Registry

reg

query

C:\> reg query [registry_path]

save

HKLM\SYSTEM is the SYSTEM registry hive (HKEY_LOCAL_MACHINE\SYSTEM). It holds system-wide configuration, including the boot key that the password hashes stored in the SAM are encrypted with. The command below saves that key and everything under it to a file named system.hive in the C:\Users\jarrett directory.

C:\> reg save hklm\system C:\Users\jarrett\system.hive

The command below does the same for the SAM (Security Accounts Manager) hive, writing it to sam.hive. Offline tools need both files: the SAM hive holds the local account password hashes, and the SYSTEM hive holds the key needed to decrypt them.

C:\> reg save hklm\sam C:\Users\jarrett\sam.hive

For the above two commands to work, the current user needs SeBackupPrivilege: hklm\SYSTEM and hklm\SAM are not readable by ordinary users, and the backup privilege lets reg save read them regardless of their ACLs. By default only Administrators and Backup Operators hold it, and under UAC it is only present in the token of an elevated (administrator) prompt. SeRestorePrivilege is the counterpart needed to put a saved hive back or mount it (reg restore, reg load). whoami /priv lists the privileges in the current token; reg.exe enables SeBackupPrivilege itself, so it is fine for the State column to show Disabled. Because the resulting files contain the local account password hashes, protect them and delete them when you are done.

C:\> whoami /priv
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeBackupPrivilege             Back up files and directories  ...
SeRestorePrivilege            Restore files and directories  ...
...
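The procedure above, as an added PowerShell example that is not part of the original page: it checks that the token holds SeBackupPrivilege, saves the SYSTEM and SAM hives with reg.exe, confirms each output file carries the four-byte 'regf' hive signature, and records a SHA-256 hash of each file. The output directory C:\Users\jarrett\hives and the function names are assumptions; run it from an elevated prompt.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell
# prompt. The output directory is an assumption; change it as needed.
$OutDir = 'C:\Users\jarrett\hives'

function Test-Privilege {
    # Returns $true if the current token holds the named privilege, whether its
    # state is Enabled or Disabled (reg.exe enables SeBackupPrivilege itself).
    param([string]$Name)
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    return [bool]($privs | Where-Object { $_.'Privilege Name' -eq $Name })
}

function Save-Hive {
    # Saves one HKLM subtree to a hive file with reg.exe and checks the result.
    param([string]$Key, [string]$Path)

    # /y overwrites an existing file without prompting.
    reg.exe save $Key $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg save $Key failed with exit code $LASTEXITCODE"
    }

    # Every registry hive file starts with the ASCII signature 'regf'.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 4
        $null = $fs.Read($buf, 0, 4)
    } finally {
        $fs.Dispose()
    }
    $sig = [System.Text.Encoding]::ASCII.GetString($buf)
    if ($sig -ne 'regf') {
        throw "$Path does not look like a registry hive (signature '$sig')"
    }

    # Hash the file so the copy can be verified after it is moved off the host.
    return Get-FileHash -Path $Path -Algorithm SHA256
}

if (-not (Test-Privilege 'SeBackupPrivilege')) {
    throw 'SeBackupPrivilege is missing: run this from an elevated (administrator) prompt'
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($hive in 'SYSTEM', 'SAM') {
    $result = Save-Hive -Key "HKLM\$hive" -Path (Join-Path $OutDir "$hive.hive")
    '{0}  {1}' -f $result.Hash, $result.Path
}
```

The signature check catches the common failure where reg.exe exits 0 but the target path was not what you expected; the hash gives you something to compare against once the files have been copied to the machine where they will be analysed. Both files hold local password hashes, so delete them from the host afterwards.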

Last updated 5 months ago