Windows Registry

Tool to better view the registry

Hives

These are the root keys of the registry, e.g. HKEY_LOCAL_MACHINE.

The full list of these can be found at HKLM\SYSTEM\CurrentControlSet\Control\hivelist

HKEY_LOCAL_MACHINE

  • Contains machine-wide information
  • Some hardware details are generated at boot and kept in memory only

HKLM\System\CurrentControlSet\Services: location of installed services and device drivers

HKLM\SAM: local security policy
HKLM\SECURITY: local accounts information
HKLM\BCD00000000: Boot Configuration Data (BCD), normally accessed using the bcdedit.exe tool.

HKEY_USERS

HKEY_USERS\SYSTEM: (S-1-5-18)
HKEY_USERS\LocalService: (S-1-5-19)
HKEY_USERS\NetworkService: (S-1-5-20)
HKEY_USERS\{SID_USERNAME}: the user's SID, e.g. (S-1-5-21-2501640473-3192852522-2040178475-1001)
HKEY_USERS\{SID_USERNAME}_Classes: the user's SID, e.g. (S-1-5-21-2501640473-3192852522-2040178475-1001)

HKEY_CURRENT_USER

This is a link key that points to the HKEY_USERS subkey for the SID of the user running the current process. For example, if regedit is opened by the SYSTEM account, it links to HKEY_USERS\SYSTEM.

HKEY_CLASSES_ROOT

Technically not a hive but a merged view of two keys, HKLM\Software\Classes and HKCU\Software\Classes.

  • The initial values are taken from the Local Machine classes but are overridden by the Current User classes
  • This contains information about shell extensions and file extension associations

HKEY_CURRENT_CONFIG

This is a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current

HKEY_PERFORMANCE_DATA

Backwards-compatible hive for pre-Windows 2000 performance counter information

Hidden Registry

How to view the parts of the registry that are not accessible to regedit

Interesting Locations

Bypass Group Policy with RegEdit:
Bypass Windows 10 User Group Policy (and more) with this One Weird Trick

Proxy Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings

Disable annoying GWX "Get Windows 10" icon:

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Gwx" /v DisableGwx /t REG_DWORD /d "00000001" /f

Disable SMBv1:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

VNC stored password:
reg query "HKCU\Software\ORL\WinVNC3\Password"

Windows Autologin:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

UAC enabled?

REG QUERY "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA
    EnableLUA    REG_DWORD    0x0    // NO
    EnableLUA    REG_DWORD    0x1    // YES

SNMP parameters:
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"

PuTTY clear-text proxy credentials:
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

Search the registry for "password"; optionally pipe the output to the clipboard:

reg query HKLM /f password /t REG_SZ /s [ | clip ]
reg query HKCU /f password /t REG_SZ /s [ | clip ]

Change the upnp service binary:

sc qc upnphost
sc config upnphost binpath= "net user /add"
sc config upnphost obj= ".\LocalSystem" password= ""
net stop upnphost
net start upnphost

Disable short (8.3) names:

HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation = 1
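As an added example (not part of these notes), a read-only PowerShell audit of the HKLM values referenced above: UAC (EnableLUA), the SMBv1 value, Winlogon autologon and 8.3 name creation. It assumes an elevated PowerShell session on the machine being checked; the key paths and value names are the documented ones.

```powershell
# Added example: read-only audit of the registry settings listed in these notes.
# Assumes an elevated PowerShell session. Nothing here changes the registry.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Finding([string]$Check, $Value, [bool]$Weak, [string]$Note) {
    [pscustomobject]@{ Check = $Check; Value = $Value;
                       Status = $(if ($Weak) { "WEAK: $Note" } else { 'OK' }) }
}

function Test-RegistryHardening {
    $findings = @()
    # UAC: EnableLUA = 0 means UAC is switched off entirely.
    $lua = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
    $findings += New-Finding 'UAC (EnableLUA)' $lua ($lua -eq 0) 'UAC disabled'
    # SMBv1: the value the notes set to 0. Absent means the OS default applies;
    # Get-SmbServerConfiguration (EnableSMB1Protocol) is the authoritative check.
    $smb1 = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'SMB1'
    $findings += New-Finding 'SMBv1 server (SMB1)' $smb1 ($smb1 -ne 0) 'SMB1 not explicitly disabled'
    # Autologon: DefaultPassword under Winlogon is a plaintext credential that
    # the "Windows Autologin" reg query above exposes to any local user.
    $wl    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $auto  = Get-RegValue $wl 'AutoAdminLogon'
    $defPw = Get-RegValue $wl 'DefaultPassword'
    $autoVal = "AutoAdminLogon=$auto; DefaultPassword present=$($null -ne $defPw)"
    $findings += New-Finding 'Autologon (Winlogon)' $autoVal ($auto -eq '1' -or $null -ne $defPw) 'autologon enabled or password stored in registry'
    # 8.3 names: 1 = creation disabled on all volumes (0 = enabled,
    # 2 = per-volume setting, 3 = disabled except on the system volume).
    $short = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' 'NtfsDisable8dot3NameCreation'
    $findings += New-Finding '8.3 short name creation' $short ($short -ne 1) 'short names still created on some or all volumes'
    return $findings
}

Test-RegistryHardening | Format-Table -AutoSize
```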