Registry keys monitored
The Reg Monitor tab shows changes between Snapshot 1 and Snapshot 2 across a curated set of registry locations chosen for their persistence and code-injection relevance. Three modes of monitoring are used:
- Enum values — every value name under the key is recorded. New values appear in the diff.
- Enum keys — every direct sub-key is recorded. New sub-keys appear in the diff.
- Single value — one specific value's data is recorded. Changes to that data appear in the diff.
HKEY_CURRENT_USER
| Mode | Path | Purpose |
| --- | --- | --- |
| values | \Software\Microsoft\Windows\CurrentVersion\Run | User-scope autorun on logon. |
| values | \Software\Microsoft\Windows\CurrentVersion\RunOnce | User-scope one-shot autorun. |
| keys | \SOFTWARE\Microsoft\Active Setup\Installed Components | Per-user record of which Active Setup components have already run for this user; a new sub-key here means a component (usually one newly registered under HKLM) executed at logon. |
| keys | \Software\Classes | User-scope COM and file-association hijacks (e.g. Kovter). |
| single value | \Software\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell | User-scope shell override (e.g. Nymaim). |
HKEY_LOCAL_MACHINE
Autorun
| Mode | Path |
| --- | --- |
| values | \Software\Microsoft\Windows\CurrentVersion\Run |
| values | \Software\Microsoft\Windows\CurrentVersion\RunOnce |
| values | \Software\Microsoft\Windows\CurrentVersion\RunServices |
| values | \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run |
Services and drivers
| Mode | Path |
| --- | --- |
| keys | \SYSTEM\CurrentControlSet\Services |
Image File Execution Options (debugger hijack)
| Mode | Path |
| --- | --- |
| keys | \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options |
New sub-keys here are how malware redirects benign programs to itself: a sub-key IFEO\notepad.exe with Debugger = bad.exe means that launching Notepad starts bad.exe instead, with the original command line (notepad.exe and its arguments) passed to it as parameters. Because "enum keys" mode records only sub-key names, a Debugger value added under a sub-key that already existed in Snapshot 1 will not appear in the diff.
Active Setup
| Mode | Path |
| --- | --- |
| keys | \SOFTWARE\Microsoft\Active Setup\Installed Components |
Internet Explorer extensions
| Mode | Path |
| --- | --- |
| keys | \SOFTWARE\Microsoft\Internet Explorer\Extensions |
| keys | \SOFTWARE\Microsoft\Internet Explorer\Explorer Bars |
Application compatibility shims
| Mode | Path |
| --- | --- |
| keys | \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom |
| keys | \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB |
Custom shim databases installed with sdbinst.exe are registered under these keys. SDB-based shimming is a documented persistence and code-injection vector and has been used in several APT toolkits.
Firewall rules
| Mode | Path |
| --- | --- |
| values | \SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules |
| values | \SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules |
DLL loading hooks (single values)
| Path | Hijack mechanism |
| --- | --- |
| \Software\Microsoft\Windows NT\CurrentVersion\Windows, AppInit_DLLs | Every user-mode process that loads user32.dll also loads the listed DLLs, provided LoadAppInit_DLLs in the same key is 1. On Windows 8 and later with Secure Boot enabled the mechanism is disabled, so an entry can be present yet inert. |
| \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Userinit | Process spawned at logon (default: userinit.exe). Malware appends its own executable to the comma-separated list. |
| \Software\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell | System shell override (default: explorer.exe). |
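The snapshot diff above reports only new sub-keys and new value names, so an analyst often also wants a point-in-time audit of the hooks that survive a diff: existing IFEO sub-keys whose Debugger value was changed, whether an AppInit_DLLs entry is actually honoured, and whether Userinit or Shell deviate from their defaults. The script below is an added example written for this page, not code from the tool. It assumes the stock x64 defaults for Userinit and Shell, uses Confirm-SecureBootUEFI (which needs elevation and a UEFI machine; on legacy BIOS it throws and Secure Boot is treated as off), and treats any HKCU Winlogon value at all as an override, since none exists by default.

```powershell
# Added example: audit IFEO debugger hooks, AppInit_DLLs state and Winlogon
# Userinit/Shell against expected defaults. Run from an elevated PowerShell.
$findings = New-Object System.Collections.Generic.List[string]

# 1. IFEO: a sub-key with a Debugger value redirects that image to the debugger,
#    which receives the original command line as its arguments.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $img = $_.PSChildName
        $findings.Add("IFEO $img -> Debugger = $dbg (launching $img actually runs: $dbg $img <args>)")
    }
}

# 2. AppInit_DLLs: only honoured when LoadAppInit_DLLs is 1 and, on Windows 8+,
#    only when Secure Boot is off. Report the entry either way but flag its state.
$win = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$p = Get-ItemProperty -Path $win -ErrorAction SilentlyContinue
$secureBoot = $false
try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $secureBoot = $false }
if ($p.AppInit_DLLs) {
    $state = if ($p.LoadAppInit_DLLs -eq 1 -and -not $secureBoot) { 'ACTIVE' } else { 'present but inert' }
    $findings.Add("AppInit_DLLs = '$($p.AppInit_DLLs)' [$state; LoadAppInit_DLLs=$($p.LoadAppInit_DLLs); SecureBoot=$secureBoot]")
}

# 3. Winlogon Userinit / Shell: HKLM compared to the stock values (assumed defaults),
#    HKCU reported whenever a value exists, because there is none by default.
$expected = @{
    Userinit = "$env:SystemRoot\system32\userinit.exe,"   # assumption: stock x64 default
    Shell    = 'explorer.exe'
}
foreach ($hive in 'HKLM', 'HKCU') {
    $wl = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $v = Get-ItemProperty -Path $wl -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $actual = $v.$name
        if ($hive -eq 'HKCU') {
            if ($null -ne $actual) { $findings.Add("HKCU Winlogon\$name is set (per-user override): '$actual'") }
        } elseif ($actual -ne $expected[$name]) {
            $findings.Add("HKLM Winlogon\$name = '$actual' (expected '$($expected[$name])')")
        }
    }
}

if ($findings.Count -eq 0) { 'No hijacks found in IFEO / AppInit_DLLs / Winlogon.' } else { $findings }
```

A Debugger value on a sub-key that already existed in Snapshot 1 is invisible to the diff but is caught here, which is why the two checks complement each other.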
Reading the diff
New entries in any monitored location surface on the Reg Monitor tab in the form:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run --> PayloadName
The path column contains the full registry path; the value column contains the new value name (for "enum values" mode), the new sub-key name (for "enum keys" mode), or the new data (for "single value" mode).
Right-click a row and choose Open In Regedit to jump straight to the key in the registry editor.
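The three monitoring modes and the diff format are simple enough to reproduce from a shell, which is useful when the tool is not available on a box or when you want to extend the monitored list. The script below is an added example written for this page and is not the tool's own code. It snapshots a subset of the locations listed above (the $monitored list is an assumption; extend it with the other keys from the tables), implements the three modes exactly as described, and prints new entries in the same "PATH --> Name" shape; for "single value" entries it prints the old and new data, since that mode detects in-place changes.

```powershell
# Added example: two-snapshot registry diff in the three modes described above.
# $monitored is a subset of the keys on this page, chosen for illustration.
$monitored = @(
    @{ Mode = 'values'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Mode = 'values'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' },
    @{ Mode = 'keys';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Services' },
    @{ Mode = 'keys';   Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options' },
    @{ Mode = 'single'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';  Value = 'AppInit_DLLs' },
    @{ Mode = 'single'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Value = 'Userinit' }
)

function Get-RegSnapshot {
    param([array]$Entries)
    $snap = @{}
    foreach ($e in $Entries) {
        $key = "$($e.Path)|$($e.Mode)|$($e.Value)"
        switch ($e.Mode) {
            'values' {
                # enum values: record every value name; data is deliberately ignored
                $item = Get-Item -Path $e.Path -ErrorAction SilentlyContinue
                $snap[$key] = if ($item) { @($item.GetValueNames()) } else { @() }
            }
            'keys' {
                # enum keys: record every direct sub-key name
                $snap[$key] = @(Get-ChildItem -Path $e.Path -ErrorAction SilentlyContinue | ForEach-Object PSChildName)
            }
            'single' {
                # single value: record the data of one value so in-place edits are visible
                $p = Get-ItemProperty -Path $e.Path -Name $e.Value -ErrorAction SilentlyContinue
                $snap[$key] = @(if ($p) { [string]$p.($e.Value) } else { '<absent>' })
            }
        }
    }
    return $snap
}

function Compare-RegSnapshot {
    param([hashtable]$Before, [hashtable]$After)
    foreach ($key in $After.Keys) {
        $path, $mode, $value = $key.Split('|')
        $display = $path -replace ':', ''          # HKLM:\... -> HKLM\... as shown on the tab
        $old = @($Before[$key]); $new = @($After[$key])
        if ($mode -eq 'single') {
            if ($old[0] -ne $new[0]) { "$display $value : '$($old[0])' --> '$($new[0])'" }
        } else {
            # enum modes: only names absent from Snapshot 1 are reported
            foreach ($name in $new) {
                if ($old -notcontains $name) { "$display --> $name" }
            }
        }
    }
}

$snapshot1 = Get-RegSnapshot -Entries $monitored
$null = Read-Host 'Snapshot 1 taken. Run the sample, then press Enter for Snapshot 2'
$snapshot2 = Get-RegSnapshot -Entries $monitored
Compare-RegSnapshot -Before $snapshot1 -After $snapshot2
```

Enumerating HKLM:\SYSTEM\CurrentControlSet\Services without elevation yields access-denied errors on a few protected sub-keys; they are silenced here, so run elevated for a complete baseline.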
Limitations
- The list is not exhaustive. Scheduled task XML mutations and WMI event subscriptions are tracked on the Tasks and WMI tabs, not here; COM hijacks outside HKCU\Software\Classes are likewise not covered by this tab.
- Existing values that change in place are not detected in "enum values" / "enum keys" modes; only new value names or new sub-key names are reported. In particular, a value modified under a sub-key that already existed in Snapshot 1 (for example the ImagePath of an existing service, or a Debugger value on an existing IFEO sub-key) does not appear. Only the "single value" entries detect changes in data.
- Keys deleted between snapshots are not currently surfaced.