Threat Hunting for Windows Registry

Alican Kiraz
3 min readAug 30, 2022


Source :

The registry is a file system by Microsoft Windows operating systems that stores application settings, low-level system settings, and user preferences.

Registry Structure:
• Hives: contain keys (directories) and values
• Keys: might contain subkeys and/or values
• Subkeys: no difference between key and subkey structure
• Values: store data

Registry ROOT Keys:

Source :

Common Hive Locations:
• HKLM\SECURITY:%SystemRoot%\system32\config\ SECURITY
• HKLM\SOFTWARE: %SystemRoot%\system32\config\SOFTWARE
• HKLM\SYSTEM: %SystemRoot%\system32\config\SYSTEM
• HKLM\SAM: %SystemRoot%\system32\config\SAM
• HKU\DEFAULT: %SystemRoot%\system32\config\DEFAULT
• HKU\UserProfile: <profiles folder>\NTUSER.DAT

BCD: Boot configuration data replacing boot.ini
HARDWARE: maintains descriptions of the system’s hardware and all hardware device-to-driver mappings.
SAM: holds local account and group information.
SECURITY: stores system-wide security policies and user-rights assignments.
SOFTWARE: stores system-wide configuration information not needed to boot the system.
SYSTEM: contains the system-wide configuration information needed to boot the system.

Default Security Identifier(s) or SIDs;
• S-1–0–0 (Nobody): A group with no members
• S-1–1–0 (Everyone): A group that includes all users
• S-1–2–0 (Local): Users who logged on locally
• S-1–2–1 (Console Logon): Users on the physical console
• S-1–3–0 (Creator Owner): The user who created a new object
• S-1–3–1 (Creator Group): The primary group of the user who created a new object
• S-1–5–2 (Logon Network): Users logging on via network
• S-1–5–7 (Anonymous): Anonymous logged on users
• S-1–5–18 (Local System): The OS itself
• S-1–5–19 (Local Service): Service account
• S-1–5–20 (Network Service): Service account Installation dependent
• S-1–5–21-xxxxx-500: System’s Administrator
• S-1–5–32–544 (Administrators): Group of all administrators

Windows Computer Name Check
• SYSTEM\ControlSet00#\Control\ComputerName\ ComputerName

Windows Services Check
● SYSTEM\ControlSet00#\Service\
● SYSTEM\ControlSet00#\Service\<name>\Start

Value that determines how the service will behave:
● 0=boot
● 1 = system
● 2 = automatic
● 3 = manual
● 4 = disabled

Windows DHCP IP Address Check
● SYSTEM\ControlSet00#\Services\Tcpip\Parameters\Interfaces\{GUID}\DhcpIPAddress

Autoruns Check
To find which programs are started automatically when the system is turned on;

Remote Desktop
1 = RD is turned OFF 0 = RD is turned ON
● SYSTEM\ControlSet###\Control\TerminalServer\ fDenyTSConnections

Installed Applications Check
● HKLM\SOFTWARE\Microsoft\Windows\C.V.\App Paths
● HKLM\SOFTWARE\Microsoft\Windows\C.V.\Uninstall

Windows Recycle Bin Status
The settings are: 1 = bypass Recycle Bin 0 = move to Recycle Bin

IE TypedURLs
URLs entered in Internet Explorer (IE) can be found here.
● NTUSER.DAT\Software\Microsoft\Internet Explorer

IE Browser Settings
More IE Browser Settings and artifacts such as:
• Local page
• Start page
• Tabs
● NTUSER.DAT\Software\Microsoft\Internet Explorer\Main

Windows Firewall Check
The value 0 means OFF while 1 means it is ON.
● Private (standard)
● Public
● Domain

Network Types
1 — Wired, 2 — Broadband, 3 — Wireless

Network History

Last User Logged In
●SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLogged OnUser

Mounted Devices;
● HKLM\SYSTEM\MountedDevices

Drive Letters and Volume Names:
● SOFTWARE\Microsoft\Windows Portable Devices\Devices

Thank you again for reading. See you soon :)



Alican Kiraz

Blue Team Lead | CSIE | CSAE | CASP+ | eCIR | CPENT | eWPTXv2 | eCDFP | eCTHPv2 | OSWP | CEH Master | Pentest+ | CySA+ | Security+ | CEHv10 | ISO27001 IA