Windows

Notes

Registry

The Windows Registry is a collection of databases that contains the system's configuration data.
A Registry Hive is a group of Keys, subkeys, and values stored in a single file on the disk.
The registry on any Windows system contains the following five root keys:
- HKEY_CURRENT_USER: Contains the root of the configuration information for the user who is currently logged on.
- HKEY_USERS: Contains all the actively loaded user profiles on the computer.
- HKEY_LOCAL_MACHINE: Contains configuration information particular to the computer (for any user).
- HKEY_CLASSES_ROOT: The information that is stored here makes sure that the correct program opens when you open a file by using Windows Explorer.
- HKEY_CURRENT_CONFIG: Contains information about the hardware profile that is used by the local computer at system startup.
The majority of the hives are located in the C:\Windows\System32\Config directory and are:
- DEFAULT (mounted on HKEY_USERS\DEFAULT)
- SAM (mounted on HKEY_LOCAL_MACHINE\SAM)
- SECURITY (mounted on HKEY_LOCAL_MACHINE\Security)
- SOFTWARE (mounted on HKEY_LOCAL_MACHINE\Software)
- SYSTEM (mounted on HKEY_LOCAL_MACHINE\System)
The other hives that contain user information are located in:
- C:\Users<username>\NTUSER.DAT (mounted on HKEY_CURRENT_USER when a user logs in)
- C:\Users<username>\AppData\Local\Microsoft\Windows\USRCLASS.DAT (mounted on HKEY_CURRENT_USER\Software\CLASSES)
Another very important hive is called the AmCache hive, which is located in C:\Windows\AppCompat\Programs\Amcache.hve and contains information on programs that were recently run on the system.
The transaction logs can be considered as the journal of the changelog of the registry hive, which means that the transaction logs can often have the latest changes in the registry that haven't made their way to the registry hives themselves. The transaction log for each hive is stored as a .LOG file in the same directory as the hive itself. It has the same name as the registry hive, but the extension is .LOG.
Registry backups are the opposite of Transaction logs. These are the backups of the registry hives located in the C:\Windows\System32\Config directory. These hives are copied to the C:\Windows\System32\Config\RegBack directory every ten days.

Useful registry keys

NTUSER.DAT\Software\Microsoft\Office\VERSION - Office recent files
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs - Recent files
SAM\Domains\Account\Users - Users
SOFTWARE\Microsoft\Windows\CurrentVersion\Run - Autoruns
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce - Autoruns
SOFTWARE\Microsoft\Windows NT\CurrentVersion - OS version
SOFTWARE\Microsoft\Windows Portable Devices\Devices - USB device volume names
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName - Computer name
SYSTEM\CurrentControlSet\Enum\USB - USB devices information
SYSTEM\CurrentControlSet\Enum\USBSTOR - USB devices information
SYSTEM\CurrentControlSet\Control\TimeZoneInformation - Time zone information
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces - Network interfaces

Resources

Articles

Playing with PrintNightmare - 0xdf
Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher
Unofficial Guide to Mimikatz & Command Reference - Active Directory Security
Windows Privilege Escalation Fundamentals - Ruben Boonen, Fuzzy Security

GitHub Repositories

adPEAS - Powershell tool to automate Active Directory enumeration
BloodHound - Six Degrees of Domain Admin
Cain & Abel - password recovery tool for Microsoft Operating Systems
enum4Linux - tool for enumerating data from Windows and Samba hosts
enum4linux-ng - A next generation version of enum4linux
Evil-WinRM - The ultimate WinRM shell for hacking/pentesting
JAWS - Just Another Windows (Enum) Script
JuicyPotatoNG - Another Windows Local Privilege Escalation from Service Account to System
kerbrute - tool to perform Kerberos pre-auth bruteforcing
mimikatz - A little tool to play with Windows security
NanoDump - The swiss army knife of LSASS dumping
Privesc - Windows batch script that finds misconfiguration issues which can lead to privilege escalation
pypykatz - Mimikatz implementation in pure Python
RegRipper3.0
UACMe - Defeating Windows User Account Control
Windows-Exploit-Suggester
Windows-Privilege-Escalation - Windows Privilege Escalation Techniques and Scripts
Windows Exploit Suggester - Next Generation
Windows Exploits

Tools

Registry Explorer - Eric Zimmerman

TryHackMe Rooms

Websites

Active Directory Security
LOLBAS - Curated list of every binary, script, and library that can be used for Living Off The Land techniques
LOLDrivers - Curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks
Windows Virtual Machines

PreviousWeb NextSelf Improvement

Last updated 18 days ago

Was this helpful?

