Registry
  • 09 Apr 2024


General references on the Windows registry are available here and here.

LimaCharlie's EDR Sensor observes the Windows Registry from kernel-mode. Because of this, the key paths in these events use kernel-mode object names rather than the user-mode hive names most tools display. Hive naming conventions differ between operating system versions, and the kernel-mode object name for a hive differs from its user-mode handle name.

For example, many are familiar with the user-mode handle of HKEY_LOCAL_MACHINE, often abbreviated to HKLM. The corresponding kernel-mode object name for the same hive is \Registry\Machine. More information on registry key object routines can be found at this Microsoft reference.

REGISTRY_CREATE

This event is generated whenever a registry key / value is created on a Windows OS.

Platforms: Windows

{
  "PROCESS_ID":  764,
  "REGISTRY_KEY":   "\\REGISTRY\\A\\{fddf4643-a007-4086-903e-be998801d0f7}\\Events\\{8fb5d848-23dc-498f-ac61-84b93aac1c33}"
}

REGISTRY_DELETE

This event is generated whenever a registry key / value is deleted on a Windows OS.

Platforms: Windows

{
  "PROCESS_ID":  764,
  "REGISTRY_KEY":   "\\REGISTRY\\A\\{fddf4643-a007-4086-903e-be998801d0f7}\\Events\\{8fb5d848-23dc-498f-ac61-84b93aac1c33}"
}

REGISTRY_WRITE

This event is generated whenever a registry value is written to on a Windows OS.

The REGISTRY_VALUE contains the first 16 bytes of the value written to the registry. If those bytes form a valid ASCII or Unicode string, the value is reported as-is; if they are binary data, the value is reported as a base64-encoded string. Both cases are shown in the examples below.

The SIZE is the size value passed in the original registry write call. The TYPE is the Windows registry data type of the entry written (REG_SZ, REG_BINARY, REG_DWORD, REG_QWORD and so on), numbered as in Microsoft's definition.

Platforms: Windows

Valid string payload:

{
  "PROCESS_ID": 1820,
  "REGISTRY_KEY": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Diagnostics\\LastKnownGoodPlatformLocation",
  "REGISTRY_VALUE": "C:\\Progr",
  "SIZE": 1,
  "TYPE": 1
}

Binary payload:

{
  "PROCESS_ID": 1700,
  "REGISTRY_KEY": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack\\HeartBeats\\Default\\LastHeartBeatTime",
  "REGISTRY_VALUE": "bMPGjjDM1wE=",
  "SIZE": 11,
  "TYPE": 11
}
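To show how a consumer of these events handles the two points made above, the kernel-mode key names and the string-or-base64 REGISTRY_VALUE field, here is an added Python example. It is not LimaCharlie's code; it takes the two REGISTRY_WRITE events shown on this page as its (constructed) input, rewrites the \REGISTRY\MACHINE and \REGISTRY\USER prefixes to the familiar HKLM and HKU names (the \REGISTRY\A prefix used by per-application hives has no such abbreviation and is left alone), maps TYPE to its REG_* name using the standard winnt.h numbering, and decodes the value. The rule it uses to decide between text and base64 is an assumption: if TYPE is a string type the field is taken as text, otherwise it is base64-decoded. Interpreting an 8-byte REG_QWORD as a FILETIME is likewise the example's own choice, made only because the sample key is a heartbeat timestamp.

```python
import base64
import datetime as dt
import json

# REG_* value types as numbered in winnt.h (subset; this page uses 1 and 11).
REG_TYPES = {
    0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
    4: "REG_DWORD", 5: "REG_DWORD_BIG_ENDIAN", 6: "REG_LINK",
    7: "REG_MULTI_SZ", 11: "REG_QWORD",
}
STRING_TYPES = {1, 2, 7}

# Kernel object-name prefixes and their user-mode hive abbreviations.
# \REGISTRY\A (application hives) has no user-mode abbreviation and is kept as-is.
HIVE_PREFIXES = (
    ("\\REGISTRY\\MACHINE", "HKLM"),
    ("\\REGISTRY\\USER", "HKU"),
)

# 100-nanosecond ticks between 1601-01-01 (FILETIME epoch) and 1970-01-01.
FILETIME_EPOCH_DELTA = 116444736000000000

# Constructed input: the two REGISTRY_WRITE examples from this page, one per line.
SAMPLE_EVENTS = [
    r'{"PROCESS_ID":1820,"REGISTRY_KEY":"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Diagnostics\\LastKnownGoodPlatformLocation","REGISTRY_VALUE":"C:\\Progr","SIZE":1,"TYPE":1}',
    r'{"PROCESS_ID":1700,"REGISTRY_KEY":"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack\\HeartBeats\\Default\\LastHeartBeatTime","REGISTRY_VALUE":"bMPGjjDM1wE=","SIZE":11,"TYPE":11}',
]


def normalize_key(key):
    """Rewrite a kernel-mode registry path into HKLM\\... or HKU\\... form.

    The prefix match is case-insensitive because the sensor emits the hive
    name in upper case while user-mode tools usually show mixed case.
    """
    upper = key.upper()
    for prefix, hive in HIVE_PREFIXES:
        if upper.startswith(prefix):
            return hive + key[len(prefix):]
    return key


def decode_value(event):
    """Return REGISTRY_VALUE as str (string types) or bytes (everything else).

    Assumption (not stated on the page): TYPE decides the encoding. A string
    TYPE means the sensor emitted text as-is; any other TYPE means base64.
    """
    raw = event["REGISTRY_VALUE"]
    if event["TYPE"] in STRING_TYPES:
        return raw
    return base64.b64decode(raw)


def filetime_to_datetime(raw):
    """Interpret 8 little-endian bytes as a Windows FILETIME (UTC)."""
    ticks = int.from_bytes(raw, "little")
    micros = (ticks - FILETIME_EPOCH_DELTA) // 10
    return dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc) + dt.timedelta(microseconds=micros)


def parse_event(line):
    """Turn one REGISTRY_WRITE JSON line into a normalized, decoded record."""
    ev = json.loads(line)
    value = decode_value(ev)
    out = {
        "pid": ev["PROCESS_ID"],
        "key": normalize_key(ev["REGISTRY_KEY"]),
        "type": REG_TYPES.get(ev["TYPE"], f"UNKNOWN({ev['TYPE']})"),
        "size": ev["SIZE"],
    }
    if isinstance(value, bytes):
        out["value_hex"] = value.hex()
        # DWORD/QWORD payloads are little-endian integers; leave other sizes alone.
        out["value_int"] = int.from_bytes(value, "little") if len(value) in (4, 8) else None
        if ev["TYPE"] == 11 and len(value) == 8:
            out["as_filetime"] = filetime_to_datetime(value).isoformat()
    else:
        out["value"] = value
    return out


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(json.dumps(parse_event(line), indent=2))
```

Running the block prints the first event with a plain-text value under an HKLM path and the second with its QWORD shown as hex, as an integer and as the UTC timestamp it encodes. Only the first 16 bytes of a value are ever present, so a record whose SIZE exceeds what was captured should be treated as a prefix of the real value rather than the whole of it.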
