
# Windows Registry

The Windows Registry Editor (regedit.exe) and the registry locations most worth checking for signs of malicious persistence and tampering.

**What is the Registry Editor (regedit.exe)?**

* **Hierarchical Database:** The Windows Registry is a large hierarchical database of system-wide and per-program configuration settings, hardware information, user preferences, and more. It is organised into hives (such as `HKEY_LOCAL_MACHINE` and `HKEY_CURRENT_USER`), keys, subkeys, and named values.
* **Registry Editor:** regedit.exe lets you browse, search, and directly edit keys and values, and export a key (with its subkeys) to a `.reg` file.
* **Caution:** Incorrect changes to the registry can seriously damage your system. Export the key you are about to change first (`File > Export` in regedit, or `reg export` from a command prompt) so it can be restored, and proceed with care.

**Key Registry Locations for Auditing Malicious Activity**

Common keys attackers target, grouped by hive:

* **`HKEY_LOCAL_MACHINE (HKLM)\Software\Microsoft\Windows\CurrentVersion\Run` and `RunOnce`:** These keys list programs that start automatically when any user logs on. Malware often adds a persistence entry here. `RunOnce` entries are deleted after they execute, so a missing entry does not mean nothing ran. On 64-bit Windows, 32-bit programs write the equivalent keys under `HKLM\Software\WOW6432Node\...`, so check both views.
* **`HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run`:** An additional, less commonly inspected autostart location (a per-user copy exists under `HKCU` as well).
* **`HKLM\SYSTEM\CurrentControlSet\Services`:** One subkey per installed service and driver. Malware may create a new service or modify an existing one; the values to check are `ImagePath` (the binary that is launched) and, for services hosted in svchost.exe, `ServiceDll` under the service's `Parameters` subkey.
* **`HKEY_CURRENT_USER (HKCU)\Software\Microsoft\Windows\CurrentVersion\Run` and `RunOnce`:** The user-specific autostart keys. Malware running without administrative rights can still write here, so these entries affect only the compromised account.
* **`HKCU\Software\Microsoft\Internet Explorer\Main`:** Stores Internet Explorer settings such as the start page and search page. Malware may modify these for browser redirects, data interception, or other tampering.
* **`HKCU\Software\Classes`:** Per-user file associations and COM registrations. Entries here are merged over `HKLM\Software\Classes` to form `HKEY_CLASSES_ROOT`, so a per-user `shell\open\command` value silently overrides the machine-wide handler for that account and can run malicious code whenever that file type is opened.
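The following PowerShell script is an added example, not code from the original page. It walks the autostart keys, service entries, and per-user file-association overrides listed above and flags the entries a triage analyst would look at first. The "suspicious" path and script-host patterns are illustrative assumptions, not a complete detection ruleset, and it should be run from an elevated session so that `HKLM` is fully readable.

```powershell
# Added example (not part of the original page): enumerate the autostart keys,
# service entries and per-user file-association overrides described above and
# flag entries worth a closer look. Run from an elevated PowerShell session.
# The "suspicious" patterns below are illustrative assumptions, not a ruleset.

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',  # 32-bit view on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Assumed heuristics: user-writable or temporary directories, and script hosts /
# LOLBins that are frequently used to launch a payload indirectly.
$suspiciousPath = '(?i)\\(Temp|AppData|ProgramData|Users\\Public|Downloads)\\'
$suspiciousHost = '(?i)\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?\b'

# Return the executable part of a command line: the quoted token, or the first
# whitespace-delimited token, with %VAR% references expanded.
function Get-CommandTarget([string]$CommandLine) {
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl -match '^"([^"]+)"') { return $Matches[1] }
    return ($cl -split '\s+')[0]
}

function Get-FlaggedAutostart {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key
        # Get-ItemProperty adds PSPath/PSParentPath/... note properties; skip them.
        foreach ($prop in ($item.PSObject.Properties | Where-Object Name -notlike 'PS*')) {
            $cmd     = [string]$prop.Value
            $target  = Get-CommandTarget $cmd
            $reasons = @()
            if ($cmd -match $suspiciousPath) { $reasons += 'user-writable path' }
            if ($cmd -match $suspiciousHost) { $reasons += 'script host / LOLBin' }
            # An unquoted path containing spaces also lands here; treat it as "verify manually".
            if ($target -and -not (Test-Path -LiteralPath $target)) { $reasons += 'target not on disk' }
            [pscustomobject]@{ Location = $key; Name = $prop.Name; Command = $cmd; Flags = ($reasons -join '; ') }
        }
    }
}

function Get-FlaggedService {
    # One subkey per service; ImagePath is the binary, ServiceDll (under Parameters)
    # is the module svchost.exe loads for hosted services.
    Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $image = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).ImagePath
            $dll   = (Get-ItemProperty -LiteralPath "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
            foreach ($p in @($image, $dll)) {
                if ($p -and $p -match $suspiciousPath) {
                    [pscustomobject]@{ Location = $_.Name; Name = 'ImagePath/ServiceDll'; Command = $p; Flags = 'user-writable path' }
                }
            }
        }
}

function Get-UserClassOverride {
    # HKCU\Software\Classes is merged over HKLM\Software\Classes into HKCR, so a
    # per-user shell\open\command wins for this account. -LiteralPath matters:
    # one of the keys here is literally named '*'.
    Get-ChildItem -LiteralPath 'HKCU:\SOFTWARE\Classes' -ErrorAction SilentlyContinue | ForEach-Object {
        $cmdKey = "HKCU:\SOFTWARE\Classes\$($_.PSChildName)\shell\open\command"
        if (Test-Path -LiteralPath $cmdKey) {
            $cmd = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
            [pscustomobject]@{ Location = $cmdKey; Name = '(default)'; Command = $cmd; Flags = 'per-user handler override' }
        }
    }
}

@(Get-FlaggedAutostart) + @(Get-FlaggedService) + @(Get-UserClassOverride) |
    Sort-Object Flags -Descending | Format-Table -AutoSize -Wrap
```

Entries with an empty `Flags` column are not cleared by this script; they are simply not caught by these heuristics, so unfamiliar names in that set still deserve a look. Pipe the result to `Export-Csv` when you want to keep it as evidence or compare it across hosts.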

**What to Look For**

* **Suspicious Keys and Values:** Unknown entries in the locations above, especially ones with random or misspelled names, or names that imitate legitimate software, warrant investigation.
* **Modification of Autostart Entries:** Check for entries you do not recognise that point to executables in user-writable locations (temp, profile, or public folders), to files that no longer exist, or to script hosts such as `rundll32.exe`, `mshta.exe`, or `powershell.exe` with a long encoded argument.
* **Changes to Browser or System Settings:** Look for unexpected modifications to internet settings, proxy configuration, or system-level policies.
* **Hidden Keys:** Malware may make entries hard to see, for example by embedding null characters in a key name (regedit and most Win32-based tools cannot display or open such a key; Sysinternals RegDelNull can find them) or by setting restrictive permissions on the key so that it cannot be read or deleted normally.

**Important Considerations**

* **Attribution Is Difficult:** Finding a malicious registry entry tells you a system was modified, but rarely identifies the specific malware family on its own.
* **Time Is Crucial:** Malware may modify the registry and act immediately, or leave an entry dormant for a long time. Registry keys (not individual values) carry a last-write timestamp, which is useful for building a timeline of when a persistence key was created or changed.
* **Baseline Comparisons:** A snapshot of a known-clean system's registry is invaluable during an investigation: diffing the current state against it surfaces additions and changes far faster than reading keys by hand.
* **Malware Obfuscation:** Malware can disguise registry entries, for example by reusing the name of a legitimate program or by storing an encoded payload in a value that a loader later decodes.
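The script below is an added example, not code from the original page, of the baseline approach described above: it snapshots the autostart and service keys discussed on this page to a file on first run, and on later runs diffs the live registry against that file. The baseline file path is an assumption; run it from an elevated session so that `HKLM\SYSTEM\CurrentControlSet\Services` is readable.

```powershell
# Added example (not part of the original page): snapshot the monitored keys to a
# CliXML baseline, then diff later runs against it. The baseline path is assumed.
# Run elevated so HKLM is fully readable.

$monitoredKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

# Emit one record per (key, value name, value) so records can be compared by content.
function Get-RegistrySnapshot {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        # The key itself plus all subkeys (services live one level down, with Parameters below that).
        $targets = @(Get-Item -LiteralPath $key -ErrorAction SilentlyContinue) +
                   @(Get-ChildItem -LiteralPath $key -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $targets) {
            foreach ($name in $k.GetValueNames()) {
                # Keep %VAR% references unexpanded so the stored string, not its expansion, is compared.
                $value = $k.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                [pscustomobject]@{
                    Path  = $k.Name
                    Name  = $name
                    Value = ($value -join ',')   # flatten MultiString / Binary values for comparison
                }
            }
        }
    }
}

$baselineFile = 'C:\Baselines\registry-baseline.xml'   # assumed location

if (-not (Test-Path -LiteralPath $baselineFile)) {
    New-Item -ItemType Directory -Path (Split-Path $baselineFile) -Force | Out-Null
    Get-RegistrySnapshot -Keys $monitoredKeys | Export-Clixml -Path $baselineFile
    "Baseline written to $baselineFile"
} else {
    $baseline = Import-Clixml -Path $baselineFile
    $current  = Get-RegistrySnapshot -Keys $monitoredKeys
    # SideIndicator '=>' : present now but not in the baseline (added or changed value)
    # SideIndicator '<=' : present in the baseline but not now (removed or changed value)
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Path, Name, Value |
        Sort-Object Path, Name |
        Format-Table SideIndicator, Path, Name, Value -AutoSize -Wrap
}
```

A changed value appears as a pair of lines (`<=` with the old content, `=>` with the new), so a single `=>` line with no partner is a newly added entry. Take the baseline on a freshly built image, keep it off the host it describes, and re-take it after legitimate software changes so that patch-day noise does not bury real findings.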

**Additional Resources**

* Microsoft has documentation detailing the structure of the registry: <https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry>.
* Security blogs and threat intelligence sites often release reports detailing specific registry keys and values employed by different malware families.
