Windows Registry

| Revised Date | Author | Comment |
|---|---|---|
| 21.03.2025 | Roger Johnsen | Article added |

Introduction

The Windows Registry is a critical component of the Windows operating system that serves as a hierarchical database for storing system configurations, application settings, and user preferences. For threat hunters, it is an invaluable resource for detecting malicious activity, identifying persistence mechanisms, and analyzing system behavior. Attackers frequently leverage the registry to hide malware, execute fileless attacks, or establish persistence by modifying startup keys and injecting code into registry values. By monitoring and analyzing registry changes, threat hunters can uncover unauthorized modifications, trace the origins of security breaches, and mitigate stealthy threats such as Advanced Persistent Threats (APTs). Its vast scope of information makes the registry a goldmine for forensic investigations and proactive threat detection.


Windows Registry Keys

System Information and Configuration

| Registry Key | Description | Possible Values | Threat Hunting Notes | MITRE ATT&CK |
|---|---|---|---|---|
| HKLM\SYSTEM\CurrentControlSet\Control\ComputerName | System’s assigned name | Computer name (e.g., DESKTOP-1234AB) | Check for unexpected name changes | T1082 |
| HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation | System’s time zone | Time zone string (e.g., Pacific Standard Time) | Verify time zone consistency across network | T1082 |
| HKLM\SYSTEM\CurrentControlSet\Control\Windows | Last shutdown time | ShutdownTime (Binary value) | FILETIME format; check for unexpected shutdowns | T1082 |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | UAC settings | 0 (disabled) or 1 (enabled) | Ensure UAC is enabled (value should be 1) | T1548.002 |

User Accounts and Profiles

| Registry Key | Description | Possible Values | Threat Hunting Notes | MITRE ATT&CK |
|---|---|---|---|---|
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList | User SID to profile path mapping | SID and profile path pairs | Identify unauthorized user accounts | T1136 |
| HKLM\SAM\Domains\Account\Users | User account details (protected) | Binary data, SID-linked user records | Requires special tools; check for unauthorized changes | T1003 |

Autostart and Persistence Mechanisms

| Registry Key | Description | Possible Values | Threat Hunting Notes | MITRE ATT&CK |
|---|---|---|---|---|
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Auto-launch programs at startup | Executable paths | Common persistence mechanism; check for unusual entries | T1547.001 |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache | Scheduled tasks | Task names, executable paths, run times | Check for unauthorized scheduled tasks | T1053.005 |
| HKLM\SYSTEM\CurrentControlSet\Services | Installed Windows services | Service name, binary path | Identify potentially malicious services | T1543.003 |

Network Configuration and Remote Access

| Registry Key | Description | Possible Values | Threat Hunting Notes | MITRE ATT&CK |
|---|---|---|---|---|
| HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces | Network interface configurations | IP addresses, subnet masks, gateways | Check for unauthorized network changes | T1016 |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged | Previously connected networks | SSID, MAC address, timestamps | Trace system movement; timestamps in Unix format | T1012 |
| HKCU\Software\Microsoft\Terminal Server Client\Servers | RDP accessed hosts | IP addresses, hostnames | Identify unauthorized remote access | T1021.001 |
| HKCU\Network | Mapped network drives | Drive letter, remote path | Check for suspicious network mappings | T1021 |
| HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin | RDP Restricted Admin mode | 0 (enabled) or 1 (disabled) | Should be 0 for better security | T1021.001 |

USB and External Device Usage

| Registry Key | Description | Possible Values | Threat Hunting Notes | MITRE ATT&CK |
|---|---|---|---|---|
| HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR | Connected USB storage devices | Vendor ID, product ID, serial number | Identify potential data exfiltration attempts | T1091 |
| HKLM\SYSTEM\MountedDevices | Volume GUID to drive letter mapping | Drive letter mappings | Track external device usage | T1091 |

User Activity and Program Execution

| Registry Key | Description | Possible Values | Threat Hunting Notes | MITRE ATT&CK |
|---|---|---|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU | Run box command history | String list of executed commands | Can reveal attacker activities | T1112 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU | Accessed files and folders history | File paths and timestamps | Identify accessed sensitive files | T1083 |
| HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache | Executed program metadata (Shimcache) | File paths, timestamps, execution flags | Reveals program execution even if the file was deleted | T1118 |
| HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID} | Recently executed applications per user | File paths, timestamps | Background Activity Moderator; check for suspicious executions | T1118 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist | GUI-launched programs (ROT13 encoded) | ROT13-encoded program names, execution count | Requires ROT13 decoding; reveals user activities | T1118 |
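
The System Information table notes that ShutdownTime is a FILETIME and the User Activity table notes that UserAssist names need ROT13 decoding; the following Python is an added example (not code from the original article) that does both offline on a constructed `reg export` fragment, as an analyst would on an exported hive. The .reg content and its values are made up, the function names `parse_reg`, `decode_filetime` and `hunt_artifacts` are this example's own, and the UserAssist byte layout assumed is the Windows 7 and later one.

```python
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed `reg export` fragment (made-up values): ShutdownTime as a FILETIME plus one
# ROT13-encoded UserAssist entry (assumed Win7+ layout: run count @4, last-run FILETIME @60).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows]
"ShutdownTime"=hex:00,c6,1f,54,f4,99,db,01
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count]
"P:\\Jvaqbjf\\Flfgrz32\\pzq.rkr"=hex:00,00,00,00,05,00,00,00,03,00,00,00,e8,03,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  ff,ff,ff,ff,00,80,5c,30,f4,99,db,01,00,00,00,00
"""
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_filetime(raw: bytes) -> datetime:
    """Little-endian 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    ticks = struct.unpack("<Q", raw[:8])[0]
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_reg(text: str) -> dict:
    """Return {key: {value_name: bytes}} for the hex: values in a .reg export."""
    # Re-join wrapped hex lines (trailing backslash), then walk [key] and "name"=hex: lines.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    result, key = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result[key] = {}
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"=hex:([0-9a-fA-F,]*)', line)):
            name = re.sub(r"\\(.)", r"\1", m.group(1))  # undo the \\ and \" escaping
            result[key][name] = bytes.fromhex(m.group(2).replace(",", ""))
    return result

def hunt_artifacts(text: str) -> dict:
    """Decode the last shutdown time and every UserAssist entry in the export."""
    findings = {}
    for key, values in parse_reg(text).items():
        if key.endswith("\\Control\\Windows") and "ShutdownTime" in values:
            findings["last_shutdown"] = decode_filetime(values["ShutdownTime"]).isoformat()
        elif "\\Explorer\\UserAssist\\" in key:
            for rot_name, data in values.items():
                entry = {"run_count": struct.unpack_from("<I", data, 4)[0]} if len(data) >= 8 else {}
                if len(data) >= 68:
                    entry["last_run"] = decode_filetime(data[60:68]).isoformat()
                findings.setdefault("userassist", {})[codecs.decode(rot_name, "rot_13")] = entry
    return findings
```

`hunt_artifacts(SAMPLE_REG)` returns the decoded shutdown time and a `C:\Windows\System32\cmd.exe` entry with its run count and last-run time, which is the view a hunter compares against expected user behaviour.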

Software and Application Management

| Registry Key | Description | Possible Values | Threat Hunting Notes | MITRE ATT&CK |
|---|---|---|---|---|
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | Installed applications | Application names, install dates | Identify potentially malicious software | T1072 |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | Debugger redirection | Debugger path | Check for potential process hijacking | T1546.012 |

Security and Credential Management

| Registry Key | Description | Possible Values | Threat Hunting Notes | MITRE ATT&CK |
|---|---|---|---|---|
| HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest | WDigest credential storage setting | UseLogonCredential (0 or 1) | Should be 0 to prevent credential storage | T1003 |