How to Audit Registry Remotely Without Administrator Access

It is possible to audit a remote registry on a target host (even a domain controller) without being an administrator of the target. This has been asked several times over the years by fellow engineers, so I decided to document how to do it. There are two things that will need to be set:

  1. Remote Registry needs to be enabled on the target host
  2. One of two security parameters needs to be set
  • The account being leveraged needs to be a member of the Backup Operators group on the target host, or, in the case of a domain controller, the ID would need to be added to the builtin\Backup Operators group for the domain.
  • If the client does not want to elevate the ID to Backup Operators, the ID would have to be given read access to this registry key on the target host directly: HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

Once these two requirements are met, StealthAUDIT can audit any registry hive that is open to Authenticated Users.
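The following PowerShell is an added example (not code from the original post or from StealthAUDIT) that checks both prerequisites on a target host for a non-administrator account and, if neither option is in place, adds the least-privilege Read entry on the winreg key. The account name CONTOSO\svc-audit is an assumed placeholder; run it in an elevated session on the target.

```powershell
# Added example: verify the two prerequisites for non-admin remote registry auditing.
# $Account is an assumed placeholder for the auditing service account.
param([string]$Account = 'CONTOSO\svc-audit')

$WinregKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

function Test-RemoteRegistryService {
    # Prerequisite 1: the Remote Registry service must be running on the target.
    $svc = Get-Service -Name RemoteRegistry
    [pscustomobject]@{ Check = 'RemoteRegistry running'; Ok = ($svc.Status -eq 'Running'); Detail = "$($svc.Status) / $($svc.StartType)" }
}

function Test-BackupOperator([string]$Identity) {
    # Prerequisite 2, option A: membership of Backup Operators. This group carries
    # SeBackupPrivilege, which reads far more than the registry, so option B below is
    # the least-privilege choice. On a domain controller query the domain group instead
    # (e.g. Get-ADGroupMember 'Backup Operators', assuming the ActiveDirectory module).
    $members = Get-LocalGroupMember -Group 'Backup Operators' -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check = 'Backup Operators member'; Ok = [bool]($members | Where-Object Name -eq $Identity); Detail = ($members.Name -join ', ') }
}

function Test-WinregReadAccess([string]$Identity) {
    # Prerequisite 2, option B: an explicit Allow ACE granting at least ReadKey on winreg.
    $read = [System.Security.AccessControl.RegistryRights]::ReadKey
    $acl  = Get-Acl -Path $WinregKey
    $ace  = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $read) -eq $read)
    }
    [pscustomobject]@{ Check = 'winreg Read ACE'; Ok = [bool]$ace; Detail = (($acl.Access | ForEach-Object { "$($_.IdentityReference)=$($_.RegistryRights)" }) -join '; ') }
}

function Grant-WinregReadAccess([string]$Identity) {
    # Option B remediation: add a read-only ACE on the winreg key (no write or full control).
    $acl  = Get-Acl -Path $WinregKey
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule($Identity, 'ReadKey', 'None', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $WinregKey -AclObject $acl
}

$results = @(
    Test-RemoteRegistryService
    Test-BackupOperator -Identity $Account
    Test-WinregReadAccess -Identity $Account
)
$results | Format-Table -AutoSize

if (-not ($results[1].Ok -or $results[2].Ok)) {
    Write-Warning "$Account has neither Backup Operators membership nor Read on winreg."
    Grant-WinregReadAccess -Identity $Account
}
```

The winreg ACE only gates the remote connection; which hives the account can then read is still decided by each key's own ACL, which is why the post limits the result to hives open to Authenticated Users.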
