[podcast] Windows Registry, Runkeys, and where malware likes to hide

Begin Learning Cyber Security for FREE Now!

Already a Member Login Here

[podcast] Windows Registry, Runkeys, and where malware likes to hide

Author: BrBr | Published on June 30, 2016 | Views: 2037

The Windows Registry has come a long way from it’s humble beginnings in #Windows 3.11 (Windows for Workgroups).  This week, we discuss the structure of the Windows Registry, as well as some of the inner workings of the registry itself. Did you know that it is contained in specific files, located in %%Windows%%\system32, that are in a binary format? This makes them unreadable in Notepad, but regedit works just fine, as well as some specialized tools for forensics.

We also discuss where are some good places to find malware, some of the key values that you can find in the #registry and their meanings. We also discuss what atomicity is and how the registry is a lot like a database in how it functions.  Some of the things you might find in a Registry is a ‘Hive’, or the top level keys that everything descends from. In those Hives, you’ll find key/value pairs, much like in a JSON formatted API, using specific word types, like DWORD, QWORD, REG_SZ, and more.

And no podcast about Windows #forensics should be done without talking about a tool, and our friend David #Longenecker (@dnlongen on Twitter) created a cross-platform tool that allows you to take exports of the registry and analyze them without need to be physically on the host. This is a great tool for #DFIR people who can’t always be on an infected host when you need to analyze reg entries. You can find “reglister” here:



We finish up discussing our #DerbyCon giveaways and a peek at what will be a very interesting podcast next week.

Direct Link: Direct_to_mp3

iTunes: https://itunes.apple.com/us/podcast/2016-025-windows-registry/id799131292?i=1000371465676&mt=2


SoundCloud: https://soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake

#Facebook: https://www.facebook.com/BrakeingDownSec/

#Tumblr: http://brakeingdownsecurity.tumblr.com/

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/


Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?