I want to become more familiar with the registry. Suggestions plz.

Encrypted Existence

Hello all. I can honestly say as a beginner tech that I have learned a lot since I started fixing computers. TN has been a great help! One thing that I am not confident with is my ability to work inside the Windows registry (especially as far as malware removal is concerned). I would like to give my customers the best service possible and give myself the greatest chance at success. I am planning on setting up a machine to practice cleaning malware infections from within the registry. I would like some suggestions on how to become more comfortable within the registry. How did you guys learn to work in the registry? (I reckon I will get an overwhelming response of "jump on in and learn yourself" :p but I wanted to throw the question out there anyways.) I want to become comfortable with working in the registry not only for malware removal purposes but because I know that it will be essential to other parts of tech work as well. Thanks!
 
Well, like you said, it's best to jump in and learn on a test system. Just remember to back up before you change anything. Also, make sure you back up and lastly, BACKUP!!! :D This cannot be stressed enough, never ever ever make any changes without backing up first.

The last thing you want to do is make some small change and find out later that the system no longer boots and you don't have a backup. It's a lot easier to restore a reg file via cmd line than it is to try and figure out what caused the issue and manually fix it.

Regedit has its own built-in export option that I use before making any changes. It's super fast.
 
Well, like you said, it's best to jump in and learn on a test system. Just remember to back up before you change anything. Also, make sure you back up and lastly, BACKUP!!! :D This cannot be stressed enough, never ever ever make any changes without backing up first.

The last thing you want to do is make some small change and find out later that the system no longer boots and you don't have a backup. It's a lot easier to restore a reg file via cmd line than it is to try and figure out what caused the issue and manually fix it.

Regedit has its own built-in export option that I use before making any changes. It's super fast.

That is my plan. I'll infect a test machine and learn to clean up the remnants. Thanks for the reply.
 
For learning the registry, honestly you're just going to have to get used to what you see in there. Only repetition and experience enables me to look at certain values and know what is correct and what doesn't look right. Early on in my registry crawling days I would compare side by side certain values between a broken/infected system and a clean working system, both of the same OS of course. Late in my registry crawling days I got sick of the repetition, so I created D7's MalwareScan ;)

For infecting systems and looking for infected registry locations, learn to use a program called RegShot. It's available on sourceforge. You'll take a snapshot of the registry before the infection and another afterwards, and it will generate a report of new/modified/deleted registry keys. You can also set it to scan directories in the file system for file additions/modifications/deletions e.g. Windows and/or Application Data dirs in the user profile, etc.

The reports can be a little confusing to view at first, though. For one, the layout of the report is such that it lists a registry key with its original value, then another with its modified value directly below it.

Also in the reports you'll notice that some registry keys just change frequently regardless of what you do with the system, so perhaps it would be beneficial for you to start by taking snapshots of a clean system (both before and after) just to compare what values change normally. In between the clean snapshots you can do minor things like open a document, open/close IE, sort start menu icons by name, reboot or logoff/on, etc. to generate some of these events.
 
I would suggest setting up a VM to play with. You can make a snapshot of the system before you begin... If anything goes wrong you can revert back to before without any fuss or waiting.
 
I would suggest setting up a VM to play with. You can make a snapshot of the system before you begin... If anything goes wrong you can revert back to before without any fuss or waiting.

I will definitely use a VM for practice. Don't wanna sink my own machine! :D

@FoolishTech : I will take a look at RegShot. Sounds like it will help me learn. Thanks.
 
In terms of notable keys, you might find this reference doc from AccessData interesting: http://accessdata.com/downloads/media/Registry Quick Find Chart 7-22-08.pdf

It's meant as a reference for forensically useful information, but you can learn a lot about the registry by studying its information structure.

And, of course, messing with a VM is the ultimate learning tool. If you still count as a student, I'd suggest joining the ACM and using their MSDNAA to get your hands on legit Windows licenses and ISO's. Back when I was a student member, I grabbed everything I could.
 
A few things I'll mention...

First....as FoolishTech mentioned...most of it comes through repetition...see things over and over and over and over and over again year after year after year after year....in high numbers.

Second...there are 2 primary points which are easy to learn first...as a way to find where malware is loading.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
and
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

You'll usually see loaders for malware being loaded there...often in long cryptic names. Be familiar with things that are normal in there...and you'll spot what shouldn't be there.

Rootkits on the other hand....they can load from much more hidden places in the registry, and they're nearly impossible to find. Just spend a few minutes expanding nearly everything you can in the registry (OK...spend a few hours)...and you'll see how overwhelming it is. So become familiar with the above 2 keys that I linked...and let anti malware software deal with the rest.

And don't get too caught up in "registry cleaner" overhype...buncha snake oil. The registry is really tiny...hardly takes a millisecond to load. Old broken links are just that...dead ends..broken links..they do not take up resources or slow your computer down. Once in a blue moon there is a legitimate error that you can quickly do homework on and manually delete the key causing an issue. But to leave "cleaning" to some cleaning program that just closes its eyes and sweeps the dirt out...they often cause more harm than good. If I use a registry cleaner for some reason (it's rare)...I'll use a very gentle one that doesn't reach too deep...like the one built into CCleaner, or Eusing Free.
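To make the RegShot workflow (snapshot before, snapshot after, report new/modified/deleted keys) and the advice to watch the two Run keys concrete, here is an added Python example. It is not code from this thread, from RegShot or from D7. It compares two regedit exports taken before and after a change on a test VM, drops keys that churn on their own, and lists separately anything that landed in the autostart keys. The sample snapshots, the cryptic entry name in the "after" snapshot, the noise list, and the RunOnce entries added to the watchlist are assumptions made for the demonstration, not something from the thread.

```python
"""RegShot-style comparison of two regedit (.reg) exports.
Added example, not from this thread, RegShot or D7.  The BEFORE/AFTER
snapshots below are constructed for the demonstration."""
import re

# The two keys named in the thread, plus their RunOnce siblings (assumed addition).
AUTOSTART_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Keys that change on their own (assumed noise list; build yours from two
# snapshots of a clean, untouched system, as the thread suggests).
NOISE_PREFIXES = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs",
)
# Matches  "name"=data  or  @=data  (the key's default value)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Return {key: {value_name: raw_data}}; the default value is named '@'."""
    snapshot, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":          # [HKEY_...\Key] header
            current = line[1:-1]
            snapshot.setdefault(current, {})
            continue
        while line.endswith("\\") and i < len(lines):   # regedit wraps hex data
            line = line[:-1] + lines[i].strip()
            i += 1
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) is None else m.group(1).replace('\\"', '"')
        snapshot[current][name] = m.group(2)            # data kept as exported
    return snapshot


def diff_snapshots(before, after, noise_prefixes=NOISE_PREFIXES):
    """Report added/deleted keys and added/deleted/modified values, minus noise."""
    def noisy(key):
        return any(key.lower().startswith(p.lower()) for p in noise_prefixes)

    report = {"keys_added": sorted(k for k in after.keys() - before.keys() if not noisy(k)),
              "keys_deleted": sorted(k for k in before.keys() - after.keys() if not noisy(k)),
              "values_added": [], "values_deleted": [], "values_modified": []}
    for key in sorted(before.keys() | after.keys()):
        if noisy(key):
            continue
        b, a = before.get(key, {}), after.get(key, {})
        for name in sorted(a.keys() - b.keys()):
            report["values_added"].append((key, name, None, a[name]))
        for name in sorted(b.keys() - a.keys()):
            report["values_deleted"].append((key, name, b[name], None))
        for name in sorted(a.keys() & b.keys()):
            if a[name] != b[name]:
                report["values_modified"].append((key, name, b[name], a[name]))
    return report


def autostart_changes(report):
    """The subset landing in Run/RunOnce: the first place the thread says to look."""
    wanted = {k.lower() for k in AUTOSTART_KEYS}
    return [(kind,) + entry
            for kind in ("values_added", "values_modified", "values_deleted")
            for entry in report[kind] if entry[0].lower() in wanted]


BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\tech\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs]
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

[HKEY_CURRENT_USER\Software\Example\Settings]
"Launches"=dword:00000004
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\tech\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"xk3j9dq"="C:\\Users\\tech\\AppData\\Roaming\\xk3j9dq.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs]
"MRUListEx"=hex:01,00,00,00,00,00,00,00,\
  ff,ff,ff,ff

[HKEY_CURRENT_USER\Software\Example\Settings]
"Launches"=dword:00000005

[HKEY_CURRENT_USER\Software\Example\Updater]
@="installed"
"""


def run_example():
    """Diff the constructed snapshots and return the report."""
    return diff_snapshots(parse_reg(BEFORE), parse_reg(AFTER))


if __name__ == "__main__":
    rep = run_example()
    for kind, entries in rep.items():
        for e in entries:
            print(kind, e)
    print("--- changes in autostart keys (review these first) ---")
    for change in autostart_changes(rep):
        print(*change)
```

On a real test VM, export before and after with regedit (File > Export) or `reg export HKCU before.reg`, read each file with `encoding="utf-16"` (regedit writes UTF-16 with a byte-order mark) and hand the text to `parse_reg`. Seed `NOISE_PREFIXES` from two snapshots of an untouched clean system so that routine churn such as MRU lists drops out of the report, leaving the additions worth looking up.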
 
In terms of notable keys, you might find this reference doc from AccessData interesting: http://accessdata.com/downloads/media/Registry Quick Find Chart 7-22-08.pdf

It's meant as a reference for forensically useful information, but you can learn a lot about the registry by studying its information structure.

And, of course, messing with a VM is the ultimate learning tool. If you still count as a student, I'd suggest joining the ACM and using their MSDNAA to get your hands on legit Windows licenses and ISO's. Back when I was a student member, I grabbed everything I could.

I will be purchasing a Technet subscription soon so I will have access to legit licenses that way. Thanks.
 
A few things I'll mention...

First....as FoolishTech mentioned...most of it comes through repetition...see things over and over and over and over and over again year after year after year after year....in high numbers.

Second...there are 2 primary points which are easy to learn first...as a way to find where malware is loading.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
and
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

You'll usually see loaders for malware being loaded there...often in long cryptic names. Be familiar with things that are normal in there...and you'll spot what shouldn't be there.

Rootkits on the other hand....they can load from much more hidden places in the registry, and they're nearly impossible to find. Just spend a few minutes expanding nearly everything you can in the registry (OK...spend a few hours)...and you'll see how overwhelming it is. So become familiar with the above 2 keys that I linked...and let anti malware software deal with the rest.

And don't get too caught up in "registry cleaner" overhype...buncha snake oil. The registry is really tiny...hardly takes a millisecond to load. Old broken links are just that...dead ends..broken links..they do not take up resources or slow your computer down. Once in a blue moon there is a legitimate error that you can quickly do homework on and manually delete the key causing an issue. But to leave "cleaning" to some cleaning program that just closes its eyes and sweeps the dirt out...they often cause more harm than good. If I use a registry cleaner for some reason (it's rare)...I'll use a very gentle one that doesn't reach too deep...like the one built into CCleaner, or Eusing Free.

Thanks for the advice! It's good to have some seasoned vets to get advice from in these situations. Thanks.
 
If you want to learn about how Windows works and what it's doing under the hood, as it were, then invest in Russinovich's Windows Internals.

Not exactly light reading, mind.


I believe the 6th edition is out in April but is even bigger and is coming in two volumes!
 
If you want to learn about how Windows works and what it's doing under the hood, as it were, then invest in Russinovich's Windows Internals.

Not exactly light reading, mind.


I believe the 6th edition is out in April but is even bigger and is coming in two volumes!

Thanks for the reminder...I actually have the latest version so I think I may give it a read (parts of it that is). I read about fifty pages of it some months ago and you are correct when you say that it is not light reading! :o I am definitely gonna go the hands on learning route as well and set up a VM.
 
I would suggest a reg comparison program to scan the reg before any changes and after changes.. That's how I learn, and use Google... There are lists of reg files that will do certain things.. you can start with them.. I would recommend, when messing with the reg and learning how it works, using a virtual PC like VMware or VirtualBox.
 