Category:Architecture/Windows/Registry

From aldeid

Description

The registry database is the place where Windows stores information about the OS and the configuration. It is also used by applications, and by extension, malware, to store configuration information, and ensure persistence.

Structure

Root Keys and associated files

Root keys

The Windows Registry is split into 5 root keys:

HKEY_LOCAL_MACHINE (a.k.a. HKLM)
Stores settings that are global to the local machine
HKEY_CURRENT_USER (a.k.a. HKCU)
Stores settings specific to the current user
HKEY_CLASSES_ROOT
Stores information defining types
HKEY_CURRENT_CONFIG
Stores settings about the current hardware configuration, specifically differences be…
HKEY_USERS
Defines settings for the default user, new users, and current users
Note
Notice that HKEY_CURRENT_USER is actually a virtual key pointing to HKEY_USERS\SID, where SID is the security identifier of the user currently logged in.
Note
Some hives (e.g. HKLM\HARDWARE and HKLM\SYSTEM\Clone) are volatile and don't have associated files. The system creates and manages these hives entirely in memory; the hives are therefore temporary in nature. The system creates volatile hives every time the system boots.
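The note above says HKEY_CURRENT_USER is only a view onto HKEY_USERS\<SID>. The following PowerShell script is an added example, not part of the aldeid page: it resolves the SID of the account running it, maps an HKU: drive (PowerShell ships HKCU: but not HKU:), and checks that both paths expose the same subkeys and the same Environment\Path value. It assumes a Windows host and read access to the user's own hive; HKCU:\Environment is used only because it exists on every profile.

```powershell
# Added example (not from the aldeid page): HKEY_CURRENT_USER is a view of HKEY_USERS\<SID>.

# SID of the account running this script
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
"Current user SID: $sid"

# Map an HKU: drive onto HKEY_USERS if one is not already present
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# The same subkeys should be listed through both paths
$viaHkcu = @((Get-ChildItem -Path 'HKCU:\' -ErrorAction SilentlyContinue).PSChildName)
$viaHku  = @((Get-ChildItem -Path "HKU:\$sid" -ErrorAction SilentlyContinue).PSChildName)
$diff = Compare-Object -ReferenceObject $viaHkcu -DifferenceObject $viaHku
if ($diff) {
    "Subkey lists differ:"
    $diff
} else {
    "HKCU:\ and HKU:\$sid expose the same subkeys"
}

# A value read through one path is the same object as through the other (read-only check)
$path1 = (Get-ItemProperty -Path 'HKCU:\Environment' -ErrorAction SilentlyContinue).Path
$path2 = (Get-ItemProperty -Path "HKU:\$sid\Environment" -ErrorAction SilentlyContinue).Path
"Environment\Path identical through both views: $($path1 -eq $path2)"
```

Because HKCU: is resolved per logon session, a scheduled task or service running as another account sees a different HKEY_USERS\<SID> behind the same HKCU: path; when reviewing per-user persistence from an administrative session, address the hive explicitly through HKU:\<SID> rather than relying on HKCU:.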

Files

The Windows registry is stored as files, broken down as follows:

Root key            Subkey       File
HKEY_LOCAL_MACHINE  SYSTEM       \system32\config\system
HKEY_LOCAL_MACHINE  SAM          \system32\config\sam
HKEY_LOCAL_MACHINE  SECURITY     \system32\config\security
HKEY_LOCAL_MACHINE  SOFTWARE     \system32\config\software
HKEY_USERS          UserProfile  \winnt\profiles\username
HKEY_USERS          .DEFAULT     \system32\config\default
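The table above is the static mapping; a running system records the mapping it is actually using under HKLM\SYSTEM\CurrentControlSet\Control\hivelist, one value per loaded hive with the backing file as its data. This PowerShell script is an added example, not from the aldeid page: it dumps that list and flags the hives with no file, which are the volatile, memory-only hives mentioned earlier (HKLM\HARDWARE among them). It assumes a Windows host and read access to the hivelist key; the value data are NT device paths (\Device\HarddiskVolumeN\...), not drive letters.

```powershell
# Added example (not from the aldeid page): which hives are loaded and which file backs each.
# An empty path means a volatile hive: built in memory at boot, never written to disk,
# so it cannot be recovered from an offline image during forensic acquisition.

$hiveKey = Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'

$hives = foreach ($name in $hiveKey.GetValueNames()) {
    $file = [string]$hiveKey.GetValue($name)
    [pscustomobject]@{
        Hive     = $name                                  # e.g. \REGISTRY\MACHINE\SYSTEM
        Volatile = [string]::IsNullOrEmpty($file)
        File     = if ($file) { $file } else { '(volatile, no file)' }
    }
}

$hives | Sort-Object Volatile, Hive | Format-Table -AutoSize -Wrap

# Summary a responder wants: files to collect from the disk image, and hives only live memory holds
"On-disk hive files : $(($hives | Where-Object { -not $_.Volatile }).Count)"
"Volatile hives     : $(($hives | Where-Object { $_.Volatile }).Hive -join ', ')"
```

Entries of the form \REGISTRY\USER\<SID> point at the per-user ntuser.dat under the profile directory, which is the current location of the "UserProfile" row in the table above.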

Tools

Access the registry database

Windows provides the regedit.exe tool to manage the registry database.

On Linux, you can use FRED to open registry hive files, or regshell to query a registry database remotely.

List autorun keys
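The description at the top of the page notes that malware uses the registry for persistence; the classic place to look is the Run and RunOnce keys under HKLM and HKCU. The following PowerShell script is an added example, not from the aldeid page: it enumerates those keys (including the WOW6432Node copies on 64-bit Windows) and marks commands that launch from user-writable directories, which are worth a second look during a review. The key list is the well-known set, not an exhaustive autostart inventory (services, scheduled tasks and Winlogon values are other locations); the path heuristic is an assumption of this example, not a rule from the page.

```powershell
# Added example (not from the aldeid page): enumerate Run/RunOnce autorun keys for a persistence review.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntry {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path -Path $key)) { continue }      # WOW6432Node is absent on 32-bit Windows
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            [pscustomobject]@{
                Key     = $key
                Name    = if ($name) { $name } else { '(Default)' }
                Command = $command
                # Heuristic (assumption of this example): autoruns launched from per-user writable
                # locations deserve closer inspection than those under Program Files or System32
                Flag    = if ($command -match '\\(AppData|Temp|Users\\Public|ProgramData)\\') { 'user-writable path' } else { '' }
            }
        }
    }
}

Get-AutorunEntry | Format-Table -AutoSize -Wrap
```

Run it from an elevated session to read the HKLM keys; to review another account's HKCU entries, address that user's hive as HKU:\<SID>\SOFTWARE\... instead, since HKCU: always resolves to the account running the script.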

Pages in category "Architecture/Windows/Registry"

The following 7 pages are in this category, out of 7 total.