Windows Registry

Tool to better view the registry

Hives

These are the root directories of the registry, e.g. HKEY_LOCAL_MACHINE.

The full list of these can be found at HKLM\SYSTEM\CurrentControlSet\Control\hivelist

HKEY_LOCAL_MACHINE

  • Contains machine-wide information
  • Some Hardware details are generated on boot and kept in memory only

HKLM\System\CurrentControlSet\Services: Location of Installed services and device drivers

HKLM\SAM: local security policy
HKLM\SECURITY: local accounts information
HKLM\BCD00000000: Boot Configuration Data (BCD), normally accessed using the bcdedit.exe tool.

HKEY_USERS

HKEY_USERS\SYSTEM: (S-1-5-18)
HKEY_USERS\LocalService: (S-1-5-19)
HKEY_USERS\NetworkService: (S-1-5-20)
HKEY_USERS\{SID_USERNAME}: keyed by the user's SID, e.g. S-1-5-21-2501640473-3192852522-2040178475-1001
HKEY_USERS\{SID_USERNAME}_Classes: the same SID with a _Classes suffix, e.g. S-1-5-21-2501640473-3192852522-2040178475-1001_Classes

HKEY_CURRENT_USER

This is a link key pointing to the HKEY_USERS subkey for the SID of the user running the current process. For example, if regedit is opened by the SYSTEM account it links to HKEY_USERS\SYSTEM (S-1-5-18).

HKEY_CLASSES_ROOT

Technically not a hive but a merged view of two keys, HKLM\Software\Classes and HKCU\Software\Classes.
- The initial values are taken from the Local Machine classes but are overridden by the Current User classes
- This contains information about shell extensions and file extension associations

HKEY_CURRENT_CONFIG

This is a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current

HKEY_PERFORMANCE_DATA

Backwards-compatible hive for pre-Windows 2000 performance counter information

Hidden Registry

How to view the parts of the registry that are not accessible to regedit

Interesting Locations

Bypass Group Policy with RegEdit:
https://medium.com/tenable-techblog/bypass-windows-10-user-group-policy-and-more-with-this-one-weird-trick-552d4bc5cc1b

Proxy settings:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings

Disable annoying GWX "Get Windows 10" icon:

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Gwx" /v DisableGwx /t REG_DWORD /d "00000001" /f

Disable SMBv1:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

VNC stored password:
reg query "HKCU\Software\ORL\WinVNC3\Password"

Windows autologon credentials:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

UAC enabled?

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
    EnableLUA    REG_DWORD    0x0  // NO
    EnableLUA    REG_DWORD    0x1  // YES

SNMP parameters:
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"

PuTTY clear-text proxy credentials:
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

Search the registry for "password"; optionally pipe the output to the clipboard:

reg query HKLM /f password /t REG_SZ /s [ |clip]
reg query HKCU /f password /t REG_SZ /s [ |clip]

Change the upnphost service binary:

sc qc upnphost
sc config upnphost binpath= "net user /add"
sc config upnphost obj= ".\LocalSystem" password= ""
net stop upnphost
net start upnphost

Disable short (8.3) names:

HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation = 1
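To make the UAC, SMBv1, autologon and short-name checks above repeatable across collected output, here is an added example (not from the original page) that parses `reg query` output in the layout shown in the UAC check and reports the settings that deviate from the values given on this page. The sample output is constructed, and the hardening thresholds are assumptions taken from this page rather than from any vendor baseline.

```python
import re
# Constructed sample of `reg query` output (not from a real host), in the layout shown by the UAC check above.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    SMB1    REG_DWORD    0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
    NtfsDisable8dot3NameCreation    REG_DWORD    0x2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    DefaultPassword    REG_SZ    hunter2
"""
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s*(.*)$")  # name, type, data

def parse_reg_query(text):
    """Parse `reg query` output into {key_path: {value_name: (type, data)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, rtype, data = m.groups()
            keys[current][name] = (rtype, data.strip())
        elif line.strip() and not line.startswith(" "):   # unindented line = key path
            current = line.strip()
            keys.setdefault(current, {})
    return keys

# (key path, value name, predicate that is True when the data is acceptable, finding),
# one per hardening setting on this page. REG_DWORD data is printed as hex (0x1).
CHECKS = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "EnableLUA", lambda d: d == "0x1", "UAC disabled (EnableLUA is not 0x1)"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
     "SMB1", lambda d: d == "0x0", "SMBv1 server still enabled"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem",
     "NtfsDisable8dot3NameCreation", lambda d: d == "0x1", "8.3 short names not disabled"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "DefaultPassword", lambda d: d == "", "autologon password stored in clear text"),
]

def audit(text):
    """One finding per check whose value is present and unacceptable; paths compare case-insensitively."""
    keys = {k.lower(): v for k, v in parse_reg_query(text).items()}
    findings = []
    for path, name, acceptable, msg in CHECKS:
        value = keys.get(path.lower(), {}).get(name)   # None: absent, the OS default applies
        if value is not None and not acceptable(value[1]):
            findings.append(f"{path}\\{name} = {value[1]}: {msg}")
    return findings
```

Feed it the saved output of `reg query <key>` for each key in CHECKS; on the constructed sample it returns three findings (SMBv1, short names, autologon) and passes UAC.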