reg.exe

  • File Path: C:\Windows\system32\reg.exe
  • Description: Registry Console Tool

Hashes

Type Hash
MD5 227F63E1D9008B36BDBCC4B397780BE4
SHA1 C0DB341DEFA8EF40C03ED769A9001D600E0F4DAE
SHA256 C0E25B1F9B22DE445298C1E96DDFCEAD265CA030FA6626F61A4A4786CC4A3B7D
SHA384 293A81EC3B67A98E87A02B2EDEBCF5571DCB452138AF829E5440ACA29F0B2212A3F139B53DECD4107DCD007C84E4D5DD
SHA512 101907B994D828C83587C483B4984F36CAF728B766CB7A417B549852A6207E2A3FE9EDC8EFF5EEAB13E32C4CF1417A3ADCCC089023114EA81974C5E6B355FED9
SSDEEP 1536:/ZsKjopjN/cYXsuMdCAOznsA5q+oxxhRO+sAg9RyTVZiJXpnvo/vrK:FW5nspdCbzpq+iLcqjWXpvo/vm
IMP BE482BE427FE212CFEF2CDA0E61F19AC
PESHA1 17B18DA9AC00F6F4711154E04D226E74E1FBC800
PE256 4D4D884EC8F5B600B2D2F31A941FFD7E6F40168ACFDBD590AAE14826C5CEC509

Runtime Data

Usage (stdout):

REG Operation [Parameter List]

  Operation  [ QUERY   | ADD    | DELETE  | COPY    |
               SAVE    | LOAD   | UNLOAD  | RESTORE |
               COMPARE | EXPORT | IMPORT  | FLAGS ]

Return Code: (Except for REG COMPARE)

  0 - Successful
  1 - Failed

For help on a specific operation type:

  REG Operation /?

Examples:

  REG QUERY /?
  REG ADD /?
  REG DELETE /?
  REG COPY /?
  REG SAVE /?
  REG RESTORE /?
  REG LOAD /?
  REG UNLOAD /?
  REG COMPARE /?
  REG EXPORT /?
  REG IMPORT /?
  REG FLAGS /?

Usage (stderr):

ERROR: Invalid Argument/Option - '--help'.
Type "REG /?" for usage.

Loaded Modules:

Path
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\reg.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: reg.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d/detection

