Registry Enumeration

Intermediate | 30 min | Writeup

Finding credentials and misconfigurations in registry

Learning Objectives

  • Search registry for passwords
  • Find AutoLogon credentials
  • Identify AlwaysInstallElevated
  • Check registry permissions

The Windows Registry is a hierarchical database that stores configuration settings and options. For privilege escalation, the registry can reveal credentials, misconfigurations, and persistence mechanisms.

Registry Hives

HKLM (Local Machine) contains system-wide settings. HKCU (Current User) contains user-specific settings. Both can hold valuable information.

Stored Credentials

batch
REM AutoLogon credentials (plaintext!)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
REM Look for: DefaultUserName, DefaultPassword, AutoAdminLogon

REM VNC stored passwords (Password is a value under the WinVNC3 key, so query it with /v)
reg query "HKCU\Software\ORL\WinVNC3" /v Password
reg query "HKLM\SOFTWARE\RealVNC\WinVNC4" /v password

REM PuTTY saved sessions
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s

REM WinSCP saved credentials
reg query "HKCU\Software\Martin Prikryl\WinSCP 2\Sessions" /s

REM Search for password strings
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

AutoLogon passwords are stored in plaintext! This is a common finding in enterprise environments.
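The same Winlogon check from the defender's side, as an added PowerShell example that is not part of the original writeup: it reads the key the reg query above targets, reports whether a plaintext DefaultPassword is present, and offers a remediation that can be dry-run with -WhatIf. The function names (Test-AutoLogonExposure, Disable-AutoLogon) are this example's own.

```powershell
# Added example, not part of the original writeup: audit the Winlogon key for
# plaintext AutoLogon credentials. Function names are this example's own.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-AutoLogonExposure {
    # Any local user can read this key, so a DefaultPassword here is a
    # credential disclosure, not just a convenience setting.
    $props = Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop

    $enabled    = ("$($props.AutoAdminLogon)" -eq '1')   # REG_SZ, "1" when enabled
    $hasPlainPw = -not [string]::IsNullOrEmpty($props.DefaultPassword)

    if ($hasPlainPw) {
        $finding = 'HIGH: DefaultPassword stored in plaintext, readable by all local users'
    } elseif ($enabled) {
        # Sysinternals Autologon keeps the password as an LSA secret instead,
        # which unprivileged users cannot read.
        $finding = 'INFO: AutoLogon enabled but no DefaultPassword value present'
    } else {
        $finding = 'OK: AutoLogon not enabled'
    }

    [pscustomobject]@{
        AutoAdminLogon    = $enabled
        DefaultUserName   = $props.DefaultUserName
        DefaultDomainName = $props.DefaultDomainName
        PlaintextPassword = $hasPlainPw
        Finding           = $finding
    }
}

function Disable-AutoLogon {
    # Remediation: drop the plaintext value and turn AutoLogon off.
    # Run with -WhatIf first to see what would change.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($WinlogonKey, 'Remove DefaultPassword and set AutoAdminLogon=0')) {
        Remove-ItemProperty -Path $WinlogonKey -Name DefaultPassword -ErrorAction SilentlyContinue
        Set-ItemProperty    -Path $WinlogonKey -Name AutoAdminLogon  -Value '0'
    }
}

Test-AutoLogonExposure | Format-List
```

The audit needs no elevation because the key is world-readable; the remediation does. Where AutoLogon is genuinely required (kiosks, lab machines), moving the password into the LSA secret with Sysinternals Autologon removes it from the registry value that any user can query.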

AutoRun Locations

batch
REM System-wide AutoRun
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

REM Current user AutoRun
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

REM Check for writable AutoRun binaries
REM Use icacls to check permissions on each path

Service Configuration

batch
REM List all services
reg query HKLM\SYSTEM\CurrentControlSet\Services

REM Check specific service
reg query HKLM\SYSTEM\CurrentControlSet\Services\ServiceName

REM Look for ImagePath (binary location)
REM Check if path is unquoted and contains spaces
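The two manual checks above (writable AutoRun binaries, and service ImagePath values that are unquoted or point at a writable file) share one problem: turning a command line into the path of the file that actually runs. The added PowerShell example below, which is not part of the original writeup, does that once and applies it to both the Run/RunOnce keys and the Services key, flagging any binary that low-privileged principals can modify. The function names, the list of low-privilege principals and the chosen write-bit mask are this example's own assumptions.

```powershell
# Added example, not part of the original writeup: locate AutoRun and service
# binaries that low-privileged users can modify, and flag unquoted service
# paths containing spaces. Names and the principal list are assumptions.

$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow replacing or altering the file. Composite values such as
# Modify are deliberately not used, because -band on them also matches read bits.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [int][System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
             [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             0x40000000 -bor 0x10000000   # GENERIC_WRITE and GENERIC_ALL as raw masks

function Get-ExecutableFromCommand {
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: grow the candidate one token at a time until it names an
    # existing .exe, mirroring how Windows tries "C:\Program",
    # then "C:\Program Files\Foo", and so on.
    $tokens = $cmd -split ' '
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        $candidate = $tokens[0..$i] -join ' '
        if ($candidate -imatch '\.exe$' -and (Test-Path -LiteralPath $candidate)) { return $candidate }
    }
    return $tokens[0]
}

function Test-WritableByLowPriv {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteBits) -ne 0) { return $true }
    }
    return $false
}

function Get-AutoRunExposure {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $exe = Get-ExecutableFromCommand -Command ([string]$item.GetValue($name))
            [pscustomobject]@{
                Source            = $key
                Entry             = $name
                Binary            = $exe
                WritableByLowPriv = Test-WritableByLowPriv $exe
            }
        }
    }
}

function Get-ServicePathExposure {
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $img = $svc.GetValue('ImagePath')
        if (-not $img) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables([string]$img)
        $exe = Get-ExecutableFromCommand $expanded
        $unquoted = $false
        if (-not $expanded.StartsWith('"') -and $expanded -imatch '^(.+?\.exe)') {
            $unquoted = $Matches[1].Contains(' ')   # space before .exe in an unquoted path
        }
        [pscustomobject]@{
            Service            = $svc.PSChildName
            ImagePath          = $img
            UnquotedWithSpaces = $unquoted
            WritableByLowPriv  = Test-WritableByLowPriv $exe
        }
    }
}

Get-AutoRunExposure     | Where-Object WritableByLowPriv | Format-Table -AutoSize
Get-ServicePathExposure | Where-Object { $_.UnquotedWithSpaces -or $_.WritableByLowPriv } | Format-Table -AutoSize
```

Driver entries whose ImagePath is relative (system32\drivers\...) resolve to nothing on disk and are reported as not writable rather than causing errors. For any hit, the fix is the same as the manual icacls route the writeup points at: remove the write ACE for the low-privileged principal, and quote the service path in its ImagePath value.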

AlwaysInstallElevated

batch
REM Check if AlwaysInstallElevated is enabled
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

REM If both return 0x1, MSI files install with SYSTEM privs!

AlwaysInstallElevated

If both registry keys return 1, you can create a malicious MSI file that will install with SYSTEM privileges.
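A defender's version of the same check, as an added PowerShell example that is not part of the original writeup: it reads both policy values, reports whether the policy is effective (only when both are 1), and includes a -WhatIf-capable remediation. The function names are this example's own.

```powershell
# Added example, not part of the original writeup: confirm whether the
# AlwaysInstallElevated policy is active in both hives and remediate it.
# Function names are this example's own.
$InstallerPolicyKeys = @{
    HKLM = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    HKCU = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

function Get-InstallerPolicyValue {
    param([string]$Key)
    if (-not (Test-Path $Key)) { return $null }
    # REG_DWORD; the "0x1" shown by reg query is the integer 1 here
    (Get-ItemProperty -Path $Key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
}

function Test-AlwaysInstallElevated {
    $hklm = Get-InstallerPolicyValue $InstallerPolicyKeys.HKLM
    $hkcu = Get-InstallerPolicyValue $InstallerPolicyKeys.HKCU
    [pscustomobject]@{
        HKLM = $hklm
        HKCU = $hkcu
        # Windows Installer honours the policy only when both values are 1.
        # HKCU is per-user, so run this as the account being assessed.
        Effective = (($hklm -eq 1) -and ($hkcu -eq 1))
    }
}

function Disable-AlwaysInstallElevated {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($key in $InstallerPolicyKeys.Values) {
        if (-not (Test-Path $key)) { continue }
        if ($PSCmdlet.ShouldProcess($key, 'Set AlwaysInstallElevated = 0')) {
            Set-ItemProperty -Path $key -Name AlwaysInstallElevated -Value 0 -Type DWord
        }
    }
}

Test-AlwaysInstallElevated
```

If the value is being delivered by Group Policy, change it in the GPO rather than locally; a local edit is overwritten at the next policy refresh.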

Knowledge Check


Where are AutoLogon credentials stored?

Key Takeaways

  • AutoLogon credentials may be stored in plaintext in the registry
  • Check VNC, PuTTY, and WinSCP for saved credentials
  • AlwaysInstallElevated requires both HKLM and HKCU keys set
  • AutoRun entries may point to writable binaries
  • Use reg query to enumerate registry for passwords