Windows Registry Enumeration
Registry Key/Value Enumeration is a technique commonly found in advanced Remote Access Trojans (RATs). It is often implemented through a graphical user interface (GUI) that mimics the native regedit application, letting the operator browse and manage the Windows Registry of the compromised host remotely, without needing Remote Desktop access to the real regedit.exe GUI.
This approach serves as an alternative to command-line registry management (reg.exe, PowerShell's registry provider), particularly when a remote shell is unavailable or the operator prefers not to use one. Under the hood such a module is a thin wrapper around the Win32 registry API: open a key, call RegEnumKeyEx and RegEnumValue with an increasing index until they return ERROR_NO_MORE_ITEMS, read individual values with RegQueryValueEx, and recurse into subkeys. Beyond enumeration and display, these tools often provide additional functionality, such as creating, editing, and deleting registry keys or values, and performing searches across the registry; those capabilities are covered by other techniques.
Registry enumeration is especially valuable during post-exploitation. The registry holds software license keys (including legacy CD keys), plaintext or weakly protected passwords stored by applications and services, digital certificates, and details about the system and user environment, all of which can be collected without touching the file system. From the defender's side, a recursive walk of a whole hive by a process that has no business reading it is noisy: it produces a large volume of registry query events from a single process in a short time, which is a usable detection signal.
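The enumeration loop described above, written out as an added example: this is not the Unprotect snippet listed below nor code by its author. The walk is written against a two-call interface (enumerate subkeys, enumerate values) so the same logic runs against the live Win32 API through the standard-library `winreg` module on Windows, or against a constructed in-memory hive (`SAMPLE_HIVE`, made up for this example) on any platform. `find_sensitive` then applies the post-exploitation filter the paragraph describes: value or key names that look like product IDs, CD keys, passwords, licenses or tokens. The name pattern `SENSITIVE` is an assumption for illustration, not a list taken from any tool.

```python
"""Recursive registry enumeration plus a scan for sensitive-looking values.

Added example for this page (not the listed snippet, not its author's code).
The enumeration mirrors the Win32 pattern a RAT's regedit-like module uses:
open a key, call RegEnumKeyEx / RegEnumValue with an increasing index until
ERROR_NO_MORE_ITEMS, recurse into each subkey. WinRegBackend wraps the real
API via winreg; DictBackend is a constructed offline hive for any platform.
"""
import re

try:
    import winreg  # Windows only
except ImportError:  # elsewhere only DictBackend is usable
    winreg = None


class WinRegBackend:
    """Live hive, e.g. winreg.HKEY_LOCAL_MACHINE (assumes the caller has read access)."""

    def __init__(self, hive):
        self.hive = hive

    def _enum(self, path, fn):
        items = []
        try:
            with winreg.OpenKey(self.hive, path, 0, winreg.KEY_READ) as key:
                index = 0
                while True:
                    try:
                        items.append(fn(key, index))
                    except OSError:  # ERROR_NO_MORE_ITEMS ends the loop
                        break
                    index += 1
        except OSError:  # access denied or key removed mid-walk: skip it, keep going
            pass
        return items

    def enum_keys(self, path):
        return self._enum(path, winreg.EnumKey)

    def enum_values(self, path):
        # EnumValue returns (name, data, type); the REG_* type is dropped here.
        return [(name, data) for name, data, _ in self._enum(path, winreg.EnumValue)]


class DictBackend:
    """Constructed offline hive: {"keys": {name: subtree}, "values": {name: data}}."""

    def __init__(self, root):
        self.root = root

    def _node(self, path):
        node = self.root
        for part in filter(None, path.split("\\")):
            node = node["keys"][part]
        return node

    def enum_keys(self, path):
        return list(self._node(path)["keys"])

    def enum_values(self, path):
        return list(self._node(path)["values"].items())


def walk(backend, path=""):
    """Depth-first walk yielding (key_path, value_name, data) for every value."""
    for name, data in backend.enum_values(path):
        yield path, name, data
    for sub in backend.enum_keys(path):
        yield from walk(backend, f"{path}\\{sub}" if path else sub)


# Assumed name pattern for the post-exploitation filter (illustrative, not from any tool).
SENSITIVE = re.compile(r"pass(word|wd)?|product.?(id|key)|cd.?key|licen[cs]e|secret|token", re.I)


def find_sensitive(backend, start=""):
    """Return [(key_path, value_name, data)] whose value name or key name matches SENSITIVE."""
    hits = []
    for key_path, name, data in walk(backend, start):
        leaf = key_path.rsplit("\\", 1)[-1]
        if SENSITIVE.search(name) or SENSITIVE.search(leaf):
            hits.append((key_path, name, data))
    return hits


# Constructed sample hive for the offline run (not captured from a real system).
SAMPLE_HIVE = {
    "keys": {
        "SOFTWARE": {
            "keys": {
                "Microsoft": {"keys": {"Windows NT": {"keys": {"CurrentVersion": {
                    "keys": {}, "values": {"ProductId": "00000-00000-00000-AAAAA",
                                           "CurrentBuild": "19045"}}}, "values": {}}}, "values": {}},
                "ExampleVendor": {"keys": {"ExampleApp": {
                    "keys": {}, "values": {"Password": "s3cret", "Theme": "dark"}}}, "values": {}},
            },
            "values": {},
        }
    },
    "values": {},
}

if __name__ == "__main__":
    if winreg:  # live walk of HKLM\SOFTWARE on Windows
        backend, start = WinRegBackend(winreg.HKEY_LOCAL_MACHINE), "SOFTWARE"
    else:  # offline demo on the constructed hive
        backend, start = DictBackend(SAMPLE_HIVE), ""
    for key_path, name, data in find_sensitive(backend, start):
        print(f"{key_path}\\{name} = {data!r}")
```

On the constructed hive the scan reports `ProductId` under `CurrentVersion` and `Password` under `ExampleApp` and ignores `CurrentBuild` and `Theme`. Two points worth noticing: the live backend swallows `OSError` on `OpenKey`, because a full-hive walk under a non-elevated token will hit access-denied keys and a RAT module that aborts on the first one is useless; and the only operations involved are reads, so a detection rule keyed on registry writes never sees this activity.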
Featured Windows APIs
Associated Code Snippets
Id | Name | Language | Author | Published Date |
---|---|---|---|---|
3 | Enumerate Windows Registry (WinAPI) | | DarkCoderSc | 3 days, 8 hours ago |