
Windows Registry & Osquery: The Easy Way to Ensure Users are Secured

The Windows registry is full of information, and with the proper tools it can be a gold mine for attackers and defenders alike. Attackers look for specific configurations, credentials, or any information that helps them attack systems further, while defenders can use the registry to verify that settings are configured as expected. Doing this with the standard Windows tools is not always easy, or not possible with acceptable performance. Fortunately, osquery solves that for us.

Let’s consider GPOs, which most organizations with a Windows environment and Domain use. GPOs are usually just a way to get a set of specific values configured in the registry.

Osquery allows us to query the registry for those values very easily.

For example, this query returns the settings related to Microsoft LAPS (Local Administrator Password Solution). The backslashes in the registry key, lost in the original rendering, are restored here:

SELECT data, path FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd';

That was easy, but many settings in the registry are « per user ».

The registry hive « HKEY_CURRENT_USER » (HKCU) represents the path to the current user’s registry settings.

The problem when monitoring systems for security is that each user has their own set of registry settings, located under « HKEY_USERS », so querying a fixed path will not work, because the set of user profiles created on each system is different.

In order to monitor configurations that are done « per user » in Windows, we can leverage the power of wildcards in osquery:

SELECT data, path FROM registry
WHERE key (Read more...)
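As an added example that is not part of the original post, the queries below apply the wildcard approach to a user-level GPO setting. The key path and value names are assumed to be the ones the "Password protect the screen saver" policy writes under HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop; the % wildcard in the osquery registry table matches a single key level, here the user SID under HKEY_USERS.

```sql
-- Added example (not from the original post). Assumed policy location:
-- HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop, where GPO
-- writes ScreenSaveActive, ScreenSaverIsSecure and ScreenSaveTimeOut.
-- Under HKEY_USERS the same subkeys sit below each user's SID, so % stands
-- in for the SID and one query covers every profile currently loaded.

-- 1) Inventory: the screen-lock values for every loaded user hive.
SELECT
  key,
  name,
  data,
  path
FROM registry
WHERE key LIKE 'HKEY_USERS\%\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
  AND name IN ('ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut')
  -- skip the per-user *_Classes hives, which also match the wildcard
  AND key NOT LIKE 'HKEY_USERS\%_Classes\%';

-- 2) Detection: profiles where the lock is present but not enforced.
-- A profile that never received the policy has no row at all, so an
-- absent value cannot be flagged by this query; compare the SIDs returned
-- by query 1 against the expected set of users to catch that case.
SELECT
  key,
  name,
  data
FROM registry
WHERE key LIKE 'HKEY_USERS\%\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
  AND key NOT LIKE 'HKEY_USERS\%_Classes\%'
  AND (
        (name = 'ScreenSaveActive'    AND data != '1')
     OR (name = 'ScreenSaverIsSecure' AND data != '1')
     OR (name = 'ScreenSaveTimeOut'   AND CAST(data AS INTEGER) > 900)
  );
```

HKEY_USERS only contains hives that are loaded (logged-on users plus .DEFAULT and the service accounts), so profiles of users who are logged off are not visible to either query.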

*** This is a Security Bloggers Network syndicated blog from Uptycs Blog authored by Guillaume Ross. Read the original post at: https://www.uptycs.com/blog/windows-registry-osquery-the-easy-way-to-ensure-users-are-secured