Friday, September 16, 2022

Basics of Windows Registry

There are many things that will scare a system administrator, and one of them is messing with the Registry. In this article, I will explain what the Windows Registry is, how it works, what hives are, and what each of the top-level groups of keys holds. 

The Windows Registry is a hierarchical database that stores the configuration the Windows operating system and its applications need in order to run. It holds virtually everything from local account password hashes (in the SAM) and device driver settings to per-application preferences and everything in between. 

The top of the hierarchy is the set of root keys (HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, and so on). The data beneath them is organized into hives: a hive is a logical grouping of keys, subkeys, and values that is backed by a file on disk (SYSTEM, SOFTWARE, SAM, and SECURITY under C:\Windows\System32\config, and NTUSER.DAT in each user profile). Keys look like folders and are used to organize subkeys and values; values are the name/data pairs that hold the actual settings. 

The root keys are grouped by scope. For instance, HKEY_USERS holds one subtree for every user profile that is currently loaded, while HKEY_CURRENT_USER is a view onto just the subtree of the user running the current session. Let's go through each root key and explain what it holds. 


HKEY_CLASSES_ROOT

  • This is commonly abbreviated as HKCR. 

  • It holds file-type associations (which program opens a given extension) and COM class registrations (ProgIDs, CLSIDs, and the paths to the servers that implement them). 

  • Data in HKEY_CLASSES_ROOT is a merged view of 2 different sources. 
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes (machine-wide defaults)

    • HKEY_CURRENT_USER\SOFTWARE\Classes (per-user overrides, which take precedence)

  • A subkey created in either location shows up in HKCR automatically, and a write to HKCR lands in the HKLM copy unless the key already exists under HKCU. Because the per-user copy wins, an account with ordinary user rights can register a COM class or file handler under HKCU\SOFTWARE\Classes and have it loaded in place of the machine-wide one (COM hijacking), so that key is worth monitoring. 

HKEY_CURRENT_USER
  • This is commonly abbreviated as HKCU. 

  • This area of the Registry changes depending on who is logged in: it always reflects the user running the current session. 

  • When a user logs in, that user's NTUSER.DAT hive is loaded under HKEY_USERS and HKCU is pointed at it. 

  • If the user has never logged in before, a new profile is created from the default user's hive, which is stored at C:\Users\Default\NTUSER.DAT.

  • HKCU does not actually store data; it is a link to the user's real subtree, which lives under HKEY_USERS. 

  • Each user is assigned a security identifier (SID), and each user's data sits under HKEY_USERS in a key named after that SID. 

HKEY_LOCAL_MACHINE
  • This is commonly abbreviated to HKLM. 

  • This is a treasure trove of information: hardware, operating system, security, drivers, and startup parameters. 
    • Hardware: Stores information about the hardware the system has detected. It is rebuilt at every boot and is not stored on disk. 

    • SAM: Security Accounts Manager. Stores local user and group accounts, including their password hashes. Don't ever edit this key directly; doing so can lock users out. Manage local accounts through the Local Users and Groups tools (or net user) instead; domain accounts live in Active Directory, not here. By default only SYSTEM can read SAM and SECURITY, and an export of them (together with SYSTEM, which holds the boot key needed to decrypt them) is exactly what offline credential-dumping tools work from, so treat any such export like a password database. 

    • Security: LSA policy and secrets needed by the system and the network, such as cached domain logon data and service account secrets. Don't ever edit this key directly; use Group Policy, Local Security Policy, and Active Directory instead. 

    • Software: The Software subkey holds a subkey for each installed program, organized by vendor, plus the settings an application needs to launch or run. 

    • System: Stores the control sets. Each ControlSet00N key holds boot, service, and driver configuration; CurrentControlSet is a link to whichever set the system booted with (selected through the Select subkey), and the others are earlier configurations kept for recovery. 

HKEY_USERS
  • This is commonly abbreviated as HKU. 

  • This contains the user-specific settings for each user profile currently loaded on the system: the user's NTUSER.DAT hive under a key named by SID, plus a <SID>_Classes key for the user's per-user Classes hive (UsrClass.dat), which is what HKCU\SOFTWARE\Classes maps to. 

  • Each user is represented by his SID, which is unique to each user.

  • Most subkeys are named by numeric SID; .DEFAULT is the exception. It is not the template for new users (that is C:\Users\Default\NTUSER.DAT); it is the profile the system uses before anyone logs in, such as at the logon screen, and it belongs to the Local System account.
    • S-1-5-18: Local System

    • S-1-5-19: NT AUTHORITY\LOCAL SERVICE

    • S-1-5-20: NT AUTHORITY\NETWORK SERVICE

    • A longer SID of the form S-1-5-21-<domain or machine identifier>-500 is the built-in Administrator account. The last component, the relative identifier (RID), identifies the account within the domain or machine; 500 is always Administrator and 501 is Guest, even if they have been renamed. 

HKEY_CURRENT_CONFIG
  • This is commonly abbreviated as HKCC. 

  • It is similar to HKEY_CURRENT_USER in that it doesn't store data of its own; it is a link to data stored elsewhere. 

  • HKCC presents the configuration data of the current hardware profile. 

  • The link points to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current

There may be a time when you want to compare the settings of a user who is not logged on, or examine a hive file copied from another machine. Loading a hive gives you this ability. In regedit, the Load Hive and Unload Hive commands are only available when HKEY_LOCAL_MACHINE or HKEY_USERS is selected; with any other root key selected, the options are greyed out. The same operation is available from the command line through reg.exe load and reg.exe unload. A loaded NTUSER.DAT or SAM hive is as sensitive as the live Registry, so unload it when you are done and do not leave copies of the file lying around.
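The subkey names under HKEY_USERS are SIDs, and the same SIDs show up in binary form in every ACL and token on the system. The following is an added example (not code from the original post) that decodes the binary SID layout, rebuilds it, and explains what each HKEY_USERS subkey name represents, including the RID 500 check and the _Classes suffix. It is written in Python so it runs offline on any platform; the key names in SAMPLE_HKU_KEYS and the domain identifier in them are constructed, not taken from a real machine.

```python
import struct

# Well-known SIDs that appear as HKEY_USERS subkeys on most systems.
WELL_KNOWN = {
    "S-1-5-18": "Local System",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}

# RIDs (the last sub-authority of an S-1-5-21 SID) that identify built-in accounts.
BUILTIN_RIDS = {500: "built-in Administrator", 501: "built-in Guest", 502: "krbtgt"}


def sid_to_string(raw: bytes) -> str:
    """Decode the binary SID layout used in tokens and ACLs: revision (1 byte),
    sub-authority count (1), identifier authority (6, big-endian), then
    count * 4-byte little-endian sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "S-1-" + "-".join(str(x) for x in (authority, *subs))


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string; handy for building test data or comparing against binary SIDs."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID string")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)


def describe_hku_key(name: str) -> str:
    """Explain what a subkey name under HKEY_USERS represents."""
    if name == ".DEFAULT":
        return "Local System profile hive; used by the logon screen before anyone signs in"
    is_classes = name.endswith("_Classes")
    base = name[: -len("_Classes")] if is_classes else name
    suffix = " [per-user Classes hive (UsrClass.dat), merged into HKCR]" if is_classes else ""
    if base in WELL_KNOWN:
        return WELL_KNOWN[base] + suffix
    parts = base.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        rid = int(parts[-1])
        who = BUILTIN_RIDS.get(rid, f"user account, RID {rid}")
        domain_id = "-".join(parts[4:7])
        return f"{who} in domain/machine {domain_id}{suffix}"
    return "unrecognized SID" + suffix


# Constructed sample: the subkeys you might see under HKEY_USERS with one user logged on.
SAMPLE_HKU_KEYS = [
    ".DEFAULT", "S-1-5-18", "S-1-5-19", "S-1-5-20",
    "S-1-5-21-1004336348-1177238915-682003330-1001",
    "S-1-5-21-1004336348-1177238915-682003330-1001_Classes",
]

if __name__ == "__main__":
    for key in SAMPLE_HKU_KEYS:
        print(f"{key:58} -> {describe_hku_key(key)}")
    admin = string_to_sid("S-1-5-21-1004336348-1177238915-682003330-500")
    print(admin.hex(), "->", sid_to_string(admin), "->", describe_hku_key(sid_to_string(admin)))
```

The RID check is the one to remember when you find a renamed "Administrator": the name is cosmetic, the RID is not.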

Saturday, September 10, 2022

Basics of Active Directory: Logical Topology

Active Directory is a directory service that lets you manage the elements of your network: computers, groups, users, domains, security policies, and any user-defined object types. It is a great tool for maintaining IT assets. To make this possible, Active Directory follows a logical structure of hierarchical containers that gives administrators clear boundaries of oversight. 

One great aspect of Active Directory is that it is built on DNS (Domain Name System) and LDAP (Lightweight Directory Access Protocol). It uses DNS not only for the usual name-to-IP resolution but also so clients can locate domain controllers: every DC registers SRV records such as _ldap._tcp.dc._msdcs.<domain>, and a client queries them to find a DC to authenticate against. It uses LDAP to query and modify the objects in the directory. Because LDAP and DNS are platform-independent protocols, Unix, Macintosh, and other clients can use the directory in the same fashion as Windows clients.

When we look at the logical structure of Active Directory, there are 4 principal areas:
  1. Domain
  2. Organizational Unit
  3. Trees
  4. Forests
Before we dive into these principal areas, we need to understand what objects are. 

An object is the basic element of Active Directory that represents something on the network, such as a user, a group, a computer, an application, a printer, or a shared folder.

Each object also has its own attributes. For example, a user object has attributes like:
  • First Name
  • Last Name
  • Email
Organizational Unit (OU):
  • This is a container within a domain which can hold objects like users, computers, and groups. 
  • OUs can have other OUs within them. 
  • This is the smallest scope to which an administrator can link Group Policy (GPOs link to sites, domains, and OUs, never to groups). 
  • We can organize users, computers, etc. by location, department, etc. 
  • OUs are different from AD groups. 
    • An OU is a container. It is used to apply Group Policy (logon screen, password requirements, desktop settings) and to delegate administration over the objects inside it. 
    • A group is a security principal. It is placed in ACLs to grant permissions on files, shares, and other resources, and it can contain objects from anywhere in the domain.
Domain:
  • This is a logical group of objects that share common administration, security policy, and replication settings.
    • Day-to-day access control (for instance, keeping the sales team out of the engineering team's resources) is done with groups and ACLs inside a domain; separate domains exist for separate administration, password policy, and replication scopes.
  • IT teams can define administrative boundaries and manage sets of devices, services, and systems in a centralized manner. 
  • A domain often maps to a physical space like an office or multiple offices, but it does not have to.
  • Domains group network objects and OUs into an administrative and replication boundary. A domain is not a security boundary: anyone who gains full control of one domain in a forest can take over the rest, so the forest is the real security boundary.
  • You also have Domain Controllers, the servers that hold a writable copy of the domain's database and handle authentication and directory requests for IT resources within the domain.
Trees:
  • A tree is a collection of domains that share a contiguous DNS namespace.
  • The domains in a tree are connected by two-way transitive trusts, created automatically when a child domain is added. 
  • Every domain in the forest, and therefore every domain in a tree, shares a common schema and global catalog.
    • The Global Catalog (GC) is a partial copy of every object in the forest that lets users and applications find objects without knowing which domain holds them. 
    • The schema is the list of definitions that determines what object classes and attributes can be stored. 
  • For example, you may have a domain of "company.com". 
    • Then have child domains called "hr.company.com" and "sales.company.com". 
    • Clearly, this is a tree: a collection of domains that share the DNS namespace "company.com". 
    • The child domains would be "hr" and "sales". 
Forests:
  • Highest level in the hierarchical structure of Active Directory.
  • A forest is a group of one or more domain trees. 
  • All domains in a forest share a single schema and configuration partition and one global catalog, and the forest is the security boundary. Each domain still keeps its own domain partition, so there is no single database holding every object.
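As an added example (not from the original post), the following Python groups a list of domain DNS names into trees the way the text describes, a domain whose DNS parent is also a domain in the forest is a child, everything else starts a tree, and builds the SRV record names a domain-joined client queries to find a domain controller or a global catalog. The domain names in SAMPLE_DOMAINS are constructed for illustration; the SRV naming follows the standard _msdcs layout every DC registers.

```python
from collections import defaultdict


def parent_domain(domain, names):
    """Nearest DNS ancestor of `domain` that is itself a domain in `names`, or None (a tree root)."""
    labels = domain.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in names:
            return candidate
    return None


def build_forest(domains):
    """Group DNS domain names into trees. Domains in a contiguous namespace form one tree;
    each tree root is a domain with no ancestor in the forest. Returns {tree_root: [members]}."""
    names = {d.lower().strip(".") for d in domains}
    parent_of = {d: parent_domain(d, names) for d in names}

    def root_of(d):
        while parent_of[d] is not None:
            d = parent_of[d]
        return d

    trees = defaultdict(list)
    for d in names:
        trees[root_of(d)].append(d)
    return {root: sorted(members) for root, members in sorted(trees.items())}


def dc_locator_srv(domain, site=None):
    """SRV name a client queries to find an LDAP-capable DC for `domain`:
    the site-specific form is tried first, then the domain-wide form."""
    d = domain.lower().strip(".")
    if site:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{d}"
    return f"_ldap._tcp.dc._msdcs.{d}"


def gc_locator_srv(forest_root):
    """SRV name for a global catalog server; GC records are registered under the forest root zone."""
    return f"_gc._tcp.{forest_root.lower().strip('.')}"


# Constructed sample forest: one tree rooted at company.com, a second tree rooted at partner.net.
SAMPLE_DOMAINS = [
    "company.com", "hr.company.com", "sales.company.com", "east.sales.company.com",
    "partner.net", "eu.partner.net",
]

if __name__ == "__main__":
    for root, members in build_forest(SAMPLE_DOMAINS).items():
        print(f"tree {root}: {members}")
        print("  GC lookup:", gc_locator_srv("company.com"))
        for m in members:
            print("  DC lookup:", dc_locator_srv(m, site="HQ"), "then", dc_locator_srv(m))
```

The point of the locator names is that a client never needs to know a DC's hostname in advance; DNS answers, which is also why an attacker who controls DNS answers for these names controls where your clients authenticate.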




Friday, September 9, 2022

Basics of Active Directory Permissions: Replicating Directory Changes All

One of the most consequential permissions you can grant in Active Directory is "Replicating Directory Changes All". Understanding it explains how Active Directory keeps domain controllers in sync, and knowing who holds it is what lets you prevent and detect a common attack known as DCSync. 

Before we talk about this permission, a good place to start is how Active Directory handles high availability and redundancy. Active Directory high availability is not based on failover clustering, like Hyper-V, or log shipping, like SQL Server. Instead, every domain controller holds a full, writable copy of the domain database and serves it to whoever asks; this is multi-master replication. 

When you deploy at least 2 domain controllers for an Active Directory domain, you gain redundancy and high availability for that domain by default. Because of this, the controllers need to stay in sync, so Active Directory uses replication to make that happen. 

What is replication? Essentially, any change made on one domain controller is copied to every other domain controller in that domain. There are two types of replication. 

  1. Intrasite Replication
  2. Intersite Replication
Intrasite Replication:
  • Within an Active Directory site, replication is pull-based: a DC that makes a change notifies its replication partners, and each partner then asks the changed DC for the updates it has not yet seen. 
  • This is configured automatically by default (the Knowledge Consistency Checker builds the connections). 
  • This is for domain controllers in the same site.
  • It is tuned so changes are distributed within seconds, since bandwidth inside a site is assumed to be plentiful.
Intersite Replication:
  • Between Active Directory sites, replication is schedule-based, compressed, and carried out between bridgehead servers.
  • When the schedule comes due, the bridgehead DC for a site asks the bridgehead DC in the other site for the changes it has seen. 
  • This is for domain controllers across different sites.
So, the "Replicating Directory Changes All" permission lets its holder use that same replication protocol (the DRSUAPI GetNCChanges call) to request any attribute of any object in the directory, including secret attributes such as password hashes, exactly as a domain controller would. 

It is the elevated form of "Replicating Directory Changes", which on its own only allows replication of non-secret attributes; secret attributes are withheld unless the All right is also present. DCSync needs both rights. 

If a principal holds "Replicating Directory Changes All", it can ask a domain controller to replicate user account objects, and with them the NTLM password hashes and Kerberos keys. An adversary with that right does not need to crack anything: the hash is used directly in a Pass-the-Hash attack to authenticate as that user. Because the attacker replicates rather than logs on to the accounts, there is no lockout and the request can be repeated as often as desired, including for the krbtgt account, which enables forged Kerberos tickets. The damage is worst when the right has been granted to a service account, a non-administrative user, or a group nobody thinks of as privileged. By default only Domain Controllers, Enterprise Domain Controllers, Administrators, Domain Admins, and Enterprise Admins hold it on the domain object; anything else in that list needs an explanation (Azure AD Connect's MSOL_ sync account is a common legitimate one). When the right is exercised and the Directory Service Access audit subcategory is enabled, the DC logs Security event 4662 with the right's GUID (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) in the Properties field, which is the basis for detecting DCSync. 

This is why it is important to be very specific and careful about whom you give these permissions to. They should be granted only on a need-to-have basis, and the list of holders should be reviewed regularly. 
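The two checks described above, who holds the replication rights and who is exercising them, as an added example that is not part of the original post. The ACE list and the event 4662 records below are constructed for illustration, not real audit output; the two extended-right GUIDs are the real ones. Note that event 4662 carries no source IP address, so the SubjectLogonId is kept so it can be joined to the matching 4624 logon event for the source. Detection assumes the Directory Service Access audit subcategory is enabled on the DCs.

```python
from collections import defaultdict

# Extended-right GUIDs on the domain naming context that DCSync relies on.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
DCSYNC_RIGHTS = {GET_CHANGES, GET_CHANGES_ALL}


def holders_of_dcsync_rights(aces):
    """aces: (trustee, object_type_guid) pairs from allow ACEs on the domain head.
    Replicating secrets needs both rights, so only principals holding both are reported."""
    held = defaultdict(set)
    for trustee, guid in aces:
        guid = guid.lower()
        if guid in DCSYNC_RIGHTS:
            held[trustee].add(guid)
    return sorted(t for t, rights in held.items() if rights == DCSYNC_RIGHTS)


def flag_dcsync_events(events, dc_accounts, allowlist=()):
    """events: dicts carrying the Security event 4662 fields used here.
    Flags replication-right use by anything that is not a domain controller's
    computer account or an approved sync account."""
    flagged = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        props = ev.get("Properties", "").lower()
        used = sorted(r for r in DCSYNC_RIGHTS if r in props)
        if not used:
            continue
        who = ev["SubjectUserName"]
        if (who.endswith("$") and who in dc_accounts) or who in allowlist:
            continue
        flagged.append({"time": ev["TimeCreated"], "user": who,
                        "logon_id": ev.get("SubjectLogonId"), "rights": used})
    return flagged


# Constructed sample data: a DACL excerpt from the domain object and three 4662 records.
SAMPLE_ACES = [
    ("CORP\\Domain Controllers", GET_CHANGES), ("CORP\\Domain Controllers", GET_CHANGES_ALL),
    ("CORP\\Domain Admins", GET_CHANGES), ("CORP\\Domain Admins", GET_CHANGES_ALL),
    ("CORP\\svc-backup", GET_CHANGES),                                             # non-secret right only
    ("CORP\\helpdesk-tmp", GET_CHANGES), ("CORP\\helpdesk-tmp", GET_CHANGES_ALL),  # should not be here
]
SAMPLE_EVENTS = [
    {"EventID": 4662, "TimeCreated": "2022-09-09T10:01:00", "SubjectUserName": "DC02$",
     "SubjectLogonId": "0x3e7", "Properties": f"{{{GET_CHANGES}}} {{{GET_CHANGES_ALL}}}"},
    {"EventID": 4662, "TimeCreated": "2022-09-09T10:07:30", "SubjectUserName": "helpdesk-tmp",
     "SubjectLogonId": "0x5a1c2f", "Properties": f"{{{GET_CHANGES}}} {{{GET_CHANGES_ALL}}}"},
    {"EventID": 4662, "TimeCreated": "2022-09-09T10:09:00", "SubjectUserName": "MSOL_a1b2c3",
     "SubjectLogonId": "0x71d3", "Properties": f"{{{GET_CHANGES_ALL}}}"},
]
DC_ACCOUNTS = {"DC01$", "DC02$"}
ALLOWLIST = {"MSOL_a1b2c3"}  # assumed approved sync account (Azure AD Connect style)

if __name__ == "__main__":
    print("Principals able to DCSync:", holders_of_dcsync_rights(SAMPLE_ACES))
    for hit in flag_dcsync_events(SAMPLE_EVENTS, DC_ACCOUNTS, ALLOWLIST):
        print("ALERT possible DCSync:", hit)
```

Run the holders check against a real export of the domain object's DACL and anything outside the default groups and your known sync accounts is a finding; run the event check continuously and a hit from a user or non-DC computer account should page someone.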

Wednesday, September 7, 2022

TPM: What Is It and How Does It Work?

Before Windows 11 was released, few paid attention to TPM or even knew what it was. So, I thought I would share some knowledge and explain what it is.

TPM stands for Trusted Platform Module. It is standardized as ISO/IEC 11889. A TPM is a secure cryptoprocessor that generates and protects cryptographic keys (and the certificates tied to them), records measurements of the boot process, and performs signing, sealing, and similar operations so that private keys never leave the chip. Essentially, the TPM establishes a hardware root of trust.

The TPM is usually a dedicated chip on the motherboard (firmware TPMs running inside the CPU or chipset are also common now). Each TPM is provisioned at manufacture with a unique endorsement key (EK), an RSA key pair (TPM 2.0 also supports ECC) whose private half is held inside the TPM and is never revealed or accessible outside it; the EK and its certificate are what prove that a given TPM is genuine. During boot, each stage (system firmware, boot loader, OS kernel) hashes the next stage and extends that hash into the TPM's Platform Configuration Registers (PCRs) before handing over control. The TPM itself does not judge these values; it records them in a way that cannot be undone or reordered. Secrets such as a BitLocker key are sealed to the expected PCR values, so if any measured component has been tampered with, the PCRs come out different and the TPM refuses to release the secret.

TPM has what is known as "anti-hammering protection". This is designed to defeat brute-force and dictionary attacks on TPM authorization values (for instance a BitLocker PIN). When too many authorization failures occur, a global lockout is initiated, but the TPM is also designed to forget failures after a period of time. In TPM 1.2 this logic is implemented by the manufacturer and varies from chip to chip.

TPM 2.0 differs in that the anti-hammering behaviour is well defined and configurable. For example, Windows configures a TPM 2.0 to lock after 32 authorization failures and to forget one failure every 10 minutes. In some enterprise situations, the TPM owner authorization value is stored centrally in Active Directory rather than on the local system. An administrator can launch the TPM MMC snap-in and choose to reset the TPM lockout. With BitLocker, the volume encryption key is sealed in the TPM (on Secure Boot systems Windows binds it to PCR 7 and PCR 11 by default).

Another huge difference between TPM 1.2 and 2.0 is which cryptographic algorithms are mandatory.

TPM 1.2

  • SHA-1 - Required
  • RSA - Required
  • AES - Optional
TPM 2.0
  • SHA-1 - Required (kept for backward compatibility)
  • SHA-256 - Required
  • RSA (2048-bit) and ECC (P-256) - Required
  • AES - Required
Another big difference is that Windows Defender System Guard, Windows Autopilot, and SecureBIO are available only with TPM 2.0. 

So, in a nutshell, Windows 11 requires TPM 2.0 because it raised its security baseline.
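To make the measured-boot and sealing behaviour concrete, here is an added example (not code from the original post) that simulates it in Python: each boot stage's digest is extended into a PCR with the same H(old || new) rule a real TPM uses, a secret is sealed to the resulting value, and a tampered boot loader yields a PCR that will not unseal it. The three "images" and the "volume-master-key" are constructed stand-ins, the PCR is a single SHA-256 register, and seal/unseal are plain comparisons standing in for the TPM's policy check; a real TPM keeps the PCR and the secret inside the chip.

```python
import hashlib

PCR_RESET = bytes(32)  # a SHA-256 PCR bank starts at all zeros after reset


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new = H(old || digest). One-way and order-dependent,
    so a later stage cannot erase or rewrite what an earlier stage measured."""
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(stages):
    """Each boot stage hashes the next image and extends the digest into the PCR before
    handing over control. Returns the final PCR and the event log a verifier can replay."""
    pcr, event_log = PCR_RESET, []
    for name, image in stages:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        event_log.append((name, digest.hex()))
    return pcr, event_log


def replay_log(event_log) -> bytes:
    """Recompute the PCR from the event log; a mismatch with the signed PCR value means
    the log was altered (this is what a remote attestation verifier does)."""
    pcr = PCR_RESET
    for _, digest_hex in event_log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def seal(secret: bytes, pcr_policy: bytes) -> dict:
    """Stand-in for creating a TPM object bound to a PCR policy."""
    return {"policy": pcr_policy, "blob": secret}


def unseal(sealed: dict, current_pcr: bytes):
    """The TPM releases the secret only when the live PCR equals the policy it was sealed to."""
    return sealed["blob"] if sealed["policy"] == current_pcr else None


# Constructed stand-ins for the images a real chain would measure.
GOOD_CHAIN = [
    ("firmware", b"UEFI firmware 1.0"),
    ("bootloader", b"bootmgfw.efi build 100"),
    ("kernel", b"ntoskrnl.exe 10.0"),
]
TAMPERED_CHAIN = [
    ("firmware", b"UEFI firmware 1.0"),
    ("bootloader", b"bootmgfw.efi build 100 + bootkit"),  # one byte of change is enough
    ("kernel", b"ntoskrnl.exe 10.0"),
]


def demo():
    """Seal a key to a known-good boot, then try to unseal it after a clean and a tampered boot."""
    good_pcr, log = measured_boot(GOOD_CHAIN)
    vmk = seal(b"volume-master-key", good_pcr)
    bad_pcr, _ = measured_boot(TAMPERED_CHAIN)
    return {
        "clean_boot": unseal(vmk, good_pcr),
        "tampered_boot": unseal(vmk, bad_pcr),
        "log_replays": replay_log(log) == good_pcr,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two properties fall out of the extend rule: the same components measured in a different order give a different PCR, and nothing a later stage does can bring the register back to an earlier value, which is why a bootkit that loads after measurement cannot hide from the sealed key.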

The Case for HDDs: Faster is Not Always Better

Nearly every article you come across mentions how Solid-State Drives (SSDs) are better than Hard-Disk Drives (HDDs). This is usually illustrated by comparing access time, random I/O speed, reliability, energy savings, etc. However, just like with every technology, you have to compare the use cases and what problem it helps you solve. 

Many data centers and servers still use HDDs over SSDs. So, what gives? If SSDs are so great and fast, why still use HDDs? I'll explain why. 

The first reason is that HDDs are less expensive than SSDs per unit of capacity and are available in larger sizes. If you go to any online store, like Newegg, the difference in cost is large. 

  • A Samsung 870 EVO Series 2 TB SSD will cost $99.99. 
  • A Seagate Barracuda 8 TB HDD will cost $139.50. 

So, for four times the storage, you pay only about $40 more for the HDD than for the SSD. 

This is important because when we are dealing with servers and data centers, we are primarily interested in the most data storage capacity for the lowest cost. 

One often-cited example is Facebook, whose data centers are said to hold on the order of 100,000 TB of drives each across 7 data centers, around 700,000 TB in total. At that scale it is far more cost efficient to invest in HDDs than in SSDs. Also, remember that this tier is about long-term bulk storage, not access time or random I/O speed.

The second reason is that data recovery is easier with HDDs than with SSDs, and one feature of SSDs that isn't talked about much, TRIM, is a large part of why. 

TRIM is an ATA command, issued automatically by most operating systems, that tells the SSD which blocks no longer hold live data. An SSD cannot overwrite a cell in place the way an HDD can; a cell must be erased before it can be written again, so the controller uses the TRIM information to erase freed blocks in the background, and many drives return zeros for a trimmed block immediately afterwards. With an HDD, deleting a file removes the directory entry and marks the space as free, but the bytes stay on the platter until something overwrites them. This is what makes file recovery (and forensic recovery) so much easier on HDDs than on SSDs. The flip side is worth remembering: the same property means that sanitizing an SSD needs the drive's own secure-erase command rather than the overwrite passes that work on an HDD. 

Another aspect of this is knowing when your drive will fail. Since HDDs are mechanical and have moving parts, they usually give warning: clicking or grinding sounds, slow reads, and rising reallocated-sector counts in SMART. SSDs have no moving parts, and although they expose wear and spare-block counters through SMART, their controllers tend to fail abruptly, so you often don't know until it happens. 

The third reason is that flash cells wear out: each cell survives only a limited number of program/erase cycles, so the lifespan of an SSD is bounded by how much you write to it. HDDs have no such write limit; their lifespan is governed by the wear and tear of the mechanical parts. 

Friday, September 2, 2022

Fundamentals of Spanning Tree Protocol (STP)

In the early days of computer networking, there was a big problem when building network topologies: switching loops. A loop exists whenever there is more than one Layer 2 path between two points in the network, for example two switches joined by two cables, or three switches connected in a triangle. This is a big problem because it leads to broadcast storms, which can bring down an entire network. Since there is no TTL (Time to Live) in a Layer 2 frame, a broadcast that enters a loop is forwarded around it forever and keeps multiplying. 

To solve this problem, a new protocol was invented, and it was called the Spanning Tree Protocol. Before we dive into how STP works, let's take a look at an illustration of a basic network topology. 



In this illustration, we have three Layer 2 devices, specifically switches: SW1, SW2, and SW3. We also have two PCs in this network, PC-A and PC-B. We can also see where the switching loop would come from: SW1 is connected to SW2 and SW3, SW2 is connected to SW1 and SW3, and SW3 is connected to SW1 and SW2, so every switch has two paths to each of the others. Because of this configuration, and without STP, a single broadcast would circulate indefinitely and the network would be brought down fairly quickly by a broadcast storm.  

So, how does STP solve this issue? That is a loaded question, but let's dive right into it! 

Nowadays, modern switches have STP enabled by default, which lets them detect redundant paths and disable enough of them to leave a loop-free topology before a loop can actually form. 

Switches exchange a special STP frame known as a BPDU (Bridge Protocol Data Unit). A BPDU carries the information needed to build the tree: the ID of the bridge the sender believes is the root, the sender's own bridge ID (a priority value plus the switch's MAC address), the sender's path cost to the root, the ID of the sending port, and the STP timers (hello time, max age, forward delay). 

There are 2 types of BPDU's:

  • Configuration BPDU
  • TCN (Topology Change Notification) BPDU
Configuration BPDUs establish the topology, and one switch is elected as the root bridge: the one with the lowest bridge ID, meaning the lowest priority value and, on a tie, the lowest MAC address. The root bridge acts as the reference point and center of the topology; every other switch picks its single best path toward the root and blocks the redundant ones, so the result is a loop-free tree. Since every switch ships with the same default priority, the election is decided by MAC address unless you deliberately set a lower priority on the switch you want to be root. 

Of course, when your network expands to hundreds or even thousands of nodes, you will have redundant links for fault tolerance. Without STP, these would cause switching loops. With STP, the redundant ports are placed in the "blocking" state: they do not forward data frames and do not learn addresses from them. They are on standby. 

Now, it is important to remember that a port in the blocking state still listens to configuration BPDUs, which are originated by the root bridge and relayed downstream by the other switches every 2 seconds (the hello time). If those BPDUs stop arriving, the switch knows the topology has changed. 

If a link or device goes down, STP steps in with the other BPDU type, the TCN (Topology Change Notification) BPDU, which a switch sends toward the root bridge. The root then flags the change in its configuration BPDUs so that all switches recompute the tree. Blocked ports that now offer the best path toward the root move into the forwarding state, passing through the listening and learning states first, which is why classic STP takes on the order of 30 to 50 seconds to converge. 

Now, it is important to remember, and I am emphasizing this, that a switch port connected directly to a PC has no reason to wait on STP: it should be configured with a setting called PortFast, which brings the interface straight to forwarding without the listening and learning delay STP normally introduces. PortFast also stops the switch from sending a TCN every time a PC is turned on or off; without it, each of those events makes every switch in the domain age out its MAC address table early and relearn it. PortFast does not exempt the port from STP, though: the switch still sends BPDUs on it and would still act on a BPDU it received there, which is why the next feature exists. 

There is another important feature of STP known as BPDU Guard. When BPDU Guard is enabled on a PortFast port and a BPDU arrives on it, the switch moves the port into the ERR-DISABLED state (error occurred, disabled), that is, it shuts the port down. An end-user port should never see a BPDU; if one does, someone has plugged in a switch or is running software that speaks STP, and shutting the port keeps it from influencing the topology. 

There is another feature of STP known as Root Guard. This is a security feature that prevents a port from ever becoming a root port: if a superior BPDU, one claiming a better root bridge, arrives on a port with Root Guard, the port is moved into the root-inconsistent (blocked) state until the superior BPDUs stop. This defends against an STP topology attack in which a rogue device advertises itself with priority 0, becomes the root bridge, and pulls traffic through itself for interception. 
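The BPDU fields, the root election, and the two guard rules above, as an added example that is not code from the original post. The Python below packs and parses the 802.1D configuration BPDU layout (35 bytes; the 4-byte TCN BPDU is recognized by its type), elects a root by lowest bridge ID, and applies the BPDU Guard and Root Guard decisions to a received BPDU. The three switches and the rogue bridge are constructed sample data; the 16-bit priority field is treated as a plain priority, without the 802.1t system-ID-extension split.

```python
import struct
from dataclasses import dataclass

# 802.1D configuration BPDU: protocol id, version, type, flags, root id (priority + MAC),
# root path cost, sender bridge id (priority + MAC), port id, then four timers in 1/256 s.
CONFIG_BPDU = struct.Struct(">HBBBH6sIH6sHHHHH")  # 35 bytes
CONFIG_TYPE, TCN_TYPE = 0x00, 0x80


@dataclass(frozen=True)
class BridgeId:
    priority: int
    mac: bytes

    def __lt__(self, other):
        # Lower priority wins; the MAC address breaks ties. This is the whole election.
        return (self.priority, self.mac) < (other.priority, other.mac)


@dataclass(frozen=True)
class ConfigBpdu:
    flags: int
    root: BridgeId
    root_path_cost: int
    bridge: BridgeId
    port_id: int
    message_age: int
    max_age: int
    hello_time: int
    forward_delay: int


def parse_bpdu(raw: bytes):
    """Return a ConfigBpdu, or the string 'TCN' for a topology change notification."""
    if len(raw) >= 4 and raw[3] == TCN_TYPE:
        return "TCN"
    if len(raw) < CONFIG_BPDU.size:
        raise ValueError("truncated BPDU")
    (proto, _version, btype, flags, rprio, rmac, cost,
     bprio, bmac, port, age, max_age, hello, fwd) = CONFIG_BPDU.unpack_from(raw)
    if proto != 0 or btype != CONFIG_TYPE:
        raise ValueError("not a configuration BPDU")
    return ConfigBpdu(flags, BridgeId(rprio, rmac), cost, BridgeId(bprio, bmac),
                      port, age, max_age, hello, fwd)


def build_bpdu(root: BridgeId, cost: int, bridge: BridgeId, port_id: int = 0x8001) -> bytes:
    """Encode a configuration BPDU with the default 802.1D timers (20 s / 2 s / 15 s)."""
    return CONFIG_BPDU.pack(0, 0, CONFIG_TYPE, 0, root.priority, root.mac, cost,
                            bridge.priority, bridge.mac, port_id, 0, 20 * 256, 2 * 256, 15 * 256)


def elect_root(bridge_ids):
    return min(bridge_ids)


def bpdu_guard(portfast_enabled: bool, received_bpdu) -> str:
    """Any BPDU (configuration or TCN) arriving on a PortFast port err-disables it."""
    return "err-disabled" if portfast_enabled and received_bpdu is not None else "forwarding"


def root_guard(current_root: BridgeId, bpdu: ConfigBpdu) -> str:
    """A BPDU claiming a better root than the one we know blocks the port instead of re-electing."""
    return "root-inconsistent" if bpdu.root < current_root else "forwarding"


# Constructed sample: three switches with default priority, plus a rogue claiming priority 0.
SW1 = BridgeId(32768, bytes.fromhex("0000aa000001"))
SW2 = BridgeId(32768, bytes.fromhex("0000aa000002"))
SW3 = BridgeId(32768, bytes.fromhex("0000aa000003"))
ROGUE = BridgeId(0, bytes.fromhex("00deadbeef01"))

if __name__ == "__main__":
    root = elect_root([SW3, SW1, SW2])
    print("elected root:", root.priority, root.mac.hex(":"))
    rogue_bpdu = parse_bpdu(build_bpdu(ROGUE, 0, ROGUE))
    print("rogue on a PortFast edge port:", bpdu_guard(True, rogue_bpdu))
    print("rogue on a Root Guard uplink:", root_guard(root, rogue_bpdu))
    print("legitimate BPDU from SW2:", root_guard(root, parse_bpdu(build_bpdu(SW1, 19, SW2))))
```

Without either guard, the rogue BPDU would win the election outright, since priority 0 beats any default-priority switch regardless of MAC address; that is the whole attack, and the two guards are the controls that stop it at the edge and on the uplinks.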
