Computer Security
Windows Registry
Eng. Mahmoud Al-Hoby 1
Windows Registry
• The Windows registry stores configuration data for the Windows OS and for
the programs that run on it.
• It is represented as a hierarchical database of
• Computer system settings
• Hardware configurations
• User preferences.
Windows Registry
• The registry is divided into five top-level sections called root keys.
They are written as HKEY_... and are informally also called hives, although
strictly a hive is a file-backed subtree (HKLM\SOFTWARE, HKLM\SYSTEM, a user's
NTUSER.DAT) rather than a root key.
• Each root key contains a collection of sub-keys, similar to subfolders within
a folder. Any sub-key can also contain other sub-keys.
• A value entry is an ordered pair consisting of a name and its data.
• The data is what is stored in the entry; it has a type (REG_SZ, REG_DWORD,
and so on) that tells readers how to interpret the bytes.
Registry Root-Keys
• HKEY_LOCAL_MACHINE: Stores settings that are global to the local machine.
• HKEY_CURRENT_USER: Stores settings specific to the currently logged-on user.
• HKEY_CLASSES_ROOT: Stores file-type associations and COM class registrations
(a merged view of HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes).
• HKEY_CURRENT_CONFIG: Stores settings about the current hardware profile,
specifically the differences between the current and the standard configuration.
• HKEY_USERS: Stores the settings of every loaded user profile, including the
default profile used for new users and the profiles of the currently logged-on
users.
Registry Root-Keys
• The two most commonly used root keys are:
• HKEY_LOCAL_MACHINE, commonly known as HKLM
• HKEY_CURRENT_USER, commonly known as HKCU
• Some root keys are actually virtual keys (links) that provide a way to
reference registry information stored elsewhere.
• HKEY_CURRENT_USER is a link to HKEY_USERS\<SID>, where SID is the security
identifier of the user currently logged on; a change made under either path is
visible under the other.
• The Registry Editor (Regedit), shown previously, is a built-in Windows tool
that can be used to view and edit the registry.
[Figure: Regedit screenshot annotated with Root-Keys, Keys, and Sub-Keys (left pane) and Values (Name, Data) and Value Type (right pane)]
Programs that Run Automatically
• A special key in the registry lists the applications that run automatically
when a user logs on to Windows.
• While not a very stealthy technique, it is often used by malware to launch
itself automatically, so it is one of the first places to check during triage.
• The machine-wide key is located at:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• A per-user counterpart exists under HKCU at the same sub-path. Writing to it
does not require administrator rights, which is why malware running as a
standard user prefers it.
Registry Storage
• Registry hives are stored as files on disk. Windows opens these files
exclusively when it loads the hives and keeps them open while it is running.
• The hive files therefore cannot be copied, viewed or edited with ordinary
file tools while Windows is running. For offline analysis, export a copy with
reg.exe save, or read the files from a Volume Shadow Copy or an offline disk
image.
• The complete list of hive files is available in the registry itself, under a
special key called hivelist:
HKLM\SYSTEM\CurrentControlSet\Control\hivelist
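The check a practitioner wants at this point, written here as an added PowerShell example (it is not part of the original slides): read the hivelist key to see which hive maps to which file, confirm that a plain copy of a backing file fails while Windows runs, and export the hive with reg.exe save instead. It assumes an elevated prompt (reg.exe save needs backup privilege) and uses $env:TEMP as the export destination; the destination path is an assumption.

```powershell
# Added example, not from the original slides. Run from an elevated PowerShell.

function Get-RegistryHiveFile {
    # Under hivelist each value name is the kernel path of a hive
    # (\REGISTRY\MACHINE\SYSTEM, \REGISTRY\USER\<SID>, ...) and its data is the
    # NT device path of the backing file. Empty data means the hive is volatile,
    # i.e. built in memory at boot (for example \REGISTRY\MACHINE\HARDWARE).
    $item = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -notlike '\REGISTRY\*') { continue }   # skip PSPath etc.
        [pscustomobject]@{
            Hive     = $prop.Name
            File     = $prop.Value
            Volatile = [string]::IsNullOrEmpty($prop.Value)
        }
    }
}

function Export-RegistryHive {
    # Exports a live hive subtree in hive format for offline tools. reg.exe save
    # goes through the Configuration Manager, so the file lock does not matter.
    param(
        [Parameter(Mandatory)] [string] $Key,          # e.g. 'HKLM\SYSTEM'
        [Parameter(Mandatory)] [string] $Destination   # e.g. 'C:\triage\SYSTEM.hiv'
    )
    & reg.exe save $Key $Destination /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg.exe save failed for $Key (exit code $LASTEXITCODE)"
    }
    Get-Item -Path $Destination
}

# Usage
Get-RegistryHiveFile | Format-Table -AutoSize

# A direct copy of the backing file fails while the hive is loaded ...
try {
    Copy-Item "$env:SystemRoot\System32\config\SYSTEM" "$env:TEMP\SYSTEM.copy" -ErrorAction Stop
} catch {
    "Copy-Item failed as expected: $($_.Exception.Message)"
}
# ... whereas the export succeeds.
Export-RegistryHive -Key 'HKLM\SYSTEM' -Destination "$env:TEMP\SYSTEM.hiv"
```

The exported file is a real hive and can be loaded read-only on another machine with reg.exe load or parsed with offline registry tools; the Volatile column tells you which hives have no file to export.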
Common Registry Functions
• RegCreateKeyEx: Creates the specified registry key. If the key already
exists, the function opens it instead.
• RegOpenKeyEx: Opens a registry key for querying and editing, with the access
rights requested in samDesired. There are functions that let you query and
edit a key without opening it first (for example RegGetValue with a sub-key
path), but most programs use RegOpenKeyEx anyway.
• RegSetValueEx: Adds a new value under an open key (or overwrites an existing
one) and sets its type and data.
• RegGetValue: Returns the type and data of a value entry in the registry.
• RegCloseKey: Closes a handle returned by RegOpenKeyEx or RegCreateKeyEx.
• All of these return ERROR_SUCCESS (0) on success and a Win32 error code such
as ERROR_ACCESS_DENIED (5) on failure, which the caller must check.
Registry Data-Types
Data-Type          Constant        Description                                                          Value Indicator
String             REG_SZ          A null-terminated string                                             1
Expandable String  REG_EXPAND_SZ   Null-terminated string containing unexpanded references to           2
                                   environment variables (for example "%PATH%")
Binary             REG_BINARY      Raw binary data                                                      3
DWORD              REG_DWORD       32-bit number                                                        4
Multi-String       REG_MULTI_SZ    Array of null-terminated strings, terminated by two null characters  7
QWORD              REG_QWORD       64-bit number                                                        11
The value indicator is the number passed as dwType to RegSetValueEx and
returned by RegGetValue.
Root-Keys Constants
Root-Key              Constant in C# (Api)        Hex
HKEY_CLASSES_ROOT     new IntPtr(2147483648)      0x80000000
HKEY_CURRENT_USER     new IntPtr(2147483649)      0x80000001
HKEY_LOCAL_MACHINE    new IntPtr(2147483650)      0x80000002
HKEY_USERS            new IntPtr(2147483651)      0x80000003
HKEY_CURRENT_CONFIG   new IntPtr(2147483653)      0x80000005
HKEY_DYN_DATA         new IntPtr(2147483654)      0x80000006
(0x80000004 is HKEY_PERFORMANCE_DATA, omitted above; HKEY_DYN_DATA exists
only on Windows 9x.)
Note: winreg.h defines these handles as (ULONG_PTR)(LONG)0x8000000N, i.e.
sign-extended in a 64-bit process. new IntPtr(unchecked((int)0x80000002))
reproduces the header's value in both 32- and 64-bit processes, whereas the
decimal literals above select the IntPtr(long) constructor, which throws
OverflowException in a 32-bit process.
Source:
[Link]
Security Access Rights
Access Type                 Value
KEY_QUERY_VALUE             0x0001
KEY_SET_VALUE               0x0002
KEY_CREATE_SUB_KEY          0x0004
KEY_ENUMERATE_SUB_KEYS      0x0008
KEY_NOTIFY                  0x0010
KEY_READ (= KEY_EXECUTE)    0x20019
KEY_WRITE                   0x20006
KEY_ALL_ACCESS              0xF003F
These are the values passed as samDesired to RegOpenKeyEx. Request only the
rights you need: opening an HKLM key with KEY_ALL_ACCESS fails with
ERROR_ACCESS_DENIED from a non-elevated process, while KEY_READ succeeds, and
a process that only sets one value needs no more than KEY_SET_VALUE.
Source:
[Link]
Malware and Windows Registry
• It is common for malware to access the Windows registry.
• Malware can use the registry to:
• Store configuration information,
• Gather information about the system,
• Install itself persistently.
Common Registry Keys
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• Contains the values for applications that start automatically when a user
logs on to Windows (the HKCU key of the same name does the same for one user).
• Structure of each value:
• Name: application name (identifier)
• Type: REG_SZ
• Data: complete path to the executable, optionally followed by arguments
Common Registry Keys
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
• Contains a special value called "AppInit_DLLs". Any DLL listed in the data
of this value is loaded into every process that loads User32.dll.
• Type: REG_SZ
• Data: space- or comma-delimited string of DLL paths
• Loading is gated by the LoadAppInit_DLLs value (REG_DWORD, must be 1) in the
same key, and on Windows 8 and later it is disabled entirely when Secure Boot
is enabled; 32-bit processes read the WOW6432Node copy of the key instead.
Common Registry Keys
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
• Contains values that instruct Windows to load certain programs when a logon
event occurs. Malware can modify them to override the default system behaviour.
• Example (run an extra program when a user logs on):
• Name: Userinit
• Type: REG_SZ
• Data: comma-delimited list of executables run after user logon. The default
is C:\Windows\system32\userinit.exe, (with the trailing comma), so anything
appended after it is suspicious.
• The Shell value in the same key (default explorer.exe) is abused the same way.
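The detection side of the three keys above, as an added PowerShell triage script (it is not part of the original slides): it lists every Run/RunOnce entry for HKLM, the WOW6432Node view and the current user's HKCU, flags entries whose executable is unsigned or lives in a user-writable directory, and reports a Userinit, Shell or AppInit_DLLs value that differs from the defaults. The key list, the "user-writable directory" heuristic and the output layout are this example's own assumptions, not a complete autorun inventory; other users' HKCU hives are only visible under HKU and are not covered.

```powershell
# Added example, not from the original slides. Read-only; safe to run as a
# standard user (HKLM entries are readable, only the HKLM writes need elevation).

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$AppInit  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$PsMeta   = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExecutablePath {
    # Extracts the program path from a Run value such as
    #   "C:\Program Files\App\app.exe" --tray    or    C:\Tools\x.exe /q
    param([string] $CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: accumulate tokens until one ends in an executable extension
    $parts = $cmd -split ' '
    for ($i = 0; $i -lt $parts.Count; $i++) {
        $candidate = ($parts[0..$i] -join ' ')
        if ($candidate -match '\.(exe|dll|cmd|bat|vbs|js|ps1|scr)$') { return $candidate }
    }
    return $parts[0]
}

function Test-UserWritablePath {
    # Dropped malware usually lives where a standard user can write (assumed list).
    param([string] $Path)
    $lower = $Path.ToLowerInvariant()
    $dirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC,
              "$env:SystemDrive\ProgramData", "$env:SystemDrive\Users")
    foreach ($dir in $dirs) {
        if ($dir -and $lower.StartsWith($dir.ToLowerInvariant())) { return $true }
    }
    return $false
}

function Get-AutorunFinding {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $PsMeta) { continue }
            $exe = Get-ExecutablePath -CommandLine ([string]$p.Value)
            $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
                (Get-AuthenticodeSignature -FilePath $exe).Status
            } else { 'FileMissing' }
            $flags = @()
            if ($sig -ne 'Valid') { $flags += "signature:$sig" }
            if (Test-UserWritablePath $exe) { $flags += 'user-writable-path' }
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value
                               Executable = $exe; Flags = ($flags -join ',') }
        }
    }
    # Winlogon: the defaults are "<SystemRoot>\system32\userinit.exe," and "explorer.exe"
    $wl = Get-ItemProperty -Path $Winlogon
    $userinit = ([string]$wl.Userinit -replace ',\s*$', '').Trim()
    if ($userinit -ine "$env:SystemRoot\system32\userinit.exe") {
        [pscustomobject]@{ Location = $Winlogon; Name = 'Userinit'; Command = $wl.Userinit
                           Executable = ''; Flags = 'non-default-userinit' }
    }
    if ($wl.Shell -and ([string]$wl.Shell).Trim() -ine 'explorer.exe') {
        [pscustomobject]@{ Location = $Winlogon; Name = 'Shell'; Command = $wl.Shell
                           Executable = ''; Flags = 'non-default-shell' }
    }
    # AppInit_DLLs only takes effect when LoadAppInit_DLLs is 1, but any listed DLL is worth a look
    $ai = Get-ItemProperty -Path $AppInit
    if ($ai.AppInit_DLLs) {
        $enabled = ($ai.LoadAppInit_DLLs -eq 1)
        [pscustomobject]@{ Location = $AppInit; Name = 'AppInit_DLLs'; Command = $ai.AppInit_DLLs
                           Executable = ''; Flags = "appinit-dlls(enabled=$enabled)" }
    }
}

# Usage: everything first, then only the rows that were flagged
Get-AutorunFinding | Format-Table -AutoSize
Get-AutorunFinding | Where-Object { $_.Flags } | Format-List
```

A signature status other than Valid is not proof of malware (plenty of legitimate tools ship unsigned), but combined with a user-writable path or a non-default Winlogon value it is the combination analysts triage first; compare the output against a known-good baseline of the same machine image rather than reading it in isolation.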
Practice
Adding a new Value to Auto-Runs in Registry
(Example 1 Using Windows Api)
Example (adding a Program to Startup)
Step (1) – Defining Api Functions
// Requires: using System; using System.Runtime.InteropServices; declared inside a class.
// The registry functions live in advapi32.dll. LONG results and DWORD parameters
// are 32-bit, so they are declared as int/uint: a C# long is 64 bits and would
// misalign the argument stack in a 32-bit process.
[DllImport("advapi32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern int RegOpenKeyEx
(IntPtr hKey, string lpSubKey, uint ulOptions, uint samDesired, out IntPtr phkResult);
[DllImport("advapi32.dll", CharSet = CharSet.Ansi)]
public static extern int RegSetValueEx
(IntPtr hKey, string lpValueName, uint Reserved, uint dwType, string lpData, uint cbData);
[DllImport("advapi32.dll")]
public static extern int RegCloseKey
(IntPtr hKey);
Example (adding a Program to Startup)
Step (2) – Opening the Auto-Run Key with RegOpenKeyEx
// HKEY_LOCAL_MACHINE, spelled so that it is sign-extended exactly as winreg.h defines it
IntPtr hKey = new IntPtr(unchecked((int)0x80000002));
string lpSubKey = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
uint ulOptions = 0;
// KEY_SET_VALUE is all this program needs. Requesting KEY_ALL_ACCESS (0xF003F)
// on an HKLM key fails with ERROR_ACCESS_DENIED unless the process is elevated.
uint samDesired = 0x0002;
IntPtr keyHandle;
int openResult = RegOpenKeyEx(hKey, lpSubKey, ulOptions, samDesired, out keyHandle);
if (openResult != 0) // 0 == ERROR_SUCCESS
    throw new System.ComponentModel.Win32Exception(openResult);
Example (adding a Program to Startup)
Step (3) – Setting the Value and Closing the Key
string value = "MyProgramY";
uint dwType = 1; // REG_SZ
string data = @"D:\[Link] (Added using Windows Api)";
// cbData is a byte count that includes the terminating null. With CharSet.Ansi
// one char is one byte; with CharSet.Unicode it would be (data.Length + 1) * 2.
uint cbData = (uint)(data.Length + 1);
int setResult = RegSetValueEx(keyHandle, value, 0, dwType, data, cbData);
RegCloseKey(keyHandle);
if (setResult != 0)
    throw new System.ComponentModel.Win32Exception(setResult);
Complete Code will be uploaded to Moodle
Practice
Adding a new Value to Auto-Runs in Registry
(Example 2 Using .NET Framework)
// Requires: using System; using Microsoft.Win32;
string subkey = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
string value = "MyProgramY";
string data = @"Y:\[Link] (Added by .NET code)";
bool writable = true;
// Opening an HKLM key writable needs administrator rights: OpenSubKey throws
// SecurityException when access is denied and returns null if the key is missing.
RegistryKey key = Registry.LocalMachine.OpenSubKey(subkey, writable);
if (key == null)
    throw new InvalidOperationException("Run key not found");
key.SetValue(value, data, RegistryValueKind.String);
key.Close();
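The same auto-run write with the checks a practitioner would add, as an added PowerShell example that is not part of the original slides: it opens the Run key with only the access right the operation needs (SetValue or QueryValues rather than the full-control default), targets the per-user HKCU key so no elevation is required, reads the entry back to verify it, and removes it again so a lab machine is not left with a live persistence entry. The value name and command line are placeholders chosen for this example, and the HKLM call at the end is there to show the access-denied failure from a non-elevated prompt.

```powershell
# Added example, not from the original slides. Uses the .NET registry classes
# directly so the access mask is explicit, like samDesired in RegOpenKeyEx.

$RunSubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Open-RunKey {
    # Opens the Run key of the chosen hive with exactly the rights requested.
    # Asking only for what is needed is what lets HKCU work for a standard user
    # and makes an HKLM attempt fail cleanly instead of handing out a
    # full-control handle that the program never needed.
    param(
        [ValidateSet('CurrentUser', 'LocalMachine')] [string] $Hive = 'CurrentUser',
        [System.Security.AccessControl.RegistryRights] $Rights =
            [System.Security.AccessControl.RegistryRights]::SetValue
    )
    $root = if ($Hive -eq 'LocalMachine') { [Microsoft.Win32.Registry]::LocalMachine }
            else                          { [Microsoft.Win32.Registry]::CurrentUser }
    $key = $root.OpenSubKey($RunSubKey,
                            [Microsoft.Win32.RegistryKeyPermissionCheck]::Default,
                            $Rights)
    if ($null -eq $key) { throw "Run key not found under $Hive" }
    return $key
}

function Add-RunEntry {
    param([string] $Name, [string] $Command, [string] $Hive = 'CurrentUser')
    try {
        $key = Open-RunKey -Hive $Hive -Rights ([System.Security.AccessControl.RegistryRights]::SetValue)
        try   { $key.SetValue($Name, $Command, [Microsoft.Win32.RegistryValueKind]::String) }  # REG_SZ
        finally { $key.Close() }
    }
    catch [System.Security.SecurityException] {
        throw "Access denied writing $Hive\$RunSubKey; HKLM writes need an elevated process"
    }
}

function Get-RunEntry {
    param([string] $Name, [string] $Hive = 'CurrentUser')
    $key = Open-RunKey -Hive $Hive -Rights ([System.Security.AccessControl.RegistryRights]::QueryValues)
    try { return $key.GetValue($Name, $null) } finally { $key.Close() }
}

function Remove-RunEntry {
    # Deleting a value needs KEY_SET_VALUE as well, so the same minimal right is enough.
    param([string] $Name, [string] $Hive = 'CurrentUser')
    $key = Open-RunKey -Hive $Hive -Rights ([System.Security.AccessControl.RegistryRights]::SetValue)
    try { $key.DeleteValue($Name, $false) } finally { $key.Close() }
}

# Usage (placeholder name and command line)
Add-RunEntry -Name 'MyProgramY' -Command '"C:\Tools\myprogram.exe" --quiet'
Get-RunEntry -Name 'MyProgramY'        # the command string just written
Remove-RunEntry -Name 'MyProgramY'
Get-RunEntry -Name 'MyProgramY'        # $null again

# The same write against HKLM from a non-elevated prompt fails with access denied:
try { Add-RunEntry -Name 'MyProgramY' -Command 'C:\Tools\myprogram.exe' -Hive LocalMachine }
catch { $_.Exception.Message }
```

The difference from the slide's version is only the access mask and the hive, but that is exactly what separates a write that works for every user from one that silently fails (or, in malware, that forces the author to escalate first); the read-back and removal are the habits that keep a registry lab from turning into an accidental persistence entry.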