The Windows registry

Overview

The registry is Windows' config database, rooted in hives (HKLM machine-wide, HKCU per-user) of keys and values. Autorun keys, stored secrets, and flags like AlwaysInstallElevated make it both a persistence spot and a privesc source.

Why it matters

The registry holds autostart entries (persistence + escalation), plaintext secrets some apps leave behind, and escalation flags. Querying Run keys, autologon creds, and AlwaysInstallElevated is routine Windows enumeration.

Core concepts

Hives. HKLM (machine), HKCU (user). Keys/values. Folders → typed data. Autorun keys. Run keys = persistence and, if writable at HKLM, escalation. Stored secrets. Plaintext creds (e.g. autologon). AlwaysInstallElevated. MSI-as-SYSTEM flag.

Lesson

The registry is Windows' hierarchical configuration database — settings for the OS, drivers, services, and applications, all in one tree.

Structure

Hives are the top-level roots:

• HKLM (HKEY_LOCAL_MACHINE) — machine-wide settings (needs admin to write).
• HKCU (HKEY_CURRENT_USER) — the current user's settings.
• Keys (folders) contain values (name → typed data).

Security-relevant keys

• Autorun / persistence: HKLM\...\Run, HKCU\...\Run, services keys — programs that launch automatically. Both an attacker persistence spot and a privesc vector (if a normal user can write an HKLM autorun that runs as admin/SYSTEM).
• Stored secrets: applications sometimes store passwords/keys in the registry; winlogon autologon credentials live here in plaintext historically.
• AlwaysInstallElevated: a registry flag that, if set, lets any user install MSI packages as SYSTEM — an instant escalation (covered in privesc).

Tools

reg query/reg add (CLI), regedit (GUI). Searching the registry for credentials and writable autorun keys is standard Windows enumeration.

Summary

The registry centralises Windows configuration in hives of keys/values; its autorun keys, leftover secrets, and escalation flags make it a recurring target for both persistence and privilege escalation.