단디연구소
Windows Registry keys used by malware
Security settings

| Purpose | Registry key |
|---|---|
| Hidden-file display setting | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden |
| Task Manager setting (disable) | HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\DisableTaskMgr |
| Registry editor setting (disable) | HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools |
| IE offline setting | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline |
| Safe Mode setting | HKCU\System\CurrentControlSet\Control\SafeBoot |
| Antivirus setting (override) | HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride |
| Antivirus warning notification | HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify |
| Firewall warning notification | HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify |
| Firewall setting (override) | HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride |
| Update notification | HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify |
| User Account Control notification setting | HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify |
| User Account Control setting | HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA |
| Firewall exception program setting | HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\<malware file path> |
| Firewall setting (enable/disable) | HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall |
| Firewall "allow exceptions" setting | HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions |
| Firewall notification setting | HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications |

Others

| Purpose | Registry key |
|---|---|
| OS information | HKLM\Software\Microsoft\Windows NT\CurrentVersion |
| Product name | HKLM\Software\Microsoft\Windows NT\CurrentVersion /v ProductName |
| Install date | HKLM\Software\Microsoft\Windows NT\CurrentVersion /v InstallDate |
| Registered owner | HKLM\Software\Microsoft\Windows NT\CurrentVersion /v RegisteredOwner |
| System path | HKLM\Software\Microsoft\Windows NT\CurrentVersion /v SystemRoot |
| Time zone | HKLM\System\CurrentControlSet\Control\TimeZoneInformation /v ActiveTimeBias |
| Mapped network drives | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU |
| Mounted devices | HKLM\System\MountedDevices |
| USB devices | HKLM\System\CurrentControlSet\Enum\USBStor |
| IP forwarding enabled | HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters - IPEnableRouter = 1 |
| Password keys: LSA secrets can contain VPN / autologon / other passwords | HKLM\Security\Policy\Secrets |
| Password keys (autologon) | HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon |
| Audit policy | HKLM\Security\Policy\PolAdtEv |
| Kernel/user services | HKLM\Software\Microsoft\Windows NT\CurrentControlSet\Services |
| Installed software on machine | HKLM\Software |
| Installed software for user | HKCU\Software |
| Recent documents | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs |
| Recent user locations | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU |
| Recent user locations | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU |
| Typed URLs | HKCU\Software\Microsoft\Internet Explorer\TypedURLs |
| MRU lists | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU |
| Last registry key accessed | HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\RegEdit /v LastKey |
| Startup locations | HKLM\Software\Microsoft\Windows\CurrentVersion\Run |
| Startup locations | HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce |
| Startup locations | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run |
| Startup locations | HKCU\Software\Microsoft\Windows\CurrentVersion\Run |
| Startup locations | HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce |
| Startup locations | HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load |
| Startup locations | HKCU\Software\Microsoft\Windows NT\CurrentVersion\WinRun |
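An added PowerShell audit script, not part of the original post, that reads the tampering-related values from the tables above and lists the autostart and firewall-exception entries so a defender can spot changes on a host. It assumes Windows defaults as the safe state, reads DisableTaskMgr from Policies\System (where Windows stores it), and enumerates the exception list under AuthorizedApplications\List; run it from an elevated PowerShell session.

```powershell
# Added audit example (not the original post's code). The "Bad" data below is
# the state malware typically sets; treating the default as safe is an assumption.
$checks = @(
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DisableTaskMgr';       Bad=1 },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DisableRegistryTools'; Bad=1 },
    @{ Path='HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name='EnableLUA';            Bad=0 },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center'; Name='AntiVirusOverride';      Bad=1 },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center'; Name='AntiVirusDisableNotify'; Bad=1 },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center'; Name='FirewallOverride';       Bad=1 },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center'; Name='FirewallDisableNotify';  Bad=1 },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center'; Name='UpdatesDisableNotify';   Bad=1 },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center'; Name='UacDisableNotify';       Bad=1 },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name='EnableFirewall';       Bad=0 },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name='DisableNotifications'; Bad=1 },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Name='IPEnableRouter'; Bad=1 }
)

foreach ($c in $checks) {
    # A missing value means the default applies; a matching "Bad" value is a tampering indicator.
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -eq $v)      { "[ ok ] $($c.Name) not set (default)" }
    elseif ($v -eq $c.Bad) { "[WARN] $($c.Path)\$($c.Name) = $v" }
    else                   { "[ ok ] $($c.Name) = $v" }
}

# Enumerate every value under the startup keys and the firewall exception list.
# Any entry pointing at an unexpected file path deserves a closer look.
$listKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
)
foreach ($k in $listKeys) {
    if (-not (Test-Path $k)) { continue }
    $key = Get-Item $k
    foreach ($name in $key.Property) {
        "[INFO] $k : $name = $($key.GetValue($name))"
    }
}

# The Winlogon "Load" value is a single entry rather than a key of entries; it is empty on a clean system.
$load = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows' -Name Load -ErrorAction SilentlyContinue).Load
if ($load) { "[WARN] Winlogon Load value is set: $load" }
```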