Windows Registry - PimmyTrousers/Cooking-Recipes GitHub Wiki

OVERVIEW:

“The Windows registry is the brain of the windows operating system”

  • Hierarchical database
    • Stores configuration options for everything in windows
    • Except for
      • .NET Framework apps (they use XML)
      • Portable apps, where config is kept within the files the app executes from
  • Designed for speed, efficiency and small size (15-20MB); it is ALWAYS kept in RAM
  • The registry contains keys and values
    • Registry Keys are container objects, similar to folders
    • Registry Values are non-container objects, similar to files
  • Types of data in registry
    • String Values (unicode)
    • Binary data
    • Unsigned ints
    • Symbolic links
    • Multi-string values
    • Resource list (plug and play hardware)
    • Resource descriptor (p&p hardware)
    • 64 bit-integers

Root Keys:

  • (HKLM) HKEY_LOCAL_MACHINE
    • Info about hardware installed, software settings, and more
    • Subkeys:
      • SAM (security accounts manager)
        • Contains usernames, passwords, groups, security descriptors
        • Passwords stored as hashes
      • Security
        • Security-related information
      • System
      • Software
        • Third-party software settings are stored here
      • Hardware
        • Created dynamically during boot
        • Info about hardware, plug and play devices, etc.
      • Components
      • BCD.dat
        • Boot information
  • (HKCC) HKEY_CURRENT_CONFIG
    • Info about hardware, plug and play, drivers etc.
  • (HKCR) HKEY_CLASSES_ROOT
    • Alias or reference to HKLM\Software\Classes
    • Data related to applications, shortcuts, file extension associations
    • Contains info about registered applications, files, associations
  • (HKCU) HKEY_CURRENT_USER
    • User-specific registry data, retrieved at startup for the current user
  • (HKU) HKEY_USERS
    • Contains a subkey corresponding to HKEY_CURRENT_USER for each user that is logged in
    • Usually mirrors HKEY_CURRENT_USER if no other users are logged in
  • HKEY_PERFORMANCE_DATA
    • Provides runtime information into performance data

Hive Locations:

  • Not all registry hives are stored on disk
  • On Windows NT-based systems the system registry files are in ROOT\System32\Config (ROOT being the Windows installation directory)
  • NTuser.dat files are in the corresponding user’s profile (%UserProfile%)
  • %SystemDrive%\Boot OR %SystemDrive%\EFI\Microsoft\Boot → BCD.dat

Software to Manage the Registry:

  • Regshot (https://sourceforge.net/projects/regshot/)
    • Takes a snapshot of directories and the registry which can be compared to later snapshots
      • Shows all changes to registry, software installed, etc.
  • Registrar by Resplendence
    • Allows for easier search and editing of the registry, gives us a lot more power to change things

Changing Reg Values:

  • Messed up registry values can fuck the whole system, requiring a reinstallation of the operating system.
  • Before editing anything, BACKUP
    • Right Click the key → export
    • Left click the key → file → export
    • Also can create a manual restore point
  • Regedit allows you to modify registry values
    • Ctrl+f to search for specific things
    • Be certain about what you are doing if you are going to mess with values
  • “Reg” command for cmd.exe
    • Reg add, compare, copy, delete, export, import, load, query, restore, save, unload
      • Use “reg /?” for help
    • These give us the ability to query and change registry values from the command line, but because the registry is very vast we should normally use software with a GUI instead.
    • We can/should just use Registrar to change registry values
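The backup-then-edit routine above, done with the reg subcommands, as an added example (not from the wiki). It assumes an elevated PowerShell prompt; the backup folder and the DisableCAD value it edits are chosen for illustration.

```powershell
# Added example: back up a key with "reg export" before changing a value with
# "reg add", then verify with "reg query". Assumes an elevated prompt; the
# backup folder path is an assumption, adjust to taste.
$Key       = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$BackupDir = "$env:USERPROFILE\RegBackups"
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$Backup = Join-Path $BackupDir ("Winlogon-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

# 1. Export the key (same result as right-click -> Export in regedit).
reg export $Key $Backup /y
if ($LASTEXITCODE -ne 0) { throw "Backup failed; not touching the registry." }

# 2. Change the value: DisableCAD = 0 makes Ctrl+Alt+Del required at logon.
reg add $Key /v DisableCAD /t REG_DWORD /d 0 /f

# 3. Verify the change from the command line.
reg query $Key /v DisableCAD

# To roll back, import the .reg file exported in step 1:
#   reg import $Backup
```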

Values we should check:

  • Make sure UAC is on
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • Value: EnableLUA → set value to 1 (default)
    • Keeps UAC(user account control) turned on
  • Make sure Auto Update is on
    • HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
    • Value: NoAutoUpdate → set to 0
  • Disable auto-admin login
    • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    • Value: AutoAdminLogon → set to 0 (if this is turned on (1), the logon password is stored in plaintext in the registry)
    • Makes sure people have to log on when the computer starts
  • Enable secure logon
    • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    • Value: DisableCAD → set to 0
    • Requires users to press Ctrl-Alt-Delete to initiate the login process
  • Check things that are run on startup
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • Enable Windows Defender Controlled Folder Access (Windows 10)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exploit Guard\Controlled Folder Access
    • Value: EnableControlledFolderAccess → set to 1
    • Enables Windows Defender Controlled Folder Access
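A read-only audit of the values listed in this section, as an added example (not the wiki's own script). It assumes an elevated PowerShell prompt, reports each value against the expected setting, and lists the Run/RunOnce entries for review without changing anything.

```powershell
# Added example: audit the registry values listed above and list startup
# entries. Read-only; assumes an elevated PowerShell prompt.
$Checks = @(
  @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
     Name='EnableLUA'; Want=1; Why='UAC on' },
  @{ Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
     Name='NoAutoUpdate'; Want=0; Why='automatic updates on' },
  @{ Key='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
     Name='AutoAdminLogon'; Want=0; Why='no auto-admin logon (plaintext password)' },
  @{ Key='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
     Name='DisableCAD'; Want=0; Why='Ctrl+Alt+Del required at logon' },
  @{ Key='HKLM:\SOFTWARE\Microsoft\Windows Defender\Exploit Guard\Controlled Folder Access'
     Name='EnableControlledFolderAccess'; Want=1; Why='Controlled Folder Access on' }
)

foreach ($c in $Checks) {
  $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
  if ($null -eq $item) {
    # Value absent means the Windows default applies; flag it so someone confirms.
    "[?] $($c.Name) not set under $($c.Key) ($($c.Why))"
    continue
  }
  $actual = [int]$item.($c.Name)   # AutoAdminLogon is a REG_SZ "0"/"1"; the cast handles both
  $status = if ($actual -eq $c.Want) { 'OK ' } else { 'BAD' }
  "[$status] $($c.Name) = $actual (want $($c.Want)): $($c.Why)"
}

# Startup entries: print everything under the Run / RunOnce keys for review.
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $RunKeys) {
  $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
  if ($null -eq $props) { continue }
  $props.PSObject.Properties |
    Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
    ForEach-Object { "[RUN] $k : $($_.Name) = $($_.Value)" }
}
```

Any line marked BAD or [?] is a value to look at with Regshot or Registrar before deciding whether to change it.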

Restore Points:

  • (used to backup and restore the state of the registry)
  • Control panel → System and Security → System → System protection
  • Turn on System Protection
  • Raise max usage to allow for more registry backups (20% is pretty good)
    • Can also delete previous restore points to make more space
  • Backup C drive (that’s where the registry is)
  • Automatically created:
    • Whenever software is installed using Windows Installer, Package Installer, or other installers which are aware of System Restore
      • When using a different installer, make a manual restore point
    • When Windows Update installs new updates
    • When the user installs a driver that is not digitally signed
    • Windows Vista → every 24 hours of computer use
    • Windows 7 → once every seven days
  • Can also be made manually through System Protection
  • Saved in C:\System Volume Information
  • Approved tools Microsoft allows us to use to modify the registry (besides regedit):

    • Control Panel
    • Action Center (security and maintenance)
    • Color Management
    • Device Manager
    • File History
    • Homegroup
    • Keyboard
    • Mouse
    • Nvidia nView Desktop Manager
    • Programs and Features
    • Sound
    • System
    • Windows Defender
    • Work Folders
    • Administrative Tools
    • Credential Manager
    • Devices and Printers
    • Flash Player(32-Bit)
    • Indexing Options
    • Language
    • Network and Sharing Center
    • Personalization
    • Recovery
    • Speech Recognition
    • Taskbar and Navigation
    • Windows Firewall
    • Autoplay
    • Date and Time
    • Display
    • Folder Options
    • Internet Options
    • Location Settings
    • Notification Area icons
    • Phone and Modem
    • Region
    • Storage Spaces
    • Troubleshooting
    • Windows To Go
    • BitLocker Drive Encryption
    • Default Programs
    • Ease of Access center
    • Fonts
    • Java
    • Mail
    • Nvidia Control Panel
    • Power options
    • RemoteApp and desktop connections
    • Sync Center
    • User accounts
    • Windows Update