Forked from Cyb3rWard0g/seatbelt_registry_basic_exploration.txt
Created
August 19, 2020 05:58
-
-
Save sasqwatch/e27e0d000564c3d93117c27c68feb301 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe", "" | |
| SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLs" | |
| SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLsTime" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "AdmPwdEnabled" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "AdminAccountName" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordComplexity" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordLength" | |
| Software\\Policies\\Microsoft Services\\AdmPwd", "PwdExpirationProtectionEnabled" | |
| SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "UseWUServer" | |
| SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "WUServer" | |
| SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "UpdateServiceUrlAlternate" | |
| SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "WUStatusServer" | |
| SOFTWARE\Microsoft\CCMSetup", "LastValidMP" | |
| SOFTWARE\Microsoft\SMS\Mobile Client", "AssignedSiteCode" | |
| SOFTWARE\Microsoft\SMS\Mobile Client", "ProductVersion" | |
| SOFTWARE\Microsoft\SMS\Mobile Client", "LastSuccessfulInstallParams" | |
| Software\\SimonTatham\\PuTTY\\Sessions\\" | |
| Software\\SimonTatham\\PuTTY\\Sessions\\{sessionName}" | |
| Software\\SimonTatham\\PuTTY\\SshHostKeys\\" | |
| Software\\Microsoft\\Office" | |
| Software\\Microsoft\\Office\\{version}" | |
| SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters", "HashingAlgorithm" | |
| SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters", "Options" | |
| SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters", "Rules" | |
| SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\", @"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" | |
| SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" | |
| SOFTWARE\Microsoft\AMSI\Providers" | |
| SOFTWARE\\Classes\\CLSID\\{provider}\\InprocServer32", "" | |
| Software\\Microsoft\\Windows NT\\CurrentVersion", "ProductName" | |
| Software\\Microsoft\\Windows NT\\CurrentVersion", "EditionID" | |
| Software\\Microsoft\\Windows NT\\CurrentVersion", "ReleaseId" | |
| Software\\Microsoft\\Windows NT\\CurrentVersion", "BuildBranch" | |
| Software\\Microsoft\\Windows NT\\CurrentVersion", "CurrentMajorVersionNumber" | |
| Software\\Microsoft\\Windows NT\\CurrentVersion", "CurrentVersion" | |
| Software\\Microsoft\\Windows NT\\CurrentVersion", "CurrentBuildNumber" | |
| Software\\Microsoft\\Windows NT\\CurrentVersion", "UBR" | |
| SOFTWARE\\Microsoft\\Cryptography", "MachineGuid" | |
| SYSTEM\\CurrentControlSet\\Control\\Lsa" | |
| SOFTWARE\\Microsoft\\PowerShell\\1\\PowerShellEngine", "PowerShellVersion" | |
| SOFTWARE\\Microsoft\\PowerShell\\3\\PowerShellEngine", "PowerShellVersion" | |
| SOFTWARE\Microsoft\PowerShellCore\InstalledVersions\" | |
| SOFTWARE\Microsoft\PowerShellCore\InstalledVersions\" + key, "SemanticVersion" | |
| SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription", "EnableTranscripting") == "1" | |
| SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription", "EnableInvocationHeader") == "1" | |
| SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription", "OutputDirectory" | |
| SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging", "EnableModuleLogging") == "1" | |
| SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" | |
| SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging", "EnableScriptBlockLogging") == "1" | |
| SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" | |
| SYSTEM\\CurrentControlSet\\Services\\{serviceName}\\Parameters", "ServiceDll" | |
| SYSTEM\\CurrentControlSet\\Services\\{serviceName}", "ServiceDll" | |
| SYSTEM\\CurrentControlSet\\Services\\{serviceName}", "ImagePath" | |
| SYSTEM\\ControlSet001\\Control\\Windows", "ShutdownTime" | |
| SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU" | |
| Software\\Microsoft\\Terminal Server Client\\Servers" | |
| Software\\Microsoft\\Terminal Server Client\\Servers\\{host}", "UsernameHint" | |
| SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\" | |
| SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{profileGUID}", "ProfileName" | |
| SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{profileGUID}", "Description" | |
| SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{profileGUID}", "Category" | |
| SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{profileGUID}", "NameType" | |
| SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{profileGUID}", "Managed" | |
| SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{profileGUID}", "DateCreated" | |
| SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{profileGUID}", "DateCreated" | |
| SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultDomainName" | |
| SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultUserName" | |
| SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultPassword" | |
| SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultDomainName" | |
| SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultUserName" | |
| SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultPassword" | |
| Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" | |
| Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" | |
| SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "ConsentPromptBehaviorAdmin" | |
| SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA" | |
| SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "LocalAccountTokenFilterPolicy" | |
| SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "FilterAdministratorToken" | |
| SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" | |
| SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes" | |
| SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions" | |
| SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" | |
| SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" | |
| SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" | |
| SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce" | |
| SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunService" | |
| SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceService" | |
| SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunService" | |
| SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceService" | |
| SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment" | |
| SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN\\Plugin\\{plugin}", "ConfigXML" | |
| Software\\Policies\\Microsoft\\Windows\\SrpV2" | |
| Software\\Policies\\Microsoft\\Windows\\SrpV2\\{key}", "EnforcementMode" | |
| Software\\Policies\\Microsoft\\Windows\\SrpV2\\" | |
| Software\\Policies\\Microsoft\\Windows\\SrpV2\\{key}\\{id}", "Value" | |
| SOFTWARE\Microsoft\AMSI\Providers" | |
| SOFTWARE\\Classes\\CLSID\\{provider}\\InprocServer32", "" | |
| Software\\Policies\\Microsoft\\Windows\\EventLog\\EventForwarding\\SubscriptionManager" | |
| SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0" | |
| SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History" | |
| SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\{extension}" | |
| System\CurrentControlSet\Control\Lsa", "LmCompatibilityLevel" | |
| System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "RequireSecuritySignature" | |
| System\CurrentControlSet\Services\LanmanWorkstation\Parameters", "EnableSecuritySignature" | |
| System\CurrentControlSet\Services\LanManServer\Parameters", "RequireSecuritySignature" | |
| System\CurrentControlSet\Services\LanManServer\Parameters", "EnableSecuritySignature" | |
| System\CurrentControlSet\Control\LSA", "SuppressExtendedProtection" | |
| System\CurrentControlSet\Services\LDAP", "LDAPClientIntegrity" | |
| System\CurrentControlSet\Services\NTDS\Parameters", "LDAPServerIntegrity" | |
| System\CurrentControlSet\Services\NTDS\Parameters", "LdapEnforceChannelBinding" | |
| SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0", "NtlmMinClientSec" | |
| SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0", "NtlmMinServerSec" | |
| System\CurrentControlSet\Services\Netlogon\Parameters", "RestrictNTLMInDomain" | |
| System\CurrentControlSet\Services\Netlogon\Parameters", "DCAllowedNTLMServers" | |
| System\CurrentControlSet\Services\Netlogon\Parameters", "AuditNTLMInDomain" | |
| System\CurrentControlSet\Control\Lsa\MSV1_0", "RestrictReceivingNTLMTraffic" | |
| System\CurrentControlSet\Control\Lsa\MSV1_0", "RestrictSendingNTLMTraffic" | |
| System\CurrentControlSet\Control\Lsa\MSV1_0", "AuditReceivingNTLMTraffic" | |
| System\CurrentControlSet\Control\Lsa\MSV1_0", "ClientAllowedNTLMServers" | |
| Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit" | |
| SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5", "Version" | |
| SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full", "Version" | |
| SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy" | |
| SOFTWARE\Policies\Microsoft\WindowsFirewall", @"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment