HKEY_LOCAL_MACHINE (HKLM)

INFOSEC BASICS

3/9/2025, 3 min read

The HKEY_LOCAL_MACHINE (HKLM) registry hive is one of the most critical components of the Windows Registry. It holds system-wide configuration settings that affect all users and services running on the system. Unlike HKEY_CURRENT_USER (HKCU), which stores settings only for the currently logged-in user, HKLM applies to all users and is essential for the overall stability, security, and performance of the Windows operating system.

Structure of HKEY_LOCAL_MACHINE (HKLM)

HKLM is a hierarchical database consisting of several primary subkeys, each responsible for a different aspect of system operation.

Subkey and purpose:

  • HKLM\SYSTEM: System settings, boot parameters, drivers, services, and startup configurations.

  • HKLM\SOFTWARE: Installed applications, Windows settings, and system-wide configurations.

  • HKLM\SECURITY: Security policies, authentication data, and encryption configurations.

  • HKLM\SAM: User account credentials, authentication, and login management.

  • HKLM\HARDWARE: Real-time hardware configuration, device mapping, and driver management.

Each subkey contains a wealth of data used by the system, software applications, and security mechanisms.

1. HKLM\SYSTEM - System Configuration, Boot Control, and Services

The HKLM\SYSTEM key is crucial for system operation. It stores settings related to boot configurations, drivers, and Windows services. If this key is corrupted or misconfigured, the system may fail to boot.

Critical Subkeys Under HKLM\SYSTEM

  • CurrentControlSet: The active system configuration used during startup.

  • ControlSet001, ControlSet002, etc.: previous configurations used for recovery.

  • Services: Stores details about system services, drivers, and startup behavior.

  • Select: Determines the active ControlSet at boot time.

Windows Boot Process and ControlSet

The Windows operating system loads its startup configuration from CurrentControlSet. CurrentControlSet is not a real key but a reference (a symbolic link) to one of the ControlSet00X keys; the Select subkey records which one is active.

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager

  • Manages system startup, including registry transaction logs and file system initialization.

  • Controls PendingFileRenameOperations, used for replacing locked files after reboot.

HKLM\SYSTEM\CurrentControlSet\Control\CrashControl

  • Configures crash dump settings for debugging after system failures.

HKLM\SYSTEM\CurrentControlSet\Services

Defines services and drivers loaded at startup.

Each service key contains:

  • Start (DWORD): Defines startup type.

  • ImagePath (REG_EXPAND_SZ): Path to the service executable.

  • ErrorControl (DWORD): Determines whether the system should attempt recovery.

Example: Managing Windows Services Using Registry

To modify a Windows service startup type, you can edit the registry:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MyService" -Name "Start" -Value 2

This sets the service to automatic startup.
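The following script is an added example and not code from the original post. It resolves which ControlSet00X the CurrentControlSet link points at by reading HKLM\SYSTEM\Select, then enumerates the service keys beneath it and decodes the Start and ErrorControl DWORDs described above; the decoding tables use the documented values for those two fields.

```powershell
# Added example, not from the original post. Resolves which ControlSet00X the
# CurrentControlSet link points at (via HKLM\SYSTEM\Select) and lists the
# service entries beneath it with their Start and ErrorControl DWORDs decoded.
# Reading HKLM\SYSTEM needs no elevation; writing to it does.

# Documented meanings of the Start and ErrorControl values in a service key.
$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$ErrorNames = @{ 0 = 'Ignore'; 1 = 'Normal'; 2 = 'Severe'; 3 = 'Critical' }

function ConvertFrom-RegDword([hashtable]$Map, $Value) {
    if ($null -eq $Value) { return $null }
    $v = [int]$Value
    if ($Map.ContainsKey($v)) { $Map[$v] } else { "Unknown($v)" }
}

function Get-ActiveControlSet {
    # Select\Current holds N for the ControlSet00N that CurrentControlSet links to.
    $sel = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
    [pscustomobject]@{
        Current       = 'ControlSet{0:D3}' -f $sel.Current
        LastKnownGood = 'ControlSet{0:D3}' -f $sel.LastKnownGood
        Failed        = 'ControlSet{0:D3}' -f $sel.Failed   # ControlSet000 means none recorded
    }
}

function Get-RegistryService {
    param([string]$ControlSet = (Get-ActiveControlSet).Current)
    $root = "HKLM:\SYSTEM\$ControlSet\Services"
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $p -or $null -eq $p.Start) { continue }   # parameter-only subkeys
        [pscustomobject]@{
            Name         = $key.PSChildName
            Start        = ConvertFrom-RegDword $StartNames $p.Start
            ErrorControl = ConvertFrom-RegDword $ErrorNames $p.ErrorControl
            ImagePath    = $p.ImagePath   # REG_EXPAND_SZ, returned already expanded
        }
    }
}

# Usage: show the live ControlSet, then every entry that starts automatically,
# which is the list to baseline when reviewing what runs at boot.
Get-ActiveControlSet
Get-RegistryService |
    Where-Object { $_.Start -eq 'Automatic' } |
    Sort-Object Name |
    Format-Table Name, ErrorControl, ImagePath -AutoSize
```

Pass a different ControlSet name to Get-RegistryService (for example the LastKnownGood set) to compare startup types between the live configuration and the recovery copy.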

2. HKLM\SOFTWARE - System Settings and Application Configuration

The HKLM\SOFTWARE key stores system-wide application settings, Windows configurations, and policy settings.

Important Subkeys in HKLM\SOFTWARE

  • Microsoft: Windows system settings, including UI customization, networking, and licensing.

  • Policies: Group Policy settings for security and user restrictions.

  • Classes: COM object registrations, file type associations.

  • Wow6432Node: Registry settings for 32-bit applications on 64-bit Windows.

Windows Policies and Restrictions

Administrators use HKLM\SOFTWARE\Policies\Microsoft\Windows to enforce security settings.

Policy value and purpose:

  • NoRun: Disables the "Run" option in the Start menu.

  • DisableRegistryTools: Prevents users from accessing the Registry Editor.

  • NoControlPanel: Blocks access to the Control Panel.

To disable Registry Editor for all users:

New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows" -Name "DisableRegistryTools" -Value 1 -PropertyType DWORD

3. HKLM\SECURITY - Security Policies and Authentication Data

The HKLM\SECURITY registry hive is protected and not accessible to standard users. It contains encryption policies, authentication data, and security-related settings.

Key Security Configurations

  • HKLM\SECURITY\Policy – Contains local security policy configurations.

  • HKLM\SECURITY\Cache – Stores cached network credentials for domain authentication.

  • HKLM\SECURITY\SAM – Manages user authentication data.

Windows Security and User Account Management

Password policies are enforced via HKLM\SECURITY\Policy\Accounts.

NTLM and Kerberos authentication settings are stored under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.

To enforce password complexity rules:

New-ItemProperty -Path "HKLM:\SECURITY\Policy\Accounts" -Name "MinimumPasswordLength" -Value 12 -PropertyType DWORD
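The NTLM and Kerberos settings mentioned above live under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which unlike HKLM\SECURITY is readable by ordinary users. The script below is an added example, not code from the original post: it reads the standard LSA values that govern LM/NTLM behaviour and LSASS protection and compares them with a hardened baseline; the expected values in the baseline are my assumptions for illustration.

```powershell
# Added example, not from the original post. Reads the LSA values under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa that govern NTLM/LM behaviour and
# credential protection, and compares them with a hardened baseline.
# Read access to this key is granted to all users; changing values needs admin.

$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Baseline (assumed for illustration): value name, expected data, and meaning.
# A value that is absent from the key means Windows applies its built-in default.
$Baseline = @(
    @{ Name = 'LmCompatibilityLevel'; Expected = 5; Meaning = 'Send NTLMv2 only, refuse LM and NTLM (default when absent: 3)' }
    @{ Name = 'NoLMHash';             Expected = 1; Meaning = 'Do not store LM hashes of new passwords' }
    @{ Name = 'RestrictAnonymous';    Expected = 1; Meaning = 'No anonymous enumeration of SAM accounts and shares' }
    @{ Name = 'RestrictAnonymousSAM'; Expected = 1; Meaning = 'No anonymous enumeration of SAM accounts' }
    @{ Name = 'RunAsPPL';             Expected = 1; Meaning = 'LSA protection: LSASS runs as a protected process' }
)

function Get-LsaHardeningReport {
    $lsa = Get-ItemProperty -Path $LsaPath
    foreach ($item in $Baseline) {
        $actual = $lsa.($item.Name)
        [pscustomobject]@{
            Setting  = $item.Name
            Expected = $item.Expected
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Status   = if ($actual -eq $item.Expected) { 'OK' } else { 'REVIEW' }
            Meaning  = $item.Meaning
        }
    }
}

# Usage: print the comparison; every REVIEW row is a setting to confirm against policy.
Get-LsaHardeningReport | Format-Table -AutoSize
```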

4. HKLM\SAM - User Account Management and Authentication

The HKLM\SAM hive stores user account credentials, authentication data, and security group information. The SAM database is a target for attackers seeking to extract password hashes.

User Account Details in HKLM\SAM

  • HKLM\SAM\Domains\Account\Users – Contains user account information.

  • HKLM\SAM\Domains\Builtin – Stores predefined user groups (Administrators, Guests).

  • HKLM\SAM\Domains\Aliases – Maps groups to their security identifiers (SIDs).

Extracting User Account Information

To list all local user accounts using PowerShell:

Get-LocalUser

Direct registry access to the SAM hive is blocked unless the system is booted into recovery mode or tools such as Mimikatz are used.
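Because the SAM hive cannot be read directly on a running system, the supported LocalAccounts cmdlets are the way to audit what it holds. The script below is an added example, not code from the original post: it reports enabled accounts that need no password, never-expiring passwords older than a year (the 365-day threshold is an assumption), an enabled built-in Guest account, and the members of the Builtin Administrators group.

```powershell
# Added example, not from the original post. Audits the account data that lives
# in HKLM\SAM through the supported LocalAccounts cmdlets, which is how an
# administrator reads it on a running system without offline tools.
# The 365-day staleness threshold is an assumption for illustration.

function Get-LocalAccountFinding {
    $stale = (Get-Date).AddDays(-365)
    foreach ($u in Get-LocalUser) {
        if (-not $u.Enabled) { continue }        # disabled accounts cannot log on
        if (-not $u.PasswordRequired) {
            [pscustomobject]@{ Account = $u.Name; Finding = 'Enabled account with no password required' }
        }
        # PasswordExpires is null when the password is set never to expire.
        if ($null -eq $u.PasswordExpires -and $u.PasswordLastSet -and $u.PasswordLastSet -lt $stale) {
            [pscustomobject]@{ Account = $u.Name; Finding = 'Password never expires and is over a year old' }
        }
        # The built-in Guest account always has relative ID 501 in the local SAM domain.
        if ($u.SID.Value -like 'S-1-5-21-*-501') {
            [pscustomobject]@{ Account = $u.Name; Finding = 'Built-in Guest account (RID 501) is enabled' }
        }
    }
    # Membership of the Builtin Administrators group (stored under HKLM\SAM\Domains\Builtin).
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        [pscustomobject]@{ Account = $m.Name; Finding = "Member of Administrators ($($m.PrincipalSource))" }
    }
}

# Usage: list every finding; an empty table means none of the checks fired.
Get-LocalAccountFinding | Format-Table -AutoSize
```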

5. HKLM\HARDWARE - Real-Time Hardware Configuration

The HKLM\HARDWARE registry hive is dynamically generated at system boot and contains hardware configuration settings.

Key Subkeys in HKLM\HARDWARE

  • DESCRIPTION – Contains system BIOS, CPU, and memory details.

  • DEVICEMAP – Maps hardware components to their respective drivers.

  • RESOURCEMAP – Displays allocated system resources for hardware devices.

Device Management and Driver Configuration

The HKLM\HARDWARE\DEVICEMAP key is crucial for driver assignments. For example, HKLM\HARDWARE\DEVICEMAP\SERIALCOMM lists available COM ports.

To retrieve installed device drivers:

Get-CimInstance -ClassName Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion

6. Advanced HKLM Modifications and Scripting

Modifying HKLM Using Command Line

Using REG.EXE

To query a registry value:

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion

To create a new registry key with a value (the key is created if it does not exist):

reg add HKLM\SOFTWARE\Test /v TestValue /t REG_SZ /d "Data"

To delete a value:

reg delete HKLM\SOFTWARE\Test /v TestValue

Using PowerShell for HKLM Management

PowerShell provides a powerful way to interact with the registry:

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion" -Name "TestValue" -Value "Data"

To remove the property:

Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion" -Name "TestValue"
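When scripting changes to HKLM it helps to record what a change actually did rather than trust the command. The script below is an added example, not code from the original post: it snapshots the values under a key, applies the same Set-ItemProperty and Remove-ItemProperty edits shown above, and diffs the snapshots. It uses HKLM:\SOFTWARE\Test, the throwaway key from the reg add example, and must run as administrator.

```powershell
# Added example, not from the original post. Takes a snapshot of the values
# under an HKLM key, makes a change with the cmdlets shown in the post, and
# diffs the two snapshots so the change is visible as a record, not a side effect.
# Uses the throwaway key HKLM:\SOFTWARE\Test; run as administrator.

function Get-RegistrySnapshot {
    param([Parameter(Mandatory)][string]$Path)
    $snap = @{}
    if (-not (Test-Path $Path)) { return $snap }
    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        # Store the kind with the data so a type change (REG_SZ -> REG_EXPAND_SZ) also shows up.
        $snap[$name] = '{0}:{1}' -f $key.GetValueKind($name), ($key.GetValue($name) -join ',')
    }
    return $snap
}

function Compare-RegistrySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    foreach ($n in (@($Before.Keys) + @($After.Keys) | Sort-Object -Unique)) {
        $b = $Before[$n]; $a = $After[$n]
        if ($null -eq $b)     { [pscustomobject]@{ Value = $n; Change = 'Added';    Before = $null; After = $a } }
        elseif ($null -eq $a) { [pscustomobject]@{ Value = $n; Change = 'Removed';  Before = $b;    After = $null } }
        elseif ($b -ne $a)    { [pscustomobject]@{ Value = $n; Change = 'Modified'; Before = $b;    After = $a } }
    }
}

# Usage: baseline, change, diff; then undo the change and diff again.
$Path = 'HKLM:\SOFTWARE\Test'
New-Item -Path $Path -Force | Out-Null
$before = Get-RegistrySnapshot -Path $Path
Set-ItemProperty -Path $Path -Name 'TestValue' -Value 'Data'      # same edit as the post
$after = Get-RegistrySnapshot -Path $Path
Compare-RegistrySnapshot -Before $before -After $after | Format-Table -AutoSize    # TestValue: Added
Remove-ItemProperty -Path $Path -Name 'TestValue'
Compare-RegistrySnapshot -Before $after -After (Get-RegistrySnapshot -Path $Path) |
    Format-Table -AutoSize                                                         # TestValue: Removed
```

Pointing the same two functions at HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion before and after a software install gives a quick record of what the installer wrote there.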