In this blog, I will discuss various registry keys my script collects, detailing their significance, reasons for collection, and potential uses. Understanding these keys is crucial for security analysis, forensic investigations, and system monitoring.
1. Programs Executed By Session Manager
Registry Key: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
Importance: This key determines the programs executed during the boot process and various system operations managed by the Session Manager (smss.exe). Monitoring this key helps identify unauthorized programs that may compromise the system during startup.
Use Case: Detecting and preventing the execution of malicious programs during the boot process.
2. Shell Folders
Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Importance: These keys define the paths for common shell folders, which are essential for organizing user and system data. Misconfigured paths can lead to system instability and loss of data.
Use Case: Ensuring that shell folder paths are correctly configured for optimal system performance.
3. User Shell Folders 'Startup'
Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup
Importance: Defines the startup folder for user-specific startup programs. It is crucial for identifying programs that automatically start when a user logs in.
Use Case: Monitoring and controlling startup programs to enhance system security and performance.
4. Approved Shell Extensions
Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Importance: These keys list the approved shell extensions for the system, enhancing functionality in the Windows Shell. Unauthorized extensions can pose a security risk.
Use Case: Ensuring only trusted shell extensions are allowed to prevent malicious activities.
5. AppCert DLLs
Registry Key: HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls
Importance: Typically used to specify DLLs that applications must load before they start. This can be leveraged to inject security-related DLLs.
Use Case: Enforcing the loading of security DLLs to ensure applications meet security requirements before execution.
6. Shell Commands
Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell
Importance: Defines shell commands used in the Windows context menu. Malicious commands here can lead to unauthorized actions.
Use Case: Monitoring for unauthorized shell commands to prevent potential misuse.
7. BCD Related
Registry Key: HKLM\BCD00000000
Importance: Related to Boot Configuration Data, which is crucial for the system boot process. Any tampering can result in boot failures.
Use Case: Ensuring the integrity of Boot Configuration Data to maintain system boot reliability.
8. LSA Packages Loaded
Registry Key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig
Importance: Lists the security packages loaded by the Local Security Authority (LSA). These packages are essential for system security operations.
Use Case: Verifying the security packages to ensure they are not compromised.
9. Browser Helper Objects
Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Importance: Defines add-ons for Internet Explorer. Malicious add-ons can hijack browser sessions and steal data.
Use Case: Identifying and removing malicious browser helper objects to protect user data.
10. User Specific IE Extensions
Registry Key: HKCU\Software\Microsoft\Internet Explorer\Extensions
Importance: Defines user-specific Internet Explorer extensions. Monitoring these extensions helps in ensuring user-specific settings are secure.
Use Case: Managing user-specific browser extensions to prevent security breaches.
11. Machine Specific IE Extensions
Registry Key: HKLM\Software\Microsoft\Internet Explorer\Extensions
Importance: Defines machine-specific Internet Explorer extensions. It is vital for maintaining overall browser security on the machine level.
Use Case: Controlling machine-specific extensions to safeguard against threats.
12. Typed URLs
Registry Key: HKCU\Software\Microsoft\Internet Explorer\TypedURLs
Importance: Stores the list of typed URLs in Internet Explorer. It can be used to track user browsing behavior.
Use Case: Analyzing browsing history for security audits and forensic investigations.
13. Internet Settings
Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Importance: Specifies various internet settings. Misconfigurations here can affect connectivity and security.
Use Case: Ensuring internet settings are correctly configured to maintain optimal security and connectivity.
14. Internet Trusted Domains
Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
Importance: Lists trusted domains for Internet Explorer. It is crucial for managing trusted and untrusted sites.
Use Case: Verifying trusted domains to prevent users from accessing malicious sites.
15. AppInit_DLLs
Registry Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Importance: Used to specify DLLs loaded by every process that uses User32.dll. Because it affects so many processes, it is a frequent target for malicious DLL injection.
Use Case: Monitoring AppInit_DLLs to ensure no unauthorized DLLs are loaded.
16. DLLs Loaded by Explorer.exe Shell
Registry Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Importance: Defines DLLs loaded by Explorer.exe. Unwanted DLLs here can affect system performance and security.
Use Case: Ensuring only necessary DLLs are loaded by Explorer.exe to maintain system stability and security.
17. Important Registry Keys - Shell and UserInit Values
Registry Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Importance: Crucial for system startup, shell configuration, and user initialization. Misconfigurations can lead to startup issues.
Use Case: Ensuring correct shell and UserInit values to avoid startup problems.
18. Important Registry Keys - Security Center SVC Values
Value: 133103271858906793
Importance: These values are critical for the operation of the Windows Security Center. Incorrect values can disable security features.
Use Case: Verifying Security Center values to ensure all security features are active.
19. Important Registry Keys - Desktop Address Bar History
Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AddressBar
Importance: Stores the history of the desktop address bar. It can be useful for forensic analysis.
Use Case: Analyzing address bar history to track user activity on the system.
20. Important Registry Keys - RunMRU Keys
Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Importance: Stores the history of commands run through the Run dialog. Useful for tracing user actions.
Use Case: Investigating RunMRU keys for a record of executed commands during forensic analysis.
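The keys above are all read the same way, so one collection routine can cover them. The following PowerShell is an added example and is not the author's script; it pulls the listed keys (one level of subkeys included, since AppCertDlls, BHOs and IE Extensions store each entry as a subkey), compares a few high-value values such as Winlogon Shell and Userinit against an assumed baseline you should adjust to your own gold image, flags any data that points into user-writable locations, and writes everything to a CSV. The output path and the baseline values are assumptions.

```powershell
# Added example, not the author's script: collect the autostart-related registry
# values listed above into one CSV and flag deviations from an assumed baseline.
# Assumptions: runs elevated; $OutCsv is a placeholder; HKCU is the running user.

$OutCsv = 'C:\IR\registry_artifacts.csv'   # placeholder output path

# Keys taken from the list above
$Keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',   # holds AppInit_DLLs
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Extensions',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\TypedURLs',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
)

# Assumed baseline ("key|valuename" = expected data); tune to your own gold image.
# LoadAppInit_DLLs = 0 is the expected state when AppInit injection is disabled.
$Baseline = @{
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell'           = 'explorer.exe'
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit'        = 'C:\Windows\system32\userinit.exe,'
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs'     = ''
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|LoadAppInit_DLLs' = 0
}

function Get-RegistryArtifacts {
    param([string[]]$Paths)
    foreach ($Path in $Paths) {
        if (-not (Test-Path -LiteralPath $Path)) {
            # Record the absence too; for some of these keys a missing key is a finding
            [pscustomobject]@{ Key = $Path; ValueName = $null; Data = $null; Status = 'KeyMissing' }
            continue
        }
        $Item = Get-Item -LiteralPath $Path
        foreach ($Name in $Item.GetValueNames()) {
            # Keep REG_EXPAND_SZ unexpanded so the stored text is what gets recorded
            $Data = $Item.GetValue($Name, $null, 'DoNotExpandEnvironmentNames')
            $Display = if ($Data -is [byte[]]) { ($Data | ForEach-Object { $_.ToString('x2') }) -join '' } else { [string]$Data }
            $Status = 'Collected'
            $BaselineKey = "$Path|$Name"
            if ($Baseline.ContainsKey($BaselineKey) -and ([string]$Baseline[$BaselineKey] -ne $Display)) {
                $Status = 'DeviatesFromBaseline'
            }
            # Data pointing into user-writable locations deserves a second look
            if ($Display -match '(?i)\\AppData\\|\\Users\\Public\\|\\Temp\\') {
                $Status = 'UserWritablePath'
            }
            [pscustomobject]@{ Key = $Path; ValueName = $Name; Data = $Display; Status = $Status }
        }
        # One level of subkeys: AppCertDlls, BHOs and IE Extensions keep entries there
        foreach ($Sub in Get-ChildItem -LiteralPath $Path -ErrorAction SilentlyContinue) {
            foreach ($Name in $Sub.GetValueNames()) {
                [pscustomobject]@{ Key = $Sub.Name; ValueName = $Name; Data = [string]$Sub.GetValue($Name); Status = 'Collected' }
            }
        }
    }
}

$Results = Get-RegistryArtifacts -Paths $Keys
$Results | Export-Csv -LiteralPath $OutCsv -NoTypeInformation
# Triage view: only rows that deviate from baseline, point to user-writable paths, or are missing
$Results | Where-Object Status -ne 'Collected' | Format-Table -AutoSize
```

Run it from an elevated session on the machine being examined. The CSV is the full record for the case file; the table printed at the end is the short list worth reading first.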
21. Local AppData Executable Files
Location: C:\Users\User\AppData\Local\
Description: Executable files stored in the Local AppData directory are specific to a user's local profile on the machine. These files are not synced with other devices or servers.
Example: An executable file used by a program installed only on the local machine.
22. Roaming AppData Executable Files
Location: C:\Users\User\AppData\Roaming\
Description: Executable files stored in the Roaming AppData directory are meant to be synchronized with a server if the user is part of a domain. This allows the user's settings and files to be available on any device they log into within the domain.
Example: An executable file for a program that needs to be available across multiple devices for a domain user.
23. Local AppData DLL Files
Location: C:\Users\User\AppData\Local\
Description: DLL files in the Local AppData directory are specific to the user's local profile on the machine and are used by applications installed on that specific machine. These DLLs are not meant to be shared or synced with other devices.
Example: A DLL file required by a locally installed application for its operation.
24. Roaming AppData DLL Files
Location: C:\Users\User\AppData\Roaming\
Description: DLL files in the Roaming AppData directory are intended to be synchronized with a server if the user is part of a domain. This ensures that the required DLL files are available on any device the user logs into within the domain.
Example: A DLL file for a program that needs to be accessible and consistent across multiple devices for a domain user.
25. Local AppData Batch Files
Location: C:\Users\User\AppData\Local\
Description: Batch files in the Local AppData directory are scripts specific to the user's local profile and are intended for use on that particular machine. These batch files are not synchronized with other devices.
Example: A batch script used for automating tasks on the local machine only.
26. Roaming AppData Batch Files
Location: C:\Users\User\AppData\Roaming\
Description: Batch files in the Roaming AppData directory can be synchronized with a server if the user is part of a domain, allowing these scripts to be used on any device the user logs into within the domain.
Example: A batch script used for automating tasks that need to be consistent across multiple devices for a domain user.
Summary
Local AppData Files: Specific to the user's local profile on a single machine and not synced with other devices.
Roaming AppData Files: Synced with a server for domain users, allowing the files to be accessible across multiple devices.
27. Startup LNK Files
File Location: Commonly found in C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Importance: LNK files (shortcuts) in the startup directory can be used to launch programs automatically when the user logs in. Malicious LNK files here can be used to maintain persistence.
Use Case: Ensuring that only legitimate programs are set to launch at startup, preventing unauthorized applications from executing.
28. Public Executable Files
File Location: Typically located in C:\Users\Public
Importance: Executable files in the Public directory can be accessed by all users, which makes it a target for malware aiming for broader system compromise.
Use Case: Monitoring public executable files to ensure they are not used to spread malware across user accounts.
29. Public LNK Files
File Location: Typically located in C:\Users\Public
Importance: Public LNK files can be used to create shortcuts to malicious executables. Monitoring these files helps in identifying potential threats accessible to all users.
Use Case: Ensuring public LNK files do not link to unauthorized or harmful applications.
30. Public DLL Files
File Location: Typically located in C:\Users\Public
Importance: Public DLL files can be loaded by various applications, posing a security risk if they are malicious. Monitoring these files helps in preventing DLL injection attacks.
Use Case: Ensuring public DLL files are legitimate and not used to inject malicious code.
31. Public Batch Files
File Location: Typically located in C:\Users\Public
Importance: Batch files in the Public directory can automate commands accessible to all users, making them a target for malware. Monitoring these files is crucial for preventing automated malicious activities.
Use Case: Detecting and analyzing batch files to prevent unauthorized commands from being executed.
32. Custom Startup LNK Files
File Location: Custom locations specified by the user or administrator
Importance: Custom startup LNK files can be used to launch specific applications or scripts at startup. They are often used for legitimate purposes but can also be exploited by malware for persistence.
Use Case: Verifying that custom startup LNK files are legitimate and not used to launch malicious applications at startup.
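Items 21 to 32 above are file-system artifacts rather than registry keys, but they are triaged the same way: find the executables, DLLs, batch files and shortcuts in user-writable locations, hash them, check whether binaries are signed, and resolve what each shortcut actually launches. The following PowerShell is an added example and is not the author's script; it walks every profile's Local and Roaming AppData plus C:\Users\Public, and marks files sitting in a Startup folder. The output path is an assumption.

```powershell
# Added example, not the author's script: inventory executable, DLL, batch and
# shortcut files in the profile locations listed above and resolve .lnk targets.
# Assumptions: runs elevated so every profile is readable; $OutCsv is a placeholder.

$OutCsv = 'C:\IR\file_artifacts.csv'   # placeholder output path

# Every profile under C:\Users is covered, not only the current user, plus Public
$Roots = @(Get-ChildItem -Path 'C:\Users' -Directory | ForEach-Object {
    Join-Path $_.FullName 'AppData\Local'
    Join-Path $_.FullName 'AppData\Roaming'
}) + 'C:\Users\Public'

$Extensions = '.exe', '.dll', '.bat', '.cmd', '.lnk'
$WshShell = New-Object -ComObject WScript.Shell   # used to read .lnk targets

function Get-ProfileArtifacts {
    param([string[]]$Paths, [string[]]$Ext)
    foreach ($Root in $Paths) {
        if (-not (Test-Path -LiteralPath $Root)) { continue }
        Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $Ext -contains $_.Extension.ToLower() } |
            ForEach-Object {
                $Target = $null
                $Signer = 'NotApplicable'
                if ($_.Extension -ieq '.lnk') {
                    # Shortcut: record the target and arguments, which is what actually runs
                    $Lnk = $WshShell.CreateShortcut($_.FullName)
                    $Target = ($Lnk.TargetPath + ' ' + $Lnk.Arguments).Trim()
                } elseif ($_.Extension -ine '.bat' -and $_.Extension -ine '.cmd') {
                    # PE files: Authenticode status; unsigned binaries in AppData stand out
                    $Signer = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                }
                [pscustomobject]@{
                    Path      = $_.FullName
                    Size      = $_.Length
                    Created   = $_.CreationTimeUtc
                    Modified  = $_.LastWriteTimeUtc
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    Signature = $Signer
                    LnkTarget = $Target
                    InStartup = $_.FullName -like '*\Start Menu\Programs\Startup\*'
                }
            }
    }
}

$Results = Get-ProfileArtifacts -Paths $Roots -Ext $Extensions
$Results | Export-Csv -LiteralPath $OutCsv -NoTypeInformation
# Triage view: startup shortcuts and unsigned binaries first
$Results | Where-Object { $_.InStartup -or $_.Signature -eq 'NotSigned' } |
    Format-Table Path, Signature, LnkTarget -AutoSize
```

Resolving the shortcut target matters because a .lnk in a Startup folder is only as trustworthy as the path and arguments it carries; the hash of the .lnk itself tells you little. Custom startup locations (item 32) can be added to $Roots as they are discovered.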
Kindly note: this blog only covers the registry keys my script collects. It does not include the other things my script collects, for example collecting a memory dump, performing a Windows audit, collecting firewall modifications, and many more.
"My script is not a replacement for any existing scripts available in the market or the original artifact collection software; it is designed specifically for incident response to collect detailed information that can be helpful in investigations."
Akash Patel