@Cyb3rWard0g
Last active November 2, 2020 20:03
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe", ""
SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLs"
SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLsTime"
Software\\Policies\\Microsoft Services\\AdmPwd", "AdmPwdEnabled"
Software\\Policies\\Microsoft Services\\AdmPwd", "AdminAccountName"
Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordComplexity"
Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordLength"
Software\\Policies\\Microsoft Services\\AdmPwd", "PwdExpirationProtectionEnabled"
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "UseWUServer"
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "WUServer"
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "UpdateServiceUrlAlternate"
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "WUStatusServer"
SOFTWARE\Microsoft\CCMSetup", "LastValidMP"
SOFTWARE\Microsoft\SMS\Mobile Client", "AssignedSiteCode"
SOFTWARE\Microsoft\SMS\Mobile Client", "ProductVersion"
SOFTWARE\Microsoft\SMS\Mobile Client", "LastSuccessfulInstallParams"
Software\\SimonTatham\\PuTTY\\Sessions\\"
Software\\SimonTatham\\PuTTY\\Sessions\\{sessionName}"
Software\\SimonTatham\\PuTTY\\SshHostKeys\\"
Software\\Microsoft\\Office"
Software\\Microsoft\\Office\\{version}"
SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters", "HashingAlgorithm"
SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters", "Options"
SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters", "Rules"
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\", @"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
SOFTWARE\Microsoft\AMSI\Providers"
SOFTWARE\\Classes\\CLSID\\{provider}\\InprocServer32", ""
Software\\Microsoft\\Windows NT\\CurrentVersion", "ProductName"
Software\\Microsoft\\Windows NT\\CurrentVersion", "EditionID"
Software\\Microsoft\\Windows NT\\CurrentVersion", "ReleaseId"
Software\\Microsoft\\Windows NT\\CurrentVersion", "BuildBranch"
Software\\Microsoft\\Windows NT\\CurrentVersion", "CurrentMajorVersionNumber"
Software\\Microsoft\\Windows NT\\CurrentVersion", "CurrentVersion"
Software\\Microsoft\\Windows NT\\CurrentVersion", "CurrentBuildNumber"
Software\\Microsoft\\Windows NT\\CurrentVersion", "UBR"
SOFTWARE\\Microsoft\\Cryptography", "MachineGuid"
SYSTEM\\CurrentControlSet\\Control\\Lsa"
SOFTWARE\\Microsoft\\PowerShell\\1\\PowerShellEngine", "PowerShellVersion"
SOFTWARE\\Microsoft\\PowerShell\\3\\PowerShellEngine", "PowerShellVersion"
SOFTWARE\Microsoft\PowerShellCore\InstalledVersions\"
SOFTWARE\Microsoft\PowerShellCore\InstalledVersions\" + key, "SemanticVersion"
SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription", "EnableTranscripting") == "1"
SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription", "EnableInvocationHeader") == "1"
SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription", "OutputDirectory"
SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging", "EnableModuleLogging") == "1"
SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames"
SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging", "EnableScriptBlockLogging") == "1"
SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging"
SYSTEM\\CurrentControlSet\\Services\\{serviceName}\\Parameters", "ServiceDll"
SYSTEM\\CurrentControlSet\\Services\\{serviceName}", "ServiceDll"
SYSTEM\\CurrentControlSet\\Services\\{serviceName}", "ImagePath"
SYSTEM\\ControlSet001\\Control\\Windows", "ShutdownTime"
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU"
Software\\Microsoft\\Terminal Server Client\\Servers"
Software\\Microsoft\\Terminal Server Client\\Servers\\{host}", "UsernameHint"
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\"
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{profileGUID}", "ProfileName"
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{profileGUID}", "Description"
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{profileGUID}", "Category"
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{profileGUID}", "NameType"
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{profileGUID}", "Managed"
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{profileGUID}", "DateCreated"
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{profileGUID}", "DateCreated"
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultDomainName"
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultUserName"
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultPassword"
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultDomainName"
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultUserName"
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultPassword"
Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "ConsentPromptBehaviorAdmin"
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "LocalAccountTokenFilterPolicy"
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "FilterAdministratorToken"
SOFTWARE\Microsoft\Windows Defender\"
SOFTWARE\Policies\Microsoft\Windows Defender\"
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunService"
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceService"
SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunService"
SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceService"
SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment"
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN\\Plugin\\{plugin}", "ConfigXML"
Software\\Policies\\Microsoft\\Windows\\SrpV2"
Software\\Policies\\Microsoft\\Windows\\SrpV2\\{key}", "EnforcementMode"
Software\\Policies\\Microsoft\\Windows\\SrpV2\\"
Software\\Policies\\Microsoft\\Windows\\SrpV2\\{key}\\{id}", "Value"
SOFTWARE\Microsoft\AMSI\Providers"
SOFTWARE\\Classes\\CLSID\\{provider}\\InprocServer32", ""
Software\\Policies\\Microsoft\\Windows\\EventLog\\EventForwarding\\SubscriptionManager"
Software\Policies\Microsoft\Windows\CredentialsDelegation"
SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "AuthenticationLevel"
SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0"
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History"
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\{extension}"
System\CurrentControlSet\Control\Lsa", "LmCompatibilityLevel"
System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "RequireSecuritySignature"
System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableSecuritySignature"
System\CurrentControlSet\Services\LanManServer\Parameters", "RequireSecuritySignature"
System\CurrentControlSet\Services\LanManServer\Parameters", "EnableSecuritySignature"
System\CurrentControlSet\Control\LSA", "SuppressExtendedProtection"
System\CurrentControlSet\Services\LDAP", "LDAPClientIntegrity"
System\CurrentControlSet\Services\NTDS\Parameters", "LDAPServerIntegrity"
System\CurrentControlSet\Services\NTDS\Parameters", "LdapEnforceChannelBinding"
SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0", "NtlmMinClientSec"
SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0", "NtlmMinServerSec"
System\CurrentControlSet\Services\Netlogon\Parameters", "RestrictNTLMInDomain"
System\CurrentControlSet\Services\Netlogon\Parameters", "DCAllowedNTLMServers"
System\CurrentControlSet\Services\Netlogon\Parameters", "AuditNTLMInDomain"
System\CurrentControlSet\Control\Lsa\MSV1_0", "RestrictReceivingNTLMTraffic"
System\CurrentControlSet\Control\Lsa\MSV1_0", "RestrictSendingNTLMTraffic"
System\CurrentControlSet\Control\Lsa\MSV1_0", "AuditReceivingNTLMTraffic"
System\CurrentControlSet\Control\Lsa\MSV1_0", "ClientAllowedNTLMServers"
Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit"
SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5", "Version"
SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full", "Version"
SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy"
SOFTWARE\Policies\Microsoft\WindowsFirewall", @"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"