regini.exe
- File Path:
C:\windows\SysWOW64\regini.exe - Description: Registry Initializer
Hashes
| Type | Hash |
|---|---|
| MD5 | 50752D2AEDF0E27FF7EFCA584755A203 |
| SHA1 | 8003285582FB19C7018242FB2CA2FE78D0521774 |
| SHA256 | CED97AC768997B34FC37E4661E66EBF3D253CB068931BB4F2FAF1DDDED3016DC |
| SHA384 | 1C885CE9E74CB85377736A455CE05315399BD8BC597C533FF1DE650351D19F6084BB881802D4F6BD3DDE5C12BDED0EA1 |
| SHA512 | 3F16540C12F416651D3D3BFA13D6B2825E2CB327AD73D993D1F756E565BB79CF03961F39C5BDC5017BBE2D021764D6ACC839D9B2C0FC6EFCFA7BF37C59B6D695 |
| SSDEEP | 768:HvGV2EIgkhyilb1143tN37BR2BTyOd78DNeo+ERHCQhBhT1dGt2:H5Ec43tN37ATy678ReojRHCQJHGt2 |
Signature
- Status: The file C:\windows\SysWOW64\regini.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename: REGINI.EXE
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 6.3.9600.17415 (winblue_r4.141028-1500)
- Product Version: 6.3.9600.17415
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\Windows\SysWOW64\regini.exe | 43 |
| C:\Windows\SysWOW64\regini.exe | 35 |
| C:\WINDOWS\SysWOW64\regini.exe | 36 |
| C:\WINDOWS\SysWOW64\regini.exe | 38 |
| C:\Windows\SysWOW64\regini.exe | 40 |
Possible Misuse
The following table contains possible examples of regini.exe being misused. While regini.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_regini.yml | description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files. |
DRL 1.0 |
| sigma | proc_creation_win_regini.yml | - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regini.yml |
DRL 1.0 |
| sigma | proc_creation_win_regini.yml | - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini |
DRL 1.0 |
| sigma | proc_creation_win_regini.yml | Image\|endswith: '\regini.exe' |
DRL 1.0 |
| sigma | proc_creation_win_regini_ads.yml | description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys. |
DRL 1.0 |
| sigma | proc_creation_win_regini_ads.yml | - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regini.yml |
DRL 1.0 |
| sigma | proc_creation_win_regini_ads.yml | - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini |
DRL 1.0 |
| sigma | proc_creation_win_regini_ads.yml | Image\|endswith: '\regini.exe' |
DRL 1.0 |
| LOLBAS | Regini.yml | Name: Regini.exe |
|
| LOLBAS | Regini.yml | - Command: regini.exe newfile.txt:hidden.ini |
|
| LOLBAS | Regini.yml | - Path: C:\Windows\System32\regini.exe |
|
| LOLBAS | Regini.yml | - Path: C:\Windows\SysWOW64\regini.exe |
|
| LOLBAS | Regini.yml | - IOC: regini.exe reading from ADS |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
regini
Modifies the registry from the command line or a script, and applies changes that were preset in one or more text files. You can create, modify, or delete registry keys, in addition to modifying the permissions on the registry keys.
For details on the format and content of the text script file that regini.exe uses to make changes to the registry, see How to change registry values or permissions from a command line or a script.
Syntax
regini [-m \\machinename | -h hivefile hiveroot][-i n] [-o outputwidth][-b] textfiles...
Parameters
| Parameter | Description |
|---|---|
-m <\\computername> |
Specifies the remote computer name with a registry that is to be modified. Use the format \ComputerName. |
-h <hivefile hiveroot> |
Specifies the local registry hive to modify. You must specify the name of the hive file and the root of the hive in the format hivefile hiveroot. |
-i <n> |
Specifies the level of indentation to use to indicate the tree structure of registry keys in the command output. The regdmp.exe tool (which gets a registry key’s current permissions in binary format) uses indentation in multiples of four, so the default value is 4. |
-o <outputwidth> |
Specifies the width of the command output, in characters. If the output will appear in the command window, the default value is the width of the window. If the output is directed to a file, the default value is 240 characters. |
| -b | Specifies that regini.exe output is backward compatible with previous versions of regini.exe. |
| textfiles | Specifies the name of one or more text files that contain registry data. Any number of ANSI or Unicode text files can be listed. |
Remarks
The following guidelines apply primarily to the content of the text files that contain registry data that you apply by using regini.exe.
-
Use the semicolon as an end-of-line comment character. It must be the first non-blank character in a line.
-
Use the backslash to indicate continuation of a line. The command will ignore all characters from the backslash up to (but not including) the first non-blank character of the next line. If you include more than one space before the backslash, it is replaced by a single space.
-
Use hard-tab characters to control indentation. This indentation indicates the tree structure of the registry keys; however, these characters are converted to a single space regardless of their position.
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.