Process
registry
Registry is a minimal Windows process (introduced in Windows 10 1803) that holds registry hive data in memory on behalf of the kernel's Configuration Manager. It has no on-disk image and no command line, and is parented by System.
File identity
Not observed.
Execution context
Not observed.
Analysis
Registry is a minimal process: a kernel-created process that owns an address space but runs no user-mode image. Before Windows 10 1803 the registry hives were kept in paged pool inside the kernel; moving them into a dedicated process gave the Configuration Manager its own working set, so hive data can be trimmed and managed like ordinary memory instead of pinning kernel pool.
Its identity is fixed by the kernel rather than by a file. It is created early in boot, before user-mode starts, runs as NT AUTHORITY\SYSTEM, and is parented by System (PID 4). The PID is assigned at boot and is not constant across reboots. Process Explorer and Task Manager list it, but neither shows an image path or command line, because no executable was ever mapped to start it. A sizable private working set is normal: it is the registry hives held in memory.
Windows ships no executable named Registry. The name is a candidate for masquerading (T1036.005), so a process named Registry with an on-disk image, a command line, or a parent other than System is not the kernel's registry process. Trailing spaces or look-alike spellings are a common variation.
- A process named Registry backed by an executable file on disk (there is no Registry.exe)
- A process named Registry with a command line
- A visible parent other than System (PID 4)
- Running as any account other than NT AUTHORITY\SYSTEM
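The four criteria above can be applied mechanically to process telemetry. The following is an added example, not code from the original page: it triages constructed process records against the page's criteria, flagging padding and one-character look-alike spellings of the name as well as any on-disk image, command line, non-System parent, or non-SYSTEM account. The record field names (name, image_path, command_line, pid, ppid, parent_name, user) are assumptions about whatever telemetry source feeds it.

```python
"""Triage of process records that claim to be the Windows 'Registry' minimal process.

Added example, not from the original page. The ProcessRecord fields are an
assumed shape for telemetry; map your EDR or Sysmon fields onto them.
"""
from dataclasses import dataclass
from typing import List, Optional

GENUINE_NAME = "Registry"
SYSTEM_PID = 4
SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"


@dataclass
class ProcessRecord:
    name: str
    pid: int
    ppid: int
    parent_name: Optional[str] = None
    image_path: Optional[str] = None
    command_line: Optional[str] = None
    user: Optional[str] = None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch look-alike spellings of 'Registry'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_registry(name: str) -> bool:
    """True if the name is 'Registry' or a close variant (padding, case, one edit)."""
    return edit_distance(name.strip().casefold(), GENUINE_NAME.casefold()) <= 1


def triage(proc: ProcessRecord) -> List[str]:
    """Return findings for a process whose name resembles 'Registry'.

    An empty list means the record matches the kernel's registry process on
    every attribute listed on the page. Records whose name is not
    Registry-like are skipped and also return an empty list.
    """
    if not looks_like_registry(proc.name):
        return []
    findings = []
    if proc.name != GENUINE_NAME:
        findings.append(f"name {proc.name!r} is not exactly {GENUINE_NAME!r} (padding or look-alike)")
    if proc.image_path:
        findings.append(f"backed by an on-disk image: {proc.image_path}")
    if proc.command_line:
        findings.append(f"has a command line: {proc.command_line!r}")
    if proc.ppid != SYSTEM_PID or (proc.parent_name and proc.parent_name != "System"):
        findings.append(f"parent is {proc.parent_name or '?'} (PID {proc.ppid}), not System (PID 4)")
    if proc.user != SYSTEM_ACCOUNT:
        findings.append(f"runs as {proc.user!r}, not {SYSTEM_ACCOUNT!r}")
    return findings


# Constructed sample records (not real telemetry).
GENUINE = ProcessRecord(name="Registry", pid=96, ppid=4, parent_name="System", user=SYSTEM_ACCOUNT)
SUSPECT = ProcessRecord(
    name="Registry ",  # trailing space, a variation the page calls out
    pid=5120,
    ppid=3344,
    parent_name="explorer.exe",
    image_path=r"C:\Users\Public\Registry.exe",  # constructed path
    command_line='"C:\\Users\\Public\\Registry.exe" -s',
    user=r"CONTOSO\alice",
)
UNRELATED = ProcessRecord(name="svchost.exe", pid=800, ppid=700, parent_name="services.exe", user=SYSTEM_ACCOUNT)

if __name__ == "__main__":
    for rec in (GENUINE, SUSPECT, UNRELATED):
        print(repr(rec.name), "->", triage(rec) or "no findings")
```

The genuine record yields no findings; the constructed suspect trips all five checks. The name comparison deliberately keeps a one-character tolerance so that a single-letter substitution still reaches the remaining checks rather than being ignored as an unrelated process.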
Telemetry
Not observed.