Windows

Notes

Registry

The Windows Registry is a collection of databases that contains the system's configuration data.
A Registry Hive is a group of Keys, subkeys, and values stored in a single file on the disk.
The registry on any Windows system contains the following five root keys:
- HKEY_CURRENT_USER: Contains the root of the configuration information for the user who is currently logged on.
- HKEY_USERS: Contains all the actively loaded user profiles on the computer.
- HKEY_LOCAL_MACHINE: Contains configuration information particular to the computer (for any user).
- HKEY_CLASSES_ROOT: The information that is stored here makes sure that the correct program opens when you open a file by using Windows Explorer.
- HKEY_CURRENT_CONFIG: Contains information about the hardware profile that is used by the local computer at system startup.
The majority of the hives are located in the C:\Windows\System32\Config directory and are:
- DEFAULT (mounted on HKEY_USERS\DEFAULT)
- SAM (mounted on HKEY_LOCAL_MACHINE\SAM)
- SECURITY (mounted on HKEY_LOCAL_MACHINE\Security)
- SOFTWARE (mounted on HKEY_LOCAL_MACHINE\Software)
- SYSTEM (mounted on HKEY_LOCAL_MACHINE\System)
The other hives that contain user information are located in:
- C:\Users<username>\NTUSER.DAT (mounted on HKEY_CURRENT_USER when a user logs in)
- C:\Users<username>\AppData\Local\Microsoft\Windows\USRCLASS.DAT (mounted on HKEY_CURRENT_USER\Software\CLASSES)
Another very important hive is called the AmCache hive, which is located in C:\Windows\AppCompat\Programs\Amcache.hve and contains information on programs that were recently run on the system.
The transaction logs can be considered as the journal of the changelog of the registry hive, which means that the transaction logs can often have the latest changes in the registry that haven't made their way to the registry hives themselves. The transaction log for each hive is stored as a .LOG file in the same directory as the hive itself. It has the same name as the registry hive, but the extension is .LOG.
Registry backups are the opposite of Transaction logs. These are the backups of the registry hives located in the C:\Windows\System32\Config directory. These hives are copied to the C:\Windows\System32\Config\RegBack directory every ten days.

Useful registry keys

NTUSER.DAT\Software\Microsoft\Office\VERSION - Office recent files
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs - Recent files
SAM\Domains\Account\Users - Users
SOFTWARE\Microsoft\Windows\CurrentVersion\Run - Autoruns
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce - Autoruns
SOFTWARE\Microsoft\Windows NT\CurrentVersion - OS version
SOFTWARE\Microsoft\Windows Portable Devices\Devices - USB device volume names
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName - Computer name
SYSTEM\CurrentControlSet\Enum\USB - USB devices information
SYSTEM\CurrentControlSet\Enum\USBSTOR - USB devices information
SYSTEM\CurrentControlSet\Control\TimeZoneInformation - Time zone information
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces - Network interfaces

Resources

Articles

GitHub Repositories

Tools

TryHackMe Rooms

Websites

Windows Virtual Machines

PreviousWeb NextSelf Improvement

Last updated 2 months ago

Was this helpful?

Windows

Notes

Registry

The Windows Registry is a collection of databases that contains the system's configuration data.
A Registry Hive is a group of Keys, subkeys, and values stored in a single file on the disk.
The registry on any Windows system contains the following five root keys:
- HKEY_CURRENT_USER: Contains the root of the configuration information for the user who is currently logged on.
- HKEY_USERS: Contains all the actively loaded user profiles on the computer.
- HKEY_LOCAL_MACHINE: Contains configuration information particular to the computer (for any user).
- HKEY_CLASSES_ROOT: The information that is stored here makes sure that the correct program opens when you open a file by using Windows Explorer.
- HKEY_CURRENT_CONFIG: Contains information about the hardware profile that is used by the local computer at system startup.
The majority of the hives are located in the C:\Windows\System32\Config directory and are:
- DEFAULT (mounted on HKEY_USERS\DEFAULT)
- SAM (mounted on HKEY_LOCAL_MACHINE\SAM)
- SECURITY (mounted on HKEY_LOCAL_MACHINE\Security)
- SOFTWARE (mounted on HKEY_LOCAL_MACHINE\Software)
- SYSTEM (mounted on HKEY_LOCAL_MACHINE\System)
The other hives that contain user information are located in:
- C:\Users<username>\NTUSER.DAT (mounted on HKEY_CURRENT_USER when a user logs in)
- C:\Users<username>\AppData\Local\Microsoft\Windows\USRCLASS.DAT (mounted on HKEY_CURRENT_USER\Software\CLASSES)
Another very important hive is called the AmCache hive, which is located in C:\Windows\AppCompat\Programs\Amcache.hve and contains information on programs that were recently run on the system.
The transaction logs can be considered as the journal of the changelog of the registry hive, which means that the transaction logs can often have the latest changes in the registry that haven't made their way to the registry hives themselves. The transaction log for each hive is stored as a .LOG file in the same directory as the hive itself. It has the same name as the registry hive, but the extension is .LOG.
Registry backups are the opposite of Transaction logs. These are the backups of the registry hives located in the C:\Windows\System32\Config directory. These hives are copied to the C:\Windows\System32\Config\RegBack directory every ten days.

Useful registry keys

NTUSER.DAT\Software\Microsoft\Office\VERSION - Office recent files
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs - Recent files
SAM\Domains\Account\Users - Users
SOFTWARE\Microsoft\Windows\CurrentVersion\Run - Autoruns
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce - Autoruns
SOFTWARE\Microsoft\Windows NT\CurrentVersion - OS version
SOFTWARE\Microsoft\Windows Portable Devices\Devices - USB device volume names
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName - Computer name
SYSTEM\CurrentControlSet\Enum\USB - USB devices information
SYSTEM\CurrentControlSet\Enum\USBSTOR - USB devices information
SYSTEM\CurrentControlSet\Control\TimeZoneInformation - Time zone information
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces - Network interfaces

Resources

Articles

- 0xdf
- Adam Toscher
- Active Directory Security
- Ruben Boonen, Fuzzy Security

GitHub Repositories

- Powershell tool to automate Active Directory enumeration
- Six Degrees of Domain Admin
- password recovery tool for Microsoft Operating Systems
- tool for enumerating data from Windows and Samba hosts
- A next generation version of enum4linux
- The ultimate WinRM shell for hacking/pentesting
- Just Another Windows (Enum) Script
- Another Windows Local Privilege Escalation from Service Account to System
- tool to perform Kerberos pre-auth bruteforcing
- A little tool to play with Windows security
- The swiss army knife of LSASS dumping
- Windows batch script that finds misconfiguration issues which can lead to privilege escalation
- Mimikatz implementation in pure Python
- Defeating Windows User Account Control
- Windows Privilege Escalation Techniques and Scripts

Tools

- Eric Zimmerman

TryHackMe Rooms

Websites

- Curated list of every binary, script, and library that can be used for Living Off The Land techniques
- Curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks
Windows Virtual Machines

PreviousWeb NextSelf Improvement

Last updated 2 months ago

Was this helpful?