Tha Sneak
MRT-X Owner/Teacher

[MRT-X] Understanding the Windows Registry

Posted Mar 21, 2025 09:37 AM

See this thread for a more in-depth guide to the Windows Registry: https://hackforums.net/showthread.php?tid=5768154

Understanding the Windows Registry and Malware-Related Modifications

1. Introduction
Print this page or save it for future reference.

The Windows Registry is a database containing information on how your computer operates. The Registry Editor (regedit.exe) is a tool for advanced users to view or modify settings stored in the Registry.

In malware removal, understanding how to edit the Registry is essential.

Normally, Registry editing is not required, but malware often modifies the Registry to make removal difficult. This can prevent users from controlling their system properly.

Before making any changes to the Registry, always back up the affected key/value.

2. Understanding Registry Structure

The Windows Registry consists of three main parts:

A. Hives
Hives are root sections that store all Registry data. The five primary hives are:
  • HKEY_CURRENT_USER (HKCU) – Stores user-specific settings.
  • HKEY_LOCAL_MACHINE (HKLM) – Stores system-wide settings.
  • HKEY_CLASSES_ROOT (HKCR) – Manages file type associations.
  • HKEY_USERS (HKU) – Stores data for all users.
  • HKEY_CURRENT_CONFIG (HKCC) – Stores hardware and system settings.

B. Keys
Registry keys are like folders that store values. Important keys include:
  • CLSID keys – Identify software components.
  • File extension keys – Associate file types with programs.
  • Data keys – Store configuration data for applications.

C. Values
There are six main types of Registry values:
  • DWORD (32-bit) – Used for storing numerical data.
  • QWORD (64-bit) – Like DWORD, but 64 bits wide.
  • String Value (REG_SZ) – Stores text data.
  • Multi-String Value (REG_MULTI_SZ) – Stores multiple text entries.
  • Expandable String Value (REG_EXPAND_SZ) – Text values that reference system variables.
  • Binary Value (REG_BINARY) – Stores raw binary data.

3. Editing the Registry

A. Deleting a Registry Key
To delete a Registry key, use this format:
Code
[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\VolumeControlPro]
The minus (-) sign inside the brackets [-HKEY...] indicates deletion. Only the VolumeControlPro key is removed; the parent RUN key is left in place.

B. Adding a Registry Key
To add a new Registry key:
Code
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Reversal]
This will create the Reversal key under RUN.

C. Deleting a Registry Value
To delete a Registry value:
Code
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Reversal]
"LookAtMe"=-
The minus sign (`-`) after the equal sign removes the value LookAtMe.

D. Modifying a Registry Value
To modify a value:
Code
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Reversal]
"LookAtMe"="2634645"
This updates LookAtMe with the new value 2634645.

E. Adding a Registry Value
To add a new value:
Code
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Reversal]
"LookAtMe"="2634645"
"NEWvalue"="1928374"
This adds a new entry NEWvalue.

4. Correct Structure of a Registry File (*.reg)

A properly formatted Registry file must contain:
Code
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Reversal]
"LookAtMe"="2634645"
"NEWvalue"="1928374"

[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\VolumeControlPro]
The first line must always be:
Windows Registry Editor Version 5.00
For older Windows versions, REGEDIT4 may be required.

To modify the default value of a key (written as @ instead of a quoted name):
Code
@="hello"
To delete (reset) the default value, use the same minus marker as for any other value:
Code
@=-
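As an added example (not part of the original post), the following parser applies the rules from sections 3 and 4 to a *.reg file: it checks the version header, treats [-HKEY...] as a key deletion, "Name"=- as a value deletion, and decodes string and dword data so the file can be reviewed before it is imported. The sample file is constructed from the fragments shown above plus the policy fixes in section 9; RegOp, parse_reg and SAMPLE are names chosen here.

```python
import re
from collections import namedtuple

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
# Matches "Name"=value or @=value (@ is the key's default value); names may contain \" escapes
_VALUE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
_unescape = lambda s: re.sub(r'\\(["\\])', r"\1", s)
RegOp = namedtuple("RegOp", "action key name kind data", defaults=("", "", None))

def parse_reg(text: str) -> list:
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("first line must be a Registry Editor version header")
    ops, key = [], None
    for line in (l.strip() for l in lines[1:]):
        if not line or line.startswith(";"):              # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):                       # [-HKEY...]: delete the key
                ops.append(RegOp("delete_key", key[1:]))
                key = None
            continue
        m = _VALUE.match(line)
        if key is None or not m:
            raise ValueError(f"malformed line: {line}")
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        val = m.group(3)
        if val == "-":                                    # "Name"=- : delete the value
            ops.append(RegOp("delete_value", key, name))
        elif len(val) >= 2 and val[0] == val[-1] == '"':  # REG_SZ
            ops.append(RegOp("set_value", key, name, "sz", _unescape(val[1:-1])))
        elif val.startswith("dword:"):                    # REG_DWORD, hex digits
            ops.append(RegOp("set_value", key, name, "dword", int(val[6:], 16)))
        elif val.startswith("hex:"):                      # REG_BINARY, single-line only
            ops.append(RegOp("set_value", key, name, "hex", bytes.fromhex(val[4:].replace(",", ""))))
        else:
            raise ValueError(f"unsupported value syntax: {line}")
    return ops

# Constructed sample assembled from the fragments shown in sections 3, 4 and 9.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Reversal]
@="hello"
"LookAtMe"="2634645"
[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\VolumeControlPro]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"DisableRegistryTools"=-
"""
```

Running parse_reg(SAMPLE) lists every key that would be deleted and every value that would be set, which is a quick way to confirm a fix file touches only the keys you intend.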

5. Backing Up Registry Keys

To back up a key:
  • Open Registry Editor (regedit).
  • Select the key to back up.
  • Click File > Export.
  • Choose a save location and name the file.
  • Click Save.

6. Preventive Measures Before Editing

Before making changes:
  • Create a System Restore Point (Win + R > rstrui.exe).
  • Use FRST for backing up the registry.

7. Are Registry Cleaners Necessary?

From Microsoft:
Quote: "Some products available for free on the Internet suggest the registry needs regular maintenance or cleaning. Although a registry setting can become corrupt on occasion, in general, the registry is self-sufficient."
Source: mshelp://Windows/?id=449a5c7d-f9f9-4392-800c-83503145889f

Microsoft recommends only modifying values you understand and backing up before making changes.

8. Using HijackThis for Registry Editing

Certain malware infections require Registry modifications for removal.

Example HijackThis log entry:
Code
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.freeze.com
To fix this manually:
Code
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"

9. Fixing Malware-Induced Registry Restrictions

A. Re-enabling Registry Access
If malware disables Registry Editor through the DisableRegistryTools policy, restore access by deleting that value:
Code
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=-

B. Fixing User Account Control (UAC) Hijacking
Malware can modify UAC settings to block administrative actions.

Restore normal UAC behavior:
Code
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000001

C. Re-enabling Task Manager
If Task Manager is disabled, restore it:
Code
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

D. Restoring Internet Explorer’s Home Page
Malware can lock browser settings. Restore default homepage:
Code
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.msn.com"