
# Windows Registry

## Predefined root keys

### `HKEY_CURRENT_USER`

* Contains the root of the configuration information for the user who is currently logged on.
* The user's folders, screen colors, and Control Panel settings are stored here. This information is associated with the user's profile.
* This key is sometimes abbreviated as `HKCU`.

### `HKEY_USERS`

* Contains all the actively loaded user profiles on the computer. `HKEY_CURRENT_USER` is a subkey of `HKEY_USERS`. `HKEY_USERS` is sometimes abbreviated as `HKU`.

### `HKEY_LOCAL_MACHINE`

* Contains configuration information particular to the computer (for any user). This key is sometimes abbreviated as `HKLM`.

### `HKEY_CLASSES_ROOT`

* Is a subkey of `HKEY_LOCAL_MACHINE\Software`. The information that is stored here makes sure that the correct program opens when you open a file by using Windows Explorer.
* This key is sometimes abbreviated as `HKCR`.
* Starting with Windows 2000, this information is stored under both the `HKEY_LOCAL_MACHINE` and `HKEY_CURRENT_USER` keys. The `HKEY_LOCAL_MACHINE\Software\Classes` key contains default settings that can apply to all users on the local computer.
* The `HKEY_CURRENT_USER\Software\Classes` key has settings that override the default settings and apply only to the interactive user.
* The `HKEY_CLASSES_ROOT` key provides a view of the registry that merges the information from these two sources.
* `HKEY_CLASSES_ROOT` also provides this merged view for programs that are designed for earlier versions of Windows.
* To change the settings for the interactive user, changes must be made under `HKEY_CURRENT_USER\Software\Classes` instead of under `HKEY_CLASSES_ROOT`.
* To change the default settings, changes must be made under `HKEY_LOCAL_MACHINE\Software\Classes`. If you write keys to a key under `HKEY_CLASSES_ROOT`, the system stores the information under `HKEY_LOCAL_MACHINE\Software\Classes`.
* If you write values to a key under `HKEY_CLASSES_ROOT`, and the key already exists under `HKEY_CURRENT_USER\Software\Classes`, the system stores the information there instead of under `HKEY_LOCAL_MACHINE\Software\Classes`.
* The practical consequence of these rules: because the per-user key overrides the machine-wide one, a user who can only write to `HKEY_CURRENT_USER\Software\Classes` can still shadow a machine-wide registration for anything that resolves handlers through the merged `HKEY_CLASSES_ROOT` view.
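The merge rules above can be checked directly. The following PowerShell is an added example and is not code from the original page: for a given subkey it reads the `(default)` value from `HKCU\Software\Classes`, `HKLM\Software\Classes` and the merged `HKEY_CLASSES_ROOT` view, and reports which backing key the merged view is reflecting. The sample subkeys (`.txt`, `txtfile\shell\open\command`, `.ps1`) are common handlers chosen for illustration and are not taken from the page.

```powershell
# Added example (not from the original page): show which of the two backing
# keys the merged HKEY_CLASSES_ROOT view reflects for a given subkey.
# Read-only: it only compares the three views. Runs as any user.
function Resolve-ClassesSource {
    param(
        # Subkey relative to the Classes root, e.g. '.txt' or 'txtfile\shell\open\command'
        [Parameter(Mandatory)][string]$SubKey
    )

    $userPath    = "HKCU:\Software\Classes\$SubKey"
    $machinePath = "HKLM:\Software\Classes\$SubKey"
    $mergedPath  = "Registry::HKEY_CLASSES_ROOT\$SubKey"

    # Read the (default) value of a key; returns $null when the key or value is absent
    $readDefault = {
        param($Path)
        if (Test-Path -LiteralPath $Path) {
            (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'(default)'
        }
    }

    $inUser    = Test-Path -LiteralPath $userPath
    $inMachine = Test-Path -LiteralPath $machinePath

    # Per the merge rules: a per-user key shadows the machine-wide one
    $effectiveFrom = if ($inUser) { 'HKCU' } elseif ($inMachine) { 'HKLM' } else { 'none' }

    [pscustomobject]@{
        SubKey        = $SubKey
        InHKCU        = $inUser
        InHKLM        = $inMachine
        HKCU_Default  = & $readDefault $userPath
        HKLM_Default  = & $readDefault $machinePath
        HKCR_Default  = & $readDefault $mergedPath
        EffectiveFrom = $effectiveFrom
    }
}

# Compare the machine default with any per-user override for a few common handlers
'.txt', 'txtfile\shell\open\command', '.ps1' |
    ForEach-Object { Resolve-ClassesSource -SubKey $_ } |
    Format-List
```

When `InHKCU` is true and `HKCR_Default` matches `HKCU_Default` rather than `HKLM_Default`, you are looking at a per-user override of a machine-wide registration, which is exactly the case the rules above describe.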

### `HKEY_CURRENT_CONFIG`

* Contains information about the hardware profile that is used by the local computer at system startup.

## Accessing registry hives offline

* On a live system you can open the registry with `regedit.exe` and will see the standard root keys described above.
* If you only have a disk image, you need to know where the hive files live on disk. Most of them are in `C:\Windows\System32\Config`:
* `DEFAULT` (mounted on `HKEY_USERS\DEFAULT`)
* `SAM` (mounted on `HKEY_LOCAL_MACHINE\SAM`)
* `SECURITY` (mounted on `HKEY_LOCAL_MACHINE\Security`)
* `SOFTWARE` (mounted on `HKEY_LOCAL_MACHINE\Software`)
* `SYSTEM` (mounted on `HKEY_LOCAL_MACHINE\System`)
* Two further hives hold per-user information and live in the user's profile directory, which on Windows 7 and later is `C:\Users\<username>\`:
* `NTUSER.DAT`, at `C:\Users\<username>\NTUSER.DAT` (mounted on `HKEY_CURRENT_USER` when the user logs in)
* `USRCLASS.DAT`, at `C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat` (mounted on `HKEY_CURRENT_USER\Software\Classes`)
* Both are hidden system files, so they do not show up in a plain directory listing.

## The Amcache Hive

* Apart from these files there is another very important hive, the `Amcache` hive.
* It is located at `C:\Windows\AppCompat\Programs\Amcache.hve`. Windows maintains it to record information about programs that were recently run on the system, which makes it a useful source of execution evidence when little other logging is available.
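The hive files listed above (and `Amcache.hve`) are just files on the image, so the usual way to read them is to load each one under a temporary key with `reg load`, query it with the normal tooling, and unload it again. The PowerShell below is an added example, not code from the original page. It assumes the image is mounted as `E:` and that the profile of interest is `alice`; both are placeholders. `reg load` needs an elevated prompt. Note that the paths inside a loaded hive are relative to the hive root, so `Run` under the loaded `SOFTWARE` hive is `Microsoft\Windows\CurrentVersion\Run`, while under `NTUSER.DAT` it is `Software\Microsoft\Windows\CurrentVersion\Run`.

```powershell
# Added example (not from the original page): load hives from a mounted disk
# image under temporary HKLM subkeys, read from them, then unload them again.
# Assumptions for the example: image mounted as E:, profile directory 'alice'.
# Must run from an elevated prompt (reg load requires backup/restore privileges).
$ImageRoot = 'E:'
$User      = 'alice'

$hives = @{
    # mount name  = path of the hive file on the offline volume
    'OFF_SOFTWARE' = "$ImageRoot\Windows\System32\Config\SOFTWARE"
    'OFF_SYSTEM'   = "$ImageRoot\Windows\System32\Config\SYSTEM"
    'OFF_NTUSER'   = "$ImageRoot\Users\$User\NTUSER.DAT"            # hidden file
    'OFF_USRCLASS' = "$ImageRoot\Users\$User\AppData\Local\Microsoft\Windows\UsrClass.dat"
    'OFF_AMCACHE'  = "$ImageRoot\Windows\AppCompat\Programs\Amcache.hve"
}

function Mount-OfflineHive {
    param([string]$Name, [string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Hive not found: $Path" }
    # reg.exe exits non-zero if the hive is locked, corrupt, or the name is taken
    reg.exe load "HKLM\$Name" $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $Path (exit $LASTEXITCODE)" }
}

function Dismount-OfflineHive {
    param([string]$Name)
    # Release any provider handles first, otherwise the unload fails with access denied
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    reg.exe unload "HKLM\$Name" 2>$null | Out-Null
}

try {
    foreach ($h in $hives.GetEnumerator()) { Mount-OfflineHive -Name $h.Key -Path $h.Value }

    # Which ControlSet the offline SYSTEM hive would boot with (relevant for
    # KnownDLLs, services and other CurrentControlSet lookups)
    $current = (Get-ItemProperty -LiteralPath 'HKLM:\OFF_SYSTEM\Select').Current
    'SYSTEM hive current ControlSet: ControlSet{0:D3}' -f $current

    # Machine-wide and per-user autostart entries, read from the offline hives
    $runKeys = @(
        'HKLM:\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKLM:\OFF_NTUSER\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\OFF_NTUSER\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $runKeys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $key = Get-Item -LiteralPath $k
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $k; Name = $name; Command = $key.GetValue($name) }
        }
    }

    # Amcache: list the top-level subkeys under Root to see what this build records
    Get-ChildItem -LiteralPath 'HKLM:\OFF_AMCACHE\Root' | Select-Object -ExpandProperty PSChildName
}
finally {
    # Always unload, even if a query above threw, or the hive files stay locked
    foreach ($name in $hives.Keys) { Dismount-OfflineHive -Name $name }
}
```

Unloading in `finally` matters: a hive left loaded keeps the file on the image open and the next `reg load` under the same name fails. On a live system the same `reg load` approach does not work for `SAM`, `SECURITY`, `SYSTEM` or `Amcache.hve` because they are in use; take a copy from a shadow copy or from the image instead.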

### Great Keys to Enumerate

* Capture the output of these commands and save it off. It tells you a lot about the system (autostart entries, installed software, Defender configuration, mapped drives) and points you to further places to dig.

HKCU:

```
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drives MRU"
```

HKLM (note that `KnownDLLs` lives under the `System` hive, not `Software`):

```
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
reg query "HKLM\System\CurrentControlSet\Control\Session Manager\KnownDLLs"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\EventCollector"
reg query "HKLM\Software\Microsoft\Windows Defender"
reg query "HKLM\Software\Wow6432Node"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion"
reg query "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion"
```
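The raw `reg query` output is the record to keep, but for privilege escalation the interesting question is which autostart entries point at binaries the current user can modify: a writable target in an `HKLM` `Run` key executes as every user who logs on. The PowerShell below is an added example, not code from the original page. It enumerates the `Run`-style keys from the list above on a live system, pulls the executable path out of each command line, and probes whether the current token can open that file for writing. The key list, the helper names and the output CSV path are choices made for this example.

```powershell
# Added example (not from the original page): enumerate autostart keys and
# flag entries whose target binary the current user can open for writing.
# Read-only apart from the open-for-write probe, which does not modify the file.
$AutorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-AutorunTarget {
    # Extract the executable path from a Run value: a quoted path, or the
    # leading token up to the first whitespace. An unquoted path containing
    # spaces is ambiguous by design (the classic unquoted-path weakness);
    # here it comes back as its first token and shows up as Exists = False.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+', 2)[0]
}

function Test-WritableFile {
    # Probe effective write access for this token (including group grants)
    # by opening the file for write without changing its contents.
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path,
                                     [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Write,
                                     [System.IO.FileShare]::ReadWrite)
        $fs.Dispose()
        return $true
    } catch {
        return $false
    }
}

function Get-AutorunEntries {
    foreach ($keyPath in $AutorunKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($name in $key.GetValueNames()) {
            $command = [string]$key.GetValue($name)
            $target  = Get-AutorunTarget -Command $command
            $exists  = Test-Path -LiteralPath $target
            [pscustomobject]@{
                Key      = $keyPath
                Name     = $name
                Command  = $command
                Target   = $target
                Exists   = $exists
                Writable = $exists -and (Test-WritableFile -Path $target)
            }
        }
    }
}

# Save the full listing, then look at the writable and missing targets first
$entries = Get-AutorunEntries
$entries | Export-Csv -NoTypeInformation -Path "$env:TEMP\autoruns.csv"
$entries | Where-Object { $_.Writable -or -not $_.Exists } |
    Format-Table Key, Name, Target, Exists, Writable -AutoSize
```

`Writable = True` on an entry under `HKLM` is the finding to chase: the binary runs in the context of whoever logs on next, including higher-privileged accounts. `Exists = False` deserves a second look too, either because the entry is stale or because the path contains unquoted spaces and the real target is further along the command line.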

### Enable multiple RDP sessions per user

```
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
```

* **Description:** *'Sometimes you want to log in to a host via RDP or similar, but your user has an active session. Enable multiple sessions per user.'*
* The key name `Terminal Server` contains a space, so it must be quoted, and the value is a `REG_DWORD`: without `/t REG_DWORD`, `reg add` writes it as `REG_SZ`, which is not the type the service reads. Writing under `HKLM` needs an elevated shell. On Windows client editions the Remote Desktop service still limits the host to a single remote interactive session regardless of this value; it has its intended effect on Server / Remote Desktop Session Host.
