Windows Registry - O-LavenderAshburn/Knowledgebase_MalwareAnalysis GitHub Wiki

Windows Registry & Registry Keys

The Windows Registry is a central hierarchical database used by Microsoft Windows to store configuration settings and options for the operating system and installed applications.

The registry is organized into keys and values.

Root keys

  • HKEY_LOCAL_MACHINE (HKLM) – System-wide settings.
  • HKEY_CURRENT_USER (HKCU) – Settings specific to the currently logged-in user.
  • HKEY_CLASSES_ROOT (HKCR) – Info about file associations and COM objects.
  • HKEY_USERS (HKU) – All user profiles on the machine.
  • HKEY_CURRENT_CONFIG (HKCC) – Info about the current hardware profile.

Registry Functions

The registry can be queried and modified through Windows API calls from languages such as C and C++. Some common API calls are as follows.

  • RegOpenKeyEx() – open a registry key
  • RegCreateKeyEx() – create a new key
  • RegSetValueEx() – write a value
  • RegDeleteValue() – delete a value
  • RegCloseKey() – close the registry handle

More registry API calls can be found in Microsoft's Winreg.h documentation.

Significance To Malware

The registry's critical importance to system operation makes it an ideal target for malware authors looking to establish a foothold on a system, maintain persistence, and evade detection.

Auto Run Entries

Malware authors frequently add entries to specific registry keys to achieve persistence and automatically launch malicious code when a system starts. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run are common auto-run keys used by malware.

Security Setting Modification

Malware authors can disable security features such as Windows Defender by editing HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, or weaken other security settings through the Windows Registry.
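The following is an added example written for this page, not the wiki's own code, that ties the three sections above together from the analyst's side: it reads the auto-run keys and the Defender policy key named on the page and flags entries worth a closer look. It uses Python's winreg module, whose functions wrap the Win32 calls listed under Registry Functions (OpenKey calls RegOpenKeyEx, EnumValue calls RegEnumValue, CloseKey calls RegCloseKey). The triage rules, the RunOnce keys, the DisableAntiSpyware and DisableAntiVirus policy value names, and the sample entries are assumptions chosen for illustration; the sample data is constructed so the triage logic can run offline on any platform.

```python
"""Defender-side registry triage: list auto-run entries and Defender policy
values, then flag the ones an analyst should inspect first.

Added example, not the wiki's own code. On Windows the collection layer uses
winreg (OpenKey -> RegOpenKeyEx, EnumValue -> RegEnumValue,
CloseKey -> RegCloseKey). The triage functions are pure Python so they can be
exercised on captured or constructed data without a Windows host.
"""
import re

try:
    import winreg  # Windows only; missing on other platforms
except ImportError:
    winreg = None

# Persistence keys from the page (Run) plus RunOnce (assumption: same format).
RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

# Policy key from the page; the value names checked are an assumption.
DEFENDER_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows Defender"
DEFENDER_POLICY_VALUES = ["DisableAntiSpyware", "DisableAntiVirus"]

# Indicators used by the triage: payloads launched from user-writable or
# temporary locations, and script/LOLBin hosts that run a separate payload.
SUSPICIOUS_PATH = re.compile(
    r"\\(AppData|Temp|Public|ProgramData|Downloads)\\", re.IGNORECASE)
SUSPICIOUS_HOST = re.compile(
    r"\b(powershell|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?\b",
    re.IGNORECASE)


def read_values(hive_name, subkey):
    """Return {value_name: data} for one key, or {} if the key is absent.
    Opens the key read-only, walks its values by index, and always closes it."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    hive = {"HKCU": winreg.HKEY_CURRENT_USER,
            "HKLM": winreg.HKEY_LOCAL_MACHINE}[hive_name]
    values = {}
    try:
        key = winreg.OpenKey(hive, subkey, 0, winreg.KEY_READ)
    except OSError:          # key does not exist or access denied
        return values
    try:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = data
            index += 1
    finally:
        winreg.CloseKey(key)
    return values


def triage_run_entries(entries):
    """entries: list of (hive, subkey, value_name, command).
    Returns [(value_name, [reasons])] for entries with at least one indicator.
    These are leads, not verdicts: legitimate software also lives in AppData."""
    findings = []
    for _hive, _subkey, name, command in entries:
        reasons = []
        cmd = str(command)
        if SUSPICIOUS_PATH.search(cmd):
            reasons.append("user-writable path")
        if SUSPICIOUS_HOST.search(cmd):
            reasons.append("script/LOLBin host")
        if reasons:
            findings.append((name, reasons))
    return findings


def triage_defender_policy(values):
    """values: {name: data} read from the Defender policy key.
    Returns the policy values set to 1, i.e. protection switched off by policy."""
    return [n for n in DEFENDER_POLICY_VALUES if values.get(n) == 1]


def collect_live():
    """Read the real keys on a Windows host and triage them."""
    entries = []
    for hive, subkey in RUN_KEYS:
        for name, data in read_values(hive, subkey).items():
            entries.append((hive, subkey, name, data))
    defender = read_values("HKLM", DEFENDER_POLICY_KEY)
    return triage_run_entries(entries), triage_defender_policy(defender)


# Constructed sample standing in for a live read (not captured from a host).
SAMPLE_ENTRIES = [
    ("HKLM", RUN_KEYS[1][1], "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("HKCU", RUN_KEYS[0][1], "OneDrive",
     r"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("HKCU", RUN_KEYS[0][1], "Updater",
     r"wscript.exe //B C:\Users\analyst\AppData\Roaming\update.vbs"),
]
SAMPLE_DEFENDER = {"DisableAntiSpyware": 1, "DisableAntiVirus": 0}

if __name__ == "__main__":
    if winreg is not None:
        runs, policy = collect_live()
    else:
        runs = triage_run_entries(SAMPLE_ENTRIES)
        policy = triage_defender_policy(SAMPLE_DEFENDER)
    for name, reasons in runs:
        print(f"auto-run entry '{name}': {', '.join(reasons)}")
    for name in policy:
        print(f"Defender policy '{name}' is set to 1 (protection disabled)")
```

On the constructed sample, the SecurityHealth entry passes cleanly, OneDrive is flagged only for its AppData location (a known benign pattern an analyst would clear quickly), and the Updater entry is flagged on both indicators; DisableAntiSpyware is the only policy value reported. Run on a Windows host, the same functions read the live keys through the Win32 wrappers instead.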