Black Bytes » Uncategorized
http://www.blackbytes.info
Linux & Programming tips
Wed, 08 Apr 2015 17:38:12 +0000

An introduction to the Windows registry
http://www.blackbytes.info/2014/02/an-introduction-to-the-windows-registry/
Thu, 27 Feb 2014 20:50:13 +0000

You probably heard about it, but do you really know how it’s structured and how to work with it? If not please continue reading!

Just so we are all on the same page, I will explain what the registry is: it gives the operating system and the applications installed on it a centralized place to store their configuration. A few examples of things we will find here are user accounts, Windows services and auto-start programs, application settings, etc.

Registry structure

The registry is divided into so-called “hive keys”. These keys are backed by actual files on disk, stored in a binary format. You can find them in the following path:

%systemroot%\system32\config

They are, in descending file size: SOFTWARE, SYSTEM, SECURITY, SAM. There are also the ntuser.dat files, one for every user, stored in each user’s profile.

When the system is running, these files are mapped into the actual keys:

HKLM – HKEY Local Machine (software, system, sam, security)

HKCU – HKEY Current User (ntuser.dat)

HKCR – HKEY Classes root

Registry tools

To work with the registry we have a few tools at our disposal, one of the most common ones being regedit.exe. One of the issues with regedit is that it doesn’t offer many features and it can be tedious to find a certain key or do any kind of batch operation.

Meet NirSoft’s RegScanner. While this tool doesn’t offer editing capabilities, it is excellent for searching the registry: it offers a lot of search options and presents us with a list of the results, instead of making us step through each result one at a time.

In addition, we also have the option of navigating the registry via the command line, using the reg.exe utility, which is included with most Windows installs (if not all). This tool will allow us to do pretty much any operation we need, from updating keys to exporting entire hive keys. We can see the different operations available by calling reg /?.

Example command using the reg.exe utility:

reg query HKLM\SYSTEM\CurrentControlSet\services
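The same key can be read from PowerShell to see what is stored under each service. This is an added example, not code from the original post; it is read-only and relies on the standard Type, Start, DisplayName and ImagePath values that Windows keeps in every service key.

```powershell
# Added example: inventory the services key that the reg query command above lists.
# Read-only; run in Windows PowerShell or PowerShell 7 on Windows.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Meanings of the Start value (REG_DWORD) found under each service key.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

$inventory = foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $type = $key.GetValue('Type')
    if ($null -eq $type) { continue }   # subkey that does not define a service

    # Type is a bit field: 0x1/0x2 are drivers, 0x10/0x20 are Win32 services.
    if ($type -band 0x30)    { $kind = 'Win32 service' }
    elseif ($type -band 0x3) { $kind = 'Driver' }
    else                     { $kind = 'Other' }

    $start = $key.GetValue('Start')
    if ($null -ne $start -and $startNames.ContainsKey($start)) { $start = $startNames[$start] }

    [pscustomobject]@{
        Name        = $key.PSChildName               # internal service name
        DisplayName = $key.GetValue('DisplayName')
        Kind        = $kind
        Start       = $start
        # Ask for the raw string so %SystemRoot% is shown as stored, not expanded.
        ImagePath   = $key.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    }
}

# Services that start without user action, with the binary each one runs.
$inventory |
    Where-Object { $_.Kind -eq 'Win32 service' -and $_.Start -eq 'Automatic' } |
    Sort-Object Name |
    Format-Table Name, DisplayName, ImagePath -AutoSize -Wrap
```

Saving the output at intervals and comparing it gives a simple record of which auto-start services were added or had their binary changed.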

That’s just a small taste of the Windows registry. I hope you enjoyed it!

The Windows Commandline: Services
http://www.blackbytes.info/2014/01/the-windows-commandline-services/
Wed, 22 Jan 2014 17:21:10 +0000

Ever wanted to manipulate Windows services from the command line (cmd.exe)? Now you can if you read this blog post :)

To get us started, the first thing is to list the available services. We can do this using the sc query command. Since it will spit out a lot of information, we may want to pipe it through more or dump it into a file.

sc query | more

Every service has an internal name (you want to use this for the other commands), a display name and a status; the rest of the fields aren’t very useful for us. If we want to get some extra info about a specific service, like its binary file and dependencies, we can use the following command:

sc qc <service name>

If you want to stop this service you can use ‘stop’, and to start it again ‘start’. Very easy, isn’t it?

sc stop <service name>

Creating a new service

Now comes the tricky part: to create a new service you use the ‘create’ option. The thing is that you have to give the parameters in the correct format for it to work. Here is an example; notice the space between the ‘=’ and the value.

sc create test binpath= notepad.exe

You also need to know that if the binary you are using isn’t prepared to work as a service, Windows will kill it in about 30 seconds, because it’s expecting a signal saying that it started correctly. Microsoft provides a program called “SrvAny”, available in the “Windows Server Resource Kit”, which will help you run any application as a service; check this link for more details.

Finally, to modify a service that already exists you can use “config”, which takes the same parameters as “create”.
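The create, qc and config steps above, run end to end from an elevated PowerShell prompt rather than cmd.exe. This is an added example, not code from the original post; the service name BlackBytesDemo, its display name and the Invoke-Sc helper are made up for the demonstration, and the service is never started and is deleted at the end.

```powershell
# Added example: create, inspect, reconfigure and remove a throwaway service.
# Run elevated. 'BlackBytesDemo' is a made-up name used only for this demo.
$name = 'BlackBytesDemo'

function Invoke-Sc {
    # Call sc.exe explicitly: in Windows PowerShell, plain `sc` is an alias for Set-Content.
    $output = & "$env:SystemRoot\System32\sc.exe" @args
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe $($args -join ' ') failed ($LASTEXITCODE): $($output -join ' ')"
    }
    $output
}

try {
    # Each option is written as 'name=' followed by its value as a separate argument.
    Invoke-Sc create $name binPath= "$env:SystemRoot\System32\notepad.exe" start= demand DisplayName= 'Black Bytes demo'

    # qc prints the stored configuration, including BINARY_PATH_NAME and START_TYPE.
    Invoke-Sc qc $name

    # config accepts the same option= value pairs as create.
    Invoke-Sc config $name start= disabled

    # The same settings are visible as values under the service's registry key.
    Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$name" |
        Select-Object DisplayName, ImagePath, Start
}
finally {
    # Remove the demo service even if one of the steps above failed.
    & "$env:SystemRoot\System32\sc.exe" delete $name | Out-Null
}
```

After the config call, the Start value read back from the registry is 4, which is how the disabled start type is stored.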

Please leave a comment if you have any suggestions, also share the post if you found it useful!
