Microsoft Windows Registry Security

From Free Knowledge Base- The DUCK Project: information for everyone
Revision as of 16:32, 19 February 2015 by Admin (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

The registry is a database in Windows that contains information about system hardware, installed programs and settings, and profiles of each of the user accounts on your computer. Windows and most software running in windows continually refers to the information in the registry. It is not a requirement for a Windows application to use Windows Registry, although the Windows Registry is designed to store application settings in one logical repository.

Although there are many advantages to the Windows Registry hierarchical database, there are some critical disadvantages from the user point of view. Because the Windows registry is very obfuscated, often times intentionally, unwanted data entries can be added without the user's knowledge. Also, software that adds entries into the registry when installed, often fails to clean those entries up by removal when uninstalled. The Windows registry can become bloated with broken and unused entries. Furthermore, malicious software can embed entries into the registry, such as start-up entries for a virus.

Trial software uses the Windows registry to create hidden data that can keep track of when you installed the software, if you have paid for the software, and if the software should be expired. These entries are also retained so that if you attempt to remove and reinstall the software, expiration status can be retained.

Using a Windows native API, registry keys can be created by software as the programmers intention, to hide or obfuscate data using embedded nulls in the key names. In this way, even if the registry key name is known, it does not appear in the Windows registry editor and cannot be easily removed by the user. All Registry keys may be restricted by access control lists (ACLs), depending on user privileges, or on security tokens acquired by applications, or on system security policies.

Other aspect of Windows security is discussed on the Windows Security Page.

Microsoft Windows Predefined Root Keys

In a typical Windows XP/2000 machine.

  • HKEY_CLASSES_ROOT
  • HKEY_CURRENT_USER
  • KEY_LOCAL_MACHINE
  • KEY_USERS
  • HKEY_CURRENT_CONFIG

These keys remain fairly consistent in versions since XP - 2007. The keys at the root level of the hierarchical database are generally named by their Windows API definitions, which all begin "HKEY". The HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER hives have a similar structure to each other.

Even though the Registry presents itself as an integrated hierarchical database, branches of the Registry are actually stored in a number of disk files called hives. Some hives are volatile and are not stored on disk at all. Individual settings for users on a system is stored in a hive as a file on the drive, one per user.

Specific Registry Keys

Startup Programs

Software that is third-party which is loaded when Windows is loaded, or a user logs in can be stored in the registry. The following two registry keys are responsible for loading these auto-start programs.

  1. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  2. KEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the first the program would start on user login, and only for that user. The second will load for any user when the Windows session begins.

A common example of a startup program is GoogleUpdate.exe which is added by Google software such as the Google Chrome web browser. The key pair looks like this:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Update
  • REG_SZ "C:\Documents and Settings\nicole\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

Although GoogleUpdate.exe is generally considered benign, the risk is in what a virus hacker can do to disguise malware. The developer of a virus, being aware that people ignore GoogleUpdate.exe, may replace it will a virus using the same name. In this event, the virus is auto-loaded with Windows and the user sees only what is perceived to be the harmless GoogleUpdate program. Because GoogleUpdate runs silently in the background (TSR) there is no interface, also a trait of a virus.

Checking the Default Web Browser

Applies to Windows XP - Windows 7 and possibly higher.

There are two types of default browser setting. They are typically set to the same browser. One type of setting controls what browser opens when you click on a web document saved to the hard drive. The other determines what browser opens when you attempt to go directly to a web site via the http protocol such as entering the address in the Run -> Open dialog.

Default browser that opens when html file is clicked

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList

Default browser that opens when http protocol used (going to web site)

  • HKEY_CURRENT_USER\Software\Classes\http\shell\open\command

These are typically both set by your favorite web browser. They can be hijacked by a rogue program or intermediary. Check them via the Registry Editor regedit.exe to manually example their value.

Security

Most commercial anti-virus includes some sort of active registry monitoring. It attempts to notify the user on changes to the registry that may be harmful such as the inclusion of startup keys by a virus. The success of such monitoring software largely depends on how threats are detected, often matching entries against an internal database. It is difficult to determine with complete accuracy what changes to the registry are legitimate by running software and what changes are malicious. There is also gray area depending on what a user considers to be malicious.

Recommended Security Measures to Protect the Integrity of the Registry

  • Create regular manual backups of the registry hives
  • Use Microsoft System Restore which includes registry backup
  • Use Registry monitoring software such as a good Anti-Virus

Tracking Changes

There are two fundamental approaches to detecting changes to the Windows registry. One is to take a snapshot of the registry, and then later take another and do a comparison. This approach is thorough but very slow. A second approach involves active, real-time monitoring. This approach may be slightly less reliable, however, is more useful for detecting changes as they happen. A disadvantage of real-time monitoring is that the TSR will utilize some resources as it runs and may make a slower PC seem to run even slower still.

  • snapshot and compare - no real-time performance loss, thorough, however a slow process to create the snapshot and compare.
  • real-time monitoring - quickly detect or even intercept changes to the registry. may negatively impact system speed.

Detecting changes to the registry, and stopping unwanted changes is a common part of a Host Intrusion Prevention System. Most contemporary security tools to accomplish this are part of a larger commercial antivirus security suite or so-called host firewall. Individual utilities to accomplish this are also available, such as MJ Registry Watcher and Regshot.