Checking your Windows Registry Pt. 1 (Keys where viruses might hide)

in #windows · 6 years ago (edited)

[Image: Pic.png]

The Registry:

What is the Windows Registry? The Registry is a hierarchical database holding the entries that describe Windows system settings and processes. It is divided into five so-called root keys (often loosely referred to as hives). Each root key contains subkeys, and the subkeys hold named values with the actual data.

[Image: firstreal.png]

You can open the Registry with regedit. Simply type regedit into the Windows search box and open it.

The Five Hives:

  • HKEY_CLASSES_ROOT: This is the key containing entries for file extensions, so Windows knows what to do with certain files. Furthermore, HKEY_CLASSES_ROOT contains entries for so-called COM objects (no need to worry about them right now).

  • HKEY_CURRENT_USER: This Hive contains all the settings for the currently logged-in user.

  • HKEY_LOCAL_MACHINE: In HKEY_LOCAL_MACHINE we have all entries related to the local computer you're sitting in front of.

  • HKEY_USERS: Here we can find entries for all user profiles that are loaded on the machine.

  • HKEY_CURRENT_CONFIG: This hive contains entries generated at boot time for the program and hardware configuration currently in use.

Interesting Keys to look for:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

All of the above keys are of interest to us because the entries in these keys are the programs that start when you either log in to your account or when you start the computer. The entries under HKEY_CURRENT_USER are the programs that start when you log in, while the entries under HKEY_LOCAL_MACHINE are the programs that start when the computer is switched on.

[Image: 2ndrun.png]
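A quick way to review these keys without clicking through each one in regedit is a short PowerShell script. The following is an added example, not code from the original post: it walks the four Run/RunOnce keys named above (plus the WOW6432Node copy that exists on 64-bit Windows, which goes beyond the post), pulls the executable out of each command line, and reports whether the file actually exists and whether it carries a valid Authenticode signature. The function names and the path-extraction heuristic are my own.

```powershell
# Added example (not from the original post): audit the Run/RunOnce autostart keys.
$runKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    # 32-bit programs on 64-bit Windows register here (not mentioned in the post).
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Heuristic (my own, not a Windows API): pull the executable path out of a command line
# such as  "C:\Program Files\App\app.exe" --minimized  or  C:\Tools\x.exe /s
function Get-ExecutableFromCommand {
    param([string]$Command)
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    # Unquoted: cut before the first whitespace that is followed by a -/ style argument.
    return ($c -split '\s+(?=[-/])', 2)[0].Trim()
}

function Get-AutorunReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, ... ; skip those.
            if ($prop.Name -like 'PS*') { continue }
            $cmd = [string]$prop.Value
            $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutableFromCommand $cmd))
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            # Status is an enum: Valid, NotSigned, HashMismatch, ... ; unsigned binaries in
            # an autostart key deserve a closer look, not automatic suspicion.
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'file missing' }
            [PSCustomObject]@{
                Key       = $key
                Name      = $prop.Name
                Command   = $cmd
                Exists    = $exists
                Signature = $sig
            }
        }
    }
}

Get-AutorunReport | Format-Table -AutoSize
```

An entry whose file no longer exists is usually leftover from an uninstalled program, while an existing but unsigned binary in a user-writable folder (AppData, Temp, Downloads) is the pattern worth investigating further.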

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

Here you can see a list of services as subkeys. If you click on one you can see several values. The interesting one is the value named Start. A Start value of 4 means the service is disabled, 3 means the service has to be started manually, and 2 means the service starts automatically.

[Image: 4thservice.png]
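Reading the Start value by hand for a few hundred services is tedious, so here is an added example (not from the original post) that decodes it for every subkey under Services and flags automatic services whose binary lives outside the Windows directory. It goes slightly beyond the post by also decoding Start values 0 and 1, which kernel drivers use. The function name and the ImagePath normalisation are my own assumptions.

```powershell
# Added example (not from the original post): decode the Start value of every service.
$startMeaning = @{
    0 = 'Boot (driver loaded by the boot loader)'
    1 = 'System (driver loaded during kernel init)'
    2 = 'Automatic'
    3 = 'Manual'
    4 = 'Disabled'
}

function Get-ServiceStartReport {
    $windir = $env:SystemRoot
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($null -eq $p.Start) { return }      # some subkeys hold parameters, not a service
        $image = [string]$p.ImagePath
        # ImagePath comes in several shapes: \??\C:\..., \SystemRoot\..., system32\drivers\x.sys,
        # %SystemRoot%\..., or a quoted path with arguments. Normalise before comparing.
        $resolved = $image -replace '^\\\?\?\\', '' `
                           -replace '^\\SystemRoot', $windir `
                           -replace '^system32\\', "$windir\system32\"
        $resolved = [Environment]::ExpandEnvironmentVariables($resolved).TrimStart('"')
        [PSCustomObject]@{
            Service       = $_.PSChildName
            Start         = $p.Start
            StartMeaning  = $startMeaning[[int]$p.Start]
            ImagePath     = $image
            OutsideWindir = ($resolved -ne '') -and ($resolved -notlike "$windir\*")
        }
    }
}

# Everything, automatic services first.
Get-ServiceStartReport | Sort-Object Start, Service | Format-Table -AutoSize

# Automatic services that do not run from the Windows directory are the short list to review.
Get-ServiceStartReport |
    Where-Object { $_.Start -eq 2 -and $_.OutsideWindir } |
    Format-Table Service, ImagePath -AutoSize
```

Plenty of legitimate software (antivirus, update agents, database engines) installs automatic services under Program Files, so the second listing is a review queue, not a verdict; unknown names with binaries under user profiles or Temp are the ones to look into.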

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

The entries in this key tell us which commands were typed into the Run dialog. So if you see a program here that you didn't even know existed, you might want to investigate further.

[Image: 3rdmru.png]
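RunMRU stores each command as a single-letter value (a, b, c, ...) with a trailing "\1" marker, and a separate MRUList value holds those letters in most-recent-first order. The following added example (not from the original post; the function name is mine) reads the key in that order so you see the latest Run-dialog commands first instead of the alphabetical order regedit shows.

```powershell
# Added example (not from the original post): list Run-dialog history, most recent first.
function Get-RunMruHistory {
    $key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return }
    $p = Get-ItemProperty -Path $key
    $order = [string]$p.MRUList              # e.g. "cab" means slot c is newest, then a, then b
    $rank = 0
    foreach ($letter in $order.ToCharArray()) {
        $slot = [string]$letter
        $prop = $p.PSObject.Properties[$slot]
        if ($null -eq $prop) { continue }    # MRUList can reference a slot that was cleared
        $rank++
        [PSCustomObject]@{
            Rank    = $rank
            Slot    = $slot
            Command = ([string]$prop.Value) -replace '\\1$', ''   # strip the "\1" marker
        }
    }
}

Get-RunMruHistory | Format-Table -AutoSize
```

Because the key lives under HKEY_CURRENT_USER it only covers the user you are logged in as; to review another profile you would load that user's NTUSER.DAT hive and read the same path from there.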

These are only some of the interesting keys. Next time we will look at some other interesting entries in the Registry, and we'll get to learn new ways to interact with the Registry.


Congratulations @toalsty! You have completed the following achievement on the Steem blockchain and have been rewarded with new badge(s) :

You made more than 500 upvotes. Your next target is to reach 600 upvotes.
