The Windows Registry is, at its core, a database that stores settings for Microsoft Windows and for applications; device drivers, services and user interfaces all use it, and Registry Editor (regedit) is the tool for browsing it. This matters here because it records a lot of data about the executables on a user's PC, including applications that have since been deleted.
Moving on to the practical part.
There are multiple registry keys you can check for cheats, and I'm going to go over a couple of them.
First, open the Registry Editor:
1. Press Windows Key + R
2. Type regedit
Now you can go to any of the keys below, but I will explain them individually.
- Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
This key lists the EXEs on this user's PC (it can sometimes show deleted files too; either way it is all relevant).
Look for "SIGN.MEDIA": these entries are usually cheats or executables that are not digitally signed.
You can also look for any .exe found on unusual drive letters like Z, X or L.

Otherwise, just read through their .exe entries and check for anything suspicious.
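As an added example (not part of the original guide), the following Python script triages the value names under the Compatibility Assistant Store key the way the section describes: it flags SIGN.MEDIA entries and executables on unusual drive letters. The set of "normal" drive letters and the sample entries are assumptions I constructed; the live read uses Python's standard-library winreg module and therefore only works on a Windows host.

```python
"""Triage of the Program Compatibility Assistant "Store" key.

Added example, not from the original guide. The flagging logic runs anywhere on
a list of value names; read_store_value_names() is the optional live read for a
Windows host and needs the standard-library winreg module.
"""
import re
from typing import Dict, List

STORE_KEY = (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
             r"\AppCompatFlags\Compatibility Assistant\Store")

# Drive letters treated as ordinary on a typical workstation (assumption);
# anything else, such as Z:, X: or L:, is flagged for a closer look.
COMMON_DRIVES = {"C", "D"}

# A value name that is a normal path starts with a drive letter and a colon.
_DRIVE = re.compile(r"^([A-Za-z]):\\")


def classify(value_name: str) -> List[str]:
    """Return the reasons this Store entry deserves attention (empty list = nothing notable)."""
    reasons = []
    # Entries for executables run from removable or virtual media carry a
    # media signature instead of a full path.
    if value_name.upper().startswith("SIGN.MEDIA="):
        reasons.append("SIGN.MEDIA entry (executable run from removable or virtual media)")
    match = _DRIVE.match(value_name)
    if match and match.group(1).upper() not in COMMON_DRIVES:
        reasons.append(f"executable on unusual drive {match.group(1).upper()}:")
    return reasons


def triage(value_names: List[str]) -> Dict[str, List[str]]:
    """Map every flagged value name to its list of reasons; clean entries are left out."""
    flagged = {}
    for name in value_names:
        reasons = classify(name)
        if reasons:
            flagged[name] = reasons
    return flagged


def read_store_value_names() -> List[str]:
    """Enumerate the value names of the Store key on a live Windows host."""
    import winreg  # Windows-only standard-library module
    names = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, STORE_KEY) as key:
        index = 0
        while True:
            try:
                name, _data, _kind = winreg.EnumValue(key, index)
            except OSError:  # raised once the index runs past the last value
                break
            names.append(name)
            index += 1
    return names


# Constructed sample of what the Store key's value names can look like.
SAMPLE_STORE_VALUES = [
    r"C:\Program Files\Java\bin\javaw.exe",
    r"C:\Users\player\Downloads\installer.exe",
    r"Z:\tools\client.exe",
    "SIGN.MEDIA=3A8F2C1B loader.exe",
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_STORE_VALUES).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

On a live host, replace `SAMPLE_STORE_VALUES` with `read_store_value_names()`; everything else stays the same. The flagged list is a starting point for the manual read-through the guide recommends, not a verdict on its own.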

- Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\
- Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
These keys contain recently opened files. When reading through them, start with the highest-numbered value:

In this case, you'd start with 6 and go backward.
You should then move on to check the per-extension subkeys, especially .dll, .exe and .jar.

These can sometimes be hard to read, but remember that the dots regedit shows between the characters stand for unprintable bytes (treat them as spaces), although a dot can also be the real dot before the file extension.
- Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
This key is another place where you can look at individual file extensions, and it is one way to detect clients like NULL.
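The ComDlg32 OpenSavePidlMRU and LastVisitedPidlMRU keys above and the RecentDocs key all share the same layout: numbered REG_BINARY values plus an MRUListEx value that lists those numbers most-recent-first, terminated by 0xFFFFFFFF. The file names inside the binary values are stored as UTF-16LE, which is why regedit shows a dot between every letter. As an added example (not part of the original guide), the following Python script decodes MRUListEx to get the real recency order and pulls the printable UTF-16LE strings out of each value, flagging the .exe, .dll and .jar names the guide tells you to look for. The string extraction is a heuristic rather than a full PIDL parser, the sample values are constructed stand-ins, and the live read via winreg only works on Windows.

```python
"""Recency order and recovered names from MRUListEx-style keys.

Added example, not from the original guide. triage_mru() runs offline on a
dict of value name -> bytes; read_mru_key() is the optional live read for a
Windows host (standard-library winreg). Pass it the key itself or one of its
per-extension subkeys such as OpenSavePidlMRU\\.exe, which use the same layout.
"""
import re
import struct
from typing import Dict, List, Tuple

MRU_KEYS = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs",
]
WATCH_EXTENSIONS = (".exe", ".dll", ".jar")

# Runs of at least four printable UTF-16LE characters: each letter is followed
# by a NUL byte, which is the "dot" regedit displays between the characters.
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def mru_order(mrulistex: bytes) -> List[int]:
    """Decode MRUListEx: little-endian DWORD indices, most recent first, ended by 0xFFFFFFFF."""
    order = []
    usable = mrulistex[: len(mrulistex) - len(mrulistex) % 4]  # ignore a truncated tail
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def extract_strings(blob: bytes) -> List[str]:
    """Recover the printable UTF-16LE strings from a binary value (heuristic, not a PIDL parser)."""
    return [m.group().decode("utf-16-le") for m in _UTF16_RUN.finditer(blob)]


def triage_mru(values: Dict[str, bytes]) -> List[Tuple[int, str, bool]]:
    """Return (index, recovered name, is_watched_extension) tuples in most-recent-first order.

    `values` maps the regedit value names ("MRUListEx", "0", "1", ...) to their REG_BINARY data.
    The last string in a value is used because the long UTF-16 name follows any shorter fields.
    """
    result = []
    for idx in mru_order(values.get("MRUListEx", b"")):
        strings = extract_strings(values.get(str(idx), b""))
        name = strings[-1] if strings else "<no printable UTF-16 text>"
        result.append((idx, name, name.lower().endswith(WATCH_EXTENSIONS)))
    return result


def read_mru_key(subkey_path: str) -> Dict[str, bytes]:
    """Read every binary value of one MRU key (or per-extension subkey) on a live Windows host."""
    import winreg  # Windows-only standard-library module
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey_path) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            if isinstance(data, bytes):
                values[name] = data
            index += 1
    return values


def _fake_value(name: str) -> bytes:
    """Constructed stand-in for a binary MRU value: a few header bytes, the UTF-16LE name, a terminator."""
    return b"\x14\x00\x1f\x50" + name.encode("utf-16-le") + b"\x00\x00"


# Constructed sample: value "2" was used most recently, then "0", then "1".
SAMPLE_MRU = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
    "0": _fake_value("homework.docx"),
    "1": _fake_value("client.jar"),
    "2": _fake_value("screenshot.png"),
}

if __name__ == "__main__":
    for idx, name, watched in triage_mru(SAMPLE_MRU):
        print(f"{idx:>3}  {name:<30} {'<-- check' if watched else ''}")
```

On a live host, loop over `MRU_KEYS` (and the extension subkeys beneath the first two) with `read_mru_key()` and feed each result to `triage_mru()`. Using MRUListEx is more reliable than counting down from the highest value name, because indices are reused when the list fills up.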

- Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings
This key just helps us see whether they have Prefetch enabled.

Click EnablePrefetch.
If it looks different from this, they have modified or disabled their Prefetch.
