More contained redirections coming to Registry near you…

March 19, 2017 in Forensic Analysis, Windows Registry

I recently came across an interesting bit inside the Registry of Windows 10.

The key:

  • HKLM\system\currentcontrolset\control\hiveredirectionlist

is examined during system boot by the smss.exe process, which attempts to read the following entries underneath it:

  • \REGISTRY\MACHINE\HARDWARE
  • \REGISTRY\MACHINE\SECURITY
  • \REGISTRY\MACHINE\SOFTWARE
  • \REGISTRY\MACHINE\SYSTEM
  • \REGISTRY\USER\.DEFAULT
  • \REGISTRY\MACHINE\SAM

Googling around brought only one meaningful result, which talks about container technology in Windows 10 and Windows Server 2016. These entries are used to deliver the Registry redirection that gives a container its fully isolated view of the Registry.
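To see what actually sits under this key on a given box, here is an added PowerShell example of my own (it is not code from the original post): it enumerates the value and subkey names under HiveRedirectionList, either on the live system or from an offline SYSTEM hive taken from an image, and flags any name that is not one of the six listed above. The function name Get-HiveRedirectionList and the ForensicSYSTEM mount name are my own choices; the offline path assumes an elevated prompt and reg.exe, and picks the control set from the hive's Select\Current value because CurrentControlSet only exists as a link on a live system. The post does not describe the layout of the value data, so the script dumps it as-is instead of interpreting it.

```powershell
# Added example, not from the original post: dump HiveRedirectionList and
# flag entries beyond the six names the post lists. The key may simply be
# absent on a system that has never used containers; that case is reported
# rather than treated as an error.

$ExpectedEntries = @(
    '\REGISTRY\MACHINE\HARDWARE',
    '\REGISTRY\MACHINE\SECURITY',
    '\REGISTRY\MACHINE\SOFTWARE',
    '\REGISTRY\MACHINE\SYSTEM',
    '\REGISTRY\USER\.DEFAULT',
    '\REGISTRY\MACHINE\SAM'
)

function Get-HiveRedirectionList {
    [CmdletBinding()]
    param(
        # Path to an offline SYSTEM hive (e.g. exported from a forensic image).
        # When omitted, the live hive is inspected.
        [string]$OfflineSystemHive,
        # Arbitrary name used to mount the offline hive under HKLM (assumption).
        [string]$MountName = 'ForensicSYSTEM'
    )

    if ($OfflineSystemHive) {
        # reg.exe load requires elevation; failure shows up as a non-zero exit code.
        & reg.exe load "HKLM\$MountName" $OfflineSystemHive | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not load hive '$OfflineSystemHive'" }
        # Offline hives have no CurrentControlSet link; Select\Current says which
        # ControlSet00N the machine was last booted with.
        $current = (Get-ItemProperty -LiteralPath "HKLM:\$MountName\Select").Current
        $keyPath = 'HKLM:\{0}\ControlSet{1:D3}\Control\HiveRedirectionList' -f $MountName, $current
    } else {
        $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\HiveRedirectionList'
    }

    try {
        if (-not (Test-Path -LiteralPath $keyPath)) {
            return [pscustomobject]@{ Present = $false; Path = $keyPath; Entries = @(); Unexpected = @() }
        }

        $key = Get-Item -LiteralPath $keyPath   # Microsoft.Win32.RegistryKey

        # Values: keep the raw data and type, without expanding REG_EXPAND_SZ.
        $values = foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Kind = 'Value'
                Name = $name
                Type = $key.GetValueKind($name)
                Data = $key.GetValue($name, $null,
                           [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            }
        }
        # Subkeys: listed too, since the post does not say whether the entries are values or keys.
        $subkeys = foreach ($name in $key.GetSubKeyNames()) {
            [pscustomobject]@{ Kind = 'SubKey'; Name = $name; Type = $null; Data = $null }
        }

        $entries    = @($values) + @($subkeys)
        # Registry names are case-insensitive, as is PowerShell's -notcontains.
        $unexpected = @($entries | Where-Object { $ExpectedEntries -notcontains $_.Name })

        [pscustomobject]@{ Present = $true; Path = $keyPath; Entries = $entries; Unexpected = $unexpected }
    } finally {
        if ($OfflineSystemHive) {
            $key = $null
            [gc]::Collect()            # drop the key handle so the hive can be unloaded
            & reg.exe unload "HKLM\$MountName" | Out-Null
        }
    }
}

# Live system (run elevated to read the key reliably):
$result = Get-HiveRedirectionList
$result.Entries    | Format-Table Kind, Name, Type, Data -AutoSize
$result.Unexpected | Format-Table Kind, Name, Type, Data -AutoSize

# Offline hive from an image (path is an example, not a real artifact):
# Get-HiveRedirectionList -OfflineSystemHive 'D:\evidence\Windows\System32\config\SYSTEM'
```

Anything that lands in Unexpected deserves a closer look, since a redirection of a hive like SAM or SECURITY to an attacker-chosen path would be a very quiet way to tamper with a machine; absence of the key altogether is normal on a host that has never run containers.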

So… now we will have container Registry redirection, on top of WOW64 Registry redirection and Registry reflection, on top of temporary Registry overriding (RegOverridePredefKey), on top of INI-to-Registry mapping (IniFileMapping).
