Malware analysis

Understanding Windows Registry

April 21, 2020 by Kurt Ellzey

Introduction

Let’s say a user just finished installing a piece of recommended software. They weren’t really familiar with the source, but the potential benefits would be excellent. Immediately after installation they can’t right-click anywhere, the taskbar is gone and there is a rather large PAY US OR ELSE wallpaper permanently plastered onto their desktop. 

They run the standard company-issued antivirus/anti-malware applications, which take care of some of the problems. But certain settings, like the wallpaper, are still stuck in place. They need your help to finish cleaning up the system. What are you going to do?


Windows Registry

The Registry in Windows stores a ridiculous number of program and personalization settings, license keys, policies, rules and the list goes on and on. Basically, if it's a setting that needs to be kept long-term, more often than not it's going to be kept in the Registry.

To open the Registry interactively, run the built-in utility regedit. The same executable ships with every edition of Windows, but what you can see and change depends on your permissions. Regedit is subject to User Account Control (UAC) and to your group memberships: a standard user can edit their own HKCU but not most of HKLM, and the UAC prompt runs regedit under the administrator account you authenticate as. That matters for user-specific settings: if you elevate as a different account, HKCU now refers to that account's hive rather than the hive of the user you are trying to fix, and you have to locate their hive under HKEY_USERS instead.

Once you are in regedit, the Registry appears as a tree with five root keys.

Each root key does one of two things. Either it is a real, hive-backed area of the Registry, or it is a pointer (a symbolic link or a merged view) onto values that are actually stored somewhere less convenient to reach.

 

HKEY_CLASSES_ROOT (Shortened to HKCR) This deals primarily with file type associations and COM class registrations, the data applications use to claim specific file types for themselves. It is a merged view of two distinct areas: HKEY_CURRENT_USER\Software\Classes for per-user settings and HKEY_LOCAL_MACHINE\Software\Classes for machine-wide settings. If a value exists in both places, the user's copy takes precedence. Writes made through HKCR normally land in HKLM\Software\Classes, unless the key already exists under HKCU\Software\Classes, in which case they go there.

HKEY_CURRENT_USER (Shortened to HKCU) This deals with the currently logged-in user's settings: mapped drives and printers, personalization settings and per-user customizations for various applications. It is itself a link to the current user's entry under HKEY_USERS. Most of this section is backed by a hive file called NTUSER.DAT in the user's profile directory (the per-user Classes portion lives in a separate UsrClass.dat under AppData\Local\Microsoft\Windows). Because the hive is a file in the profile, an organization with roaming profiles can have a user's individual preferences follow them from computer to computer.

HKEY_LOCAL_MACHINE (Shortened to HKLM) This section deals with settings specific to this particular computer: the operating system, hardware, drivers, services and startup parameters. Its main hives (SAM, SECURITY, SOFTWARE and SYSTEM) are files under %SystemRoot%\System32\config.

HKEY_USERS (Shortened to HKU) This section contains every user hive currently loaded, keyed by SID: the interactively logged-in users, .DEFAULT, and the built-in service accounts (S-1-5-18 SYSTEM, S-1-5-19 LOCAL SERVICE, S-1-5-20 NETWORK SERVICE). Since HKCU is just a link to the current user's SID here, HKU is the way to reach the HKCU-equivalent settings of a different logged-in user.

HKEY_CURRENT_CONFIG (Shortened to HKCC) This section is built at system startup from the currently active hardware profile. Like HKCR, it is a view onto data kept elsewhere: specifically HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current.
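The following PowerShell is an added example, not code from the original article. It demonstrates two of the relationships described above: that HKCU is a view onto HKU\<SID> for the logged-in user, and that HKCR merges HKCU\Software\Classes and HKLM\Software\Classes. Run it as the user whose settings you are inspecting; reads need no elevation. The .txt extension is an arbitrary choice of file type to look up.

```powershell
# Added example (editor's code, not from the article). Reads only.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
"Current user SID: $sid"

# PowerShell only ships the HKCU: and HKLM: drives. The other roots are reached
# through the Registry:: provider path without defining new drives.
$fromHkcu = (Get-ItemProperty 'HKCU:\Control Panel\Desktop').Wallpaper
$fromHku  = (Get-ItemProperty "Registry::HKEY_USERS\$sid\Control Panel\Desktop").Wallpaper
"Wallpaper via HKCU      : $fromHkcu"
"Wallpaper via HKU\<SID> : $fromHku"
if ($fromHkcu -ne $fromHku) {
    Write-Warning 'HKCU does not match HKU\<SID>; this session may be running as a different user.'
}

# Every hive currently loaded under HKU. S-1-5-18/19/20 are the service
# accounts; names ending in _Classes are the per-user Classes hives.
"Loaded hives under HKU:"
Get-ChildItem Registry::HKEY_USERS | Select-Object -ExpandProperty PSChildName

# HKCR merging: the association HKCR shows for an extension comes from either
# the user's or the machine's Classes key, with the user's copy winning.
$ext = '.txt'
foreach ($path in "Registry::HKEY_CLASSES_ROOT\$ext",
                  "HKCU:\Software\Classes\$ext",
                  "HKLM:\Software\Classes\$ext") {
    $progId = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { $progId = '<not present>' }
    '{0,-48} -> {1}' -f $path, $progId
}
```

On a default install the HKCU copy of `.txt` is usually absent, so HKCR simply reflects HKLM; create a per-user override under HKCU\Software\Classes\.txt and the HKCR line changes while HKLM does not, which is exactly the precedence rule stated above.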

 

When you start drilling down into the Registry, it becomes apparent very quickly that knowing where you're going and what you're looking for beforehand is extremely helpful. The search function (Edit > Find) does help some, but a search for a particular word can still return dozens or hundreds of potential matches.

Speaking of words, if we look at various values in the Registry, you'll see that those values have different types associated with them. 

 

REG_BINARY Binary data

REG_DWORD or REG_DWORD_LITTLE_ENDIAN Effectively the same thing in Windows, a 32-bit number.

REG_DWORD_BIG_ENDIAN Also a 32-bit number. However, this format is “Big Endian,” which is occasionally used in UNIX-type systems.

REG_EXPAND_SZ A string containing unexpanded references to environment variables, such as %SystemRoot%\System32. The variables are expanded when the value is read by an API that asks for expansion, not when it is stored.

REG_LINK A string that is used for the target of a symbolic link.

REG_MULTI_SZ A multi-string value, stored as a sequence such as Alpha\0Beta\0Gamma\0Delta\0\0. A NUL character (\0) marks the end of each string, and a second, trailing NUL ends the entire multi-string value. For that reason, none of the individual strings should be empty: two NULs in a row read as the terminator.

REG_NONE No defined value type; the data is treated as opaque bytes.

REG_QWORD or REG_QWORD_LITTLE_ENDIAN Effectively the same thing in Windows, a 64-bit number. 

REG_SZ A standard string.
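Value types are easiest to understand by writing one of each and reading them back. The PowerShell below is an added example (editor's code, not from the article); it uses a scratch key, HKCU:\Software\RegDemo, whose name is arbitrary, and removes it at the end. It shows the two behaviours from the list that trip people up: REG_EXPAND_SZ is expanded on read, and REG_MULTI_SZ is a NUL-separated, double-NUL-terminated UTF-16 blob on disk even though the API hands it back as an array.

```powershell
# Added example (editor's code, not from the article). Uses a scratch key.
$key = 'HKCU:\Software\RegDemo'
New-Item -Path $key -Force | Out-Null

New-ItemProperty -Path $key -Name Str   -PropertyType String       -Value 'plain text' -Force | Out-Null
New-ItemProperty -Path $key -Name Exp   -PropertyType ExpandString -Value '%SystemRoot%\System32' -Force | Out-Null
New-ItemProperty -Path $key -Name Multi -PropertyType MultiString  -Value @('Alpha','Beta','Gamma','Delta') -Force | Out-Null
New-ItemProperty -Path $key -Name Dword -PropertyType DWord        -Value 1 -Force | Out-Null
New-ItemProperty -Path $key -Name Qword -PropertyType QWord        -Value ([long]::MaxValue) -Force | Out-Null
New-ItemProperty -Path $key -Name Bin   -PropertyType Binary       -Value ([byte[]](0xDE,0xAD,0xBE,0xEF)) -Force | Out-Null

$item = Get-Item $key

# Get-ItemProperty expands REG_EXPAND_SZ for you. Ask the key object with
# DoNotExpandEnvironmentNames to see what is actually stored.
'Exp (expanded) : ' + (Get-ItemProperty $key).Exp
'Exp (raw)      : ' + $item.GetValue('Exp', $null, 'DoNotExpandEnvironmentNames')

# REG_MULTI_SZ comes back as a string array. Rebuild the on-disk form:
# UTF-16LE, a NUL after each string, and one extra NUL closing the list.
$multi  = $item.GetValue('Multi')
'Multi count    : ' + $multi.Count
$onDisk = ($multi -join "`0") + "`0`0"
'Multi on disk  : ' + [BitConverter]::ToString([Text.Encoding]::Unicode.GetBytes($onDisk))

# Value kinds as .NET names them: String = REG_SZ, ExpandString = REG_EXPAND_SZ,
# MultiString = REG_MULTI_SZ, DWord = REG_DWORD, QWord = REG_QWORD, Binary = REG_BINARY.
foreach ($name in $item.GetValueNames()) {
    '{0,-6} {1}' -f $name, $item.GetValueKind($name)
}

Remove-Item $key -Recurse
```

When you are reading values programmatically during an investigation, always check the kind as well as the data: a REG_SZ named like a DWORD, or a path stored as REG_BINARY, is exactly the sort of thing tooling silently mishandles.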

 

So what can we do with all of this information? Let's start out by trying to see where our annoying piece of software changed the desktop wallpaper on our user. 

First, let's navigate to HKCU\Control Panel\Desktop. Once you've clicked on Desktop in the tree view, you'll see a number of values appear on the right side, each dealing with a customization option for the currently logged-in user's desktop.

Depending on which version of Windows you are using, there are two places to find the wallpaper in use. TranscodedImageCache is a REG_BINARY value that embeds the path as UTF-16 text inside a binary blob; Wallpaper is a REG_SZ value holding the path as a plain string. Both give the same information, but the Wallpaper value is far more readable in regedit.
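The PowerShell below is an added example (editor's code, not from the article) for the cleanup scenario from the introduction. It reads the wallpaper path from both values described above, then checks the per-user policy values that Group Policy uses to pin a wallpaper in place (anything running as the user can write them, so they are worth a look when a wallpaper "won't change"), and finally shows how to set a replacement so that Explorer actually repaints. Two assumptions: the path inside TranscodedImageCache starts after a 24-byte header (an observed layout, not something Microsoft documents), and the script runs as the affected user.

```powershell
# Added example (editor's code, not from the article).
$desktop = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
'Wallpaper (REG_SZ)          : ' + $desktop.Wallpaper

$cache = $desktop.TranscodedImageCache            # byte[] from the REG_BINARY value
if ($cache -and $cache.Length -gt 24) {
    # Assumption: UTF-16LE text follows a 24-byte header; stop at the first NUL.
    $text = [Text.Encoding]::Unicode.GetString($cache, 24, $cache.Length - 24)
    'TranscodedImageCache (path) : ' + $text.Split([char]0)[0]
}

# Per-user policy locations for "Desktop Wallpaper" and "Prevent changing
# desktop background". If either is present the Desktop key is not the
# thing holding the wallpaper in place.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'Wallpaper' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper' }
)
foreach ($c in $policyChecks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v) { Write-Warning ('Policy value present: {0}\{1} = {2}' -f $c.Path, $c.Name, $v) }
}

# Editing the Wallpaper value alone does not repaint the desktop. Go through
# SystemParametersInfo, which rewrites the registry value and notifies Explorer.
if (-not ('Win32.Wallpaper' -as [type])) {
    Add-Type -Namespace Win32 -Name Wallpaper -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool SystemParametersInfo(uint uiAction, uint uiParam, string pvParam, uint fWinIni);
'@
}
function Set-DesktopWallpaper([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { throw "Image not found: $Path" }
    # SPI_SETDESKWALLPAPER = 0x14; 3 = SPIF_UPDATEINIFILE | SPIF_SENDCHANGE
    [Win32.Wallpaper]::SystemParametersInfo(0x14, 0, $Path, 3)
}
# Usage: Set-DesktopWallpaper 'C:\Windows\Web\Wallpaper\Windows\img0.jpg'
```

If the policy check fires, remove those values (or the whole Policies subkey the malware created) before resetting the wallpaper; otherwise Explorer will put the ransom note straight back.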

That's all good for finding a value that already exists, but what if we wanted to change something or introduce an entirely new value? Let's say for security reasons that we wanted to block users from adding new .PST files to Outlook. How would we do that?

Office looks for a number of preset policy values when it starts up. Certain options, such as disabling PSTs, are not set out of the box, for obvious reasons. Microsoft does, however, document these values so that organizations can apply them when needed.

First, make sure that the user's copy of Outlook is closed; Outlook reads policy values at startup. Next, navigate to HKCU\Software\Policies\Microsoft\Office\<version>\Outlook, where <version> is the Office version number (for example 16.0 for Office 2016 and later). Policy keys usually do not exist until a policy has been set, so you may need to create the missing keys along the way.

IMPORTANT: BEFORE MAKING ANY CHANGES TO A REGISTRY KEY, BE SURE TO BACK IT UP. Right-click the key and select Export; you will be prompted for where to save the backup and what to name it. Keep in mind that importing a .reg file only re-creates the keys and values it contains. It does not delete values added after the export, so reverting a change may also mean deleting a value by hand.

Go over to the right side of the screen, right-click in the white space and select New > DWORD (32-bit) Value. Name the new value DisablePST. Double-click it to open the edit dialog and change the Value data from 0 to 1. (0 here means PSTs are not disabled, while 1 means they are.)

Click OK to save the setting and you're done. The next time Outlook starts, that user will no longer be able to add a .PST file to their profile.
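The same procedure as a script, so it can be repeated on another machine without clicking through regedit. This is an added example (editor's code, not from the article). It assumes Office version 16.0, which covers Office 2016, 2019 and Microsoft 365 Apps; substitute the version installed on the target. The backup file name and location are arbitrary choices.

```powershell
# Added example (editor's code, not from the article).
$officeVersion = '16.0'                                              # assumption: Office 2016 or later
$key    = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Outlook"
$regKey = "HKCU\Software\Policies\Microsoft\Office\$officeVersion\Outlook"   # reg.exe spelling
$backup = Join-Path $env:TEMP ('Outlook-policy-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# 1. Outlook must be closed; it reads policy values only at startup.
if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
    throw 'Close Outlook before changing its policy settings.'
}

# 2. Back up the key if it exists. Policy keys are normally absent until a
#    policy has been set, so on a fresh machine there is nothing to export.
if (Test-Path $key) {
    reg.exe export $regKey $backup /y | Out-Null
    "Backup written to $backup"
} else {
    New-Item -Path $key -Force | Out-Null          # -Force creates missing parents
    'Policy key did not exist; created it (no backup needed).'
}

# 3. Create or overwrite the DWORD. 1 = users cannot add PSTs, 0 = allowed.
New-ItemProperty -Path $key -Name DisablePST -PropertyType DWord -Value 1 -Force | Out-Null

# 4. Verify what is actually stored, including its type. A REG_SZ "1" would be ignored.
$item = Get-Item $key
'{0}\DisablePST = {1} ({2})' -f $key, $item.GetValue('DisablePST'), $item.GetValueKind('DisablePST')

# To undo: Remove-ItemProperty -Path $key -Name DisablePST, or reg.exe import $backup
```

Step 4 is the one people skip. The policy only works if the value is a REG_DWORD; a string value with the same name and a "1" in it looks identical at a glance in regedit and does nothing.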

Conclusion

The Windows Registry is incredibly powerful and a highly effective way to make modifications to programs and settings that might otherwise not be possible. An important thing to consider for the future, however, is scale. Making individual changes in the Registry is fine for a handful of systems and users, but once you need the same change on a large number of machines, you need a better way.

Group Policy is the way to do that. Many changes you can make in the Registry by hand correspond to a predefined Administrative Template setting, and the rest can be pushed out as specific Registry values through Group Policy Preferences.

Whichever option you choose, remember that modifying the Registry can cause changes for good or ill, so back up the keys you touch before making a change.


Sources

  1. Find your current wallpaper image path in Windows 10, Winaero
  2. Overview of the Windows Registry, Microsoft
  3. Registry Value Types, Microsoft
  4. How to use Outlook policy to control PST use and creation in the Office 365 Import service, Microsoft
Kurt Ellzey

Kurt Ellzey has worked in IT for the past 12 years, with a specialization in Information Security. During that time, he has covered a broad swath of IT tasks from system administration to application development and beyond. He has contributed to a book published in 2013 entitled "Security 3.0" which is currently available on Amazon and other retailers.