Malware persists by dropping entries in Run keys, modifying LSA authentication packages, and disabling UAC via registry. The Windows registry is the control panel for system behavior; hardening it is not optional. This lesson targets the most abused registry paths—LSA, UAC, AutoRun, Winlogon, and Image File Execution Options—and shows how to secure them using GPO, PowerShell, and manual ACLs.
The HKLM\SYSTEM\CurrentControlSet\Control\Lsa key holds critical settings: LimitBlankPasswordUse, RunAsPPL (LSA protection as protected process light), and Security Packages. Attackers add custom authentication packages (e.g., a malicious SSP) to capture credentials. Hardening: enable LSA protection (RunAsPPL=1), restrict access to the LSA registry key with ACLs (only SYSTEM and Administrators), and monitor for new entries.
```powershell
# Enable LSA protection via registry
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1 -Type DWord
# Additionally, set LSA protection via GPO: Computer Configuration\Admin Templates\System\Local Security Authority
```

After setting and rebooting, LSA will run as a protected process, making it much harder for tools like Mimikatz to read its memory.
UAC settings are under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. Key values: EnableLUA (must be 1), ConsentPromptBehaviorAdmin (2=prompt for consent), PromptOnSecureDesktop (1=enabled). In the same path, FilterAdministratorToken (for built-in admin approval mode) and EnableInstallerDetection ensure UAC is comprehensive. GPO is the preferred enforcement method, but verifying registry values after deployment is essential.
| Registry Key | Recommended Value | Effect |
|---|---|---|
| HKLM\...\Policies\System\EnableLUA | 1 | Enables UAC |
| HKLM\...\Policies\System\ConsentPromptBehaviorAdmin | 2 | Prompt for consent (default) |
| HKLM\...\Policies\System\PromptOnSecureDesktop | 1 | Isolate prompt from keystroke loggers |
| HKCU\...\Policies\System\DisableRegistryTools | 1 (for restricted users) | Prevents regedit use |
The classic Run and RunOnce keys in HKLM and HKCU, the Winlogon\Shell replacement, and the AppInit_DLLs are all abused for persistence. Hardening: remove write access for non-admins from these registry keys (use Set-Acl or GPO registry preferences). Additionally, enable AppLocker or WDAC to prevent unauthorized executables from even running if they get written.
⚠️ The Winlogon\Shell key controls what runs as the user interface. If an attacker replaces explorer.exe with a malicious binary, it runs at user logon. Set the ACL to Read only for non-admins.
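The following audit script is an added example, not part of the original lesson; it reports, without changing anything, where the keys discussed above deviate from the hardening described (LSA and UAC values, Winlogon\Shell, IFEO Debugger hijacks, and write access on the HKLM persistence keys). It assumes an elevated session, that the expected shell is the stock `explorer.exe`, and that only SYSTEM, Administrators, TrustedInstaller and the inherited CREATOR OWNER entry should hold write rights.

```powershell
# Added audit script (not from the original lesson). Run elevated; read-only.
$Lsa      = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$Uac      = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$Winlogon = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$Ifeo     = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
$RunKeys  = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"   # holds AppInit_DLLs
)

# 1. DWORD values the LSA and UAC sections expect
$Expected = @(
    @{ Path = $Lsa; Name = "RunAsPPL";                   Value = 1 },
    @{ Path = $Uac; Name = "EnableLUA";                  Value = 1 },
    @{ Path = $Uac; Name = "ConsentPromptBehaviorAdmin"; Value = 2 },
    @{ Path = $Uac; Name = "PromptOnSecureDesktop";      Value = 1 }
)
foreach ($e in $Expected) {
    $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    if ($actual -ne $e.Value) {
        "[MISSING/WRONG] $($e.Path)\$($e.Name) = '$actual' (expected $($e.Value))"
    }
}

# 2. Winlogon\Shell must still be the stock shell (assumed: explorer.exe)
$shell = (Get-ItemProperty -Path $Winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -ne "explorer.exe") { "[SUSPECT] Winlogon\Shell = '$shell'" }

# 3. An IFEO subkey with a Debugger value redirects that executable to another binary
Get-ChildItem -Path $Ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = $_.GetValue("Debugger")
    if ($dbg) { "[SUSPECT] IFEO $($_.PSChildName) Debugger = '$dbg'" }
}

# 4. Write rights on persistence keys held by anyone outside the assumed trusted set
$TrustedWriters = @("NT AUTHORITY\SYSTEM", "BUILTIN\Administrators",
                    "NT SERVICE\TrustedInstaller", "CREATOR OWNER")
# SetValue (2) | CreateSubKey (4) | GENERIC_ALL | GENERIC_WRITE
$WriteMask = 2 -bor 4 -bor 0x10000000 -bor 0x40000000
foreach ($key in ($RunKeys + $Winlogon)) {
    foreach ($ace in (Get-Acl -Path $key).Access) {
        if ($ace.AccessControlType -eq "Allow" -and
            (([int]$ace.RegistryRights -band $WriteMask) -ne 0) -and
            ($TrustedWriters -notcontains $ace.IdentityReference.Value)) {
            "[WRITABLE] $key grants $($ace.RegistryRights) to $($ace.IdentityReference)"
        }
    }
}
```

A clean host prints nothing; each reported line is a value to correct with the Set-ItemProperty, Set-Acl or GPO steps above, or an entry to investigate.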