Friday, April 11, 2014

Windows Registry Security Primer

If you come from the Unix world, the registry will feel a lot like the /proc filesystem, and the corresponding C:\Windows\System32\config folder plays the role of the /etc/inittab and /etc/sysctl.conf files. This correspondence is only in terms of functionality; as we will see in this article, the storage method, structure and access differ a lot.
The Windows registry is a tree (hierarchical) structure in memory, which is used to store
Unlike its Unix counterpart, the registry is not accessible through the filesystem, meaning it cannot be reached using the Windows file browser. It needs to be accessed using utilities built specifically for the task of accessing the registry.
Many Windows components depend on the registry, starting from the kernel itself down to the following subsystems:
  •  User Rights Assignment
  •  Security Administration Manager Permissions and Access Control
  •  Group Policy and Local Security Settings
  •  Services
  •  Device drivers
  •  User interfaces
  •  Third party applications
  •  Background processes
The registry is populated at boot time, maintained dynamically and read continuously throughout the uptime of a Windows system.
How MSDN defines the registry: "The registry is a system-defined database in which applications and system components store and retrieve configuration data. The data stored in the registry varies according to the version of Microsoft Windows. Applications use the registry API to retrieve, modify, or delete registry data. You should not edit registry data that does not belong to your application unless it is absolutely necessary. If there is an error in the registry, your system may not function properly. If this happens, you can restore the registry to the state it was in when you last started the computer successfully."

In simplest terms, the system (and user) configuration information is stored in a central hierarchical database called the ’registry’.
The registry was first introduced in Windows 3.1.
Before the Windows registry, configuration information was stored in .ini files. With the introduction of the registry the information started moving into a more organized format instead of the haphazard method of putting everything in files. The current focus is moving away from .ini files, and they are being used less and less. For example, boot.ini is replaced by the boot configuration database, which too is in registry format, i.e. hierarchical folders and entries.
The meaning of "registry" is always taken as a central place of storage, whether in an operating system or in a Java RMI repository used as a centralized storage method. This characteristic of a registry being a ‘central’ place of storage is paramount and is one of the main reasons for the success of the registry.

Earlier, the complete pathnames of .ini files had to be memorized in order to access them; with the advent of the registry the information has become more organized, and just by knowing the purpose of a registry entry (explained below) the administrator can determine the type of its sub-entries.
The registry consists, at the highest level, of ‘hives’. Hives are further broken down into ‘root keys’, ‘keys’ and ‘subkeys’. The keys contain the data (values) stored in the registry.
At run time the entire registry is created from the files on the hard disk; for the entire time Windows is operational it keeps the registry in memory and reads it continuously.
A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data. Hives are located inside root keys.
There are five root keys in Windows Vista, Windows 7 and Windows 8. The behavior of root keys and subkeys is very similar to a filesystem: the keys behave like folders, as they have subkeys inside them, and the subkeys contain values and variables.
The root keys in Windows 8 are explained below; in this list some hives have supporting files while others do not:
1-      HKEY_CLASSES_ROOT (HKCR): The primary purpose of this key is to provide compatibility with 16-bit Windows. It contains file extensions and their associated programs. For example, a .docx file will be opened using Microsoft Word; the user does not need to tell the system which program to use each time he/she double-clicks on a Word document, because Windows uses the information in this key to determine which application handles a file with a particular extension.
2-      HKEY_CURRENT_USER (HKCU): This key is constructed at run time, when a user logs on, from the HKEY_USERS key and contains the preferences and settings for the currently logged-on user. HKCU actually points to HKEY_USERS\<SID of the currently logged-on user>.
3-      HKEY_LOCAL_MACHINE (HKLM): The largest and most intricate of all the root keys. It is one of the most important hive collections in the registry and is supported by the following files:
Supporting file in C:\Windows\System32\config
Note: In the table above, the files with no extension are the ones containing the actual registry data. The ones with the .LOG extension contain logs of key and value changes to that particular hive.

The HARDWARE hive is populated first, from the hardware abstraction layer.
During population, HKLM then takes input from the SAM, SYSTEM, SECURITY and SOFTWARE hives.

4-      HKEY_USERS (HKU): Information about all users that log on to the system is placed in this root key. Its most prominent component is HKEY_USERS\.DEFAULT, which is backed by C:\Windows\System32\config\DEFAULT and C:\Windows\System32\config\DEFAULT.LOG.
The supporting files for each user's own branch are Ntuser.dat and Ntuser.dat.log.

5-      HKEY_CURRENT_CONFIG (HKCC): It is basically the same as, and is simply a pointer to, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current. "Same" does not mean that it is a copy or another instance of that information; it is just a pointer to that location, so when you view HKCC you are actually viewing HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current.
Having HKCC makes it easier to access that location in HKEY_LOCAL_MACHINE.

All the root keys contain branches of subkeys, but the leaf nodes of this entire hierarchy are the “values”. These values are the variables/data sets that hold the actual information of the registry, regarding users, software, etc.
As per MSDN, winnt.h defines the following registry value types:
REG_BINARY: Binary data in any form.
REG_DWORD: A 32-bit number.
REG_DWORD_LITTLE_ENDIAN: A 32-bit number in little-endian format. Windows is designed to run on little-endian computer architectures. Therefore, this value is defined as REG_DWORD in the Windows header files.
REG_DWORD_BIG_ENDIAN: A 32-bit number in big-endian format. Some UNIX systems support big-endian architectures.
REG_EXPAND_SZ: A null-terminated string that contains unexpanded references to environment variables (for example, "%PATH%"). It will be a Unicode or ANSI string depending on whether you use the Unicode or ANSI functions. To expand the environment variable references, use the ExpandEnvironmentStrings function.
REG_LINK: A null-terminated Unicode string that contains the target path of a symbolic link that was created by calling the RegCreateKeyEx function with REG_OPTION_CREATE_LINK.
REG_MULTI_SZ: A sequence of null-terminated strings, terminated by an empty string (\0). The following is an example: String1\0String2\0String3\0LastString\0\0. The first \0 terminates the first string, the second to the last \0 terminates the last string, and the final \0 terminates the sequence. Note that the final terminator must be factored into the length of the string.
REG_NONE: No defined value type.
REG_QWORD: A 64-bit number.
REG_QWORD_LITTLE_ENDIAN: A 64-bit number in little-endian format. Windows is designed to run on little-endian computer architectures. Therefore, this value is defined as REG_QWORD in the Windows header files.
REG_SZ: A null-terminated string. This will be either a Unicode or an ANSI string, depending on whether you use the Unicode or ANSI functions.

Security of Windows registry keys:
The Windows access control model applies to registry keys as well: each key carries a security descriptor, so, just as with files and folders, a key can be assigned permissions that dictate which users and processes may access it and how.
To assign permissions, right-click a registry key in Regedit and choose Permissions, as shown below:
A permissions dialog will show up, similar to the one used for assigning permissions on files, for that particular key, as shown below:
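The same access control model can be checked from a script. The following PowerShell is an added example, not code from the original post: it lists every principal that holds a write-capable Allow entry on a key and flags identities outside an assumed baseline of system accounts; the keys audited are the autorun and Session Manager locations discussed later in the post.

```powershell
# Added example (not from the original post): list every principal that can change
# a registry key, and flag any that is not one of the usual system accounts.
Set-StrictMode -Version Latest

# Rights that let a principal alter a key's data, its children or its ACL.
$WriteRights = 0
foreach ($r in 'SetValue', 'CreateSubKey', 'Delete', 'ChangePermissions', 'TakeOwnership') {
    $WriteRights = $WriteRights -bor [int][System.Security.AccessControl.RegistryRights]$r
}

# Principals normally expected to hold write access on machine-wide keys (assumed baseline).
$ExpectedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                     'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

function Get-RegistryWriteAccess {
    param([Parameter(Mandatory)][string]$Path)   # PowerShell drive form, e.g. 'HKLM:\SOFTWARE\...'
    try { $acl = Get-Acl -Path $Path -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL of $Path : $_"; return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }          # deny entries grant nothing
        if (([int]$ace.RegistryRights -band $WriteRights) -eq 0) { continue }
        [pscustomobject]@{
            Key        = $Path
            Identity   = $ace.IdentityReference.Value
            Rights     = $ace.RegistryRights
            Inherited  = $ace.IsInherited
            Unexpected = $ExpectedWriters -notcontains $ace.IdentityReference.Value
        }
    }
}

# Keys worth auditing: the autorun and Session Manager locations discussed later in the post.
$KeysToAudit = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
)
$KeysToAudit | ForEach-Object { Get-RegistryWriteAccess -Path $_ } |
    Where-Object { $_.Unexpected } |
    Format-Table Key, Identity, Rights, Inherited -AutoSize
```

An empty table means only the baseline accounts can change those keys; any other identity listed is a principal that could alter what runs at start-up.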

Backing up the windows registry:

The following methods can be used to back up the windows registry:

1 – Simply copy the contents of the C:\Windows\System32\config folder. Note that the hive files are held open while Windows is running, so a plain copy only works from offline media or a volume shadow copy.

3 – Export the registry to a .reg file. This can be done using regedit.exe:
C:\> Regedit /e registryoutputfile.reg
This will write the entire registry to a file, a sort of complete registry backup.
To write a particular hive or root key, use the following command:
C:\> Regedit /e outputfile.reg HKEY_LOCAL_MACHINE\Software
This will only write the Software key to outputfile.reg. Similarly, any key can be written to a file using the above syntax.

Most frequently used keys

1-      Software uninstall data key
The key that contains a list of all the installed applications:
Appwiz.cpl, the software uninstall wizard in Control Panel, uses this key to load its data.

2-      Autorun keys

An exhaustive list of such locations can be acquired using 'autoruns', part of the Sysinternals suite by Mark Russinovich. A list of the ones which are easier to understand (and explain) is given below:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components

3-      Keys that auto-load apps once
Need to find out whether these are RunOnce locations or autorun locations that run each time the system starts. Need to get a list of autoruns from Autoruns.
4-      Find the registry keys that start services.
Registry keys that control Group Policy, security and user rights.

5-      Registry keys that automatically load DLLs
6-      The key that causes chkdsk and autochk to run automatically:
HKLM\System\CurrentControlSet\Control\Session Manager
- The key that holds the paths to KnownDLLs:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
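Because these keys decide what runs at start-up, a defender wants to know when they change. The following PowerShell is an added example, not code from the original post: it snapshots the keys named in this section (and their immediate subkeys) and reports additions, removals and changes against a saved baseline; the baseline file path is an assumption.

```powershell
# Added example (not from the original post): snapshot the autorun-related keys listed
# above and report what changed since a saved baseline.
Set-StrictMode -Version Latest
# Keys named in this section; extend the list from the output of autoruns.
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
)
# Flatten each key and its immediate subkeys into "key\valuename" -> data pairs.
function Get-AutorunSnapshot {
    param([string[]]$Keys = $AutorunKeys)
    $snap = @{}
    foreach ($path in $Keys) {
        if (-not (Test-Path $path)) { continue }
        $targets = @(Get-Item $path) + @(Get-ChildItem $path -ErrorAction SilentlyContinue)
        foreach ($k in $targets) {
            foreach ($name in $k.GetValueNames()) {
                # Keep %VAR% references unexpanded so the stored text is what gets compared.
                $data = $k.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                $snap["$($k.Name)\$name"] = [string]($data -join ';')   # REG_MULTI_SZ on one line
            }
        }
    }
    return $snap
}
# Print entries added, removed or changed relative to the baseline.
function Compare-AutorunSnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) { "ADDED   $k = $($Current[$k])" }
        elseif ($Baseline[$k] -ne $Current[$k]) { "CHANGED $k : $($Baseline[$k]) -> $($Current[$k])" }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) { "REMOVED $k = $($Baseline[$k])" }
    }
}
$BaselineFile = "$env:ProgramData\autorun-baseline.json"   # assumed location; keep it admin-only
if (Test-Path $BaselineFile) {
    $baseline = @{}
    (Get-Content $BaselineFile -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
    Compare-AutorunSnapshot -Baseline $baseline -Current (Get-AutorunSnapshot)
} else {
    Get-AutorunSnapshot | ConvertTo-Json | Set-Content $BaselineFile
    "Baseline written to $BaselineFile"
}
```

The first run writes the baseline; every later run prints only the differences, so a new Installed Components entry or a changed Session Manager value stands out immediately.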

Playing with the Registry – changing windows configuration directly using Regedit.exe

1-      Icon-free desktop

Go to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
o   Here create a new key named Explorer (we name it Explorer because we are going to create a policy related to Windows Explorer). Inside this key create a new 32-bit (DWORD) value and name it “NoDesktop”.
o   Assigning this a value of 0 (default = false) will let the icons be displayed, but if the value is changed to 1 (true), no icons will be displayed on the desktop after a logout/login. Keep in mind that this will also disable the menu obtained by right-clicking on the desktop.

2-      Hiding icons in the notification tray

Go to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
o   If the Explorer key does not exist, it needs to be created. Create another DWORD value called “NoTrayItemsDisplay”. It will have a default value of 0 (false); change it to 1 (true) and restart the computer.
Note: the notification tray is at the lower right of the screen.
3-      Increasing the limit for simultaneous http downloads

The HTTP 1.0 maximum download is limited to 4 connections, whereas HTTP 1.1 is limited to 2.
In the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings:
o   Create a new 32-bit (DWORD) value named “MaxConnectionsPerServer”.
o   Set its value to 10 (decimal); also create another DWORD value named “MaxConnectionsPer1_0Server”.

These values set the number of simultaneous downloads; raise or lower them to increase or decrease the limit.

4-      Paranoid Security – Locking a drive

Now here is a really cool example of what you can do with the registry. Go to the same HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer key used in item 2 above:
o   If the Explorer key does not exist, it needs to be created.
o   Create a new DWORD value named “NoViewOnDrive”.
o   Then give it the value from the following table to lock that particular drive:

Sr. No       Drive letter   Calculation of value (2^Sr. No)   Value to be assigned
0            A              2^0 = 1                           1
1            B              2^1 = 2                           2
2            C              2^2 = 4                           4
3            D              2^3 = 8                           8
4            E              2^4 = 16                          16
5            F              2^5 = 32                          32
6            G              2^6 = 64                          64
7            H              2^7 = 128                         128
8            I              2^8 = 256                         256
9            J              2^9 = 512                         512
10           K              2^10 = 1024                       1024
All drives                  2^26 - 1                          67108863 (yes! the last digit is 3)

Doing this will lock the drive, rendering it inaccessible through Windows Explorer. To lock several drives at once, add their values together; the “all drives” row is the sum for all 26 letters.
5-      In order to lock the wallpaper
Go to the registry key
o   Create a 32-bit value named NoChangingWallPaper and give it the value 1.
6-      32-bit programs on a 64-bit machine
If you are using a 32-bit machine then the registry explanation above will suffice. But if you have a 64-bit machine there is one more key that may interest you.
HKLM\Software\Wow6432Node, or ‘Wow6432Node’ for short, contains entries for 32-bit applications that need to run during start-up.
Hint: In order to find 32-bit software on your 64-bit machine, browse your C:\Program Files (x86) folder.
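The Explorer policies from items 1, 2 and 4 above can be checked for the current user with the following PowerShell, an added example that is not code from the original post. It reads the value names and key path given above and decodes a NoViewOnDrive mask back into drive letters using the 2^n rule from the table; the helper functions and their names are my own.

```powershell
# Added example (not from the original post): show which of the Explorer policies
# described above are in force for the current user, decoding NoViewOnDrive.
Set-StrictMode -Version Latest
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Bit n of NoViewOnDrive hides drive letter n: A = 2^0, B = 2^1, ..., Z = 2^25.
function ConvertTo-DriveMask {
    param([char[]]$Letters)
    $mask = 0
    foreach ($c in $Letters) {
        $n = [int][char]::ToUpper($c) - [int][char]'A'
        if ($n -lt 0 -or $n -gt 25) { throw "Not a drive letter: $c" }
        $mask = $mask -bor (1 -shl $n)
    }
    return $mask
}

function ConvertFrom-DriveMask {
    param([int]$Mask)
    $letters = foreach ($n in 0..25) {
        if ($Mask -band (1 -shl $n)) { [char]([int][char]'A' + $n) }
    }
    return -join $letters
}

function Get-ExplorerPolicyState {
    if (-not (Test-Path $PolicyKey)) { return 'No Explorer policy key: nothing is restricted.' }
    $key = Get-Item $PolicyKey
    foreach ($name in 'NoDesktop', 'NoTrayItemsDisplay') {
        $v = $key.GetValue($name)
        $state = if ($null -eq $v) { 'not set' } elseif ($v -eq 1) { 'ENABLED' } else { "value $v" }
        '{0,-20} {1}' -f $name, $state
    }
    $mask = $key.GetValue('NoViewOnDrive')
    if ($null -ne $mask) {
        '{0,-20} {1} (hides drives: {2})' -f 'NoViewOnDrive', $mask, (ConvertFrom-DriveMask $mask)
    }
}

# Sanity checks against the table above: C is 2^2 = 4, all 26 drives are 67108863.
if ((ConvertTo-DriveMask 'C') -ne 4) { throw 'C should encode as 4' }
if ((ConvertTo-DriveMask 'ABCDEFGHIJKLMNOPQRSTUVWXYZ') -ne 67108863) { throw 'all drives should be 67108863' }
Get-ExplorerPolicyState
```

Running it on a machine where nobody has touched these policies prints "not set" for each value; a locked drive shows up as its letter rather than as an opaque number.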

Editing the Registry

1-      Using .reg files to enter data in the registry

A .reg file is usually an exported registry or a component of the registry.
C:\> Regedit.exe /s filename.reg
The /s parameter means silent: no prompts or output on the console.
If filename.reg contains the contents of the entire registry, then the entire registry is written to the system; if it contains only a component of the registry, such as HKLM\Software or the HKCU root key, then only that particular root key is affected. This is possible because the .reg file contains the complete path of each key it enters and populates. An example .reg file can be downloaded from

2-      Using the reg command

Using the reg command is another way to modify the registry. Typing
C:\> Reg /?
at the command prompt will display the usage and applicable parameters.
To add a key (and a value under it):
C:\> Reg add <key_name> /v <value_name> /t <data_type> /d <data>

To delete a value from a key (omit /v to delete the whole key):
C:\> Reg delete <key_name> /v <value_name> /f
/f will cause a forced delete without a prompt. An exhaustive list of parameters can be seen by typing Reg /? as shown above.
                Example of reg.exe usage
As an example, let's change the wallpaper for the current user.
Step 1 – We first remove the registry entry for the desktop wallpaper:

C:\> Reg delete "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper
The above line will delete the value Wallpaper in the “HKEY_CURRENT_USER\Control Panel\Desktop” key (the key path is quoted because it contains a space).
Step 2 – We then add the new value for the key:
C:\> Reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\test.jpg
After the above command the wallpaper for the current user will change to C:\test.jpg.
