Ready to Start Your Career?

[podcast] Windows Registry, Runkeys, and where malware likes to hide

BrBr 's profile image

By: BrBr

June 30, 2016

[embed][/embed]The Windows Registry has come a long way from it's humble beginnings in#Windows 3.11 (Windows for Workgroups).  This week, we discuss the structure of the Windows Registry, as well as some of the inner workings of the registry itself. Did you know that it is contained in specific files, located in %%Windows%%\system32, that are in a binary format? This makes them unreadable in Notepad, but regedit works just fine, as well as some specialized tools for forensics.We also discuss where are some good places to find malware, some of the key values that you can find in the#registry and their meanings. We also discuss what atomicity is and how the registry is a lot like a database in how it functions.  Some of the things you might find in a Registry is a 'Hive', or the top level keys that everything descends from. In those Hives, you'll find key/value pairs, much like in a JSON formatted API, using specific word types, like DWORD, QWORD, REG_SZ, and more.And no podcast about Windows#forensics should be done without talking about a tool, and our friend David #Longenecker (@dnlongen on Twitter) created a cross-platform tool that allows you to take exports of the registry and analyze them without need to be physically on the host. This is a great tool for #DFIR people who can't always be on an infected host when you need to analyze reg entries. You can find "reglister" here: We finish up discussing our#DerbyCon giveaways and a peek at what will be a very interesting podcast next week.Direct Link: Direct_to_mp3iTunes: SoundCloud:, Questions, Feedback: bds.podcast@gmail.comSupport Brakeing Down Security Podcast on#Patreon: @brakesec @boettcherpwned @bryanbrake#Facebook: : Network: Radio App: 
Schedule Demo