Registry Structure
The Registry is divided into five different major sections, called hives or subtrees. The five hives, as shown in Figure 1, are HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, and HKEY_CURRENT_CONFIG. They are often abbreviated as HKCR, HKCU, HKLM, HKU, and HKCC by authors, including in this book. You can explore the Registry (and view, search, modify, and delete information) using Regedit.exe.
Under each hive are keys, subkeys, values, and data, making up thousands of separate database entries. Keys are the first level under the subtrees, followed by the lower subkeys, the subkey values, and the data of each value. Keys and subkeys can contain values, each of which typically has a name and a piece of data associated with it. There can be one or more values under each subkey. Each value can contain data of only one format. Probably the most common format is REG_DWORD, actually a REG_DWORD32 on a 32-bit computer and either a REG_DWORD32 or REG_DWORD64 on a 64-bit computer. A REG_DWORD is a 32- or 64-bit binary value interpreted as a binary bitmask or as a decimal or hexadecimal integer. Other common formats are REG_SZ (a single string) and REG_MULTI_SZ (several strings separated by carriage-return+line-feed characters). In Figure 2, the hive is HKLM, the key is \Software, the subkey is \Microsoft\Windows\CurrentVersion\Run, the value is Windows Defender, and the data is %Program Files%\Windows Defender\MSASCui.exe -hide, which in this case is the registry entry that causes Windows Defender to launch at user logon.
HKey_Local_Machine Hive
HKLM is one of the most important hives to understand. Actually, all of HKLM is virtual and composed of pieces from elsewhere. It does not exist when the system is not running. The HKLM hive stores configuration information for hardware and software of the computer regardless of who is logged on. It contains seven keys: BCD00000000, Components, Hardware, SAM, Security, Software, and System.
The BCD00000000 key holds the EFI boot values and can be viewed only with elevated permissions. The Components key, introduced in Vista, is the location where applications and COM and DCOM objects should be registered.
The Hardware key contains information about the physical hardware of the computer. The key HKLM\HARDWARE is not stored as a file, because it is recreated each time the system starts. Any values created during the Windows session are discarded when Windows is shut down. Hardware information about local devices, interrupts, and hardware configuration information are stored under this key. You can view a lot of this information by using the Device Manager applet under the Control Panel. Windows and other applications can access this key to interface with the hardware appropriately.
The SAM key is the SAM database that stores authentication and security information about the different security principals (user, group, computers, and so on). It is usually protected from direct manipulation, even by the administrator. Occasionally, various malicious hacking tools are able to access it and extract password hashes, but Microsoft always seems to patch Windows and close the holes.
The Security key contains stored secrets, values, and security configuration information that is accessible only to the System account by default.
HKLM\Software is the Windows key most popular with both legitimate users and malware. \Software contains registration and configuration information for the operating system and application software installed on the local machine. It contains many of the registry autorun keys (including the most popular autorun key, HKLM\Software\Microsoft\Windows\CurrentVersion\Run). It contains subkeys for nearly every installed software program.
HKLM\System is second in malware popularity only to HKLM\Software. It contains operating system information that controls system startup behavior, device driver loading, service configuration and loading, and overall OS operations. An example is HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal. This subkey controls what services are loaded if the OS is booted in Safe mode.
Many forensic investigators rely on Safe mode to remove any malware programs when searching for signs of infection and maliciousness. Many malware programs manipulate this key so that they are loaded, and can thus manipulate or hamper forensic techniques even when the OS is in Safe mode.
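One way to review what the SafeBoot\Minimal subkey permits to load, as an added example that is not from the book: each entry is resolved to its service or driver ImagePath so an unexpected addition stands out. The "outside Windows directory" heuristic is this example's own assumption, not something the book states; run it in an elevated PowerShell session on the host being examined.

```powershell
# Added example, not from the book: list what SafeBoot\Minimal allows in Safe mode and
# resolve each service entry to its ImagePath so unexpected additions are visible.
function Get-SafeBootMinimalEntries {
    $safeBoot = 'HKLM:\System\CurrentControlSet\Control\SafeBoot\Minimal'
    $services = 'HKLM:\System\CurrentControlSet\Services'
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

    foreach ($entry in Get-ChildItem -LiteralPath $safeBoot) {
        $name = $entry.PSChildName
        # GUID-named subkeys are device setup class groups; the rest name individual services or drivers
        $isClassGroup = $name -match '^\{[0-9A-Fa-f-]{36}\}$'
        $svcKey = Join-Path $services $name
        $image = $null
        $note = ''

        if (-not $isClassGroup) {
            if (Test-Path -LiteralPath $svcKey) {
                $image = (Get-Item -LiteralPath $svcKey).GetValue('ImagePath', $null, $noExpand)
                # Heuristic (assumption): standard Safe mode components live under the Windows directory
                if ($image -and $image -notmatch '(?i)systemroot|system32|syswow64|\\windows\\') {
                    $note = 'image outside Windows directory; review'
                }
            } else {
                $note = 'no matching key under Services'
            }
        }

        [pscustomobject]@{
            Entry     = $name
            Type      = $entry.GetValue('')     # usually "Service" or "Driver"
            ImagePath = $image
            Note      = $note
        }
    }
}
Get-SafeBootMinimalEntries | Sort-Object Note -Descending | Format-Table -AutoSize -Wrap
```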
All 64-bit versions of Windows store many pre-64-bit (i.e., 32-bit) HKLM\Software registry keys under a single location in the registry, HKLM\Software\WOW6432Node. 32-bit programs accessing HKLM\Software are seamlessly redirected to this location. If legacy (pre-Vista) malware is exploiting Windows, chances are high that it will load itself using a subkey located under HKLM.
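The Run autorun locations discussed above, including the WOW6432Node key that 32-bit programs are redirected to, can be enumerated together. This is an added example, not code from the book; the "trusted directory" test (Program Files and the Windows directory) is the example's own heuristic.

```powershell
# Added example, not from the book: enumerate Run autostart values in the locations the
# text names, including the WOW6432Node key that 32-bit programs are redirected to.
function Get-RunAutostartEntries {
    $locations = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',   # 32-bit view on 64-bit Windows
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    # Heuristic (assumption): programs outside these directories deserve a closer look
    $trusted = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    foreach ($key in $locations) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $raw = [string]$item.GetValue($name, '', $noExpand)
            # The program is the first token of the command line; a quoted path may contain spaces
            $program = if ($raw -match '^\s*"([^"]+)"') { $Matches[1] }
                       elseif ($raw -match '^\s*(\S+)') { $Matches[1] }
                       else { '' }
            $expanded = [Environment]::ExpandEnvironmentVariables($program)
            $inTrusted = $false
            foreach ($dir in $trusted) {
                if ($expanded.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
            }
            [pscustomobject]@{
                Key     = $key
                Value   = $name
                Data    = $raw
                Kind    = $item.GetValueKind($name)
                Program = $expanded
                # Relative names (no directory) also fail this test and are worth a look
                Exists  = ($expanded -ne '' -and (Test-Path -LiteralPath $expanded -PathType Leaf))
                Review  = -not $inTrusted
            }
        }
    }
}
Get-RunAutostartEntries | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap
```

Other users' profiles are not covered by HKCU; their Run keys live under HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run and would need a separate pass.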
HKey_Classes_Root
HKCR is most commonly used to list the effective Windows file associations, linking a particular file extension to one or more software programs that are supposedly designed to handle that file format. For example, clicking a file ending in .txt will normally result in Notepad being launched. Clicking a file ending in .vbs in Windows Explorer results in Windows Scripting Host (Wscript.exe) being called, but clicking it in Internet Explorer results in VBScript.dll being called to handle it. By default, Windows has hundreds of file associations. This subtree is used to register file associations, URI handlers (for example, news:// and aim:// in Internet Explorer), and COM file configuration information.
HKCR lists the effective Windows file associations arising from the combination of HKLM\Software\Classes and HKCU\Software\Classes. Starting with Windows 2000, file associations can be viewed or modified in any of the following three registry locations:
- HKCR
- HKLM\Software\Classes
- HKCU\Software\Classes
Although file associations can be modified in any of the three locations, HKCR is only meant to be a registry area showing the effective associations. File associations set at the HKLM\Software\Classes location are in effect for all users of the computer unless specifically overridden by HKCU\Software\Classes. Associations in HKCU\Software\Classes take precedence for the currently logged on user. If a new value is written to HKCR, and it does not exist in HKCU\Software\Classes, it is written to HKLM\Software\Classes and applies to all users on the computer. If the key or value already exists in HKLM\Software\Classes, then the modification is written to HKCU\Software\Classes and applies only to the locally logged on user. This is an important point to remember and one occasionally manipulated by malware. Forensic investigators unaware of how the three file association locations interact might be stymied by malware using the latter two keys instead of HKCR.
Under the registry key HKCR, applications are listed by either their file extension (for example, Vbs), file type name (for example, VBSFile), CLSID (for example, {}), or handling module (for example, Outlook.FileAttach). The HKCR subtree can be broken down into two main sections: upper-level file extensions and lower-level program modules and file associations.
The two different sections allow Windows to bind multiple file extensions into aggregate file types, and to simplify management of these. For example, one might have .bmp, .jpg, .gif, .tif, and so on all pointing to a file type called GraphicFiles, and define actions for these just once, under GraphicFiles. One could then define another file type called AlternateGraphicFiles, and by switching individual file extensions from one to the other, apply different sets of actions without having to destructively set these up for each file extension.
The upper level displays the file extensions that are associated with each registered program. Although most file extensions are three characters long, there are file extensions both shorter and longer. The upper-level section is mostly a "pointer" to the related lower-level file associations. Together, both levels display a lot of information for each file type. The most important values are described in the following paragraphs.
At the top of HKCR (using Regedit.exe), you will see *. This subkey tells Windows how to treat all newly registered file types if not instructed by the installing program or user. Directly after the * subkey are hundreds of registered file extensions. Actually, not too much information is stored directly under the file extension subkey, but what is there is valuable and useful. For one, the Default value will list the associated registry key where more of the file association information is stored. For nearly every file association listed at the top of the HKCR key, there is another corresponding lower-level file association subkey holding more configuration information.
For example, the .Vbs file association has a Default value of VBSFile. VBSFile is a registry key located lower in HKCR and is where the majority of the information regarding the treatment of Visual Basic Script (.Vbs) files is stored. The top file association subkey will also list the CLSID of the associated program in the Persistent Handler value. The CLSID is a unique alphanumeric GUID (Globally Unique Identifier) value given to each program or module. Windows and Internet Explorer often use the CLSID instead of the file extension to identify a file type handler.
The upper-level subkeys will also reveal MIME Type identifiers. For example, the .Txt file association has the MIME Type identifier listed in the Content Type value with data of text/plain. This means that if a file is downloaded in Internet Explorer (or HTML-enabled e-mail) with a MIME type identifier of text/plain, Windows associates the file with the .Txt file association and the lower level TxtFile subkey (as indicated by the Default value).
Heading down lower into the HKCR subtree will reveal more file association information. For instance, choosing the VBSFile file association (remember the .vbs file association's Default value said VBSFile) displays many key informational fields. First, the Default value right under the VBSFile subkey describes the file type. In this example it is VBScript Script File. Although most administrators are familiar with the most common file extensions and their meanings, there are dozens that are not well known.
If you see URL:<protocol handler>, it tells you that the "file extension" is a URL moniker, not a file extension. For example, under the Telnet file association, the Default value has data indicating URL:telnet protocol. This means that if telnet:// is typed into Internet Explorer or on the command line, it will launch the Telnet program. All the registered URL monikers are a potential attack point because malware can get third-party programs to launch in Internet Explorer. This method has been used in several attacks in the past.
The EditFlags decimal value of 0 (or 0x00000000 in hexadecimal) indicates that a file download confirmation dialog box will be displayed if the file is downloaded by Internet Explorer or other Windows programs and not automatically executed. For potentially dangerous files this is a smart option to enable. If left disabled, a malicious Web site or e-mail could automatically execute malicious code on the user's system without the user ever having a chance to deny the execution.
The DefaultIcon subkey lists the executable the icon graphic is pulled from when an associated file is displayed and the index of the icon inside the file. In the VBSFile example, the icon is pulled from Wscript.exe. Malware has been known to manipulate this value in order to make a potentially harmful file appear harmless (for example, a .exe file associated with the .txt file icon) to trick the end user into executing it without the appropriate cautions.
Some file types point to themselves as the source of the icon, and this is a common point at which malware-type spoofing occurs. When an icon is pulled out of the parent file, the file can display any icon it likes. This is why icons are an unsafe substitute for filename extensions as a determinant of file type, and the risks implied by the file type.
The Shell\Open\Command subkey shows the program the associated file is executed in or with when executed outside of Internet Explorer. In this example, VBSFile is executed with the Wscript.exe program. The Shell\Open2\Command subkey displays another program, CScript.exe, which can be used to run VBS files at the command prompt. The Shell\Edit\Command subkey displays the program the file is opened in if opened for editing (versus executing). The \Shell\Print\Command subkey tells Windows how to print the file if told to print it (often using Notepad and the /P print command). Other subkeys instructing behavior you might see include New, Printto, and OpenAsReadOnly.
Trojans and worms have manipulated the Shell\Open\Command value so that they were executed along with the normal file handler. For example, many e-mail Trojans have manipulated the .exe file association so that the malware program was executed along with any run .exe executable. They do this by changing the Exefile Default value from its normal setting of "%1" %* to "malwareprogram.exe %1" %*, where malwareprogram.exe is the malicious program's name. The following file associations are particularly popular with malware programmers using this trick:
But any file association is vulnerable. Other Trojans have attacked .chm, .ini, .reg, .scr, and .txt files. The action named as the value of the key called "shell" is the default action that will happen if you double-click (or press Enter on) a file, and will be the action seen in bold if the file is right-clicked to access the context menu. But there are some shell contexts that will use whatever action is called "open" instead, whether this is set as the default action or not. This includes the "legacy" Open With programs list, and use of the Start command.
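An added example (not code from the book) that ties together the precedence rules given for HKCU\Software\Classes, HKLM\Software\Classes and HKCR and the Shell\Open\Command hijack just described: for each extension it resolves the effective ProgID the way the text explains, reads that ProgID's open command from whichever hive supplies it, and compares the result with a baseline. The $Baseline table is this example's assumption; the book only states that exefile's normal command is "%1" %*.

```powershell
# Added example, not from the book: resolve each extension's effective ProgID (HKCU\Software\Classes
# overrides HKLM\Software\Classes; HKCR shows the merged result), read the ProgID's
# shell\open\command, and compare it with a baseline. $Baseline is an assumption of this example.
function Get-EffectiveFileHandler {
    param([string[]]$Extension = @('.exe', '.vbs', '.txt', '.chm', '.ini', '.reg', '.scr'))
    $Baseline = @{ exefile = '"%1" %*' }
    $roots    = 'HKCU:\Software\Classes', 'HKLM:\Software\Classes'   # per-user first, then machine
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

    foreach ($ext in $Extension) {
        $progId = $null; $progIdFrom = $null
        foreach ($root in $roots) {
            $extKey = Join-Path $root $ext
            if (Test-Path -LiteralPath $extKey) {
                $default = (Get-Item -LiteralPath $extKey).GetValue('')
                if ($default) { $progId = $default; $progIdFrom = $root; break }
            }
        }
        if (-not $progId) { continue }

        # The ProgID itself may be registered in either hive, so search both in the same order
        $command = $null; $commandFrom = $null
        foreach ($root in $roots) {
            $cmdKey = Join-Path $root "$progId\shell\open\command"
            if (Test-Path -LiteralPath $cmdKey) {
                $command = (Get-Item -LiteralPath $cmdKey).GetValue('', $null, $noExpand)
                $commandFrom = $root; break
            }
        }
        # HKCR is the merged view and should agree with the resolution above
        $hkcrKey = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue
        $hkcrProgId = if ($hkcrKey) { $hkcrKey.GetValue('') } else { $null }

        $flag = ''
        if ($Baseline.ContainsKey($progId) -and $command -ne $Baseline[$progId]) {
            $flag = 'open command differs from baseline'
        } elseif ($progIdFrom -eq $roots[0] -or $commandFrom -eq $roots[0]) {
            $flag = 'per-user override in HKCU\Software\Classes'
        } elseif ($hkcrProgId -ne $progId) {
            $flag = 'HKCR view disagrees'
        }

        [pscustomobject]@{ Extension = $ext; ProgId = $progId; ProgIdFrom = $progIdFrom
                           OpenCommand = $command; CommandFrom = $commandFrom; Flag = $flag }
    }
}
Get-EffectiveFileHandler | Format-Table -AutoSize -Wrap
```

Only the three locations the text names are consulted; Explorer's per-user UserChoice keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts are outside the book's scope and are not checked here.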
There are dozens of other possible registry fields related to the registry file associations, but these are the ones most interesting to malware authors and forensic investigators. Messing with file associations in the registry can be difficult and painstaking.
HKey_Current_User
HKCU lists the current configuration and profile information for the currently logged on user. Virtually any setting that affects the user's desktop experience can be found here, including background graphics, screensaver choices, folders, printer and drive mappings, whether or not the user can see hidden files, and hundreds of other settings. If similar values exist in both HKCU and under HKLM, the data in HKCU takes precedence. The HKCU location is not nearly as popular with malware, but could lead to many of the same exploits accomplished using HKLM.
Spyware uses HKCU more often than any other type of malware. The consequences are that any anti-spyware scanner must be coded to scan multiple user profiles in order to remove all spyware.
HKey_Users
HKU contains all the user profiles on the local computer. When a user logs on for the first time, his or her profile is created using the configuration information stored in the \Users\Default User folder and the HKU\.Default key. Thereafter, when the user logs onto the machine using the same profile, his or her HKU\ information is copied to HKCU for the user's session. The HKU\ is tracked by security principal SID. Any changes made to the user's profile (in HKCU) are saved back to HKU\. Although malware could take advantage of the profile keys located in HKU, to date they have not messed with it much.
HKey_Current_Config
HKCC is an alias for HKLM\System\CurrentControlSet\Hardware Profiles\Current, and the data it contains can be changed in either location. Windows allows one or more hardware profiles to be created for a computer (choose the System applet under the Control Panel, and then choose User Profiles under Advanced Settings). If desired, varying hardware devices, drivers, and services can be turned on and off per profile. Profiles are most commonly used on laptops, going from docked to undocked states. It has not been frequently manipulated by malware.
The Windows Registry contains thousands of entries. Over the years it has grown in size and complexity and outlived its usefulness. Microsoft plans to replace the Registry with another storage database type in the coming years. However, until the Registry disappears completely, and it could live with us another decade, administrators need to know the most important parts and settings.