Possible Misuse

The following table contains possible examples of reg.exe being misused. While reg.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_logon_explicit_credentials.yml - '\reg.exe' DRL 1.0
sigma proc_creation_win_apt_lazarus_activity_dec20.yml - 'reg.exe save hklm\sam %temp%\~reg_sam.save' DRL 1.0
sigma proc_creation_win_control_panel_item.yml Image|endswith: '\reg.exe' DRL 1.0
sigma proc_creation_win_enumeration_for_credentials_in_registry.yml Image|endswith: \reg.exe DRL 1.0
sigma proc_creation_win_grabbing_sensitive_hives_via_reg.yml description: Dump sam, system or security hives using REG.exe utility DRL 1.0
sigma proc_creation_win_grabbing_sensitive_hives_via_reg.yml Image|endswith: '\reg.exe' DRL 1.0
sigma proc_creation_win_mmc_spawn_shell.yml - '\reg.exe' DRL 1.0
sigma proc_creation_win_mshta_spawn_shell.yml - '\reg.exe' DRL 1.0
sigma proc_creation_win_multiple_suspicious_cli.yml - reg.exe DRL 1.0
sigma proc_creation_win_query_registry.yml Image|endswith: '\reg.exe' DRL 1.0
sigma proc_creation_win_reg_add_run_key.yml description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry DRL 1.0
sigma proc_creation_win_reg_defender_exclusion.yml description: Qbot used reg.exe to add Defender folder exceptions for folders within AppData and ProgramData. DRL 1.0
sigma proc_creation_win_reg_defender_exclusion.yml Image|endswith: \reg.exe DRL 1.0
sigma proc_creation_win_reg_service_imagepath_change.yml title: Service ImagePath Change with Reg.exe DRL 1.0
sigma proc_creation_win_reg_service_imagepath_change.yml Image|endswith: \reg.exe DRL 1.0
sigma proc_creation_win_software_discovery.yml Image|endswith: '\reg.exe' # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion DRL 1.0
sigma proc_creation_win_susp_direct_asep_reg_keys_modification.yml description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe. DRL 1.0
sigma proc_creation_win_susp_direct_asep_reg_keys_modification.yml Image|endswith: '\reg.exe' DRL 1.0
sigma proc_creation_win_susp_disable_raccine.yml - 'reg.exe' DRL 1.0
sigma proc_creation_win_susp_machineguid.yml Image|endswith: \reg.exe DRL 1.0
sigma proc_creation_win_susp_reg_disable_sec_services.yml description: Detects a suspicious reg.exe invocation that looks as if it would disable an important security service DRL 1.0
sigma proc_creation_win_susp_screensaver_reg.yml title: Suspicious ScreenSave Change by Reg.exe DRL 1.0
sigma proc_creation_win_susp_screensaver_reg.yml Image|endswith: reg.exe DRL 1.0
LOLBAS Reg.yml Name: Reg.exe
LOLBAS Reg.yml - Path: C:\Windows\System32\reg.exe
LOLBAS Reg.yml - Path: C:\Windows\SysWOW64\reg.exe
LOLBAS Reg.yml - IOC: reg.exe writing to an ADS
LOLBAS SettingSyncHost.yml Description: Execute a batch script in the background (no window ever pops up) which can be subverted to running arbitrary programs by setting the current working directory to %TMP% and creating files such as reg.bat/reg.exe in that directory thereby causing them to execute instead of the ones in C:\Windows\System32.
LOLBAS Wmic.yml - Command: wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
malware-ioc misp_invisimole.json "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.\n\nOne variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.\n\nA third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver file named <code>March 25 \\u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. \n\nAdversaries may modify a binary's metadata, including such fields as icons, version, name of the product, description, and copyright, to better blend in with the environment and increase chances of deceiving a security analyst or product.(Citation: Threatexpress MetaTwin 2017)\n\n### Windows\nIn another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)\n\nAn example of abuse of trusted locations in Windows would be the <code>C:\\Windows\\System32</code> directory. Examples of trusted binary names that can be given to malicious binaries include \"explorer.exe\" and \"svchost.exe\".\n\n### Linux\nAnother variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)\n\nAn example of abuse of trusted locations in Linux would be the <code>/bin</code> directory. Examples of trusted binary names that can be given to malicious binaries include \"rsyncd\" and \"dbus-inotifier\". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)", © ESET 2014-2018
atomic-red-team index.md - Atomic Test #8: Disable UAC using reg.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Service ImagePath Change with reg.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #8: Disable UAC using reg.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Service ImagePath Change with reg.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1037.001.md REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f MIT License. © 2018 Red Canary
atomic-red-team T1037.001.md REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" MIT License. © 2018 Red Canary
atomic-red-team T1112.md Modify the registry of the currently logged in user using reg.exe via cmd console. Upon execution, the message "The operation completed successfully." MIT License. © 2018 Red Canary
atomic-red-team T1137.004.md reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /t REG_SZ /d #{url} /f MIT License. © 2018 Red Canary
atomic-red-team T1137.004.md reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /f >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1546.002.md reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f MIT License. © 2018 Red Canary
atomic-red-team T1546.002.md reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f MIT License. © 2018 Red Canary
atomic-red-team T1546.002.md reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f MIT License. © 2018 Red Canary
atomic-red-team T1546.002.md reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f MIT License. © 2018 Red Canary
atomic-red-team T1546.010.md reg.exe import #{registry_file} MIT License. © 2018 Red Canary
atomic-red-team T1546.010.md reg.exe import #{registry_cleanup_file} >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md - Atomic Test #8 - Disable UAC using reg.exe MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute" /f MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md reg.exe delete hkcu\software\classes\ms-settings /f >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md ## Atomic Test #8 - Disable UAC using reg.exe MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md Disable User Account Control (UAC) using the builtin tool reg.exe by changing its registry key MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f MIT License. © 2018 Red Canary
atomic-red-team T1574.011.md - Atomic Test #2 - Service ImagePath Change with reg.exe MIT License. © 2018 Red Canary
atomic-red-team T1574.011.md ## Atomic Test #2 - Service ImagePath Change with reg.exe MIT License. © 2018 Red Canary
atomic-red-team T1574.011.md reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}" MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

reg commands

Performs operations on registry subkey information and values in registry entries.

Some operations enable you to view or configure registry entries on local or remote computers, while others allow you to configure only local computers. Using reg to configure the registry of remote computers limits the parameters that you can use in some operations. Check the syntax and parameters for each operation to verify that they can be used on remote computers.

[!CAUTION] Don’t edit the registry directly unless you have no alternative. The registry editor bypasses standard safeguards, allowing settings that can degrade performance, damage your system, or even require you to reinstall Windows. You can safely alter most registry settings by using the programs in Control Panel or Microsoft Management Console (MMC). If you must edit the registry directly, back it up first.

Syntax

reg add
reg compare
reg copy
reg delete
reg export
reg import
reg load
reg query
reg restore
reg save
reg unload

Parameters

Parameter Description
reg add Adds a new subkey or entry to the registry.
reg compare Compares specified registry subkeys or entries.
reg copy Copies a registry entry to a specified location on the local or remote computer.
reg delete Deletes a subkey or entries from the registry.
reg export Copies the specified subkeys, entries, and values of the local computer into a file for transfer to other servers.
reg import Copies the contents of a file that contains exported registry subkeys, entries, and values into the registry of the local computer.
reg load Writes saved subkeys and entries into a different subkey in the registry.
reg query Returns a list of the next tier of subkeys and entries that are located under a specified subkey in the registry.
reg restore Writes saved subkeys and entries back to the registry.
reg save Saves a copy of specified subkeys, entries, and values of the registry in a specified file.
reg unload Removes a section of the registry that was loaded using the reg load operation.

MIT License. Copyright (c) 2020-2021 Strontic.