Introducing StealthAUDIT 11.5! Complete your cloud security puzzle. LEARN MORE
Stealthbits

How to Audit Registry Remotely Without Administrator Access

Blog >How to Audit Registry Remotely Without Administrator Access
Computer
It is possible to audit a remote registry on a target host (even a domain controller) without being an administrator of the target. This has been asked several times over the years by fellow engineers so I decided to document how to do it.There are two things that will need to be set:

  1. Remote registry needs to be enabled on the target hostRemote Registry
  2. One of two security parameters need to be set
  • The account being leveraged needs to be a member of the Backup Operators group on the target host, or, in the case of a domain controller, the ID would need to be added the builtinbackup operators group for the domain.Backup Operators
  • If the client does not want to elevate the ID to backup operators, the ID would have to be given read access to this target host registry hive location directly: HKLMSYSTEMCurrentControlSetControlSecurePipeServers winregRegistry Hive

Once these two requirements are met, StealthAUDIT can audit any registry hive that is open to Authenticated Users.

Don’t miss a post! Subscribe to The Insider Threat Security Blog here:

Loading

Featured Asset

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe

DON’T MISS A POST. SUBSCRIBE TO THE BLOG!


Loading

© 2022 Stealthbits Technologies, Inc.

Start a Free Stealthbits Trial!

No risk. No obligation.

FREE TRIAL