
 
 ## NTFS - Advanced Features [WISEp2-426]
 
@@ -17,7 +22,7 @@ NTFS
 * Defragmentation
 * Read-only support and dynamic partitioning
 
-## MFT
+## MFT Metadata
 
 All records are 1KB, one for each file on the volume
 
windows/meta/processes.csv
@@ -0,0 +1,30 @@
+Session Manager = [?].exe,smss,win_processes
+
+# csrss
+Client/Server Runtime Subsystem - [?].exe,csrss,win_processes
+Provides the user mode side of the win32 subsystem - [?].exe,csrss,win_processes
+Responsible for win32 console handling and GUI shutdown - [?].exe,csrss,win_processes 
+
+Windows Initialization - [?].exe,wininit,win_processes
+
+# scm
+Service Control Manager - [?].exe,services,win_processes
+Windows system process which starts stops and intereacts with service processes - [?].exe,services,win_processes
+[T/F] %SystemRoot%\System32\services.exe is the correct location for this executable.,T,win_processes    
+[T/F] %SystemRoot%\services.exe is the correct location for this executable.,F,win_processes  
+
+# lsass
+Local Security Authentication Server - [?].exe,lsass,win_processes
+Windows system process which enforces the security policy on the system - [?].exe,lsass,win_processes
+Windows system process which verifies users - [?].exe,lsass,win_processes
+Windows system process which handles password changes - [?].exe,lsass,win_processes
+Windows system process which creates access tokens - [?].exe,lsass,win_processes
+[T/F] %SystemRoot%\System32\lsass.exe is the correct location for this executable.,T,win_processes    
+[T/F] %SystemRoot%\lsass.exe is the correct location for this executable.,F,win_processes  
+
+# explorer
+[T/F] %SystemRoot%\System32\explorer.exe is the correct location for this executable.,F,win_processes    
+[T/F] %SystemRoot%\explorer.exe is the correct location for this executable.,T,win_processes  
+
+Local Session Manager - [?].exe,lsm,win_processes
+Login Process - [?].exe,winlogon,win_processes
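Review bot: Several rows carry trailing spaces after the category column (`win_processes ` on the csrss console row and `win_processes    ` / `win_processes  ` on every `[T/F]` location row), so a loader that compares the third field literally will file those rows under a category distinct from `win_processes`; the same trailing-space pattern runs through nearly every row of windows/meta/registry.csv in this commit. Either strip the whitespace here or make the loader trim fields. The lsass row expands the name as `Local Security Authentication Server`; the process is the Local Security Authority Subsystem Service, which is also what the "creates access tokens" and "enforces the security policy" rows below it describe, so the expansion row should be corrected. Minor: `intereacts` in the services.exe row.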
windows/meta/randy-reg.txt
@@ -1,179 +0,0 @@
-FIND A SERIVCE Pack DATE
-
-	regfind "Service Pack 3" - results show entry is in CSDVersion  Hex value show SP 9x0300 SP3, 0x0100 SP!
-	reg query HKLM\System\CurrentControlSet\Control\Windows
-	PS [timezone]::CurrentTimeZone.ToLocalTime(([datetime]'1/1/1970').AddSeconds($(get-itemproperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion').InstallDate)) 
-
-FIND USERS BY SID
-	Reg query  "hklm\software\microsoft\windows nt\currentversion\profilelist" 
-	wmic useraccount list brief
-
-FIND USERS CURRENTLY LOGGED ON SYSTEM
-	reg query HKLM\System\CurrentControlSet\Control\Hivelist
-		look for name pairs SID and classes - convert SID to name
-			psgetsid <SID> 
-			wmic useraccount list brief - gives all user inlcuding not logged in
-			wmic useraccount where sid='S-1-3-12-1234525106-3567804255-30012867-1437' get name
-
-FIND ALL USERS ON A HOST
-	reg query HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\users\names 
-	reg query HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\users  - shows that RID of users (note this is not the next available RID)
-	
-FIND THE LAST PERSON TO LOGIN (UNDER THE DEFAULTUSERNAME)	
-	reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
-			
-FIND STARTUP PROGRAMS IN REGISTRY
-
-RunServiceOnce subkey: designed to start service programs before user logs on and before other registry subkeys start. 
-
-	reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce (key may not exist) 
-	reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce (key may not exist) 
-
-RunServices subkey: loads immediately after RunServicesOnce and before user logon. 
-
-	Reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices (key may not exist) 
-	reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices (key may not exist) 
-
-Run subkey: The Run subkey in HKLM runs immediately before the Run subkey in HKCU. 
-	reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run 
-	reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  
-
-RunOnce subkey: primarily used by Setup programs. The HKLM subkey version of RunOnce runs programs immediately after logon and before other registry Run entries. The HKCU subkey version of RunOnce runs programs after Run subkeys and after the Startup folder. 
-
-	reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce 
-	reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
-	reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (XP only) 
-reg
-RunOnce\Setup subkey: specifies programs to run after the user logs on Explorer\Run subkey: 
-
-	reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 
-	reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 
-
-Userinit subkey: there is an entry for userinit.exe but subkey can accept multiple comma-separated values. Can't find where program starting? Look here. 
-
-	reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" 
-	
-Programs that start from Appinit_DLL registry setting (Can indicate Virus)
-	
-	reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\windows" /v AppInit_DLLs
-
-Other locations for specific startup 
-
-	reg query "HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd" /v StartupPrograms			
-	reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
-	reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
-	reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"	
-		This only provides GUIDs 
-	
-Find the Current Control Set and Last Good Known
-	reg query HKLM\system\Select - Hex value shows the control set 
-	
-Find the Computer name
-	reg query "HKLM\System\ControlSet001\Control\computername\activecomputername"
-	
-
-reg query "HKLM\System\CurrentControlSet\Control\Session Manager\FileRenameOperations" 
-
-reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" 
-
-Find the Default User Name
-	reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" 
-
-
-
-
-
-___________________________________________________________
-FROM EXERCISE
-Manually search the registry for the Wireshark subkey 
-HKU\S-1-5-21-1891946569-2026382101-2396600481-500\Software\Wireshark
-or
-regfind -n UpdateInterval.
-
-What are some of the registry values stored within the Drive subkey under HKEY_CLASSES_ROOT? (Select all that apply.)
-To answer this question, in the Windows command shell, you will need to perform a reg query on the Drive subkey under the HKCR root key. The correct syntax for this query is reg query HKCR\Drive.
-
-Question 3 
-Examine the registry key: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account. What value is stored in the last 12 bytes of the V value?
-
-local computer's SID as it is stored in the registry. 
-HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account 
-
-reg query HKU
-
-Question 5 
-Examine the registry key: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System. What is the data value for the SystemBiosDate?
-
-reg query HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System
-reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership
--1305.
-
-This question is directing you to identify the data stored in the value Group6 under the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership on the local computer. 
-reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership within the registry. Locate the Group6 value and read the data it stores.
-
-What is the string value stored within the Run subkey under the HKLM hive?
-\Software. 
--p RegistryPathKey, where RegistryPathKey is the point in the registry where your search will start.
-
-Examine the WinStations subkey within the HKLM hive. What port is RDP configured to use?
-regfind -n WinStation. 
-You will notice under the System hive, it provides the paths through ControlSet001 and ControlSet002. 
-You can navigate down either of these paths or substitute the CurrentControlSet subkey in their place. Once you have navigated to the 
-HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations subkey, 
-you will notice two additional subkeys. The RDP configuration settings are stored in the RDP-TCP subkey. Within this subkey you will find the value: PortNumber. The data stored within this value (0x22B8) is a hexidecimal value. You will need to convert this value to find the correct answer of 8888.
-
-What executables are being launched from the Run subkey under the HKCU hive? 
-In order to answer this question, you will need to determine the registry path to the Run under the HKCU root key. There are a couple of methods you can use to accomplish this.
-regfind -n  -h HKCU Run
-The first method would be to run the regfind -n Run command. This command will search the entire registry for instances of subkeys and values named Run. If you choose this method, you will need to search through a lengthy return to locate the Run under HKCU. You could also run this command with the -h HKCU switch. This directs reg query to begin its search at the HKCU root key. This query will enable you to discover the registry path to the Run key. Then simply perform the following registry query: 
-reg query hkcu\software\microsoft\windows\currentversion\run 
- Another method is to execute the command:
-reg query hkcu\software /s and pipe its output into the find command searching for all instances of Run. Your syntax will look like 
-reg query hkcu /s | find "Run" 
-The /s switch tells the command to query all subkeys and values. This will provide you with the complete path to the Run key: hkcu\software\microsoft\windows\currentversion\run. 
-The final method to use would be to use the Registry Keys reference under the Help tab to identify the path to the Run subkey and directly query its contents.
- 
-SharedAccess is the registry key under HKLM that stores Windows firewall settings. Using this information, which ports are explicitly disabled by the Windows firewall? 
-locate where in the registry the SharedAccess subkey 
-regfind -n SharedAccess.
-query for the contents of the subkey using the following command syntax: 
-reg query hklm\system\currentcontrolset\services\sharedaccess.
-The settings you are looking for are stored under the parameters subkey. Query for the contents of this subkey using the following command syntax: 
-reg query hklm\system\currentcontrolset\services\sharedaccess\parameters.
-Under this subkey, you will find another subkey called FirewallPolicy. Query for the contents of this subkey using the following command syntax: 
-reg query hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy.
-Under this subkey, you will find the subkeys named DomainProfile and StandardProfile. The information you are seeking is stored under the StandardProfile subkey. Query for the contents of this subkey using the following command syntax: reg query hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile.
-Under this subkey, you will find two additional subkeys named AuthorizedApplications and GloballyOpenPorts. The information you are seeking is stored under the GloballyOpenPorts subkey. Query for the contents of this subkey using the following command syntax: reg query hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports.
-Under this subkey, you will find the subkey titled List. Query for the contents of this subkey using the following command syntax: reg query hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list.
-This query returned a listing of the ports that are configured as either Enabled or Disabled. Compare the values listed in the registry key with the possible answers, selecting those answers that match the ports that are configured as Disabled.
-Question 5 
-SharedAccess is the registry key under HKLM that stores Windows firewall settings. Using this information, which applications are enabled under the StandardProfile subkey? (Select all that apply.)
-
-Missed 2 out of 3 correct answers
-
-Your answer(s):
- tlntsvr.exe
-
-Feedback:
-To correctly answer this question, you will need to perform the following:
-
-Using the path to the StandardProfile you discovered in the previous question, query for the contents of this key using the following command: reg query hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile.
-Under this subkey, you will find two subkeys named AuthorizedApplications and GloballyOpenPorts. The information you are seeking is stored under the AuthorizedApplications subkey. Query for the contents of this subkey using the following command syntax: reg query hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications.
-Under this subkey, you will find the subkey titled List. Query for the contents of this subkey using the following command syntax: reg query hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list.
-Demonstrate the use of the Command-Line Registry Editor to View Analyze, Modify, and Create Registry Entries
-Question 1 
-Within the registry of the remote machine, create a new binary value and Modify/Delete the binary data values in the RunOnce subkey under the HKLM hive, according to the following instructions.
-Create a new binary value with the following information:
-Value Name = Test3
-Value Data = aaaaaaaaaa
-MODIFY the BINARY data stored in Test1 to have Value Data = bbbbbbbbbb
-DELETE the BINARY VALUE for Test2
-
-
-Create the value Test3 in the RunOnce subkey of HKLM using the following command:
- reg add hklm\software\microsoft\windows\currentversion\runonce /v Test3 /t REG_BINARY /d aaaaaaaaaa.
-NOTE: Use the Registry Keys reference under the Help tab to identify the path to the RunOnce subkey.
-Modify the binary value of Test1 using the following command: 
-reg add hklm\software\microsoft\windows\currentversion\runonce /v Test1 /t REG_BINARY /d bbbbbbbbbb
-Delete the binary value for Test2 using the following command: 
-reg delete hklm\software\microsoft\windows\currentversion\runonce /v Test2
\ No newline at end of file
windows/meta/registry.csv
@@ -0,0 +1,48 @@
+# root keys
+[T/F] HKEY_CURRENT_USER is a default registry root key.,T,win_registry    
+[T/F] HKEY_USERS is a default registry root key.,T,win_registry          
+[T/F] HKEY_CLASSES_ROOT is a default registry root key.,T,win_registry    
+[T/F] HKEY_LOCAL_MACHINE is a default registry root key.,T,win_registry  
+[T/F] HKEY_CURRENT_CONFIG is a default registry root key.,T,win_registry 
+
+# not root keys
+[T/F] HKEY_CURRENT_ADMIN is a default registry root key.,F,win_registry    
+[T/F] HKEY_GROUPS is a default registry root key.,F,win_registry          
+[T/F] HKEY_CLASSES_ADMIN is a default registry root key.,F,win_registry    
+[T/F] HKEY_LOCAL_COMPUTER is a default registry root key.,F,win_registry  
+[T/F] HKEY_CURRENT_CONF is a default registry root key.,F,win_registry 
+[T/F] HKEY_PERFORMANCE_METRICS is a default registry root key.,F,win_registry 
+
+# root key abbrevs
+The alias for HKEY_CURRENT_USER is [?],HKCU,win_registry    
+The alias for HKEY_USERS is [?],HKU,win_registry           
+The alias for HKEY_CLASSES_ROOT is [?],HKCR,win_registry    
+The alias for HKEY_LOCAL_MACHINE is [?],HKLM,win_registry   
+The alias for HKEY_CURRENT_CONFIG is [?],HKCC,win_registry  
+
+# reg value data type
+[T/F] REG_BINARY is a valid registry value data type.,T,win_registry                   
+[T/F] REG_DWORD is a valid registry value data type.,T,win_registry                                       
+[T/F] REG_QWORD is a valid registry value data type.,T,win_registry                                       
+[T/F] REG_EXPAND_SZ is a valid registry value data type.,T,win_registry                                   
+[T/F] REG_FULL_RESOURCE_DESCRIPTOR is a valid registry value data type.,T,win_registry                    
+[T/F] REG_LINK is a valid registry value data type.,T,win_registry                                        
+[T/F] REG_MULTI_SZ is a valid registry value data type.,T,win_registry                                    
+[T/F] REG_NONE is a valid registry value data type.,T,win_registry                                        
+[T/F] REG_RESOURCE_LIST is a valid registry value data type.,T,win_registry                               
+[T/F] REG_RESOURCE_REQUIREMENTS_LIST is a valid registry value data type.,T,win_registry                   
+[T/F] REG_SZ is a valid registry value data type.,T,win_registry                                         
+
+# not reg value data type
+[T/F] REG_HEX is a valid registry value data type.,F,win_registry                   
+[T/F] REG_32WORD is a valid registry value data type.,F,win_registry                                       
+[T/F] REG_64WORD is a valid registry value data type.,F,win_registry                                       
+[T/F] REG_EXPAND_STRING is a valid registry value data type.,F,win_registry                                   
+[T/F] REG_RESOURCE_DESCRIPTOR is a valid registry value data type.,F,win_registry                    
+[T/F] REG_SYMLINK is a valid registry value data type.,F,win_registry                                        
+[T/F] REG_MULTI_STRING is a valid registry value data type.,F,win_registry                                    
+[T/F] REG_NULL is a valid registry value data type.,F,win_registry                                        
+[T/F] REG_RESOURCE_ARRAY is a valid registry value data type.,F,win_registry                               
+[T/F] REG_RESOURCE_REQUIREMENTS_ARRAY is a valid registry value data type.,F,win_registry                   
+[T/F] REG_STRING is a valid registry value data type.,F,win_registry                                         
+
windows/meta/registry.md
@@ -5,35 +5,6 @@ title: "Windows Registry"
 
 ---
 
-## Common tasks
-
-* Find current or last known good settings in Registry:
-  * reg query hklm\system\select - shows all 4 options Last Good Known,if 0x1 points to ControlSet001, 0x2 points to ControlSet002
-* Find a registry Key for SAM:
-  * reg query HKLM\sam\sam\domains\account (shows all /v looks for a value i.e. /v v shows machine SID)
-* Create a registry entry on a remote host:
-  * reg add \\xp.ops.local\HKLM\Software\hawkeye
-  * reg query \\xp.ops.local\HKLM\Software\hawkeye
-* Check for all subkeys and values in a registry location:
-  * reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons /s
-* Find a specific value:
-  * reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel /v {450D8FBA-AD25-11D0-98A8-0800361B1103}
-* Change a registry value 0 in this example chaning the GUID value:
-  * 1st step - query the value to see what the value type is, then add using /t for type and /d for data
-  * reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel /v {450D8FBA-AD25-11D0-98A8-0800361B1103} /t REG_DWORD /d 0x0
-* Find registy entries:
-  * regfind -y sets case insensitive
-  * regfind "192.168.11.12" - searches just the path
-  * regfind -n "registeredOwner" -  registry keys, and values
-  * handle -?
-* Find a hotfix install date:
-  * regfind "KB905474" to get the path (in this example, KB is for WGA)
-  * regquery "hklm\software\microsoft\winodws\currentversion\uninstall\wganotify"
-* PowerShell Registry:
-  * 'Get-Item -Path Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - item will only show the last entry setting i.e version
-  * 'get-childitem registry::hklm\software - gets all registry keys in software hive - (hard to read all)
-  * 'get-childitem registry::hklm\SAM\SAM\Domains\Account - will show all entries in Account and below
-
 ### Registry Root Keys [3]
 
 | Root Key              | Abbrv. | Description                                                | Link (Alias)                                                                                           |
@@ -82,6 +53,122 @@ title: "Windows Registry"
 0. During logon
 0. During application startup
 
+## Common tasks
+
+#### FIND A SERIVCE PACK DATE 
+
+  ``` none
+  # results show entry is in CSDVersion  Hex value show SP 9x0300 SP3, 0x0100 SP1
+  regfind "Service Pack 3" 
+  reg query HKLM\System\CurrentControlSet\Control\Windows 
+  ```
+  
+#### FIND USERS BY SID
+  ``` none
+  reg query  "hklm\software\microsoft\windows nt\currentversion\profilelist" 
+  wmic useraccount list brief
+  ```
+
+#### FIND USERS CURRENTLY LOGGED ON SYSTEM
+  ``` none
+  # look for name pairs SID and classes - convert SID to name
+  reg query HKLM\System\CurrentControlSet\Control\Hivelist 
+  psgetsid <SID> 
+  wmic useraccount list brief - gives all user inlcuding not logged in
+  wmic useraccount where sid='S-1-3-12-1234525106-3567804255-30012867-1437' get name
+  ```
+
+#### FIND ALL USERS ON A HOST
+  ``` none
+  reg query HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\users\names 
+	# show RID of users (note this is not the next available RID)
+  reg query HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\users  -
+  ```
+  
+#### FIND THE LAST PERSON TO LOGIN (UNDER THE DEFAULTUSERNAME)  
+  ``` none
+  reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
+  ```
+      
+#### FIND STARTUP PROGRAMS IN REGISTRY
+
+  * **RunServiceOnce** subkey: designed to start service programs before user logs on and before other registry subkeys start. 
+
+  ``` none
+  # keys may not exist
+  reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
+  reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
+  ```
+
+  * **RunServices** subkey: loads immediately after RunServicesOnce and before user logon. 
+
+  ``` none
+  Reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices (key may not exist) 
+  reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices (key may not exist) 
+  ```
+
+  * **Run** subkey: The Run subkey in HKLM runs immediately before the Run subkey in HKCU. 
+
+  ``` none
+  reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run 
+  reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  
+  ```
+
+  * **RunOnce** subkey: primarily used by Setup programs. The HKLM subkey version of RunOnce runs programs immediately after logon and before other registry Run entries. The HKCU subkey version of RunOnce runs programs after Run subkeys and after the Startup folder. 
+
+  ``` none
+  reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce 
+  reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
+  reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx # XP only
+  ```
+
+  * **RunOnce**\**Setup** subkey: specifies programs to run after the user logs on Explorer\Run subkey: 
+
+  ``` none
+  reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 
+  reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 
+  ```
+
+  * **Userinit** subkey: there is an entry for userinit.exe but subkey can accept multiple comma-separated values. Can't find where program starting? Look here. 
+
+  ``` none
+  reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" 
+  ```
+  
+  * Programs that start from **Appinit_DLL** registry setting (Can be malicious)
+  
+  ``` none
+  reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\windows" /v AppInit_DLLs
+  ```
+
+  * Other locations for specific startup 
+
+  ``` none
+  reg query "HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd" /v StartupPrograms      
+  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
+  reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
+  reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"  
+  ```
+
+### Find the Current Control Set and Last Good Known
+
+  ``` none
+  reg query HKLM\system\Select - Hex value shows the control set 
+  ```
+  
+### Find the Computer name
+ 
+  ``` none
+  reg query "HKLM\System\ControlSet001\Control\computername\activecomputername"
+  reg query "HKLM\System\CurrentControlSet\Control\Session Manager\FileRenameOperations" 
+  reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" 
+  ```
+  
+### Find the Default User Name
+  ``` none
+  reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" 
+  ``` 
+
 ## Additional Info:
 
 * [Windows Internals Part 1](http://materias.fi.uba.ar/7508/WI6/Windows%20Internals%20Part%201%20(6th%20Edition).pdf
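Review bot: Moving "Common tasks" below the root-key material silently drops items the deleted list contained — the regfind usage (`-y`, `-n`), the hotfix install-date lookup and the three PowerShell `Registry::` examples are not in the new section — so this is a content loss rather than a move; if that is intended the commit message should say so, otherwise carry them over. Under "Find the Computer name", the `FileRenameOperations` and `CurrentVersion\Windows` queries have nothing to do with the computer name (they were untitled lines in the deleted randy-reg.txt) and need their own heading. In the "FIND ALL USERS ON A HOST" fence the second query ends in a dangling ` -` and its comment line is tab-indented while every other fence uses two spaces, and two fences keep prose on the command line (`wmic useraccount list brief - gives all user ...`, `reg query HKLM\system\Select - Hex value ...`) where the other fences moved such text to `#` comment lines. Heading levels are inconsistent too: "Common tasks" is `##` with `####` children, then "Find the Current Control Set and Last Good Known" and its siblings switch to `###`. Minor: `SERIVCE` in the first heading, and `9x0300` in its comment is presumably `0x0300`.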
windows/meta/releases.csv
@@ -0,0 +1,35 @@
+Windows 10 = NT [?],10.0,windows_releases
+Windows Server 2016 = NT [?],10.0,windows_releases
+Windows 8.1 = NT [?],6.3,windows_releases
+Windows Server 2012 R2 = NT [?],6.3,windows_releases
+Windows 8 = NT [?],6.2,windows_releases
+Windows Server 2012 = NT [?],6.2,windows_releases
+Windows 7 = NT [?],6.1,windows_releases
+Windows 2008 R2 = NT [?],6.1,windows_releases
+Windows Vista = NT [?],6.0,windows_releases
+Windows Server 2008 = NT [?],6.0,windows_releases
+Windows XP Professional x64 = NT [?],5.2,windows_releases
+Windows Server 2003 R2 = NT [?],5.2,windows_releases
+Windows Server 2003 = NT [?],5.2,windows_releases
+Windows XP = NT [?],5.1,windows_releases
+Windows ME = [?],4.9,windows_releases
+Windows 2000 = NT [?],5.0,windows_releases
+Windows 98 = [?],4.10,windows_releases
+Windows 95 = [?],4.00,windows_releases
+NT 10.0 = Windows [?],10,windows_releases
+NT 10.0 = Windows Server [?],2016,windows_releases
+NT 6.3 = Windows [?],8.1,windows_releases
+NT 6.3 = Windows Server [?],2012 R2,windows_releases
+NT 6.2 = Windows [?],8,windows_releases
+NT 6.2 = Windows Server [?],2012,windows_releases
+NT 6.1 = Windows [?],7,windows_releases
+NT 6.1 = Windows Server [?],2008 R2,windows_releases
+NT 6.0 = Windows [?],Vista,windows_releases
+NT 6.0 = Windows Server [?],2008,windows_releases
+NT 5.2 = Windows [?],XP Professional x64,windows_releases
+NT 5.2 = Windows Server [?] (and R2),2003,windows_releases
+NT 5.1 = Windows [?],XP,windows_releases
+NT 5.0 = Windows [?],2000,windows_releases
+4.10 = Windows [?],98,windows_releases
+4.9 = Windows [?],ME,windows_releases
+4.00 = Windows [?],95,windows_releases