The Windows Registry is a hierarchical database that stores virtually all operating system and application configuration settings. If the Windows file system is the body, the registry is the brain — it controls how the system boots, what services start, how applications behave, and where security policies are defined. Understanding the registry is non-negotiable for any Windows security professional.
In this lesson, you will learn the registry structure, key security-relevant locations, how attackers abuse the registry for persistence and privilege escalation, and how to monitor and defend it.
The registry is organized into five root keys (hives), each serving a distinct purpose:
| Hive | Abbreviation | Purpose | Security Relevance |
|---|---|---|---|
| HKEY_LOCAL_MACHINE | HKLM | System-wide hardware and software settings | Most security-critical hive; stores service configs, security policies, SAM data |
| HKEY_CURRENT_USER | HKCU | Settings for the currently logged-in user | User-specific autorun entries, application settings, user preferences |
| HKEY_CLASSES_ROOT | HKCR | File associations and COM object registration | COM hijacking, file association abuse for persistence |
| HKEY_USERS | HKU | All loaded user profiles | Can access other users' settings if permissions allow |
| HKEY_CURRENT_CONFIG | HKCC | Current hardware profile | Rarely targeted; hardware configuration data |
The registry is stored on disk as hive files in C:\Windows\System32\config\ (for HKLM hives) and in user profile directories (NTUSER.DAT for HKCU). These files can be analyzed offline, which is useful for forensic investigations.
Registry Hive Files on Disk:
C:\Windows\System32\config\SAM → HKLM\SAM (local user accounts)
C:\Windows\System32\config\SECURITY → HKLM\SECURITY (security policy)
C:\Windows\System32\config\SOFTWARE → HKLM\SOFTWARE (installed software)
C:\Windows\System32\config\SYSTEM → HKLM\SYSTEM (system configuration, services)
C:\Users\<username>\NTUSER.DAT → HKCU (current user settings)
C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat → HKCU\Software\ClassesThe most security-critical registry locations are the autorun (Run/RunOnce) keys. These keys specify programs that execute automatically at user logon or system startup. Attackers abuse these extensively for persistence — surviving reboots without needing to modify files on disk.
# Common autorun registry locations to audit
$autorunKeys = @(
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
"HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
)
foreach ($key in $autorunKeys) {
Write-Host "\n=== $key ===" -ForegroundColor Cyan
Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
Select-Object * -ExcludeProperty PS* | Format-List
}⚠️ In the output above, 'SuspiciousApp' points to an executable in the user's Temp directory (C:\Users\jsmith\AppData\Local\Temp\update.exe). This is a strong indicator of malware persistence. Legitimate software almost never installs executables in the Temp folder. This should be investigated immediately — collect the file for analysis, check its hash against threat intelligence, and review other persistence mechanisms.
All Windows services are defined in the registry under HKLM\SYSTEM\CurrentControlSet\Services\. Each service has a subkey containing its configuration, including the path to its executable, its start type, and its logon account.
# Enumerate all services and their executable paths
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\*" |
Where-Object { $_.ImagePath -ne $null } |
Select-Object @{N='Service';E={$_.PSChildName}},
@{N='ImagePath';E={$_.ImagePath}},
@{N='StartType';E={$_.Start}},
@{N='ObjectName';E={$_.ObjectName}} |
Format-Table -AutoSize -Wrap
# Find services with unquoted service paths (privilege escalation vector)
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\*" |
Where-Object {
$_.ImagePath -and
$_.ImagePath -notmatch '^"' -and
$_.ImagePath -match ' ' -and
$_.ImagePath -notmatch 'system32'
} | Select-Object PSChildName, ImagePathUnquoted service paths are a classic privilege escalation vector. If a service executable path contains spaces and is not enclosed in quotes (e.g., C:\Program Files\My App\service.exe), Windows will try to execute C:\Program.exe, then C:\Program Files\Program.exe, then C:\Program Files\My\App\service.exe. If a low-privileged user can write to any of these locations, they can place a malicious executable that runs as the service account (often SYSTEM).
Many critical security policies are stored in the registry. Understanding these locations helps you assess the security posture of a Windows system:
| Registry Path | What It Controls | Security Impact |
|---|---|---|
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | UAC enabled (1) or disabled (0) | UAC disabled = major security weakness |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy | Admin token filtering for remote connections | Enabled (1) = remote admins get full token, not filtered |
| HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel | NTLM authentication level | Lower levels allow weaker auth; level 5 is most secure |
| HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec | Minimum NTLM security for clients | Controls requirements for NTLM session security |
| HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials | Credential delegation settings | Controls which servers can receive delegated credentials |
| HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal | Secure channel signing for domain auth | Should be required (1) to prevent NTLM relay |
# Check UAC status
$uac = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLUA"
if ($uac.EnableLUA -eq 1) { Write-Host "UAC is ENABLED" -ForegroundColor Green }
else { Write-Host "UAC is DISABLED - CRITICAL FINDING" -ForegroundColor Red }
# Check LSA protections
$lsa = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -ErrorAction SilentlyContinue
Write-Host "LM Compatibility Level: $($lsa.LmCompatibilityLevel)"
Write-Host "RunAsPPL (LSA Protection): $($lsa.RunAsPPL)"
# Check if LSASS is protected
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -ErrorAction SilentlyContinueJust like files and folders, registry keys have ACLs. Weak registry permissions are a common privilege escalation vector. An attacker with write access to a service's registry key can change the ImagePath to point to a malicious executable.
# Check permissions on a service's registry key
Get-Acl "HKLM:\SYSTEM\CurrentControlSet\Services\VulnService" |
Select-Object -ExpandProperty Access |
Format-Table IdentityReference, RegistryRights, AccessControlType
# Find registry keys where Users group has write access
# (This is a simplified example - full enumeration requires recursive checking)
Get-Acl "HKLM:\SYSTEM\CurrentControlSet\Services\*" |
ForEach-Object {
$key = $_.PSPath
$_.Access | Where-Object {
$_.IdentityReference -match "Users|Everyone|Authenticated Users" -and
$_.RegistryRights -match "WriteKey|FullControl|SetValue"
} | Select-Object @{N='Key';E={$key}}, IdentityReference, RegistryRights
}⚠️ Changing service ImagePath via the registry is a well-known privilege escalation technique. If a low-privileged user has write access to HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\ImagePath, they can change it to a malicious executable. When the service starts, the attacker's code runs in the service's security context (often SYSTEM). Always audit service registry key permissions.
For defenders, registry monitoring is essential for detecting persistence, configuration changes, and lateral movement. Windows provides several mechanisms:
# Enable registry auditing via SACL (requires admin)
# First, enable object access auditing in Group Policy
# Then set SACL on the key:
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
[System.Security.AccessControl.RegistryRights]::ChangePermissions
)
$acl = $key.GetAccessControl()
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
"Everyone", "SetValue", "ContainerInherit", "None", "Success,Failure"
)
$acl.AddAuditRule($rule)
$key.SetAccessControl($acl)
$key.Close()
# Query recent registry modification events from Sysmon
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=13} -MaxEvents 10 |
ForEach-Object { $_.Message }💡 Sysmon Event ID 13 (RegistryEvent) is one of the most valuable events for detecting persistence. Configure your Sysmon config (such as the popular SwiftOnSecurity config) to monitor autorun keys, service keys, and other sensitive registry locations. Combine this with a SIEM for alerting on suspicious modifications.
Verify exercises to earn ★ 130 XP and unlock next lab level.