Notes

Registry

The Windows Registry is a collection of databases that contains the system's configuration data.

A Registry Hive is a group of Keys, subkeys, and values stored in a single file on the disk.

The registry on any Windows system contains the following five root keys:

HKEY_CURRENT_USER: Contains the root of the configuration information for the user who is currently logged on.
HKEY_USERS: Contains all the actively loaded user profiles on the computer.
HKEY_LOCAL_MACHINE: Contains configuration information particular to the computer (for any user).
HKEY_CLASSES_ROOT: The information that is stored here makes sure that the correct program opens when you open a file by using Windows Explorer.
HKEY_CURRENT_CONFIG: Contains information about the hardware profile that is used by the local computer at system startup.

The majority of the hives are located in the C:\Windows\System32\Config directory and are:

DEFAULT (mounted on HKEY_USERS\DEFAULT)
SAM (mounted on HKEY_LOCAL_MACHINE\SAM)
SECURITY (mounted on HKEY_LOCAL_MACHINE\Security)
SOFTWARE (mounted on HKEY_LOCAL_MACHINE\Software)
SYSTEM (mounted on HKEY_LOCAL_MACHINE\System)

The other hives that contain user information are located in:

C:\Users<username>\NTUSER.DAT (mounted on HKEY_CURRENT_USER when a user logs in)
C:\Users<username>\AppData\Local\Microsoft\Windows\USRCLASS.DAT (mounted on HKEY_CURRENT_USER\Software\CLASSES)

Another very important hive is called the AmCache hive, which is located in C:\Windows\AppCompat\Programs\Amcache.hve and contains information on programs that were recently run on the system.

The transaction logs can be considered as the journal of the changelog of the registry hive, which means that the transaction logs can often have the latest changes in the registry that haven't made their way to the registry hives themselves. The transaction log for each hive is stored as a .LOG file in the same directory as the hive itself. It has the same name as the registry hive, but the extension is .LOG.

Registry backups are the opposite of Transaction logs. These are the backups of the registry hives located in the C:\Windows\System32\Config directory. These hives are copied to the C:\Windows\System32\Config\RegBack directory every ten days.

Useful registry keys

NTUSER.DAT\Software\Microsoft\Office\VERSION - Office recent files

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs - Recent files

SAM\Domains\Account\Users - Users

SOFTWARE\Microsoft\Windows\CurrentVersion\Run - Autoruns

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce - Autoruns

SOFTWARE\Microsoft\Windows NT\CurrentVersion - OS version

SOFTWARE\Microsoft\Windows Portable Devices\Devices - USB device volume names

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName - Computer name

SYSTEM\CurrentControlSet\Enum\USB - USB devices information

SYSTEM\CurrentControlSet\Enum\USBSTOR - USB devices information

SYSTEM\CurrentControlSet\Control\TimeZoneInformation - Time zone information

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces - Network interfaces

Resources

Articles

GitHub Repositories

adPEAS - Powershell tool to automate Active Directory enumeration

BloodHound - Six Degrees of Domain Admin

Cain & Abel - password recovery tool for Microsoft Operating Systems

enum4Linux - tool for enumerating data from Windows and Samba hosts

enum4linux-ng - A next generation version of enum4linux

Evil-WinRM - The ultimate WinRM shell for hacking/pentesting

JAWS - Just Another Windows (Enum) Script

JuicyPotatoNG - Another Windows Local Privilege Escalation from Service Account to System

kerbrute - tool to perform Kerberos pre-auth bruteforcing

mimikatz - A little tool to play with Windows security

NanoDump - The swiss army knife of LSASS dumping

Privesc - Windows batch script that finds misconfiguration issues which can lead to privilege escalation

pypykatz - Mimikatz implementation in pure Python

RegRipper3.0

UACMe - Defeating Windows User Account Control

Windows-Exploit-Suggester

Windows-Privilege-Escalation - Windows Privilege Escalation Techniques and Scripts

Windows Exploit Suggester - Next Generation

Windows Exploits

Tools

TryHackMe Rooms

Websites

Active Directory Security

LOLBAS - Curated list of every binary, script, and library that can be used for Living Off The Land techniques

LOLDrivers - Curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks

Windows Virtual Machines