Registry Items
Overview
Evidence: Registry Items
Description: Enumerate Registry Items
Category: System
Platform: windows
Short Name: rgstrpr
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
The Windows registry contains numerous locations where programs can register themselves to run automatically at system startup, at user logon, or on specific events. Attackers commonly abuse these registry keys to establish persistence.
The collector examines dozens of known autorun registry locations used by both legitimate software and malware for persistence.
Data Collected
This collector gathers structured data about registry items.
Registry Items Data
| Field | Description | Example |
|---|---|---|
| KeyPath | Full registry key path | HKLM\Software\Microsoft\Windows\CurrentVersion\Run |
| View | Registry view (32-bit or 64-bit) | 256 |
| LastWriteTime | Registry key last write time | 2023-10-15T14:30:00 |
| Is32Bit | Whether this is the 32-bit registry view | TRUE |
| EntryName | Registry value or entry name | GoogleUpdate |
| CommandLine | Command line to execute | "C:\Program Files\Google\Update\GoogleUpdate.exe" /c |
| AutorunsRegistryRowID | Foreign key to main entry | 1 |
Collection Method
This collector:
- Loads autorun definitions from embedded JSON resource
- Searches for registry keys matching patterns
- Examines both 32-bit and 64-bit registry views
- Parses command lines to extract executables and arguments
- Resolves CLSID references to file paths
- Collects file information for all referenced executables
Common persistence locations include:
- HKLM/HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM/HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
- Shell extensions and explorer add-ons
- Winlogon registry keys
- Active Setup entries
- And many other documented persistence locations
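The "parses command lines to extract executables and arguments" step above is the one an analyst most often has to reproduce when reviewing exported rows. The following is an added illustration, not the collector's own code: it splits the `CommandLine` field of a registry item into executable and arguments (handling quoted paths, unquoted paths containing spaces, and `rundll32.exe <dll>,<export>` indirection) and flags executables that sit in user-writable locations. The `SAMPLE_RECORDS`, the `USER_WRITABLE_MARKERS` list and the function names are constructed for this example.

```python
"""Parse autorun CommandLine values into executable, arguments and referenced files.
Sample records and the user-writable path markers are constructed for illustration."""
import ntpath

EXE_SUFFIXES = (".exe", ".com", ".scr", ".bat", ".cmd", ".dll")
# Path fragments an unprivileged user can write to (illustrative, not exhaustive);
# a persistence entry that runs code from such a path deserves a closer look.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "%appdata%", "%temp%")


def split_command_line(cmdline):
    """Return (executable, arguments). A quoted path is taken verbatim; for an
    unquoted path with spaces the executable is the shortest token prefix that
    ends in a known executable suffix."""
    s = cmdline.strip()
    if not s:
        return "", ""
    if s[0] == '"':
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    tokens = s.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(EXE_SUFFIXES):
            return candidate, " ".join(tokens[i:]).strip()
    return tokens[0], " ".join(tokens[1:]).strip()


def parse_autorun_entry(record):
    """Enrich one KeyPath/EntryName/CommandLine record with parsed fields."""
    exe, args = split_command_line(record["CommandLine"])
    referenced = [exe]
    # rundll32.exe <dll>,<export>: the DLL, not rundll32 itself, is the code that runs.
    if ntpath.basename(exe).lower() == "rundll32.exe" and args:
        referenced.append(split_command_line(args)[0].split(",", 1)[0])
    suspicious = any(m in p.lower() for p in referenced for m in USER_WRITABLE_MARKERS)
    return {**record, "Executable": exe, "Arguments": args,
            "ReferencedFiles": referenced, "UserWritableLocation": suspicious}


SAMPLE_RECORDS = [  # constructed sample rows, not real collector output
    {"KeyPath": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "EntryName": "GoogleUpdate",
     "CommandLine": r'"C:\Program Files\Google\Update\GoogleUpdate.exe" /c'},
    {"KeyPath": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "EntryName": "Updater",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Roaming\upd.dll,Start"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(parse_autorun_entry(rec))
```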
Forensic Value
Registry persistence enumeration is essential for detecting malware and unauthorized software. Investigators use this data to:
- Identify malicious autoruns
- Detect persistence mechanisms
- Track installed software that runs at startup
- Identify suspicious registry modifications
- Correlate persistence with malware execution
- Detect Living Off the Land binaries
- Validate system baseline configurations