Computer Security: Windows Registry

The document discusses the Windows Registry, which stores configuration settings and options for Windows and programs. It notes that the Registry is organized hierarchically with root keys and subkeys that can contain value entries with a name and data. Common root keys and functions for accessing and modifying the Registry are described. The document also explains how malware can abuse the Registry to persist on systems or gather information.

Computer Security

Windows Registry

Eng. Mahmoud Al-Hoby 1


Windows Registry
• The Windows registry stores configuration settings for the Windows OS and for the programs that run on it.

• It is organized as a hierarchical database of:

  • computer system settings
  • hardware configurations
  • user preferences

Windows Registry
• The registry is divided into five top-level sections called root keys (also written HKEY_...).
  They are often loosely called hives, although strictly a hive is the on-disk file that backs part of
  the tree (see Registry Storage below); a root key such as HKLM spans several hives.

• Each root key contains a collection of sub-keys, comparable to subfolders within a folder.
  Any sub-key can in turn contain further sub-keys.

• A value entry is stored under a key and consists of a name, a data type, and the data itself.

• The data is what is actually stored in the entry (a string, a number, raw bytes, ...); how it is
  interpreted depends on the recorded type (see Registry Data-Types below).


Registry Root-Keys
• HKEY_LOCAL_MACHINE: Stores settings that are global to the local machine.

• HKEY_CURRENT_USER: Stores settings specific to the currently logged-on user.

• HKEY_CLASSES_ROOT: Stores file-type associations and COM class registrations (which program
  handles which extension, and how objects are instantiated).

• HKEY_CURRENT_CONFIG: Stores settings about the current hardware profile, specifically the
  differences between the current and the standard configuration.

• HKEY_USERS: Holds the per-user settings of every loaded user profile, including the default profile
  used for new users and the profiles of the currently logged-on users.


Registry Root-Keys
[Slide 5: screenshot of the Registry Editor showing the five root keys]

• The two most commonly used root keys are:
  • HKEY_LOCAL_MACHINE, commonly known as HKLM
  • HKEY_CURRENT_USER, commonly known as HKCU

• Some root keys are virtual: they are views onto data that really lives elsewhere in the registry.
  • HKEY_CURRENT_USER -> HKEY_USERS\<SID>, where SID is the security identifier of the user
    currently logged on.
  • HKEY_CURRENT_CONFIG -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current.
  • HKEY_CLASSES_ROOT is a merged view of HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes; when both
    define the same key the per-user entry wins, which is why a standard user can redirect a file
    association or COM class for its own processes without administrative rights.

• The Registry Editor (regedit.exe), shown previously, is a built-in Windows tool that can be used
  to view and edit the registry.

[Slide 7: annotated Registry Editor screenshot labelling the root keys, keys and sub-keys in the left
pane, and the values (name, type, data) in the right pane]

Programs that Run Automatically
• A special key in the registry lists the applications that run automatically when a user logs on.

• While not a very stealthy technique, it is often used by malware to launch itself automatically,
  because it survives reboots and needs only a single string value.

• The key is located at:

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run    (all users of the machine; writing requires administrative rights)
  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run    (the current user only; writable without elevation)

Registry Storage
• Registry hives are stored as files on disk (the machine hives under %SystemRoot%\System32\config;
  each user's hive is NTUSER.DAT in the profile folder). Windows opens these files exclusively when it
  loads them, so they stay locked for as long as the hive is loaded.

• The files can therefore not be opened, copied or edited through the normal file API while Windows
  is running. Consistent copies are still obtainable: reg.exe save exports a loaded hive, a Volume
  Shadow Copy snapshot contains the files, and an offline disk (or a forensic image) can be read from
  another system. Forensic tooling relies on exactly this: the hive files are what gets acquired and parsed.

• The complete list of loaded hives and their backing files is available in the registry itself,
  in a special key called hivelist:

  HKLM\SYSTEM\CurrentControlSet\Control\hivelist
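The hivelist key maps each loaded hive to its backing file. As an added example (not code from the slides), the following C# program reads that key, translates the NT device paths in its data to drive-letter paths with QueryDosDevice, and then tries to open each file, so the locking described above can be observed directly. The file locations, the value format and the error interpretation in the comments are the example's assumptions about a stock Windows installation.

```csharp
// Added example (not from the slides): list the loaded hives from the hivelist key, translate their
// NT device paths to drive-letter paths, and show that the backing files cannot be opened while
// Windows has the hive loaded.
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;
using Microsoft.Win32;

static class HiveFiles
{
    // kernel32!QueryDosDeviceW: "C:" -> "\Device\HarddiskVolume3" (first string of the result).
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern uint QueryDosDevice(string lpDeviceName, StringBuilder lpTargetPath, int ucchMax);

    // hivelist data is an NT object path such as \Device\HarddiskVolume3\Windows\System32\config\SOFTWARE.
    // Volatile hives (e.g. \REGISTRY\MACHINE\HARDWARE) have an empty path because no file backs them.
    public static string ToWin32Path(string ntPath)
    {
        if (string.IsNullOrEmpty(ntPath)) return "(volatile, no file)";
        foreach (DriveInfo d in DriveInfo.GetDrives())
        {
            string letter = d.Name.TrimEnd('\\');                    // "C:"
            var target = new StringBuilder(512);
            if (QueryDosDevice(letter, target, target.Capacity) == 0) continue;
            string dev = target.ToString();                         // "\Device\HarddiskVolume3"
            if (ntPath.StartsWith(dev + "\\", StringComparison.OrdinalIgnoreCase))
                return letter + ntPath.Substring(dev.Length);
        }
        return ntPath;                                              // volume without a drive letter
    }

    // Tries to open the hive file for reading. While the hive is loaded the kernel holds the file
    // open without sharing, so even FileShare.ReadWrite fails with a sharing violation (IOException).
    // Without administrative rights the ACL on System32\config denies access before that (assumed default ACL).
    public static string Probe(string path)
    {
        if (!path.Contains(":")) return "not a file path";
        try
        {
            using (new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
                return "opened (hive is not loaded)";
        }
        catch (IOException e) { return "locked: " + e.Message; }
        catch (UnauthorizedAccessException) { return "access denied (run elevated)"; }
    }

    static void Main()
    {
        using (RegistryKey hivelist = Registry.LocalMachine.OpenSubKey(
                   @"SYSTEM\CurrentControlSet\Control\hivelist"))
        {
            if (hivelist == null) { Console.WriteLine("hivelist key not found"); return; }
            foreach (string hive in hivelist.GetValueNames())
            {
                string path = ToWin32Path(hivelist.GetValue(hive) as string);
                Console.WriteLine("{0}\n    -> {1}\n    {2}", hive, path, Probe(path));
            }
        }
    }
}
```

Run it once as a standard user and once elevated: the first run reports access denied for the machine hives, the second the sharing violation, which is the behaviour the slide describes. Only hives that are not currently loaded (for example NTUSER.DAT of a logged-off user) open normally.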

Common Registry Functions
• RegCreateKeyEx: Creates the specified registry key. If the key already exists, the function opens
  it instead (the lpdwDisposition output tells the caller which of the two happened).

• RegOpenKeyEx: Opens an existing registry key for querying and editing, with the access rights
  requested in samDesired (see Security Access Rights below). There are functions that allow you to
  query and edit a value without opening its key first, but most programs use RegOpenKeyEx anyway.

• RegSetValueEx: Adds a new value to the opened key (or overwrites an existing one) and sets its
  type and data.

• RegGetValue: Returns the type and data of a value entry, and can restrict the accepted type so that
  a value of an unexpected type is rejected by the API rather than misread by the caller.

• RegCloseKey: Releases the handle obtained from RegCreateKeyEx or RegOpenKeyEx.

• All of these return an LSTATUS code: 0 (ERROR_SUCCESS) on success, otherwise a Win32 error such as
  2 (ERROR_FILE_NOT_FOUND) or 5 (ERROR_ACCESS_DENIED). Always check it; a failed open leaves the handle
  invalid and every later call on it fails as well.


Registry Data-Types

Data-Type          Constant        Description                                                          Value Indicator
String             REG_SZ          A null-terminated string                                              1
Expandable String  REG_EXPAND_SZ   Null-terminated string containing unexpanded references to            2
                                   environment variables (for example, "%PATH%")
Binary             REG_BINARY      Raw binary data                                                       3
DWORD              REG_DWORD       32-bit number (little-endian)                                         4
Multi-String       REG_MULTI_SZ    Array of null-terminated strings, terminated by two null characters   7
QWORD              REG_QWORD       64-bit number                                                         11

The "Value Indicator" is the numeric type passed as dwType to RegSetValueEx and returned in pdwType
by RegGetValue.
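The functions above and the type indicators in this table come together in RegGetValue, whose dwFlags argument lets the caller restrict the type the value may have. The following C# program is an added example, not from the slides: it reads Userinit (REG_SZ) and LoadAppInit_DLLs (REG_DWORD) from HKLM through P/Invoke and shows the API refusing a type mismatch. The key and value names are assumed to exist on a stock installation; the flag and error constants are those of winreg.h and winerror.h.

```csharp
// Added example (not from the slides): read registry data through RegGetValue with the accepted
// type restricted via dwFlags, so a value of an unexpected type is rejected by advapi32 instead of
// being misinterpreted by the caller.
using System;
using System.Runtime.InteropServices;
using System.Text;

static class TypedRead
{
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern int RegGetValue(IntPtr hKey, string lpSubKey, string lpValue, uint dwFlags,
                                  out uint pdwType, byte[] pvData, ref uint pcbData);

    // winreg.h definition, sign-extended so it is also correct in a 64-bit process.
    static readonly IntPtr HKEY_LOCAL_MACHINE = unchecked((IntPtr)(int)0x80000002);

    // RRF_RT_* restricts the accepted type. RRF_RT_REG_SZ also accepts REG_EXPAND_SZ and expands it,
    // unless RRF_NOEXPAND is added.
    public const uint RRF_RT_REG_SZ = 0x00000002, RRF_RT_REG_DWORD = 0x00000010, RRF_NOEXPAND = 0x10000000;
    public const int ERROR_SUCCESS = 0, ERROR_FILE_NOT_FOUND = 2, ERROR_UNSUPPORTED_TYPE = 1630;
    public const uint REG_SZ = 1, REG_DWORD = 4;   // the "Value Indicator" column of the table above

    // Two-call pattern: the first call with a null buffer returns the byte count, the second fills it.
    public static int Read(string subKey, string name, uint flags, out uint type, out byte[] data)
    {
        data = null;
        uint cb = 0;
        int rc = RegGetValue(HKEY_LOCAL_MACHINE, subKey, name, flags, out type, null, ref cb);
        if (rc != ERROR_SUCCESS) return rc;
        data = new byte[cb];
        return RegGetValue(HKEY_LOCAL_MACHINE, subKey, name, flags, out type, data, ref cb);
    }

    static void Main()
    {
        const string winlogon = @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon";
        const string windows  = @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows";
        uint type; byte[] raw;

        // Userinit is REG_SZ: UTF-16 bytes including the terminating null, trimmed here.
        int rc = Read(winlogon, "Userinit", RRF_RT_REG_SZ, out type, out raw);
        Console.WriteLine("Userinit: rc={0} type={1} data={2}", rc, type,
            rc == ERROR_SUCCESS ? Encoding.Unicode.GetString(raw).TrimEnd('\0') : "(none)");

        // LoadAppInit_DLLs is REG_DWORD: exactly 4 little-endian bytes.
        rc = Read(windows, "LoadAppInit_DLLs", RRF_RT_REG_DWORD, out type, out raw);
        Console.WriteLine("LoadAppInit_DLLs: rc={0} type={1} data={2}", rc, type,
            rc == ERROR_SUCCESS ? BitConverter.ToUInt32(raw, 0).ToString() : "(none)");

        // Asking for Userinit as a DWORD fails with ERROR_UNSUPPORTED_TYPE (1630): the type check
        // happens inside advapi32 before any data is copied, so the caller never sees a bogus number.
        rc = Read(winlogon, "Userinit", RRF_RT_REG_DWORD, out type, out raw);
        Console.WriteLine("Userinit as DWORD: rc={0} ({1})", rc,
            rc == ERROR_UNSUPPORTED_TYPE ? "ERROR_UNSUPPORTED_TYPE, as expected" : "unexpected");
    }
}
```

The third call is the point of the example: code that reads configuration with RegQueryValueEx and trusts whatever type comes back can be fed a REG_BINARY or an oversized string by anyone who can write the value; restricting the type (and sizing the buffer from the first call) removes that class of bug.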


Root-Keys Constants
Root-Key              Value          Constant in C# (API)
HKEY_CLASSES_ROOT     0x80000000     new IntPtr (2147483648)
HKEY_CURRENT_USER     0x80000001     new IntPtr (2147483649)
HKEY_LOCAL_MACHINE    0x80000002     new IntPtr (2147483650)
HKEY_USERS            0x80000003     new IntPtr (2147483651)
HKEY_CURRENT_CONFIG   0x80000005     new IntPtr (2147483653)
HKEY_DYN_DATA         0x80000006     new IntPtr (2147483654)

(0x80000004 is HKEY_PERFORMANCE_DATA, which the original slide omits.)

Note: new IntPtr(2147483648) calls the IntPtr(long) constructor, which throws OverflowException in a
32-bit process because the value does not fit in a 32-bit pointer. winreg.h defines these handles as
sign-extended 32-bit values, so the portable form is unchecked((IntPtr)(int)0x80000002), which yields
0x80000002 on x86 and 0xFFFFFFFF80000002 on x64.

Source:
https://msdn.microsoft.com/en-us/library/aa390388(v=vs.85).aspx


Security Access Rights
Access Type               Value      Meaning
KEY_QUERY_VALUE           0x0001     read value data
KEY_SET_VALUE             0x0002     create, change or delete values
KEY_CREATE_SUB_KEY        0x0004     create sub-keys
KEY_ENUMERATE_SUB_KEYS    0x0008     list sub-keys
KEY_NOTIFY                0x0010     receive change notifications
KEY_EXECUTE or KEY_READ   0x20019    STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
KEY_WRITE                 0x20006    STANDARD_RIGHTS_WRITE | KEY_SET_VALUE | KEY_CREATE_SUB_KEY
KEY_ALL_ACCESS            0xF003F    every right above plus KEY_CREATE_LINK and the standard rights (except SYNCHRONIZE)

The mask is passed as samDesired to RegOpenKeyEx and is checked against the key's DACL at open time:
requesting more than the caller is granted fails the whole call with ERROR_ACCESS_DENIED, even if only
a read was intended. Request the minimum (KEY_READ to query, KEY_SET_VALUE to write one value). On
64-bit Windows the mask may also carry KEY_WOW64_64KEY (0x0100) or KEY_WOW64_32KEY (0x0200) to select
the registry view.

Source:
https://msdn.microsoft.com/en-us/library/windows/desktop/ms724878(v=vs.85).aspx
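To see the access mask being checked at open time, the added C# example below (not from the slides) opens the HKLM and HKCU Run keys with different masks from the table and prints the LSTATUS each returns. The expected results in the closing comment assume the default DACLs of a stock installation and a non-elevated process.

```csharp
// Added example (not from the slides): open the same key with several access masks from the
// Security Access Rights table and report the status code, to show where an unelevated process
// is stopped.
using System;
using System.Runtime.InteropServices;

static class AccessProbe
{
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern int RegOpenKeyEx(IntPtr hKey, string lpSubKey, uint ulOptions, uint samDesired, out IntPtr phkResult);
    [DllImport("advapi32.dll")]
    static extern int RegCloseKey(IntPtr hKey);

    static readonly IntPtr HKEY_CURRENT_USER  = unchecked((IntPtr)(int)0x80000001);
    static readonly IntPtr HKEY_LOCAL_MACHINE = unchecked((IntPtr)(int)0x80000002);

    public const uint KEY_SET_VALUE = 0x0002, KEY_READ = 0x20019, KEY_WRITE = 0x20006, KEY_ALL_ACCESS = 0xF003F;
    public const int ERROR_SUCCESS = 0, ERROR_FILE_NOT_FOUND = 2, ERROR_ACCESS_DENIED = 5;

    // Returns the LSTATUS of RegOpenKeyEx for the requested mask; a successful handle is closed again.
    public static int TryOpen(IntPtr hive, string subKey, uint samDesired)
    {
        IntPtr h;
        int rc = RegOpenKeyEx(hive, subKey, 0, samDesired, out h);
        if (rc == ERROR_SUCCESS) RegCloseKey(h);
        return rc;
    }

    static string Describe(int rc) =>
        rc == ERROR_SUCCESS        ? "ERROR_SUCCESS" :
        rc == ERROR_ACCESS_DENIED  ? "ERROR_ACCESS_DENIED" :
        rc == ERROR_FILE_NOT_FOUND ? "ERROR_FILE_NOT_FOUND" : "error " + rc;

    static void Main()
    {
        const string run = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
        var probes = new[] {
            ("HKLM", HKEY_LOCAL_MACHINE, "KEY_READ",       KEY_READ),
            ("HKLM", HKEY_LOCAL_MACHINE, "KEY_SET_VALUE",  KEY_SET_VALUE),
            ("HKLM", HKEY_LOCAL_MACHINE, "KEY_ALL_ACCESS", KEY_ALL_ACCESS),
            ("HKCU", HKEY_CURRENT_USER,  "KEY_SET_VALUE",  KEY_SET_VALUE),
        };
        foreach (var (hiveName, hive, samName, sam) in probes)
            Console.WriteLine("{0}\\...\\Run with {1,-14}: {2}", hiveName, samName, Describe(TryOpen(hive, run, sam)));

        // Expected from a standard (non-elevated) user with default ACLs: the HKLM read succeeds,
        // both HKLM write probes return ERROR_ACCESS_DENIED, and the HKCU write succeeds. That
        // asymmetry is why malware running without administrative rights persists under HKCU\...\Run.
    }
}
```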


Malware and Windows Registry
• It is common for malware to access the Windows registry.

• Malware can use the registry to:

  • store its own configuration (command-and-control addresses, encoded payloads, state) in innocuous-looking values;
  • gather information about the system (installed software, patch level, security products, user names);
  • install itself persistently, so that it is started again after every reboot or logon.

• The same keys are therefore where analysts look first: for a suspect sample, the registry keys it
  opens and the values it writes (visible through API monitoring or string analysis) usually reveal its
  persistence mechanism.


Common Registry Keys
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

• Contains one value per application that starts automatically when a user logs on.
  The per-user equivalent, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, is writable without
  administrative rights; RunOnce next to each Run key executes its entries a single time and then
  deletes them.
• Structure:
  • Name -> an arbitrary identifier for the application (malware tends to pick names that look like system components)
  • Type -> REG_SZ
  • Data -> the complete command line: the path to the executable, optionally followed by arguments


Common Registry Keys
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

• Contains a special value called "AppInit_DLLs". Any DLL listed in the data of this value is loaded
  into every process that loads User32.dll, i.e. practically every GUI process, which is why it has
  been a popular injection mechanism.

  • Type -> REG_SZ
  • Data -> space- or comma-delimited list of DLL paths

• Caveats a practitioner should know:
  • The DLLs are only loaded when the LoadAppInit_DLLs value in the same key is 1.
  • On Windows 8 and later with Secure Boot enabled, AppInit_DLLs is disabled entirely.
  • On 64-bit Windows the copy of the value under Wow6432Node applies to 32-bit processes, so both copies must be checked.


Common Registry Keys
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]

• Contains several values that instruct Windows which programs to start at particular logon events.
  Malware can change them to override the default system behaviour while the legitimate program still
  runs, so the change is not obvious to the user.

• Example (run an extra program when a user logs on):

  • Name -> Userinit
  • Type -> REG_SZ
  • Data -> comma-delimited list of executables that Winlogon runs after logon. The default is
    C:\Windows\system32\userinit.exe, (with the trailing comma); an appended entry, for example
    C:\Windows\system32\userinit.exe,C:\evil.exe, runs on every interactive logon.

• The Shell value in the same key (default: explorer.exe) is abused the same way: replacing or
  extending it starts the attacker's program as the user's shell.
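The three keys above, together with the per-user Run key, are the first places an analyst checks on a suspect machine. The C# program below is an added example, not part of the course material: it enumerates Run/RunOnce in both registry views for HKLM and HKCU, reports AppInit_DLLs together with the LoadAppInit_DLLs switch, and compares Userinit and Shell against their stock values. The expected defaults, the suspicious-path heuristic and the command-line parsing are this example's own assumptions; it targets Windows (on .NET Core add the Microsoft.Win32.Registry package).

```csharp
// Added example (not from the slides): walk the persistence locations described on the previous
// slides in both the 64-bit and the 32-bit (Wow6432Node) registry views and print anything that
// deviates from the stock configuration. Defaults and heuristics below are assumptions.
using System;
using System.IO;
using Microsoft.Win32;

static class PersistenceAudit
{
    const string RunKey      = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
    const string RunOnceKey  = @"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce";
    const string WindowsKey  = @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows";
    const string WinlogonKey = @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon";

    static void Main()
    {
        // Both views: a 32-bit process otherwise sees only Wow6432Node, and malware can hide in either.
        foreach (RegistryView view in new[] { RegistryView.Registry64, RegistryView.Registry32 })
        {
            using (RegistryKey hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, view))
            using (RegistryKey hkcu = RegistryKey.OpenBaseKey(RegistryHive.CurrentUser, view))
            {
                Console.WriteLine("== {0} view ==", view);
                foreach (string sub in new[] { RunKey, RunOnceKey })
                {
                    ListAutoruns(hklm, "HKLM", sub);
                    ListAutoruns(hkcu, "HKCU", sub);
                }
                CheckAppInit(hklm);
                CheckWinlogon(hklm);
            }
        }
    }

    // Run/RunOnce: one value per program; the data is the command line (REG_SZ or REG_EXPAND_SZ).
    static void ListAutoruns(RegistryKey root, string rootName, string subKey)
    {
        using (RegistryKey key = root.OpenSubKey(subKey))
        {
            if (key == null) return;
            foreach (string name in key.GetValueNames())
            {
                string cmd = Convert.ToString(key.GetValue(name, "", RegistryValueOptions.DoNotExpandEnvironmentNames));
                Console.WriteLine("{0}\\{1}\n    {2} = {3}{4}", rootName, subKey, name, cmd, Flag(cmd));
            }
        }
    }

    // Heuristic command-line parsing: a quoted first token, otherwise everything up to ".exe".
    // Bare names such as "rundll32.exe" carry no path and are reported as not found; check those by hand.
    public static string ExecutableOf(string cmd)
    {
        cmd = Environment.ExpandEnvironmentVariables(cmd.Trim());
        if (cmd.StartsWith("\""))
        {
            int end = cmd.IndexOf('"', 1);
            return end > 0 ? cmd.Substring(1, end - 1) : cmd.Trim('"');
        }
        int exe = cmd.IndexOf(".exe", StringComparison.OrdinalIgnoreCase);
        return exe > 0 ? cmd.Substring(0, exe + 4) : cmd.Split(' ')[0];
    }

    // Flags entries whose executable is missing or lives where any user can write (assumed heuristic).
    public static string Flag(string cmd)
    {
        string exe = ExecutableOf(cmd);
        string lower = exe.ToLowerInvariant();
        if (!File.Exists(exe)) return "   <-- executable not found";
        if (lower.Contains(@"\temp\") || lower.Contains(@"\appdata\") || lower.Contains(@"\users\public\"))
            return "   <-- runs from a user-writable location";
        return "";
    }

    // AppInit_DLLs is honoured only when LoadAppInit_DLLs is 1 (and, on Windows 8 and later, only
    // with Secure Boot off), so both values are reported together.
    static void CheckAppInit(RegistryKey hklm)
    {
        using (RegistryKey key = hklm.OpenSubKey(WindowsKey))
        {
            if (key == null) return;
            string dlls = Convert.ToString(key.GetValue("AppInit_DLLs", ""));
            Console.WriteLine("AppInit_DLLs = \"{0}\" (LoadAppInit_DLLs = {1}){2}", dlls,
                key.GetValue("LoadAppInit_DLLs") ?? "absent",
                dlls.Length > 0 ? "   <-- non-empty: verify every DLL listed" : "");
        }
    }

    // Winlogon: stock values (assumed) are "<System32>\userinit.exe," and "explorer.exe".
    static void CheckWinlogon(RegistryKey hklm)
    {
        using (RegistryKey key = hklm.OpenSubKey(WinlogonKey))
        {
            if (key == null) return;
            Compare(key, "Userinit", Path.Combine(Environment.SystemDirectory, "userinit.exe") + ",");
            Compare(key, "Shell", "explorer.exe");
        }
    }

    static void Compare(RegistryKey key, string name, string expected)
    {
        string actual = Convert.ToString(key.GetValue(name, "")).Trim();
        string note = actual.Length == 0 ? " (absent in this view)"
                    : string.Equals(actual, expected, StringComparison.OrdinalIgnoreCase) ? ""
                    : "   <-- differs from expected \"" + expected + "\"";
        Console.WriteLine("Winlogon\\{0} = \"{1}\"{2}", name, actual, note);
    }
}
```

Run it elevated so HKLM is readable in full; the output for a clean machine is a short list of known installers' entries, an empty AppInit_DLLs and two unflagged Winlogon lines, which makes any addition from the practice examples later in these slides stand out immediately.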


Practice
Adding a new value to the Auto-Runs key in the registry
(Example 1: using the Windows API)


Example (adding a Program to Startup)
Step (1) – Defining the API functions

Win32 LONG, DWORD and REGSAM parameters are 32-bit, so they map to int/uint in C#, not to long: a
64-bit long shifts every following argument on the x86 stack. The return type is LSTATUS (int), where
0 (ERROR_SUCCESS) means success.

[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegOpenKeyEx
(IntPtr hKey, string lpSubKey, uint ulOptions, uint samDesired, out IntPtr phkResult);

[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegSetValueEx
(IntPtr hKey, string lpValueName, uint Reserved, uint dwType, string lpData, uint cbData);

[DllImport("advapi32.dll")]
public static extern int RegCloseKey
(IntPtr hKey);


Example (adding a Program to Startup)
Step (2) – Opening the registry key (Auto-Runs)

// HKEY_LOCAL_MACHINE as defined in winreg.h; the unchecked cast sign-extends the value on x64 and
// avoids the OverflowException that new IntPtr(0x80000002u) throws in a 32-bit process.
IntPtr hKey = unchecked((IntPtr)(int)0x80000002);
string lpSubKey = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
uint ulOptions = 0;
uint samDesired = 0xF003F;   // KEY_ALL_ACCESS; KEY_SET_VALUE (0x0002) is all this example needs
IntPtr keyHandle;

int rc = RegOpenKeyEx(hKey, lpSubKey, ulOptions, samDesired, out keyHandle);
if (rc != 0)                 // e.g. 5 = ERROR_ACCESS_DENIED when the process is not elevated
    throw new System.ComponentModel.Win32Exception(rc);


Example (adding a Program to Startup)
Step (3) – Setting the value and closing the key

string value = "MyProgramY";
uint dwType = 1;                               // REG_SZ (see Registry Data-Types)
string data = @"D:\MyProgram.exe (Added using Windows Api)";
uint cbData = (uint)(data.Length + 1) * 2;     // bytes including the terminating null; UTF-16 because of CharSet.Unicode

rc = RegSetValueEx(keyHandle, value, 0, dwType, data, cbData);
RegCloseKey(keyHandle);
if (rc != 0)
    throw new System.ComponentModel.Win32Exception(rc);

Complete Code will be uploaded to Moodle


Practice
Adding a new value to the Auto-Runs key in the registry
(Example 2: using the .NET Framework)


// Registry.LocalMachine.OpenSubKey returns null when the key does not exist and throws
// SecurityException when access is denied, which is what a writable open of an HKLM key from a
// non-elevated process produces. In a 32-bit process on 64-bit Windows the path is redirected to
// Wow6432Node unless the base key is opened with
// RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64).
string subkey = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
string value = "MyProgramY";
string data = @"Y:\MyProgramY.exe (Added by .NET code)";
bool writable = true;

using (RegistryKey key = Registry.LocalMachine.OpenSubKey(subkey, writable))
{
    if (key == null)
        throw new InvalidOperationException("Run key not found");
    key.SetValue(value, data, RegistryValueKind.String);   // REG_SZ, matching the Run key structure described above
}
