REGISTRY_TYPE

This policy item checks the data type of a registry value (for example reg_sz), rather than its data. The check is performed by calling the function RegQueryValue.

The reg_key field is the name of the registry key (for example “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon”). The first part of the key (HKLM, HKU, HKCU, ...) is used to connect to the correct registry hive. In most cases the reg_key field requires a static registry path with no wildcards. The one exception is searching for values under HKU (HKEY_USERS): if a path is designated under HKU, the search iterates over every user hive in HKU and looks for the value under that relative path. For example, if reg_key: "HKU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" is specified along with reg_item “brastk”, every user under HKU is searched for the “brastk” value under the relative path “HKU\<user_id>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”.

For example:

value_type: POLICY_TEXT
reg_key: "HKU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
reg_item: "brastk"
value_data: "C:\WINDOWS\System32\brastk.exe"

Usage

<custom_item>
type: REGISTRY_TYPE
description: ["description"]
value_type: [VALUE_TYPE]
value_data: [value]
reg_key: ["key name"]
reg_item: ["key item"]
(optional) reg_option: [KEY_OPTIONS]
</custom_item>

With an HKU path such as the "brastk" example above, the check searches under each user hive, for instance:

HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The optional field reg_option can be set to CAN_BE_NULL to force the check to succeed if the key does not exist, or to CAN_NOT_BE_NULL to force it to fail in that case.

Only the POLICY_TEXT value_type is available for this check.

Examples

Here is an example .audit file that audits the registry type of “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon”:

<custom_item>
type: REGISTRY_TYPE
description: "Check type - reg_sz"
value_type: POLICY_TEXT
value_data: "reg_sz"
reg_key: "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg_item: "ScreenSaverGracePeriod"
</custom_item>

Note that auditing HKCU may not work on many installations of Windows. Doing so requires “Current user” keys, which typically do not exist when Nessus authenticates over SMB. To work around this, audit HKU (all users) instead. When the plugin detects that an HKU key is being audited, it automatically loops over all the SIDs available except the .DEFAULT key. The disadvantage of this approach is that it also audits system users (e.g., SYSTEM, NT Authority, etc.). To skip these users, use the reg_ignore_hku_users option.

For example:

reg_ignore_hku_users : "S-1-5-18,S-1-5-19,S-1-5-20"

This option only works with the REGISTRY_SETTING check.
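The following PowerShell function is an added example, not part of the Nessus plugin or this documentation. It reproduces the REGISTRY_TYPE logic described above (compare a value's type against value_data, loop over HKU SIDs except .DEFAULT, honour CAN_BE_NULL) and, as a generalization, applies a reg_ignore_hku_users-style SID list to this check too, which the plugin itself only supports for REGISTRY_SETTING. It assumes it runs locally on the audited Windows host with rights to read HKEY_USERS; the extra skip of *_Classes hives is an assumption of this example.

```powershell
# Added example (not Nessus code): emulate a REGISTRY_TYPE .audit item locally.
function Test-RegistryValueType {
    param(
        [Parameter(Mandatory)] [string]   $RegKey,          # reg_key, e.g. "HKU\SOFTWARE\...\Run"
        [Parameter(Mandatory)] [string]   $RegItem,         # reg_item, e.g. "brastk"
        [Parameter(Mandatory)] [string]   $ExpectedType,    # value_data, e.g. "reg_sz"
        [string[]] $IgnoreHkuUsers = @(),                   # mirrors reg_ignore_hku_users
        [switch]   $CanBeNull                               # mirrors reg_option: CAN_BE_NULL
    )

    # Map the .audit spelling of a type onto .NET RegistryValueKind names.
    $kindMap = @{
        'reg_sz' = 'String'; 'reg_expand_sz' = 'ExpandString'; 'reg_binary' = 'Binary'
        'reg_dword' = 'DWord'; 'reg_multi_sz' = 'MultiString'; 'reg_qword' = 'QWord'
    }
    $wantKind = $kindMap[$ExpectedType.ToLower()]
    if (-not $wantKind) { throw "Unknown value_data type '$ExpectedType'" }

    $hiveNames = @{ HKLM = 'HKEY_LOCAL_MACHINE'; HKCU = 'HKEY_CURRENT_USER'; HKU = 'HKEY_USERS' }
    $hive, $subKey = $RegKey -split '\\', 2
    if (-not $hiveNames.ContainsKey($hive)) { throw "Unsupported hive '$hive'" }

    if ($hive -ieq 'HKU') {
        # Relative HKU path: expand to every loaded SID, skipping .DEFAULT (as the
        # plugin does), the *_Classes hives (assumption) and any ignored SID.
        $paths = Get-ChildItem 'Registry::HKEY_USERS' |
            Where-Object { $_.PSChildName -ne '.DEFAULT' -and
                           $_.PSChildName -notlike '*_Classes' -and
                           $IgnoreHkuUsers -notcontains $_.PSChildName } |
            ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\$subKey" }
    } else {
        $paths = @("Registry::$($hiveNames[$hive])\$subKey")
    }

    # One result per path: the observed kind and whether the item passes.
    foreach ($p in $paths) {
        $key = Get-Item -LiteralPath $p -ErrorAction SilentlyContinue
        if (-not $key -or $key.GetValueNames() -notcontains $RegItem) {
            # Missing key or value: passes only under CAN_BE_NULL.
            [pscustomobject]@{ Path = $p; Kind = $null; Pass = [bool]$CanBeNull }
            continue
        }
        $kind = $key.GetValueKind($RegItem).ToString()
        [pscustomobject]@{ Path = $p; Kind = $kind; Pass = ($kind -eq $wantKind) }
    }
}

# The two items from this page, run locally.
Test-RegistryValueType -RegKey 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -RegItem 'ScreenSaverGracePeriod' -ExpectedType 'reg_sz'
Test-RegistryValueType -RegKey 'HKU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -RegItem 'brastk' `
    -ExpectedType 'reg_sz' -IgnoreHkuUsers 'S-1-5-18','S-1-5-19','S-1-5-20' -CanBeNull
```

A row with Pass = False on the HKLM item means ScreenSaverGracePeriod is stored with a type other than REG_SZ (or is absent without CAN_BE_NULL), which is exactly the condition the REGISTRY_TYPE item reports.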