Saturday, October 15, 2016

MS16-124 Security Update for Windows Registry (3193227) - Decoding Registry SID areas

According to the Microsoft security bulletin MS16-124, Security Update for Windows Registry (3193227), released October 11, 2016:

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker can access sensitive registry information. This security update is rated Important for all supported releases of Microsoft Windows. For more information, see the Affected Software and Vulnerability Severity Ratings section.
The security update addresses the vulnerabilities by correcting how the kernel API restricts access to this information.
For more information about the vulnerabilities, see the Vulnerability Information section. For more information about this update, see Microsoft Knowledge Base Article 3193227.

HIDDEN REGISTRY KEYS - SECURITY & SAM

Some security and core system related registry keys are hidden from users: even a member of the local Administrators group cannot open or browse them in regedit.exe. By default their ACLs grant access only to the SYSTEM account; administrators merely hold the right to read and change the permissions, which is why an elevated regedit shows these keys in the tree but displays nothing underneath them.


Here are two of these hidden registry keys:

HKEY_LOCAL_MACHINE\SECURITY
HKEY_LOCAL_MACHINE\SAM

The SECURITY hive stores the local security policy (LSA policy), cached domain logon credentials and the LSA secrets, which include service account passwords and the machine account password. The SAM hive holds the local user and group accounts together with the LM/NTLM password hash of each local user. Two caveats for anyone decoding these hives: the hashes and secrets are encrypted with the boot key (SysKey), which is derived from the SYSTEM hive, so an offline copy of SAM or SECURITY is useless without a copy of SYSTEM taken at the same time; and on current Windows versions the LM hash is not stored by default, so normally only the NT hash is present.

There are several ways to view these hidden keys. The simplest is to run regedit.exe as the SYSTEM account with psexec.exe (part of the PsTools package from Sysinternals). PsExec must itself be started from an elevated command prompt; -s runs the target process as SYSTEM and -i lets it interact with the current desktop:


psexec.exe -s -i regedit.exe

Two alternatives are worth knowing. An elevated administrator can save the hives to disk without becoming SYSTEM, because reg.exe enables the backup privilege for the operation (reg save HKLM\SAM sam.hiv, and likewise for SECURITY and SYSTEM). The raw hive files under %SystemRoot%\System32\config can also be copied from a Volume Shadow Copy, or from another operating system while Windows is offline. Either route yields files that offline registry tools can decode, which is exactly what an attacker with local administrator rights would do, so access to these hives is worth auditing.

NEW FORENSIC REGISTRY TOOL for SENSITIVE AREAS

RegtoText is a command line utility that converts a Windows Registry export file (.reg) into a human readable text (.txt) file. Hex-encoded values are converted to ASCII (or Unicode) text where possible. The conversion cannot be exact: a registry value can hold arbitrary binary data, so heuristic and probabilistic methods are used to decide whether a given byte string is text and in which encoding, and a value that does not decode cleanly is left as hex.

The tool is aimed at forensic (law enforcement, antivirus companies), management and educational use, for quickly searching and eyeballing an entire exported registry for encoded values that look suspicious. Registry values can hold persistent fileless malware (Poweliks, for example, stored its launcher in the registry), back-doors or simply hidden messages. Most commonly, values contain strings in foreign-language encodings that a human reader spots faster than a signature does. Once a file has been decoded with RegtoText it is a searchable plain text file and can be indexed in any internal forensic search engine or database. Since the decoding is heuristic, treat a decoded string as a lead and confirm it against the original hex before drawing conclusions.
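To make the decoding step concrete, here is an added example; it is not RegtoText's code and not part of the original post. It is a small Python decoder that parses a .reg export, rejoins hex lines that regedit wrapped with a trailing backslash, turns hex, hex(2) and hex(7) values into readable strings with the kind of UTF-16/ASCII heuristics described above, and flags values containing strings typical of registry-resident payloads. The SAMPLE_REG content and the SUSPICIOUS word list are constructed for the example.

```python
"""Added example, not RegtoText's code: decode the hex-encoded values of a .reg
export into readable text with simple heuristics and flag payload-like strings.
SAMPLE_REG and the SUSPICIOUS word list below are constructed for this example."""
import re
import string

PRINTABLE = set(string.printable) - {'\x0b', '\x0c'}
TYPE_TAGS = {None: 'REG_BINARY', '0': 'REG_NONE', '1': 'REG_SZ', '2': 'REG_EXPAND_SZ',
             '4': 'REG_DWORD', '7': 'REG_MULTI_SZ', 'b': 'REG_QWORD'}
# Fragments typical of fileless persistence (Poweliks kept a rundll32 javascript: launcher).
SUSPICIOUS = ('rundll32', 'javascript:', 'mshta', 'powershell', 'wscript', 'cmd.exe /c')

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Example\Run]
"Updater"="C:\\Tools\\updater.exe"
"Retries"=dword:00000003
"Path"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,\
  25,00,00,00
"Servers"=hex(7):61,00,6c,00,70,00,68,00,61,00,00,00,62,00,65,00,74,00,61,00,00,00,00,00
"Payload"=hex:72,75,6e,64,6c,6c,33,32,20,6a,61,76,61,73,63,72,69,70,74,3a
"Blob"=hex:00,01,02,03,ff,fe
'''

def _join_continuations(text):
    """regedit wraps long hex values with a trailing backslash; rejoin them."""
    lines, pending = [], ''
    for raw in text.splitlines():
        line = pending + raw.strip() if pending else raw.rstrip()
        pending = ''
        if line.endswith('\\'):
            pending = line[:-1]
            continue
        lines.append(line)
    return lines + ([pending] if pending else [])

def _unescape(s):
    """Undo .reg escaping of backslash and double quote."""
    return re.sub(r'\\(.)', r'\1', s)

def _printable_parts(s):
    """Split NUL-separated strings (REG_MULTI_SZ); None if anything is unprintable."""
    parts = [p for p in s.split('\x00') if p]
    if not parts or any(c not in PRINTABLE for p in parts for c in p):
        return None
    return parts

def _decode_bytes(data):
    """Heuristic order: UTF-16LE text, then 8-bit text, else leave as raw hex."""
    if len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        parts = _printable_parts(data.decode('utf-16-le'))
        if parts:
            return 'wide:' + ' | '.join(parts)
    parts = _printable_parts(data.decode('latin-1'))
    if parts:
        return 'ascii:' + ' | '.join(parts)
    return 'hex:' + data.hex()

def decode_value(raw):
    """Right-hand side of a .reg line -> (registry type, readable text)."""
    if raw.startswith('"') and raw.endswith('"'):
        return 'REG_SZ', _unescape(raw[1:-1])
    if raw.startswith('dword:'):
        return 'REG_DWORD', str(int(raw[6:], 16))
    m = re.match(r'hex(?:\((\w+)\))?:(.*)$', raw)
    if not m:
        return 'UNKNOWN', raw
    vtype = TYPE_TAGS.get(m.group(1), 'hex(%s)' % m.group(1))
    data = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
    return vtype, _decode_bytes(data)

def decode_reg(text):
    """Parse a .reg export into {key: {value name: (type, readable text)}}."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith(('Windows Registry Editor', ';')):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = '(Default)' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            keys[current][name] = decode_value(m.group(2))
    return keys

def find_suspicious(decoded):
    """Return (key, value name, matched fragments) for payload-like values."""
    hits = []
    for key, values in decoded.items():
        for name, (_vtype, text) in values.items():
            words = [w for w in SUSPICIOUS if w in text.lower()]
            if words:
                hits.append((key, name, words))
    return hits

def reg_to_text(text):
    """Render the decoded export as one searchable line per value."""
    out = []
    for key, values in decode_reg(text).items():
        out.append(key)
        for name, (vtype, readable) in values.items():
            out.append('  %s [%s] = %s' % (name, vtype, readable))
    return '\n'.join(out)
```

Calling reg_to_text(SAMPLE_REG) renders the "Payload" value as ascii:rundll32 javascript:, which find_suspicious(decode_reg(SAMPLE_REG)) then reports, while the "Blob" value stays as hex because it does not pass either text heuristic. Real exports written by regedit are UTF-16LE with a byte-order mark, so read them with encoding='utf-16' before passing the text in.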

Get RegtoText now!

