
Windows Registry Exploration

The Windows Registry is a crucial database on a computer's hard drive that stores important settings for the operating system and installed software. It consists of keys and subkeys that hold configuration data, and users can access it to modify settings such as desktop wallpaper and auto-start applications. However, the registry is also a target for malicious attacks, making it essential to monitor and protect its integrity.

Uploaded by

221023

What is Registry

In the world of operating systems, there are many components that contribute to enhancing the user
experience and ensuring smooth operation. One of these components is the Windows Registry,
which plays a vital role in the operating system. But what exactly is the Windows Registry? It is a
database located on your computer’s hard drive, storing important settings for both the Windows
operating system and any other software installed on it. This registry holds information about
software configurations and hardware installation details, such as connected devices.

For example, when you enter a key to activate a program, it is stored in the Registry to ensure the
program is activated correctly.

Why is the Windows Registry important? The Windows Registry is crucial because it serves as the
central location for all of Windows' configuration data. It is the keystone on which the system
depends. On the other hand, the fact that the registry is so critical also makes it one of the operating
system's weaknesses. If the keystone is removed, the whole arch crumbles. If the registry fails,
Windows fails. Fortunately, total failure is rare, and partial failure that doesn't prevent you from
starting the computer is often easily overcome.

Accessing the Windows Registry allows users to view and explore system configuration settings. To
open it, follow these steps:

1. Press ⊞ Win + R to open the Run dialog.

2. Type regedit and press Enter.


3. If prompted for permission, click Yes to allow access.

Windows Registry Exploration Mohammad Abu Haded | 221023


Key Types & Change Wallpaper via Registry
As you can see, it is made up of main folders called keys, which contain subkeys, and finally, there
are values at the end.

Now, let's explore three important keys in the Windows Registry:

1. HKEY_CURRENT_USER: This key contains configurations specific to the current user, such
as appearance settings and user-specific application preferences.

2. HKEY_LOCAL_MACHINE: This key holds configurations that are shared across all user
accounts on the system, such as device drivers and installed software.

3. HKEY_CLASSES_ROOT: This key contains information about file associations and data
types, determining how files are opened by applications.

To reinforce the concepts further, we will now perform a practical application through an example.
However, before proceeding with any modifications, it's important to back up your registry.
Start by opening the Windows Registry Editor, then go to File and select Export. Choose a location
to save the backup and give it a meaningful name. I named it Registry_Backup_2025-04-05.

This ensures that you have a safe copy of your registry in case any issues arise during the
modification process.

Now, let's take an example of changing the desktop wallpaper through the Windows Registry. First,
open the Windows Registry Editor. Then, navigate to the key HKEY_CURRENT_USER (1), and from
there go to the subkey Control Panel (2) and then click on Desktop (3). Once you're in the
Desktop subkey, look for the Wallpaper value (4). Double-click on the Wallpaper value (5), and in
the Value Data field, enter the path of the new image you want to set as your wallpaper (6). For
instance, I wanted to set the image of my cat, which I saved on my Desktop as "myCat." So, I would
enter: C:\Users\moham\OneDrive\Desktop\myCat.jpg. After making this change, the new image will
appear as the desktop wallpaper once you restart your system.



Change Wallpaper via Registry
Now, let's follow this practically:

[Figure: Registry Editor screenshots for steps 1 to 3, showing the old value and the new value, and
the desktop before modification and after modification and restarting the device (7).]



Auto-Start Google via Registry
Let's take another example to better understand this: I want to make Google run automatically when I
start my computer.

To do this, open the Windows Registry and go to the key HKEY_CURRENT_USER. Navigate to the
subkey SOFTWARE, then to Microsoft, followed by Windows, then CurrentVersion, and then Run.
Right-click on an empty space or on the Run folder, select New, and choose String Value. Name
this value and double-click on it. In the Value Data field, enter the path to the Google
application.



Auto-Start Google & Wallpaper via Command Prompt
Having worked through two examples in Regedit, we will now do the same thing another way, using
Command Prompt (reg.exe). reg.exe is a command-line tool that allows you to manage and modify
the Windows registry directly from Command Prompt. It provides a simple way to add, delete, and
edit registry keys and values. To use Command Prompt, first open it by pressing ⊞ Win + R, typing
cmd, and pressing Enter.

To repeat the first example, changing the desktop background, use this command, replacing the
placeholders with the key path, value name, value type and data from that example:

reg add "key_path" /v "value_name" /t "value_type" /d "data" /f

To repeat the second example, making Google run automatically when we start the computer, use
the same command form with the values from that example:

reg add "key_path" /v "value_name" /t "value_type" /d "data" /f

Now that we’ve made those changes to the system registry and tested their effects, we may want to
restore the original values as they were before, either to ensure system stability or simply to revert to
the previous state.

Start by opening the Windows Registry Editor, then go to File and select Import. Locate the backup
file you previously saved, in my case it was named Registry_Backup_2025-04-05, and open it. This
will restore the registry to its previous state.



Registry Attacks & Protection
Since the Windows Registry holds great importance in the operating system, it becomes a major
target for malicious attacks that exploit it for various reasons and in different ways.
One example of this is:

Impair Defenses: the Impair Defenses technique is used by attackers to weaken or disable the
defense mechanisms that protect a system or network from cyberattacks. One common method
involves targeting the Windows Registry, specifically the key:
HKEY_LOCAL_MACHINE\Software\[Antivirus Name]\RealTimeProtection
By setting the value of this key to 0, malware can effectively disable the real-time protection feature of
antivirus software. This allows the malicious software to remain hidden within the system, move freely
within the network, and carry out further attacks such as data theft or the deployment of additional
malware, all while avoiding detection.
To protect yourself from this, ensure you have appropriate logging permissions to prevent adversaries
from disrupting or interfering with security/logging services. You should monitor any changes in
registry keys that might modify security services or programs that start when the system boots up,
and monitor any means by which this happens, such as a new suspicious process or running scripts
that do so. The most important thing is not to download or open files from unsafe sources.
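
One way to act on the monitoring advice is to compare a baseline Registry Editor export (File > Export, as in the backup step) with a later one and report only changes under security-relevant keys. This is an added example, not part of the original document. Assumptions: "ExampleAV" is a made-up stand-in for the [Antivirus Name] placeholder, RealTimeProtection is treated as a value under that key, the sample exports are constructed, and real exports are UTF-16 and must be decoded to text first.

```python
import re

# Watched keys: the Run key from the auto-start example and a stand-in for the
# page's HKEY_LOCAL_MACHINE\Software\[Antivirus Name] key ("ExampleAV" is made up).
WATCHED = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
           r"HKEY_LOCAL_MACHINE\Software\ExampleAV")
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: raw_data}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    tree, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            tree.setdefault(key := line[1:-1], {})
        elif key and (m := VALUE_RE.match(line)):
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            tree[key][name] = m.group(2)
    return tree

def is_watched(key):
    k = key.lower()  # registry paths are case-insensitive
    return any(k == w.lower() or k.startswith(w.lower() + "\\") for w in WATCHED)

def diff_exports(baseline, current):
    """Return (change, key, value_name, old, new) tuples for watched keys."""
    old, new = parse_reg(baseline), parse_reg(current)
    findings = []
    for key in sorted(filter(is_watched, set(old) | set(new))):
        before, after = old.get(key, {}), new.get(key, {})
        for name in sorted(set(before) | set(after)):
            a, b = before.get(name), after.get(name)
            if a != b:
                change = "added" if a is None else "removed" if b is None else "modified"
                findings.append((change, key, name, a, b))
    return findings

# Constructed sample exports (not from a real system).
BASELINE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\Windows\\Web\\Wallpaper\\Windows\\img0.jpg"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
[HKEY_LOCAL_MACHINE\Software\ExampleAV]
"RealTimeProtection"=dword:00000001
'''
CURRENT = (BASELINE.replace("img0.jpg", "myCat.jpg").replace("00000001", "00000000")
           .replace('/background"\n', '/background"\n"Google"="C:\\\\Apps\\\\google.exe"\n'))
if __name__ == "__main__":
    print(*diff_exports(BASELINE, CURRENT), sep="\n")
```

The wallpaper change is present in the second export but is not reported, because its key is not on the watch list; the new Run entry and the protection value set to 0 are.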

End of Content


Appendix:

ChatGPT (v4.0) by OpenAI was used for tasks such as translation, assisting with finding references,
helping to structure paragraphs, and summarizing sections of the text.

Reference:

OpenAI. (2025). ChatGPT (v4.0) [AI language model].

https://openai.com/chatgpt
