reg.exe

reg.exe is the Console Registry Tool, the command-line program for reading and writing the Windows registry. It can query, add, delete, export, import, and save registry keys, on the local machine or a remote one. Administrators and scripts use it for configuration. Attackers use it for persistence, to dump credential hives, to find stored secrets, and to weaken security settings.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

LOLBAS (2)
  • reg export HKLM\SOFTWARE\Microsoft\Evilreg {PATH_ABSOLUTE}:evilreg.reg · ADS · Hide/plant registry information in an Alternate Data Stream for later use
  • reg save HKLM\SECURITY {PATH_ABSOLUTE:.1.bak} && reg save HKLM\SYSTEM {PATH_ABSOLUTE:.2.bak} && reg save HKLM\SAM {PATH_ABSOLUTE:.3.bak} · Credentials · Dump credentials from the Security Account Manager (SAM)

Indicators

Hashes

Not observed.

Analysis

About this process

reg.exe reads and modifies the Windows registry from the command line. Its main verbs are reg query, reg add, reg delete, reg export and reg import for text .reg files, and reg save and reg load for binary hive files. Several operations can act on a remote machine by prefixing a host, as in reg query \\host\HKLM\.... The genuine binary lives at C:\Windows\System32\reg.exe.

Legitimately, reg is run constantly by installers, scripts, and administrators to read and set configuration, so the process itself is unremarkable. The key it touches and whether it reads or writes, both visible on the command line, are what give an instance meaning.

Security notes

reg.exe is a common persistence tool (T1547.001). Writing to a Run key, under HKCU or HKLM ...\CurrentVersion\Run, or to another autostart point makes a program launch at logon or boot. Anything added to Run, to the Winlogon Shell or Userinit values, or similar startup locations that points to a script host or a user-writable binary is suspect.

It is also a route to local credentials (T1003.002). reg save HKLM\SAM and reg save HKLM\SYSTEM export the hive files that hold local account password hashes and the boot key needed to decrypt them, and HKLM\SECURITY holds LSA secrets. Saving any of these and moving the files off the host is a recognizable credential-theft step. reg also harvests secrets that applications leave in the registry, such as autologon passwords (T1552.002).

Beyond that, reg supports both reconnaissance and defense evasion. reg query enumerates installed software, configuration, and stored credentials (T1012), while reg add and reg delete flip security-relevant settings off, disabling Defender features or UAC, for example (T1112). Because reg is a normal administrative tool, the key path, the direction, the parent, and any remote target are what separate configuration from abuse.

Anomaly signals (7)
  • Image path other than C:\Windows\System32\reg.exe · high
  • reg save of HKLM\SAM, HKLM\SYSTEM, or HKLM\SECURITY · high
  • reg add to a Run key or another autostart location · high
  • reg add or reg delete changing security settings (Defender, UAC) · high
  • Parent is an Office application, a script host, or an unfamiliar process · high
  • reg query of known credential-storage keys (autologon, stored passwords) · med
  • A remote target, \\host\ on the command line · med
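
The signals above expressed as detection logic, added here as an example that is not part of this page or of any vendor's product. It classifies constructed reg.exe process-creation events against the listed signals and reports the severity the page assigns; the event field names (image, parent, cmdline) are an assumption about what a Sysmon- or EDR-style record carries, and the Defender, UAC and autologon value names are standard registry values, though treating them as a complete set is an assumption.

```python
"""Classify reg.exe process events against the anomaly signals listed above.

Added example, not from the original page or any vendor's product. The
event shape (image, parent, cmdline) and the value-name sets are assumptions.
"""
import re
from dataclasses import dataclass

EXPECTED_IMAGE = r"c:\windows\system32\reg.exe"

# Parents the page calls out as suspect: Office applications and script hosts.
OFFICE_OR_SCRIPT_HOST_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe",
}

# Hives whose `reg save` is a credential-theft step (T1003.002).
CREDENTIAL_HIVES = {r"hklm\sam", r"hklm\system", r"hklm\security"}

# Autostart locations named in the security notes (T1547.001).
AUTOSTART_KEY_RE = re.compile(r"\\currentversion\\run(once)?$")
WINLOGON_KEY_RE = re.compile(r"\\currentversion\\winlogon$")
WINLOGON_AUTOSTART_VALUES = {"shell", "userinit"}

# Security settings the notes mention (Defender features, UAC) (T1112).
# Assumption: these standard policy values stand in for the full set.
DEFENDER_KEY_RE = re.compile(r"\\windows defender")
UAC_KEY_RE = re.compile(r"\\currentversion\\policies\\system$")
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}

# Autologon password storage (T1552.002) lives under the Winlogon key.
AUTOLOGON_VALUE = "defaultpassword"


@dataclass
class Event:
    image: str    # full path of the reg.exe image
    parent: str   # full path of the parent image
    cmdline: str  # reg.exe command line


@dataclass
class Finding:
    signal: str
    severity: str  # "high" or "med", as on the page


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse(cmdline):
    """Return (verb, key, value_name) from a reg.exe command line; missing parts are ''."""
    toks = tokenize(cmdline)
    verb = toks[1].lower() if len(toks) > 1 else ""
    key = toks[2].lower().rstrip("\\") if len(toks) > 2 else ""
    key = key.replace("hkey_local_machine", "hklm").replace("hkey_current_user", "hkcu")
    value = ""
    for i, t in enumerate(toks):
        if t.lower() == "/v" and i + 1 < len(toks):
            value = toks[i + 1].lower()
    return verb, key, value


def classify(ev):
    """Return the list of anomaly signals a single reg.exe event triggers."""
    findings = []
    if ev.image.lower() != EXPECTED_IMAGE:
        findings.append(Finding("image path not System32 reg.exe", "high"))
    verb, key, value = parse(ev.cmdline)
    if verb == "save" and key in CREDENTIAL_HIVES:
        findings.append(Finding("reg save of credential hive", "high"))
    if verb == "add" and (AUTOSTART_KEY_RE.search(key) or
                          (WINLOGON_KEY_RE.search(key) and value in WINLOGON_AUTOSTART_VALUES)):
        findings.append(Finding("reg add to autostart location", "high"))
    if verb in ("add", "delete") and (DEFENDER_KEY_RE.search(key) or
                                      (UAC_KEY_RE.search(key) and value in UAC_VALUES)):
        findings.append(Finding("reg add/delete changing security settings", "high"))
    if ev.parent.lower().rsplit("\\", 1)[-1] in OFFICE_OR_SCRIPT_HOST_PARENTS:
        findings.append(Finding("parent is Office application or script host", "high"))
    # A query of the Winlogon key as a whole, or of DefaultPassword explicitly, reads autologon secrets.
    if verb == "query" and WINLOGON_KEY_RE.search(key) and value in ("", AUTOLOGON_VALUE):
        findings.append(Finding("reg query of credential-storage key", "med"))
    if key.startswith("\\\\"):  # key path of the form \\host\HKLM\...
        findings.append(Finding("remote target on command line", "med"))
    return findings


def triage(events):
    """Per event: (highest severity or 'none', list of signal names)."""
    order = {"high": 2, "med": 1}
    out = []
    for ev in events:
        found = classify(ev)
        top = max((f.severity for f in found), key=order.get, default="none")
        out.append((top, [f.signal for f in found]))
    return out


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\System32\reg.exe", r"C:\Windows\System32\cmd.exe",
          r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion /v ProgramFilesDir"),
    Event(r"C:\Windows\System32\reg.exe", r"C:\Windows\System32\cmd.exe",
          r"reg save HKLM\SAM C:\Users\Public\1.bak"),
    Event(r"C:\Windows\System32\reg.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Svc /t REG_SZ /d "wscript.exe C:\Users\Public\u.vbs" /f'),
    Event(r"C:\Users\Public\reg.exe", r"C:\Windows\System32\cmd.exe",
          r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"),
    Event(r"C:\Windows\System32\reg.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r'reg query "\\fileserver01\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword'),
]

if __name__ == "__main__":
    for ev, (sev, signals) in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{sev:4} {ev.cmdline}")
        for s in signals:
            print(f"       - {s}")
```

The image-path check follows the page's signal literally; 32-bit callers launch C:\Windows\SysWOW64\reg.exe, so an environment where that is legitimate would add it to the expected set rather than alert on it. The first sample event, an ordinary read of a configuration value from cmd.exe, produces no finding, which is the point of the analysis section: the verb, the key path, the parent and any remote target, not the mere presence of reg.exe, carry the signal.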

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.
