Got Hacked? - Windows Registry

Finding Indicators of Compromise (IoC)


Shawn Stewart

Mr. Stewart has 28 years of experience with hundreds of international, commercial, military, and government IT projects. He holds certifications with ISC2, Cisco, Microsoft, CompTIA, ITIL, Novell, and others. He has a Master's in Cybersecurity, a Bachelor's in IT, a minor in Professional Writing, and is a published author.

This is the first in a series of blog posts where we dive into our systems to find Indicators of Compromise (IoCs). No, not the Olympic committee. These are clues that tell us something malicious is running. It could have been placed there by a hacker working on the machine, but far more often it arrived through a drive-by download: a file that a visit to the wrong site, or a click on the wrong pop-up, pulled in without the user meaning to.

The Windows Registry functions as the brain of a Windows computer. The physical computer is the body, including the hard drive that stores data, programs, and logs. But without the Registry to tell the system how and when to load which programs, and with what settings, the computer would be useless. If your computer is slow, the Registry's startup entries may hold the key. If not, learn how to speed up your Internet here (Link).

Isn’t The Registry…Dangerous?

Yes! I often refer to the Windows Registry as the brain of the computer, and if you modify the wrong keys you absolutely can leave it brain dead. So, for this blog post, we will only read from the Registry, using the query subcommand of the built-in reg.exe command-line tool. "reg query" lists keys and values and never changes anything; its siblings "reg add" and "reg delete" are the dangerous ones, and we won't touch them. No, we won't use the graphical Registry Editor (Regedit) for this one. Don't panic! You can do this. We'll copy and paste to make it simple!

Why Do We Care

Because the Windows Registry is read by the earliest components of Windows and directs everything that loads after them, it is the perfect place for an attacker to register a program or script so it starts again after every reboot or logon. Security folks call this persistence, and the Run keys we look at below are common enough that MITRE ATT&CK gives them their own technique ID (T1547.001). Back in the old days before the fear of Ransomware, I was a computer technician for home users. You would not believe some of the malware and spyware they picked up on, um, unsavory sites. Read the Privacy tips everyone should know here (Link).

Most malicious bugs, then and now, disguise themselves as legitimate programs or Internet browser pop-ups. If you’ve read anything I’ve ever written, you know I always say, “do not click on browser pop-ups!” When you do, you are giving the software permission to run and clicking straight through the warnings that SmartScreen, User Account Control (UAC), and your antivirus or Endpoint Detection and Response (EDR) software would otherwise raise. The same thing happens in corporate environments where users have Administrator privilege on their local computers; there, one click can also let the program write itself into the machine-wide startup keys rather than only the user's own.

Registry Hides Things Well

As a hacker, if I can access one computer or device on your network, with enough time I can get into all of them. Let’s dive into the Registry and see what loads with the computer. But first, let’s explain how the Registry sets up these programs to load, and when.

For human viewing, the Registry Editor separates the Registry into five (5) root keys. I say “human viewing” because this is a graphical representation of the underlying hive files. It’s much more fluid than what we see, and some data is actually visible in multiple places: HKEY_CURRENT_USER, for example, is just a view of the logged-on user’s branch under HKEY_USERS. We are only concerned with Current User (HKEY_CURRENT_USER, or HKCU for short) and Local Machine (HKEY_LOCAL_MACHINE, or HKLM).

[Image: Windows Registry Editor showing the five root keys]

Note there are several other places malicious programs can hide in the Registry (the 32-bit WOW6432Node copies of the same Run keys on 64-bit Windows, the Winlogon keys, and the Services keys, to name three). If you want to see all the Registry keys we scan in our System Health Checks, reach out. Here is a webpage if you’re adventurous (Link).

Query, Don’t Open, The Registry

To open the Command Line Interface (CLI) in Windows, you have a few options. You can type “cmd” (without the quotes) in the Search bar. If you don’t have a Search bar, press the Windows key + R to get the Run dialog and type “cmd” there. DO NOT open Command Prompt as administrator. You don’t need that level of privilege: the Run keys in both hives can be read by any standard user. We’re just window shopping.

[Image: Windows Command Prompt]

Once inside the Command Prompt, enter each of the following commands one at a time. Copy and paste works best unless your typing skills are superb. Mine are not. (Registry paths are not case sensitive, and reg also accepts HKLM and HKCU as short forms of the two long hive names.)

  • Reg query hkey_local_machine\software\microsoft\windows\currentversion\run
  • Reg query hkey_local_machine\software\microsoft\windows\currentversion\runonce
  • Reg query hkey_current_user\software\microsoft\windows\currentversion\run
  • Reg query hkey_current_user\software\microsoft\windows\currentversion\runonce

Let’s see what my computer is hiding!

[Image: reg query output for the Local Machine Run key]

Yes, it shows a jumble of information. Each of these entries is a program set to run every time a user logs on. Every time. The first column is the value name, which the program (or the attacker) chooses freely, so it can say anything and proves nothing. The second column is the data type (REG_SZ for a plain string, REG_EXPAND_SZ for one containing variables such as %windir%) and you can safely ignore it. The third column is the actual command line: the full path of the file that will run, plus any arguments.

Honestly, the first time you look, none of the programs look legitimate. But all of these are. The first one is SecurityHealthSystray from Microsoft (the Windows Security tray icon). Second is the Realtek audio driver. The others are BitDefender, my Endpoint Detection and Response (EDR) software. Look for keywords in the file path, and look at where the file lives: legitimate startup programs almost always sit under C:\Windows or C:\Program Files, so a path under a user’s AppData or Temp folder deserves a second look (some legitimate per-user applications do install there, so it is a hint, not a verdict). Now let’s see the others.

[Image: reg query output for the RunOnce and Current User keys]

The RunOnce keys hold commands that run a single time at the next logon and are then deleted; installers and updaters use them to clear caches or finish one-time changes. There are often entries for Microsoft Edge. You’ll see there are currently no pending one-time changes on my computer.

Like my Local Machine entries, the Current User Run key shows several entries. Just reading through, though, they all appear legitimate. The difference between the two hives: Local Machine entries run for every user who logs on to the computer (and writing them requires Administrator rights), while Current User entries run only for that one account and live in that user’s own hive, so they can be different for each user. That also makes Current User the easier target for malware that is running as a normal user.

Nothing To Fear

What you will find looking through your own computer is those annoying applications that always start when Windows starts. This is where you can remove them if you can’t find the “Do Not Start With Windows” option in the program’s settings. The Startup tab in Task Manager can disable an entry without touching the Registry; deleting the value outright means Regedit (or “reg delete”), and I warn you, proceed with caution!

[Image: Registry entry created by malware to gain persistence]

So what if you have a program you don’t recognize, or an entry that launches a script (a .ps1, .vbs, or .js file) or starts powershell.exe with a long, unreadable -EncodedCommand? First, don’t panic. It’s most likely an obscure helper program for a legitimate application. However, if you see something like the picture, call me immediately! You have picked up something somewhere that your antivirus didn’t catch. You can read more about the malware in the picture here (Link). Mac does not have a registry per se, but it does keep its own list of things that start at login (launch agents and daemons). You can see what is loading by following the instructions on this webpage (Link).
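The checks described above (the three columns of reg query output, judging an entry by where its file lives, and the script and encoded-PowerShell red flags) can be folded into a small offline triage script. The Python below is an added example and is not part of the original post: it parses text saved from the four reg query commands, works out which program each value launches, and grades every entry ok, review, or alert. The sample output it reads is constructed for the example, the "Updater" entry is invented to look malicious rather than copied from real malware, and the %windir% expansion assumes a stock C:\Windows install.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: the four reg query commands from this post, pasted
# together. 'Updater' is invented to look malicious; it is not a real sample.
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    RtkAudUService    REG_SZ    "C:\Program Files\Realtek\Audio\HDA\RtkAudUService64.exe" -background

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
    OneDrive    REG_SZ    "C:\Users\shawn\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce
"""

# reg query prints each value indented four spaces: name, REG_ type, data.
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_[A-Z_]+)\s*(.*)$")
# Assumed stock-install expansions; a live script would read them from the host.
ENV_DEFAULTS = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows"}
# Script hosts that a legitimate Run value rarely launches directly.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}
SCRIPT_EXTS = (".ps1", ".vbs", ".js", ".hta", ".bat", ".cmd")
# Folders any user can write to. Legitimate per-user apps (OneDrive) live here
# too, so this alone earns a "review", not an "alert".
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "%temp%", "%appdata%")

@dataclass
class RunEntry:
    key: str
    name: str
    reg_type: str
    data: str

@dataclass
class Finding:
    entry: RunEntry
    verdict: str   # "ok", "review" or "alert"
    reasons: list

def parse_reg_query(text):
    """Turn reg query output into one RunEntry per value line."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):   # unindented line names the key being listed
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append(RunEntry(key, m.group(1), m.group(2), m.group(3).strip()))
    return entries

def executable_of(command):
    """Return the program a value launches: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split(maxsplit=1)[0] if command else ""
    for var, value in ENV_DEFAULTS.items():
        exe = re.sub(re.escape(var), lambda _m: value, exe, flags=re.IGNORECASE)
    return exe

def triage(entry):
    """Apply the red flags from the post to one entry and grade it."""
    cmd = entry.data.lower()
    exe = executable_of(entry.data).lower()
    base = ntpath.basename(exe)
    reasons = []
    if base in SCRIPT_HOSTS:
        reasons.append(f"launches script host {base}")
    if any(cmd.endswith(ext) or f"{ext} " in cmd or f'{ext}"' in cmd for ext in SCRIPT_EXTS):
        reasons.append("runs a script file instead of a program")
    if base in ("powershell.exe", "pwsh.exe") and re.search(r"\s-(enc|encodedcommand|e)\s", cmd):
        reasons.append("encoded PowerShell command")
    if re.search(r"-w(indowstyle)?\s+hidden", cmd):
        reasons.append("asks for a hidden window")
    weak = any(marker in exe for marker in USER_WRITABLE)
    if weak:
        reasons.append("executable lives in a user-writable folder")
    strong = len(reasons) - (1 if weak else 0)   # anything beyond the location hint
    verdict = "alert" if strong else ("review" if weak else "ok")
    return Finding(entry, verdict, reasons)

def report(text):
    """Parse and triage a whole reg query dump."""
    return [triage(e) for e in parse_reg_query(text)]
```

Save the output of the four commands to a file (for example "reg query ... > startup.txt"), read it, and pass the text to report(). On the sample, the two Microsoft and Realtek entries come back ok, OneDrive comes back review only because it runs from AppData (a per-user install that is perfectly normal), and the invented Updater entry comes back alert for three reasons at once: a script host, a hidden window, and an encoded command. That last combination is the kind of entry that warrants the phone call.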

Need Help?

Reach out to us! We’re all in this together. Visit our contact page to submit an inquiry. Also, please follow us on social media for the latest updates.

Check Out Our Podcast!

The Hillbilly Hacker Podcast is the hottest new show on the Internet to learn about today’s latest technology in simple words. You can find the Hillbilly Hacker on Spotify, Apple, Amazon, or wherever you find your podcasts. (Link)
