Wren Howell
January 4, 2023

Exploring the HKCR Registry Key

Posted on January 4, 2023  •  2 minutes  • 414 words

When I was visiting friends during Christmas break, a friend’s relative was watching basketball on a streaming site. With his permission, I asked to see his laptop to check if any strange downloads were attempted, but nothing caught my eye initially. But I saw some peculiar extensions in the recycle bin. Since I knew that he only used the computer for surfing the internet and editing documents, I decided to do some proactive hardening for him.

The Windows Registry is like a library that stores essential information about a computer’s configuration settings, preferences, and settings. The library is broken up into different sections called registry hives, each with a key and subkeys (where something is stored) and associated value (what is stored) within them.

A particular key, HKEY_CLASSES_ROOT\Directory\shell\open in the Windows Registry, contains information related to file extensions. The purpose of this key is related to defining the actions that occur when a user double-clicks or selects “Open” on a directory (folder) in the Windows File Explore. Every time a user tries to open a file on their computer, the operating system checks this key to see how to open it. For example, when a user tries to open a .txt file, Windows looks up how this application can be run (by default, it is via Notepad) and then determines how to edit and execute the file.

Since this behevior is all pre-programmed, as a user (or a system administrator), we can control how particular extensions will be executed when they are opened. This is important because threat actors use certain file extension types to get a user to execute a malicious program on a machine. One of the common file extensions that threat actors abuse is .hta extension. HTA stands for Hypertext Markup Language Application that has an executable file that contains hypertext code and could also contain VBScript or JScript code.

Since threat actors commonly abuse .hta file extensions, changing it to open in a .txt file instead of mshta.exe will buy the user some time to think and ask questions, e.g., Do I really want to execute this file? Changing these defaults could prevent the user from executing the extension automatically. This is like having a friend, parent, or relative asking, ‘Are you really sure you want to do this right now?’ Just like when sometimes we need someone to avoid making regrettable mistakes, sometimes we need to change the defaults to help us avoid decisions that we could regret later.

Follow me

My people say I don't bite