Windows Registry Actions
Malware authors use Windows Registry actions to manipulate the Windows Registry database, which stores critical system configurations and user preferences. By creating, modifying, or deleting registry keys and values, the malware can alter system behavior, persist after reboot, or evade detection. For instance, adding a new key can establish persistence, ensuring that the malware runs every time the system starts. Modifying values or changing access control lists (ACLs) might disable security features, like antivirus programs, or allow unauthorized access to sensitive system parts. Deleting keys or values could erase traces of malicious activity, further hiding the presence of the malware.
This technique is commonly used for persistence (for example by Remote Access Trojans, or RATs), privilege escalation, and evasion. Ransomware may also use these actions to ensure it launches again after a system restart.
Featured Windows APIs
Associated Code Snippets
| Id | Name | Language | Author | Published Date |
|---|---|---|---|---|
| 59 | Delete Registry Value | Delphi | DarkCoderSc | 3 weeks, 6 days ago |
| 58 | Rename Registry Key | Delphi | DarkCoderSc | 3 weeks, 6 days ago |
| 56 | Create or Modify Registry Value | Delphi | DarkCoderSc | 3 weeks, 6 days ago |
| 55 | Delete Registry Key | Delphi | DarkCoderSc | 3 weeks, 6 days ago |
| 54 | Create New Registry Key (Sub Key) | Delphi | DarkCoderSc | 3 weeks, 6 days ago |
Associated Features
| Feature Name | Dangerousness | Key Categories |
|---|---|---|
| Registry Manager | High | Exfiltration, Credentials, Alteration, Disruption, System Management |
| Destructive Operations | High | Alteration, Disruption |