reg.exe

  • File Path: C:\Windows\SysWOW64\reg.exe
  • Description: Registry Console Tool

Hashes

Type Hash
MD5 DACAC17455D4EEFE433B41BA82CD106F
SHA1 F590419F8327BC2CAC08FBAC4D28E32EB3759B43
SHA256 E3046D83040D114AF09C6B7738F69B14EC180ECE999573489A7D3386E4ABABB5
SHA384 00F72475B9A809D48650F05FF3F6990BE84AAE6D161E655221C19864FC8DF56372661154538ED7898688ABEA4FC33029
SHA512 01F73139F1BF0A57A067F8E8B90604ED4B962A50767B294299EF02FD3547479DB661F3020EC8430315813B137F4C3CE45204ED755817F8FF16C5B54657073964
SSDEEP 1536:R5K+dgNJbFk/wvzA2m6rhoBC8yBt3DQBXvSvODF6fO:rKFJhk/wvznm63Bt3DQBX6vO562
IMP 869B9FF91668F96EF68FBE0DB3602587
PESHA1 6FEB8B9ACFC6ED0D1C8686733CAEAF9139B9B5D0
PE256 D205DB536ED98E8DC737577ED3A85ABA49A0E557F5395DE10F7AC0CEDF30678A

Runtime Data

Usage (stdout):

REG Operation [Parameter List]

  Operation  [ QUERY   | ADD    | DELETE  | COPY    |
               SAVE    | LOAD   | UNLOAD  | RESTORE |
               COMPARE | EXPORT | IMPORT  | FLAGS ]

Return Code: (Except for REG COMPARE)

  0 - Successful
  1 - Failed

For help on a specific operation type:

  REG Operation /?

Examples:

  REG QUERY /?
  REG ADD /?
  REG DELETE /?
  REG COPY /?
  REG SAVE /?
  REG RESTORE /?
  REG LOAD /?
  REG UNLOAD /?
  REG COMPARE /?
  REG EXPORT /?
  REG IMPORT /?
  REG FLAGS /?

Usage (stderr):

ERROR: Invalid Argument/Option - '--help'.
Type "REG /?" for usage.

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: reg.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/e3046d83040d114af09c6b7738f69b14ec180ece999573489a7d3386e4ababb5/detection/

