# Microsoft Windows Remote Registry Service (WINREG)

This is a [DCE/RPC](/DCE/RPC) based protocol used by [CIFS](/CIFS) hosts to read and modify the Windows registry across a network; it is the protocol behind remote `reg.exe` and the "Connect Network Registry" feature of regedit, and the server side is the Remote Registry service. The Wireshark dissector is generated automatically from the interface's IDL file by the [Pidl](/Pidl) compiler.

## History

This protocol first appeared in Windows NT 4.0 and has been used ever since to access the registry across a network.

## Protocol dependencies

- [DCE/RPC](/DCE/RPC): This protocol is implemented on top of the [DCE/RPC](/DCE/RPC) transport. It is most often reached through the `\PIPE\winreg` named pipe on the IPC$ share (SMB over [TCP](/TCP) port 445 or 139), but it can also be bound to a dynamically assigned [TCP](/TCP) port; in that case the client first has to ask the [EPM](/EPM) Endpoint Mapper service (TCP port 135) which port the interface is listening on. On the wire the interface is identified by its UUID 338cd001-2244-31f1-aaaa-900038001003, version 1.0, carried in the DCE/RPC bind; that UUID/version pair is what Wireshark keys on when it hands a DCE/RPC conversation to the WINREG dissector.
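The bind described above, as an added example that is not part of the Wireshark wiki, the Wireshark project or Samba: it builds a connection-oriented DCE/RPC bind PDU that selects the WINREG interface (and, for contrast, the Endpoint Mapper interface) and then parses such a PDU back to the interface name, which is exactly the decision a dissector makes before it can apply the `winreg` display filter. The interface UUIDs and the NDR transfer-syntax UUID are the real ones; the PDU itself is constructed in the script, and the `KNOWN_INTERFACES` table and function names are this example's own.

```python
# Added example: build and decode the DCE/RPC bind that selects the WINREG
# interface. Illustrative code, not part of Wireshark or Samba.
import struct
import uuid

# Interface (abstract syntax) UUIDs that a dissector keys on.
WINREG_UUID = uuid.UUID("338cd001-2244-31f1-aaaa-900038001003")  # winreg, v1.0
EPM_UUID = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")     # endpoint mapper, v3.0
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")     # NDR transfer syntax, v2.0

# Lookup table of this example (interface, major version) -> dissector name.
KNOWN_INTERFACES = {
    (WINREG_UUID, 1): "winreg",
    (EPM_UUID, 3): "epm",
}

RPC_VERSION = 5
PTYPE_BIND = 11
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
DREP_LE = b"\x10\x00\x00\x00"  # data representation: little-endian ints, ASCII, IEEE floats
# rpc_vers, rpc_vers_minor, ptype, pfc_flags, drep, frag_length, auth_length, call_id
COMMON_HDR = "<BBBB4sHHI"
COMMON_HDR_LEN = struct.calcsize(COMMON_HDR)  # 16


def encode_syntax(iface: uuid.UUID, major: int, minor: int) -> bytes:
    """p_syntax_id_t: UUID in NDR (mixed-endian) layout + 16-bit major and minor."""
    return iface.bytes_le + struct.pack("<HH", major, minor)


def build_bind(iface: uuid.UUID, major: int, minor: int, call_id: int = 1) -> bytes:
    """Bind PDU with one presentation context offering the NDR 2.0 transfer syntax."""
    ctx = struct.pack("<HBB", 0, 1, 0)          # p_cont_id, n_transfer_syn, reserved
    ctx += encode_syntax(iface, major, minor)  # abstract syntax: the interface we want
    ctx += encode_syntax(NDR_UUID, 2, 0)       # transfer syntax
    body = struct.pack("<HHI", 4280, 4280, 0)  # max_xmit_frag, max_recv_frag, assoc_group_id
    body += struct.pack("<BBH", 1, 0, 0)       # n_context_elem, reserved, reserved2
    body += ctx
    header = struct.pack(COMMON_HDR, RPC_VERSION, 0, PTYPE_BIND,
                         PFC_FIRST_FRAG | PFC_LAST_FRAG, DREP_LE,
                         COMMON_HDR_LEN + len(body), 0, call_id)
    return header + body


def parse_bind(pdu: bytes) -> list:
    """Return [(cont_id, name, uuid_str, major, minor), ...] for every
    presentation context in a bind PDU. Only little-endian drep is handled."""
    if len(pdu) < COMMON_HDR_LEN + 12:
        raise ValueError("PDU too short for a bind")
    vers, _, ptype, _flags, drep, frag_len, _auth_len, _call_id = struct.unpack_from(COMMON_HDR, pdu, 0)
    if vers != RPC_VERSION or ptype != PTYPE_BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    if not drep[0] & 0x10:
        raise ValueError("big-endian data representation not supported here")
    n_ctx = pdu[COMMON_HDR_LEN + 8]  # after max_xmit, max_recv, assoc_group_id
    off = COMMON_HDR_LEN + 12
    contexts = []
    for _ in range(n_ctx):
        if off + 24 > len(pdu):
            raise ValueError("truncated presentation context")
        cont_id, n_ts, _ = struct.unpack_from("<HBB", pdu, off)
        off += 4
        iface = uuid.UUID(bytes_le=pdu[off:off + 16])
        major, minor = struct.unpack_from("<HH", pdu, off + 16)
        off += 20 + 20 * n_ts  # abstract syntax plus each 20-byte transfer syntax
        if off > len(pdu):
            raise ValueError("truncated transfer syntax list")
        name = KNOWN_INTERFACES.get((iface, major), "unknown")
        contexts.append((cont_id, name, str(iface), major, minor))
    return contexts


if __name__ == "__main__":
    pdu = build_bind(WINREG_UUID, 1, 0)
    print(pdu.hex())
    print(parse_bind(pdu))
```

The UUID is stored in the NDR "little-endian" layout (`bytes_le`), which is why the raw bytes in a capture read `01 d0 8c 33 44 22 f1 31 ...` rather than in the order the UUID is usually written; a dissector that compares against the textual form without this reordering will never match.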

## Example traffic

XXX - Add example traffic here (as plain text or Wireshark screenshot).

## Wireshark

The WINREG dissector is partially functional and incomplete, pending full analysis of the protocol and its IDL file.

## Preference Settings

There are no preference settings specific to the WINREG protocol.

## Example capture file

XXX - Add a simple example capture file to the [SampleCaptures](/SampleCaptures) page and link from here (see below). Keep this file short; it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.

- [SampleCaptures/PROTO.pcap](uploads/__moin_import__/attachments/SampleCaptures/PROTO.pcap)

## Display Filter

A complete list of WINREG display filter fields can be found in the [display filter reference](http://www.wireshark.org/docs/dfref/w/winreg.html).

Show only the WINREG based traffic:

```
winreg
```

## Capture Filter

You cannot directly filter WINREG protocols while capturing, because nothing at the TCP layer identifies the interface; it is only named inside the DCE/RPC bind. Capture the SMB ports (TCP 139 and 445) to catch the named-pipe transport, or the Endpoint Mapper port (TCP 135) together with the dynamic port range for the TCP transport, and then apply the `winreg` display filter.

## Protocol Functions

The WINREG protocol implements the following functions:

- [winreg\_OpenHKCR](/winreg_OpenHKCR)
- [winreg\_OpenHKCU](/winreg_OpenHKCU)
- [winreg\_OpenHKLM](/winreg_OpenHKLM)
- [winreg\_OpenHKPD](/winreg_OpenHKPD)
- [winreg\_OpenHKU](/winreg_OpenHKU)
- [winreg\_CloseKey](/winreg_CloseKey)
- [winreg\_CreateKey](/winreg_CreateKey)
- [winreg\_DeleteKey](/winreg_DeleteKey)
- [winreg\_DeleteValue](/winreg_DeleteValue)
- [winreg\_EnumKey](/winreg_EnumKey)
- [winreg\_EnumValue](/winreg_EnumValue)
- [winreg\_FlushKey](/winreg_FlushKey)
- [winreg\_GetKeySecurity](/winreg_GetKeySecurity)
- [winreg\_LoadKey](/winreg_LoadKey)
- [winreg\_NotifyChangeKeyValue](/winreg_NotifyChangeKeyValue)
- [winreg\_OpenKey](/winreg_OpenKey)
- [winreg\_QueryInfoKey](/winreg_QueryInfoKey)
- [winreg\_QueryValue](/winreg_QueryValue)
- [winreg\_ReplaceKey](/winreg_ReplaceKey)
- [winreg\_RestoreKey](/winreg_RestoreKey)
- [winreg\_SaveKey](/winreg_SaveKey)
- [winreg\_SetKeySecurity](/winreg_SetKeySecurity)
- [winreg\_SetValue](/winreg_SetValue)
- [winreg\_UnLoadKey](/winreg_UnLoadKey)
- [winreg\_InitiateSystemShutdown](/winreg_InitiateSystemShutdown)
- [winreg\_AbortSystemShutdown](/winreg_AbortSystemShutdown)
- [winreg\_GetVersion](/winreg_GetVersion)
- [winreg\_OpenHKCC](/winreg_OpenHKCC)
- [winreg\_OpenHKDD](/winreg_OpenHKDD)
- [winreg\_QueryMultipleValues](/winreg_QueryMultipleValues)
- [winreg\_InitiateSystemShutdownEx](/winreg_InitiateSystemShutdownEx)
- [winreg\_SaveKeyEx](/winreg_SaveKeyEx)
- [winreg\_OpenHKPT](/winreg_OpenHKPT)
- [winreg\_OpenHKPN](/winreg_OpenHKPN)
- [winreg\_QueryMultipleValues2](/winreg_QueryMultipleValues2)
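The functions are listed in the order they appear in winreg.idl, and that order is also their DCE/RPC operation number (opnum): winreg\_OpenHKCR is opnum 0, winreg\_SetValue is opnum 22, winreg\_QueryMultipleValues2 is opnum 34. As an added example that is not Wireshark or Samba code, the script below builds a DCE/RPC request PDU carrying an opnum, extracts the opnum again while honouring the sender's byte order from the `drep` field, and maps it to the function name from the list above. The `MUTATING_OPS` set is this editor's own classification of which calls change registry state or the machine, the kind of split a detection rule on remote registry traffic would make; the stub bytes used in the demonstration are constructed placeholders, not a real encoded call.

```python
# Added example: map a DCE/RPC request PDU on a WINREG binding to the
# operation it invokes. Illustrative code, not Wireshark or Samba code; the
# opnum order is the order of the functions in winreg.idl (the list above).
import struct

# opnum -> function name, in IDL order (index == opnum).
WINREG_OPS = [
    "winreg_OpenHKCR", "winreg_OpenHKCU", "winreg_OpenHKLM", "winreg_OpenHKPD",
    "winreg_OpenHKU", "winreg_CloseKey", "winreg_CreateKey", "winreg_DeleteKey",
    "winreg_DeleteValue", "winreg_EnumKey", "winreg_EnumValue", "winreg_FlushKey",
    "winreg_GetKeySecurity", "winreg_LoadKey", "winreg_NotifyChangeKeyValue",
    "winreg_OpenKey", "winreg_QueryInfoKey", "winreg_QueryValue", "winreg_ReplaceKey",
    "winreg_RestoreKey", "winreg_SaveKey", "winreg_SetKeySecurity", "winreg_SetValue",
    "winreg_UnLoadKey", "winreg_InitiateSystemShutdown", "winreg_AbortSystemShutdown",
    "winreg_GetVersion", "winreg_OpenHKCC", "winreg_OpenHKDD",
    "winreg_QueryMultipleValues", "winreg_InitiateSystemShutdownEx",
    "winreg_SaveKeyEx", "winreg_OpenHKPT", "winreg_OpenHKPN",
    "winreg_QueryMultipleValues2",
]

# Editor's classification: calls that change registry state or the machine.
MUTATING_OPS = {
    "winreg_CreateKey", "winreg_DeleteKey", "winreg_DeleteValue", "winreg_SetValue",
    "winreg_SetKeySecurity", "winreg_LoadKey", "winreg_UnLoadKey", "winreg_ReplaceKey",
    "winreg_RestoreKey", "winreg_SaveKey", "winreg_SaveKeyEx", "winreg_FlushKey",
    "winreg_InitiateSystemShutdown", "winreg_InitiateSystemShutdownEx",
    "winreg_AbortSystemShutdown",
}

RPC_VERSION = 5
PTYPE_REQUEST = 0
# rpc_vers, rpc_vers_minor, ptype, pfc_flags, drep, frag_length, auth_length, call_id
COMMON_HDR = "BBBB4sHHI"  # endianness prefix is chosen from drep


def build_request(opnum: int, stub: bytes, cont_id: int = 0, call_id: int = 2,
                  big_endian: bool = False) -> bytes:
    """Request PDU: common header, alloc_hint, p_cont_id, opnum, then the NDR stub.
    big_endian=True emits a drep with the integer-order bit clear, as a
    big-endian DCE/RPC client would."""
    end = ">" if big_endian else "<"
    drep = b"\x00\x00\x00\x00" if big_endian else b"\x10\x00\x00\x00"
    body = struct.pack(end + "IHH", len(stub), cont_id, opnum) + stub
    header = struct.pack(end + COMMON_HDR, RPC_VERSION, 0, PTYPE_REQUEST, 0x03,
                         drep, 16 + len(body), 0, call_id)
    return header + body


def request_opnum(pdu: bytes) -> int:
    """Extract the opnum from a request PDU, honouring the sender's byte order."""
    if len(pdu) < 24:
        raise ValueError("PDU too short for a request")
    end = "<" if pdu[4] & 0x10 else ">"  # drep byte 0, bit 4: little-endian integers
    vers, _, ptype, _flags, _drep, frag_len, _auth_len, _call_id = struct.unpack_from(end + COMMON_HDR, pdu, 0)
    if vers != RPC_VERSION or ptype != PTYPE_REQUEST:
        raise ValueError("not a DCE/RPC v5 request PDU")
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    # alloc_hint (4), p_cont_id (2), opnum (2); an optional object UUID would follow
    _alloc_hint, _cont_id, opnum = struct.unpack_from(end + "IHH", pdu, 16)
    return opnum


def describe_op(opnum: int) -> tuple:
    """(function name, mutates) for a WINREG opnum; opnums past the IDL are flagged."""
    if opnum >= len(WINREG_OPS):
        return (f"winreg opnum {opnum} (not in IDL)", False)
    name = WINREG_OPS[opnum]
    return (name, name in MUTATING_OPS)


if __name__ == "__main__":
    placeholder_stub = b"\x00" * 8  # constructed filler, not a real encoded call
    for op in (17, 22, 24):
        pdu = build_request(op, placeholder_stub)
        print(request_opnum(pdu), describe_op(request_opnum(pdu)))
```

The opnum is taken from the request header, not from the bind, so a capture that starts after the bind still lets you name the call once you know (from the pipe name or the endpoint) that the context belongs to WINREG; the byte-order handling matters because a big-endian client is rare but legal, and reading the opnum with a fixed little-endian decode would silently give the wrong function.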

## External links

- <http://websvn.samba.org/cgi-bin/viewcvs.cgi/branches/SAMBA_4_0/source/librpc/idl/winreg.idl> IDL definition for the WINREG interface.

## Discussion

---

Imported from https://wiki.wireshark.org/WINREG on 2020-08-11 23:27:29 UTC