AnsweredAssumed Answered

Understanding Authenticated Windows Registry enumeration

Question asked by Hugo Duran on Jul 28, 2019

I am attempting to understand how does qualys ennumerates the windows registry. This question is related to the 90195 qualys ID because in the results of the denied access to the registers of one of my boxes, I have some names related to backdoors and malware in general (i.e Back Orifice 2000 and Cult of the dead cow), the problem is I asked the admin about it and some registers doesn't even exists. The qualys record is a full admin privileged account, and taking this in account I have the following questions:

  • Does the registry enumeration retrieves all keys and subkeys from the registry during scan runtime or it makes use of functions like RegQueryInfoKey to get registry values?
  • When a registry is denied. The registries logged in the results are even present currently in the System? or does qualys checks for a log or so, to present those registries?
  • Malware registries are red flags when present in the scan results?

Thanks in advance