Tags: High Risk | Windows | Legitimate | Commonly Abused
reg.exe (System Utility)

reg.exe - Registry Editor CLI Security Analysis

reg.exe is the Windows **Registry command-line editor** for querying and modifying the registry. Attackers use reg.exe extensively for **persistence** (Run keys), **credential harvesting** (SAM/SECURITY hives), **defense evasion** (disabling security), and **reconnaissance**. Registry modifications are central to most Windows attacks.

Risk Summary

HIGH priority for SOC triage. reg.exe can establish persistence, extract credentials, and disable security features. Monitor for modifications to Run keys, SAM/SECURITY hive exports, and security policy changes.

Overview

What is reg.exe?

reg.exe is the command-line interface for the Windows Registry.

Core Functions

Registry Operations:

  • Query registry values
  • Add/delete keys and values
  • Export/import registry data
  • Compare registry states

Security Significance

  • Persistence Central: Run keys, services
  • Credential Storage: SAM, LSA secrets
  • Security Settings: Policies, defender
  • System Configuration: Critical settings

Normal Behavior


Expected Process State

Property   Expected Value
Path       C:\Windows\System32\reg.exe
Parent     cmd.exe, powershell.exe
User       Administrator (for HKLM)
Context    System administration

Legitimate Usage

reg query HKLM\SOFTWARE\...
reg export HKLM\SOFTWARE backup.reg

Common Locations

C:\Windows\System32\reg.exe
C:\Windows\SysWOW64\reg.exe

Suspicious Indicators

Legitimate vs Suspicious

LEGITIMATE

Command:     reg query (read operations)
             reg export (documented backup)
Context:     System administration

SUSPICIOUS

Command:     reg add ...\Run /v malware
             reg save HKLM\SAM sam.hiv
             reg save HKLM\SECURITY sec.hiv
             reg add ...\Windows Defender /v DisableAntiSpyware
Context:     Persistence setup
             Credential extraction
             Security tampering

Critical Registry Targets

Path                   Purpose       Risk
...\Run, RunOnce       Persistence   CRITICAL
HKLM\SAM               Credentials   CRITICAL
HKLM\SECURITY          LSA Secrets   CRITICAL
...\Windows Defender   Security      CRITICAL

Abuse Techniques

Attack Techniques

Technique #1: Registry Persistence (T1547.001)

Add Run Key:

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Malware /t REG_SZ /d "C:\malware.exe"

Technique #2: Credential Dumping Preparation (T1003.002)

Export SAM/SECURITY:

reg save HKLM\SAM sam.hiv
reg save HKLM\SECURITY security.hiv
reg save HKLM\SYSTEM system.hiv

Technique #3: Disable Security (T1562.001)

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1

Technique #4: UAC Bypass Preparation (T1548.002)

reg add HKCU\Software\Classes\ms-settings\shell\open\command /ve /t REG_SZ /d "C:\malware.exe"

Remediation Steps

Protection and Remediation

Defense: Monitor Registry Changes

Enable registry auditing for critical keys.
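As an added example (not code from the original page), the following Python script applies the suspicious reg.exe command patterns listed under Suspicious Indicators and Abuse Techniques to constructed process-creation command lines, the kind of check a SOC would run over Sysmon Event ID 1 or Security 4688 telemetry. The sample command lines, rule names and helper functions are assumptions for illustration.

```python
import re
# Constructed sample command lines (not real telemetry), shaped like the
# CommandLine field of a process-creation event (Sysmon ID 1 / Security 4688).
SAMPLE_COMMAND_LINES = [
    r'reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion',
    r'reg export HKLM\SOFTWARE backup.reg',
    r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d "C:\Users\Public\u.exe"',
    r'C:\Windows\System32\reg.exe save HKLM\SAM sam.hiv',
    r'reg save HKLM\SECURITY security.hiv',
    r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1',
    r'reg add HKCU\Software\Classes\ms-settings\shell\open\command /ve /t REG_SZ /d "C:\Users\Public\u.exe"',
]

# (rule name, ATT&CK technique, reg.exe verb, pattern over the lower-cased arguments)
RULES = [
    ("Run/RunOnce key persistence", "T1547.001", "add",
     re.compile(r"\\currentversion\\(run|runonce)(\\|\s|$)")),
    ("Credential hive save", "T1003.002", "save",
     re.compile(r"^hklm\\(sam|security|system)(\s|$)")),
    ("Defender DisableAntiSpyware", "T1562.001", "add",
     re.compile(r"windows defender\s+/v\s+disableantispyware")),
    ("ms-settings UAC bypass key", "T1548.002", "add",
     re.compile(r"\\ms-settings\\shell\\open\\command(\s|$)")),
]

def parse_reg(cmdline):
    """Return (verb, args) if the command line runs reg.exe, else None. Quotes
    are dropped and text lower-cased, so rules ignore quoting, case and path."""
    tokens = cmdline.replace('"', "").lower().split()
    if len(tokens) < 2 or tokens[0].rsplit("\\", 1)[-1] not in ("reg", "reg.exe"):
        return None
    return tokens[1], " ".join(tokens[2:])

def classify(cmdline):
    """Return the [(rule name, technique id)] pairs one command line fires."""
    parsed = parse_reg(cmdline)
    if parsed is None:
        return []
    verb, args = parsed
    return [(name, tid) for name, tid, v, pat in RULES
            if v == verb and pat.search(args)]

def triage(command_lines):
    """Keep only the command lines that fire at least one rule, with their hits."""
    return [(c, hits) for c in command_lines if (hits := classify(c))]

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_COMMAND_LINES):
        print(", ".join(tid for _, tid in hits), "|", cmd)
```

The read-only `reg query` and `reg export` lines produce no hits, so only the four abuse patterns surface for analyst review.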

Defense: Restrict reg.exe

Restrict to administrators only.

If Compromise Suspected

  1. Check Run/RunOnce keys
  2. Verify no SAM exports exist
  3. Review security policy changes
  4. Check for UAC bypass keys
  5. Export and review recent changes
  6. Restore from known-good backup

Investigation Checklist


  • Review full command line arguments
  • Check for SAM/SECURITY exports
  • Review Run key modifications
  • Check Windows Defender registry
  • Review recent registry changes
  • Check for UAC bypass patterns
  • Verify no credential hives exported
  • Review service registry entries

MITRE ATT&CK Techniques

  • T1547.001 - Registry Persistence (Run keys)
  • T1003.002 - Credential Dumping Preparation (SAM/SECURITY hive export)
  • T1562.001 - Disable Security (Windows Defender)
  • T1548.002 - UAC Bypass Preparation (ms-settings handler)

Last verified: January 18, 2026