Possible Misuse

The following table contains possible examples of reg.exe being misused. While reg.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_logon_explicit_credentials.yml - '\reg.exe' DRL 1.0
sigma proc_creation_win_apt_lazarus_activity_dec20.yml - 'reg.exe save hklm\sam %temp%\~reg_sam.save' DRL 1.0
sigma proc_creation_win_control_panel_item.yml Image|endswith: '\reg.exe' DRL 1.0
sigma proc_creation_win_enumeration_for_credentials_in_registry.yml Image|endswith: \reg.exe DRL 1.0
sigma proc_creation_win_grabbing_sensitive_hives_via_reg.yml description: Dump sam, system or security hives using REG.exe utility DRL 1.0
sigma proc_creation_win_grabbing_sensitive_hives_via_reg.yml Image|endswith: '\reg.exe' DRL 1.0
sigma proc_creation_win_mmc_spawn_shell.yml - '\reg.exe' DRL 1.0
sigma proc_creation_win_mshta_spawn_shell.yml - '\reg.exe' DRL 1.0
sigma proc_creation_win_multiple_suspicious_cli.yml - reg.exe DRL 1.0
sigma proc_creation_win_query_registry.yml Image|endswith: '\reg.exe' DRL 1.0
sigma proc_creation_win_reg_add_run_key.yml description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry DRL 1.0
sigma proc_creation_win_reg_defender_exclusion.yml description: Qbot used reg.exe to add Defender folder exceptions for folders within AppData and ProgramData. DRL 1.0
sigma proc_creation_win_reg_defender_exclusion.yml Image|endswith: \reg.exe DRL 1.0
sigma proc_creation_win_reg_service_imagepath_change.yml title: Service ImagePath Change with Reg.exe DRL 1.0
sigma proc_creation_win_reg_service_imagepath_change.yml Image|endswith: \reg.exe DRL 1.0
sigma proc_creation_win_software_discovery.yml Image|endswith: '\reg.exe' # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion DRL 1.0
sigma proc_creation_win_susp_direct_asep_reg_keys_modification.yml description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe. DRL 1.0
sigma proc_creation_win_susp_direct_asep_reg_keys_modification.yml Image|endswith: '\reg.exe' DRL 1.0
sigma proc_creation_win_susp_disable_raccine.yml - 'reg.exe' DRL 1.0
sigma proc_creation_win_susp_machineguid.yml Image|endswith: \reg.exe DRL 1.0
sigma proc_creation_win_susp_reg_disable_sec_services.yml description: Detects a suspicious reg.exe invocation that looks as if it would disable an important security service DRL 1.0
sigma proc_creation_win_susp_screensaver_reg.yml title: Suspicious ScreenSave Change by Reg.exe DRL 1.0
sigma proc_creation_win_susp_screensaver_reg.yml Image|endswith: reg.exe DRL 1.0
LOLBAS Reg.yml Name: Reg.exe
LOLBAS Reg.yml - Path: C:\Windows\System32\reg.exe
LOLBAS Reg.yml - Path: C:\Windows\SysWOW64\reg.exe
LOLBAS Reg.yml - IOC: reg.exe writing to an ADS
LOLBAS SettingSyncHost.yml Description: Execute a batch script in the background (no window ever pops up) which can be subverted to running arbitrary programs by setting the current working directory to %TMP% and creating files such as reg.bat/reg.exe in that directory thereby causing them to execute instead of the ones in C:\Windows\System32.
LOLBAS Wmic.yml - Command: wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
malware-ioc misp_invisimole.json "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed. One variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate. A third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver file named 'March 25 \u202Excod.scr' will display as 'March 25 rcs.docx'. A JavaScript file named 'photo_high_re\u202Egnp.js' will be displayed as 'photo_high_resj.png'. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. Adversaries may modify a binary's metadata, including such fields as icons, version, name of the product, description, and copyright, to better blend in with the environment and increase chances of deceiving a security analyst or product.(Citation: Threatexpress MetaTwin 2017) Windows: In another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke) An example of abuse of trusted locations in Windows would be the C:\Windows\System32 directory. Examples of trusted binary names that can be given to malicious binaries include "explorer.exe" and "svchost.exe". Linux: Another variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten) An example of abuse of trusted locations in Linux would be the /bin directory. Examples of trusted binary names that can be given to malicious binaries include "rsyncd" and "dbus-inotifier". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)", © ESET 2014-2018
atomic-red-team index.md - Atomic Test #8: Disable UAC using reg.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Service ImagePath Change with reg.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #8: Disable UAC using reg.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Service ImagePath Change with reg.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1037.001.md REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f MIT License. © 2018 Red Canary
atomic-red-team T1037.001.md REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" MIT License. © 2018 Red Canary
atomic-red-team T1112.md Modify the registry of the currently logged in user using reg.exe via cmd console. Upon execution, the message "The operation completed successfully." MIT License. © 2018 Red Canary
atomic-red-team T1137.004.md reg.exe add HKCU\Software\Microsoft\Office#{outlook_version}\Outlook\WebView#{outlook_folder} /v URL /t REG_SZ /d #{url} /f MIT License. © 2018 Red Canary
atomic-red-team T1137.004.md reg.exe delete HKCU\Software\Microsoft\Office#{outlook_version}\Outlook\WebView#{outlook_folder} /v URL /f >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1546.002.md reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f MIT License. © 2018 Red Canary
atomic-red-team T1546.002.md reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f MIT License. © 2018 Red Canary
atomic-red-team T1546.002.md reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f MIT License. © 2018 Red Canary
atomic-red-team T1546.002.md reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f MIT License. © 2018 Red Canary
atomic-red-team T1546.010.md reg.exe import #{registry_file} MIT License. © 2018 Red Canary
atomic-red-team T1546.010.md reg.exe import #{registry_cleanup_file} >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md - Atomic Test #8 - Disable UAC using reg.exe MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute" /f MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md reg.exe delete hkcu\software\classes\ms-settings /f >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md ## Atomic Test #8 - Disable UAC using reg.exe MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md Disable User Account Control (UAC) using the builtin tool reg.exe by changing its registry key MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f MIT License. © 2018 Red Canary
atomic-red-team T1574.011.md - Atomic Test #2 - Service ImagePath Change with reg.exe MIT License. © 2018 Red Canary
atomic-red-team T1574.011.md ## Atomic Test #2 - Service ImagePath Change with reg.exe MIT License. © 2018 Red Canary
atomic-red-team T1574.011.md reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}" MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
reg commands

Performs operations on registry subkey information and values in registry entries.

Some operations enable you to view or configure registry entries on local or remote computers, while others allow you to configure only local computers. Using reg to configure the registry of remote computers limits the parameters that you can use in some operations. Check the syntax and parameters for each operation to verify that they can be used on remote computers.

CAUTION: Don't edit the registry directly unless you have no alternative. The registry editor bypasses standard safeguards, allowing settings that can degrade performance, damage your system, or even require you to reinstall Windows. You can safely alter most registry settings by using the programs in Control Panel or Microsoft Management Console (MMC). If you must edit the registry directly, back it up first.

Syntax

reg add
reg compare
reg copy
reg delete
reg export
reg import
reg load
reg query
reg restore
reg save
reg unload

Parameters

Parameter Description
reg add Adds a new subkey or entry to the registry.
reg compare Compares specified registry subkeys or entries.
reg copy Copies a registry entry to a specified location on the local or remote computer.
reg delete Deletes a subkey or entries from the registry.
reg export Copies the specified subkeys, entries, and values of the local computer into a file for transfer to other servers.
reg import Copies the contents of a file that contains exported registry subkeys, entries, and values into the registry of the local computer.
reg load Writes saved subkeys and entries into a different subkey in the registry.
reg query Returns a list of the next tier of subkeys and entries that are located under a specified subkey in the registry.
reg restore Writes saved subkeys and entries back to the registry.
reg save Saves a copy of specified subkeys, entries, and values of the registry in a specified file.
reg unload Removes a section of the registry that was loaded using the reg load operation.

MIT License. Copyright (c) 2020-2021 Strontic.