Chapter 8: The Nervous System
Arc 2: Operating the Company

"The Nervous System" — Registry & Group Policy

Jake's browser homepage has been hijacked, and Marcus's Group Policy isn't applying. Time to explore the two systems that control how Windows behaves — the Registry and Group Policy.

The Windows Registry: The Brain's Wiring

If the file system stores your data, the Registry stores your configuration. The Windows Registry is a hierarchical database that holds virtually every setting in the operating system — from what wallpaper you use, to which services start at boot, to how the network stack is configured.

Think of the Registry as the nervous system of Windows. Every decision Windows makes — what driver to load, what program to associate with .pdf files, what your default printer is, what security policies apply — comes from a Registry lookup. Without it, Windows wouldn't know how to do anything.

The Registry is organized as a tree, similar to a file system. Instead of "drives, folders, and files," it uses keys (like folders), subkeys (like subfolders), and values (like files — each has a name, a data type, and data). At the top of the tree sit five root keys.

The 5 Root Keys

Every path in the Registry starts with one of these five root keys. They partition the configuration into logical domains. Only two of them, HKLM and HKU, are backed directly by hive files on disk; the other three are links or merged views into those two, which is why an offline hive copy never contains an "HKCU" or "HKCR" branch:

Root Key | Abbreviation | What It Stores | Scope
HKEY_LOCAL_MACHINE | HKLM | All machine-wide settings: installed software, hardware configuration, system services, security policy, drivers, boot settings. | Applies to every user on this computer. Requires admin to modify most subkeys.
HKEY_CURRENT_USER | HKCU | Settings for the currently logged-in user: desktop background, environment variables, application preferences, mapped drives. | Applies only to the current user. Each user has their own HKCU. Users can modify their own settings without admin rights.
HKEY_CLASSES_ROOT | HKCR | File associations (which program opens .docx?), COM object registrations, shell extensions, MIME type mappings. | A merged view of HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes. Per-user entries override machine entries, which is why a user-level COM or file-association hijack needs no admin rights.
HKEY_USERS | HKU | A subkey for every loaded user profile, identified by SID. HKCU is a link to HKU\{current user's SID}. | Only profiles currently loaded in memory appear here. The .DEFAULT subkey is the profile used by the system itself (the logon screen runs under it); it is not the template for new users, which is C:\Users\Default\NTUSER.DAT.
HKEY_CURRENT_CONFIG | HKCC | Current hardware profile information: display settings, printer configuration. | A link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current. Mostly legacy; rarely used directly.
Key Insight: Most of the Registry you'll care about lives under two root keys: HKLM (machine-wide settings that affect everyone) and HKCU (settings for the current user only). When troubleshooting, always check both. Many applications read a per-user value from HKCU before falling back to the machine default in HKLM, so a setting that looks correct in HKLM can still be overridden for one user. Policy values are the exception in the other direction: settings under the Policies subkeys are honored ahead of ordinary preferences, and where the same setting is configured in both Computer and User Configuration, the computer-side value generally wins.

Registry Data Types

Every registry value has a data type that tells Windows how to interpret the stored data. Getting the type wrong can cause applications to crash or behave unpredictably.

Data Type | Description | Example
REG_SZ | A null-terminated string. The most common type. Used for text settings like paths, names, and URLs. | Start Page = "https://www.meridian.local"
REG_DWORD | A 32-bit integer (4 bytes). Used for boolean flags (0 or 1), counts, and numeric settings. | EnableLUA = 0x00000001 (UAC enabled)
REG_BINARY | Raw binary data. Used for complex structures, encrypted data, and hardware configurations. | Hardware device descriptors, security descriptors
REG_MULTI_SZ | A list of strings, each null-terminated, with an extra null marking the end of the list. Used when a setting needs multiple values. | List of DNS suffixes, list of services in a service group
REG_EXPAND_SZ | A string containing environment variable references (like %SystemRoot%) that the reader must expand at runtime. A consumer that treats it as REG_SZ gets the literal %SystemRoot% text. | ImagePath = "%SystemRoot%\System32\svchost.exe -k netsvcs"
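The following is an added example, not code from the original page: it writes one value of each type in the table to a scratch key, then reads them back through the PowerShell provider (which expands REG_EXPAND_SZ and returns REG_MULTI_SZ as a string array) and through the .NET registry API (which can return the raw, unexpanded data and, more usefully, the stored type). The key name HKCU\Software\MeridianLab is an assumption for the demo and is removed at the end.

```powershell
# Added example (not from the original page). Scratch key name is an assumption.
$KeyPath = 'HKCU:\Software\MeridianLab'
$null = New-Item -Path $KeyPath -Force

New-ItemProperty -Path $KeyPath -Name 'StartPage' -PropertyType String       -Value 'https://www.meridian.local' -Force | Out-Null
New-ItemProperty -Path $KeyPath -Name 'ImagePath' -PropertyType ExpandString -Value '%SystemRoot%\System32\svchost.exe -k netsvcs' -Force | Out-Null
New-ItemProperty -Path $KeyPath -Name 'EnableLUA' -PropertyType DWord        -Value 1 -Force | Out-Null
New-ItemProperty -Path $KeyPath -Name 'Suffixes'  -PropertyType MultiString  -Value @('corp.meridian.local', 'meridian.local') -Force | Out-Null
New-ItemProperty -Path $KeyPath -Name 'Blob'      -PropertyType Binary       -Value ([byte[]](0xDE, 0xAD, 0xBE, 0xEF)) -Force | Out-Null
# The classic type mistake: a flag stored as the string "1" instead of a DWORD 1.
New-ItemProperty -Path $KeyPath -Name 'EnableFlagWrong' -PropertyType String -Value '1' -Force | Out-Null

# The provider expands REG_EXPAND_SZ for you and hands back REG_MULTI_SZ as string[].
$props = Get-ItemProperty -Path $KeyPath
"Expanded ImagePath : $($props.ImagePath)"
"Suffix count       : $($props.Suffixes.Count)"

# The .NET API can return the raw data and tells you the stored type (GetValueKind).
$key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\MeridianLab')
$raw = $key.GetValue('ImagePath', $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
"Raw ImagePath      : $raw"
foreach ($name in 'StartPage', 'ImagePath', 'EnableLUA', 'Suffixes', 'Blob', 'EnableFlagWrong') {
    '{0,-16} kind={1,-12} value={2}' -f $name, $key.GetValueKind($name), ($key.GetValue($name) -join ',')
}

# Why the type matters: RegQueryValueEx happily fills a 4-byte buffer with the UTF-16
# bytes of "1\0" (31 00 00 00); a reader that ignores the returned type sees 0x31 = 49.
$asDword = [BitConverter]::ToUInt32([System.Text.Encoding]::Unicode.GetBytes("1`0"), 0)
'EnableFlagWrong is stored as {0}; a reader that assumes REG_DWORD gets {1}, not 1' -f $key.GetValueKind('EnableFlagWrong'), $asDword

$key.Close()
Remove-Item -Path $KeyPath -Recurse -Force
```

When an application misbehaves after a registry change, GetValueKind on the value it reads is the first thing to check; a flag that looks right in regedit but has the wrong type is a common cause.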

Hive Files on Disk

The Registry may look like one giant tree, but it's actually stored across multiple hive files on disk. Each hive is a binary file that holds a specific branch of the Registry. When Windows boots, it reads these files into memory and creates the unified Registry tree you see in regedit.

Hive File | Location | Registry Branch | Contents
SAM | C:\Windows\System32\config\SAM | HKLM\SAM | Security Account Manager: local user accounts and their NT password hashes. The hashes are encrypted with a boot key derived from the SYSTEM hive, and the file is held open exclusively while Windows is running.
SECURITY | C:\Windows\System32\config\SECURITY | HKLM\SECURITY | LSA (Local Security Authority) secrets such as service-account and machine-account passwords, cached domain credentials, local security policy. Secrets are encrypted with LSA keys; the file is locked like SAM.
SYSTEM | C:\Windows\System32\config\SYSTEM | HKLM\SYSTEM | Driver configuration, service definitions, ControlSets, hardware profiles, boot configuration. Also the source of the boot key (class names under CurrentControlSet\Control\Lsa) that SAM and SECURITY decryption depends on.
SOFTWARE | C:\Windows\System32\config\SOFTWARE | HKLM\SOFTWARE | Machine-wide application settings, Windows Update configuration, installed programs, Group Policy settings.
NTUSER.DAT | C:\Users\{username}\NTUSER.DAT | HKCU (or HKU\{SID}) | Per-user settings: desktop preferences, application settings, Run keys, environment variables. One per user profile. The user's HKCU\Software\Classes branch lives in a second hive, C:\Users\{username}\AppData\Local\Microsoft\Windows\UsrClass.dat.
Forensic Note: The SAM and SECURITY hive files are held open exclusively by the kernel while Windows is running, so a plain file copy fails even as Administrator, and the hashes and secrets inside are additionally encrypted with keys that live in the SYSTEM hive. Forensic tools therefore read the files offline (a Linux live USB or a disk image) or copy them through a volume shadow copy or the backup API that reg save uses, and they always collect SYSTEM alongside SAM and SECURITY, because without it the hashes and cached credentials cannot be decrypted.

Key Registry Locations for Security

Certain registry keys are critically important for security because they control what runs on the system, when it runs, and how it behaves. These are also the keys most commonly abused by malware.

Registry Location | Purpose | Security Relevance
HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Programs that launch automatically when the current user logs in. | The #1 persistence mechanism for malware. Any user can write to their own HKCU Run key without admin rights.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Programs that launch automatically for ALL users when anyone logs in. Requires admin to modify. | Machine-wide persistence. Check both HKCU and HKLM Run keys during investigations, and on 64-bit Windows also HKLM\Software\WOW6432Node\...\Run, which 32-bit installers write to.
...\CurrentVersion\RunOnce | Programs that run once at the next logon, then the entry is automatically deleted. | Used by installers and updates, but also by malware for one-time payload execution. Because the entry deletes itself, it may already be gone by the time you look, so check it before rebooting a suspect machine.
HKLM\SYSTEM\CurrentControlSet\Services | Every Windows service is defined here: name, executable path, start type, dependencies. | Attackers create malicious services for persistence. Check the ImagePath value: it should point to a legitimate, signed executable, and a path containing spaces should be quoted. An unquoted path is tried piece by piece (C:\Program.exe before C:\Program Files\...), so a writable intermediate directory turns it into a privilege escalation to SYSTEM.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | Lists installed programs (what appears in "Add or Remove Programs"). Useful for inventory. | Malware that arrives as an installer may register here; most does not, so its absence proves nothing.
HKCR\*\shellex and related | Shell extensions: DLLs that extend Windows Explorer with right-click menus, property sheets, icon overlays. | Malicious shell extensions run code every time Explorer starts. They load in the context of explorer.exe.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | IFEO: allows attaching a debugger to any executable before it runs. | Debugger hijacking: set the "Debugger" value under a subkey named after the program (e.g., notepad.exe) to point to malware. The malware runs instead of the intended program, with the original command line passed to it as an argument. The same trick against accessibility tools (sethc.exe, utilman.exe) gives a SYSTEM shell at the logon screen.
MITRE ATT&CK T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder): Run key persistence is one of the most common techniques observed in real-world malware. Adware, trojans, RATs (Remote Access Trojans), and ransomware all use it. Because any user can write to their own HKCU Run key without admin privileges, it is trivially easy to abuse. During any investigation, always check both HKCU\...\Run and HKLM\...\Run and compare entries against a known-good baseline.
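As an added example (not code from the original page), the script below walks the autostart locations in the table above (both Run keys, RunOnce, the WOW6432Node Run key, IFEO Debugger values and every service ImagePath) and flags the entries an investigator should look at first. The flags (file missing, not validly signed, living under a user-writable path, unquoted service path, any IFEO debugger) are this example's own starting heuristics, not a verdict, and the directory patterns treated as user-writable assume a default Windows layout. It runs elevated so HKLM, IFEO and the service keys are readable; the signature checks make it take a minute on a full service list.

```powershell
# Added example (not from the original page). Flags are leads to verify, not proof.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$IfeoKey       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ServicesKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Turn a Run / ImagePath / Debugger command line into the file it launches.
# For hosts such as rundll32.exe this reports the host; the DLL in its arguments still needs review.
function Get-CommandPath([string]$Command) {
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    # Service paths use kernel notation: \??\C:\..., \SystemRoot\..., system32\drivers\...
    $cmd = $cmd -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^system32\\', "$env:SystemRoot\System32\"
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^.+?\.(exe|dll|sys|cmd|bat|vbs|js|ps1)\b', 'IgnoreCase')
    $path = if ($m.Success) { $m.Value } else { ($cmd -split '\s+')[0] }
    if ($path -and -not [IO.Path]::IsPathRooted($path)) {
        # Bare names (svchost.exe, rundll32.exe) resolve through PATH, as the loader would
        $resolved = Get-Command $path -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($resolved) { $path = $resolved.Source }
    }
    return $path
}

function New-AutostartFinding([string]$Source, [string]$Name, [string]$Command) {
    $path   = Get-CommandPath $Command
    $exists = [bool]$path -and (Test-Path -LiteralPath $path -PathType Leaf)
    $flags  = @()
    if (-not $exists) {
        $flags += 'missing-file'
    } elseif ((Get-AuthenticodeSignature -LiteralPath $path).Status -ne 'Valid') {
        $flags += 'unsigned'
    }
    if ($path -match '\\(Users|Temp|AppData|ProgramData|Public|Downloads)\\') { $flags += 'user-writable-path' }
    if ($Source -like 'IFEO\*') { $flags += 'ifeo-debugger' }
    if ($exists -and $path -match '\s' -and -not $Command.Trim().StartsWith('"')) { $flags += 'unquoted-path' }
    [pscustomobject]@{ Source = $Source; Name = $Name; Path = $path; Flags = ($flags -join ','); Command = $Command }
}

function Get-AutostartAudit {
    $out = @(foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notin $ProviderProps) {
                New-AutostartFinding -Source $key -Name $p.Name -Command ([string]$p.Value)
            }
        }
    })
    $out += @(foreach ($sub in Get-ChildItem -Path $IfeoKey -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { New-AutostartFinding -Source "IFEO\$($sub.PSChildName)" -Name 'Debugger' -Command $dbg }
    })
    $out += @(foreach ($sub in Get-ChildItem -Path $ServicesKey) {
        $img = (Get-ItemProperty -Path $sub.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($img) { New-AutostartFinding -Source "Service\$($sub.PSChildName)" -Name 'ImagePath' -Command $img }
    })
    $out
}

# Flagged entries first. Compare the unflagged remainder against a known-good baseline export.
Get-AutostartAudit | Sort-Object { -not $_.Flags }, Source | Format-Table -AutoSize -Wrap
```

Exporting the same audit from a freshly built machine gives the baseline the ATT&CK note above asks for; diffing the two lists is faster and less error-prone than reading every entry by eye.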

Registry Forensic Artifacts

The Registry is a goldmine for forensic investigators. Even when users try to clean up after themselves, the Registry preserves a remarkable amount of historical activity:

ShellBags — Folders a user has browsed in Windows Explorer are recorded in ShellBags, including the folder path, view settings (icon size, sort order), window position, and timestamps. ShellBags persist even if the folder or its contents are deleted, and they cover removable drives and network shares as well as local folders. The older BagMRU and Bags keys are under HKCU\Software\Microsoft\Windows\Shell; on current Windows most of the data is in the UsrClass.dat hive under HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell.
MRU (Most Recently Used) Lists — Windows tracks recently opened files (RecentDocs, OpenSavePidlMRU), typed paths in Explorer's address bar (TypedPaths), recently searched terms (WordWheelQuery), and recently used commands in the Run dialog (RunMRU). These lists live throughout HKCU under various MRUList and MRUListEx values; the MRUListEx value gives the order, and the key's last-write time dates the most recent entry. They reveal what a user was working on and roughly when.
USB Device History (USBSTOR) — USB storage devices that have been connected to the machine are recorded under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR. Each entry contains the device vendor, product name and revision (in the subkey name), the serial number (the instance subkey; if its second character is "&", the device reported no serial and Windows generated one, so that ID does not uniquely identify a physical stick), and timestamps (the key's last-write time, plus first-install times that can be cross-checked in C:\Windows\INF\setupapi.dev.log). This is how investigators show that a specific USB drive was plugged into a specific computer, even months after the fact.
Network Connection History — Previously connected networks are stored under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles. Each profile includes the network name (SSID or domain), first and last connection timestamps, and network type (public/private/domain). The neighbouring Signatures\Unmanaged subkeys record the MAC address of the default gateway each profile was seen behind, which is what lets a wardriving database turn the record into a physical location at a specific time.
Forensic Principle: The Registry remembers what users forget (or try to hide). ShellBags alone can show a user browsed a specific folder, even if the folder was subsequently deleted. USB history shows physical device connections. MRU lists reveal intent and activity. These artifacts carry weight in investigations because they are system-generated rather than user-controlled, and a user who tries to clean them up usually misses some; corroborate them against each other and against file-system timestamps before drawing conclusions.
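The script below is an added example (not code from the original page) that pulls the USB and network-profile artifacts described above from a live system. The registry provider does not expose key last-write times, so RegQueryInfoKey is called through P/Invoke to date each USBSTOR instance key; the NetworkList timestamps are decoded from their 16-byte SYSTEMTIME layout and joined to the gateway MAC from Signatures\Unmanaged. Assumptions: the value names (ProfileName, Category, DateCreated, DateLastConnected, ProfileGuid, DefaultGatewayMac) as found on current Windows builds, and that the SYSTEMTIME values are local time, which should be confirmed against another timeline source before it matters in a report. Run it elevated.

```powershell
# Added example (not from the original page). Value names and the local-time assumption are noted above.
Add-Type -Namespace MeridianLab -Name RegNative -MemberDefinition @'
[DllImport("advapi32.dll", EntryPoint = "RegQueryInfoKeyW", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(IntPtr hKey, IntPtr lpClass, IntPtr lpcchClass, IntPtr lpReserved,
    out uint subKeys, out uint maxSubKeyLen, out uint maxClassLen, out uint values, out uint maxValueNameLen,
    out uint maxValueLen, out uint securityDescriptor, out long lastWriteTime);
'@

function Get-RegistryKeyLastWrite([Microsoft.Win32.RegistryKey]$Key) {
    [uint32]$a = 0; [uint32]$b = 0; [uint32]$c = 0; [uint32]$d = 0
    [uint32]$e = 0; [uint32]$f = 0; [uint32]$g = 0; [long]$ft = 0
    $rc = [MeridianLab.RegNative]::RegQueryInfoKey($Key.Handle.DangerousGetHandle(),
        [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero,
        [ref]$a, [ref]$b, [ref]$c, [ref]$d, [ref]$e, [ref]$f, [ref]$g, [ref]$ft)
    if ($rc -ne 0) { return $null }
    return [DateTime]::FromFileTimeUtc($ft)   # a key's last-write time is a FILETIME in UTC
}

function Get-UsbStorHistory {
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SYSTEM\CurrentControlSet\Enum\USBSTOR')
    if (-not $root) { return }
    foreach ($deviceName in $root.GetSubKeyNames()) {        # e.g. Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00
        $device = $root.OpenSubKey($deviceName)
        $parts = @{}
        foreach ($piece in $deviceName -split '&') {
            if ($piece -match '^(Ven|Prod|Rev)_(.*)$') { $parts[$Matches[1]] = $Matches[2] }
        }
        foreach ($instance in $device.GetSubKeyNames()) {    # the serial number, or a Windows-generated ID
            $inst = $device.OpenSubKey($instance)
            [pscustomobject]@{
                Vendor       = $parts['Ven']
                Product      = $parts['Prod']
                Serial       = $instance
                # '&' as the second character means the device had no serial and Windows invented one
                SerialIsReal = ($instance.Length -gt 1 -and $instance[1] -ne '&')
                FriendlyName = $inst.GetValue('FriendlyName')
                KeyLastWrite = Get-RegistryKeyLastWrite $inst
            }
        }
    }
}

function ConvertFrom-SystemTime([byte[]]$Bytes) {
    if (-not $Bytes -or $Bytes.Length -lt 16) { return $null }
    # SYSTEMTIME: eight little-endian WORDs: year, month, day-of-week, day, hour, minute, second, millisecond
    $w = 0..7 | ForEach-Object { [BitConverter]::ToUInt16($Bytes, $_ * 2) }
    if ($w[0] -eq 0) { return $null }
    return [DateTime]::new($w[0], $w[1], $w[3], $w[4], $w[5], $w[6], $w[7])
}

function Get-NetworkProfileHistory {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList'
    $categories = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'Domain' }
    # Signatures\Unmanaged ties each profile to the MAC of the default gateway it was seen behind;
    # that MAC, not the SSID, is what lets a wardriving database turn the record into a place.
    $gatewayByProfile = @{}
    foreach ($sig in Get-ChildItem "$base\Signatures\Unmanaged" -ErrorAction SilentlyContinue) {
        $s = Get-ItemProperty $sig.PSPath
        if ($s.ProfileGuid -and $s.DefaultGatewayMac) {
            $gatewayByProfile[$s.ProfileGuid] = ($s.DefaultGatewayMac | ForEach-Object { $_.ToString('X2') }) -join ':'
        }
    }
    foreach ($prof in Get-ChildItem "$base\Profiles" -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty $prof.PSPath
        [pscustomobject]@{
            Name          = $p.ProfileName
            Category      = $categories[[int]$p.Category]
            Created       = ConvertFrom-SystemTime $p.DateCreated        # treated as local time (assumption)
            LastConnected = ConvertFrom-SystemTime $p.DateLastConnected
            GatewayMac    = $gatewayByProfile[$prof.PSChildName]
        }
    }
}

Get-UsbStorHistory        | Format-Table -AutoSize
Get-NetworkProfileHistory | Sort-Object LastConnected -Descending | Format-Table -AutoSize
```

Get-RegistryKeyLastWrite works on any RegistryKey, so the same helper dates Run-key changes or MRU keys when you need to place a persistence entry on a timeline.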

Group Policy Objects (GPOs)

While the Registry controls individual machines, Group Policy controls entire organizations. Group Policy Objects (GPOs) are collections of settings created by administrators in Active Directory that are automatically applied to computers and users across the domain.

Think of GPOs as corporate policies implemented in software. Instead of sending an email that says "everyone must use complex passwords," you create a GPO that enforces complex passwords. Instead of trusting users to lock their screens, you create a GPO that automatically locks screens after 10 minutes.

Under the hood, GPOs work by modifying the Registry. When a GPO applies to a machine or user, the Group Policy client writes the specified settings into the appropriate registry keys, mostly under HKLM\SOFTWARE\Policies, HKCU\SOFTWARE\Policies, and the Policies subkeys under ...\Windows\CurrentVersion. The difference from an ordinary preference is who wins and for how long: applications honor the Policies keys ahead of the user's own settings, standard users are denied write access to them, and even if a local administrator edits them the Group Policy client rewrites them at the next refresh (by default every 90 to 120 minutes). So GPO-delivered settings are not literally locked, but they are overwritten faster than they can usefully be changed by hand.
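Administrative Template settings reach the client as registry.pol files copied from SYSVOL, written in the documented "PReg" format: a 4-byte "PReg" signature, a version DWORD, then one [key;value;type;size;data] record per setting, with the strings and delimiters in UTF-16LE. As an added example (not code from the original page), the script below builds a small policy file from constructed entries and parses it back. The two sample settings are the policy keys that the screen-lock (user side, stored as REG_SZ strings) and "All Removable Storage classes: Deny all access" (machine side, REG_DWORD) Administrative Template settings write; the values are made up for the demo.

```powershell
# Added example (not from the original page). Sample entries are constructed for the demo.
$Unicode = [System.Text.Encoding]::Unicode

function New-PolEntry([string]$Key, [string]$ValueName, [uint32]$Type, [byte[]]$Data) {
    $buf = New-Object System.Collections.Generic.List[byte]
    $buf.AddRange($Unicode.GetBytes('['))
    $buf.AddRange($Unicode.GetBytes($Key + "`0"))          # strings are null-terminated UTF-16LE
    $buf.AddRange($Unicode.GetBytes(';'))
    $buf.AddRange($Unicode.GetBytes($ValueName + "`0"))
    $buf.AddRange($Unicode.GetBytes(';'))
    $buf.AddRange([BitConverter]::GetBytes($Type))          # REG_* type code as a little-endian DWORD
    $buf.AddRange($Unicode.GetBytes(';'))
    $buf.AddRange([BitConverter]::GetBytes([uint32]$Data.Length))
    $buf.AddRange($Unicode.GetBytes(';'))
    $buf.AddRange($Data)
    $buf.AddRange($Unicode.GetBytes(']'))
    return $buf.ToArray()
}

function Read-PolString([byte[]]$Bytes, [ref]$Pos) {
    $start = $Pos.Value
    while ($Bytes[$Pos.Value] -ne 0 -or $Bytes[$Pos.Value + 1] -ne 0) { $Pos.Value += 2 }
    $text = $Unicode.GetString($Bytes, $start, $Pos.Value - $start)
    $Pos.Value += 2                                          # skip the terminator
    return $text
}

function Expect-PolChar([byte[]]$Bytes, [ref]$Pos, [char]$Char) {
    if ($Bytes[$Pos.Value] -ne [int]$Char -or $Bytes[$Pos.Value + 1] -ne 0) {
        throw "Malformed registry.pol: expected '$Char' at offset $($Pos.Value)"
    }
    $Pos.Value += 2
}

function ConvertFrom-RegistryPol([byte[]]$Bytes) {
    if ([System.Text.Encoding]::ASCII.GetString($Bytes, 0, 4) -ne 'PReg' -or [BitConverter]::ToUInt32($Bytes, 4) -ne 1) {
        throw 'Not a version-1 PReg file'
    }
    $pos = 8
    while ($pos -lt $Bytes.Length) {
        Expect-PolChar $Bytes ([ref]$pos) '['
        $key  = Read-PolString $Bytes ([ref]$pos)
        Expect-PolChar $Bytes ([ref]$pos) ';'
        $name = Read-PolString $Bytes ([ref]$pos)
        Expect-PolChar $Bytes ([ref]$pos) ';'
        $type = [BitConverter]::ToUInt32($Bytes, $pos); $pos += 4
        Expect-PolChar $Bytes ([ref]$pos) ';'
        $size = [int][BitConverter]::ToUInt32($Bytes, $pos); $pos += 4
        Expect-PolChar $Bytes ([ref]$pos) ';'
        [byte[]]$data = if ($size -gt 0) { $Bytes[$pos..($pos + $size - 1)] } else { @() }
        $pos += $size
        Expect-PolChar $Bytes ([ref]$pos) ']'
        $decoded = switch ($type) {
            4               { [BitConverter]::ToUInt32($data, 0) }                     # REG_DWORD
            { $_ -in 1, 2 } { $Unicode.GetString($data).TrimEnd("`0") }               # REG_SZ / REG_EXPAND_SZ
            7               { $Unicode.GetString($data).TrimEnd("`0") -split "`0" }    # REG_MULTI_SZ
            default         { ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
        }
        # Value names beginning with ** are directives (**DeleteValues, **Del.<name>, **DelVals.), not values
        [pscustomobject]@{ Key = $key; ValueName = $name; Type = $type; Data = $decoded; Directive = $name.StartsWith('**') }
    }
}

$pol = New-Object System.Collections.Generic.List[byte]
$pol.AddRange([System.Text.Encoding]::ASCII.GetBytes('PReg'))
$pol.AddRange([BitConverter]::GetBytes([uint32]1))
# User side of a screen-lock policy: the ADMX stores these as REG_SZ strings (type 1)
$pol.AddRange([byte[]](New-PolEntry 'Software\Policies\Microsoft\Windows\Control Panel\Desktop' 'ScreenSaveTimeOut' 1 ($Unicode.GetBytes("600`0"))))
$pol.AddRange([byte[]](New-PolEntry 'Software\Policies\Microsoft\Windows\Control Panel\Desktop' 'ScreenSaverIsSecure' 1 ($Unicode.GetBytes("1`0"))))
# Machine side of "All Removable Storage classes: Deny all access": a REG_DWORD (type 4)
$pol.AddRange([byte[]](New-PolEntry 'Software\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All' 4 ([BitConverter]::GetBytes([uint32]1))))

ConvertFrom-RegistryPol $pol.ToArray() | Format-Table -AutoSize
# A real file lives at \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\registry.pol (and ...\User\);
# parse one with: ConvertFrom-RegistryPol ([IO.File]::ReadAllBytes($path))
```

Reading the registry.pol straight from SYSVOL is the quickest way to answer "what exactly does this GPO write?", and diffing two versions of the file shows what a policy change will do before it reaches the clients.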

GPO Processing Order — LSDOU:

When a user logs in or a computer boots, Group Policy is applied in a strict order. Later policies override earlier ones (with exceptions for enforcement):

  1. L — Local GPO: Settings in the local Group Policy (gpedit.msc) on the individual machine. Applied first, lowest priority.
  2. S — Site GPOs: Policies linked to the Active Directory site (a physical network location). Rarely used but applied second.
  3. D — Domain GPOs: Policies linked to the domain (e.g., meridian.local). Applied to every computer and user in the domain.
  4. OU — Organizational Unit GPOs: Policies linked to the OU containing the computer or user account. Most specific, highest priority. Nested OUs apply from outermost to innermost.

The Rule: If a setting is defined in multiple GPOs, the last one applied wins. Since OU GPOs apply last, they have the highest effective priority. This is why most organizations do their real configuration at the OU level.

GPO Structure: Computer vs. User Configuration

Every GPO is divided into two independent halves:

Configuration | When It Applies | What It Controls | Registry Target
Computer Configuration | At computer startup, then in the background every 90 minutes plus a random offset of up to 30 minutes (every 5 minutes on domain controllers). Software installation and startup scripts apply only at startup. | Firewall rules, audit policies, service configuration, security settings, software installation | HKLM
User Configuration | At user logon, then in the background on the same 90-120 minute cycle. Folder redirection and logon scripts apply only at logon. | Desktop restrictions, folder redirection, mapped drives, application settings, Start menu policies | HKCU

Enforcement and Inheritance Blocking: Two special mechanisms override the normal LSDOU order:

  • Enforcement (formerly "No Override") — A higher-level GPO can be marked as "Enforced," which means lower-level GPOs cannot override its settings. An enforced Domain GPO beats any OU GPO.
  • Block Inheritance — An OU can block policy inheritance from parent containers. This prevents Domain and Site GPOs from applying to that OU. However, an Enforced GPO still wins even against blocked inheritance.
Troubleshooting Tip: When a GPO setting isn't applying as expected, work through four checks: (1) LSDOU order: is a higher-priority GPO overriding your setting? (2) Enforcement and inheritance blocking. (3) Security filtering and WMI filters: the GPO might not target the correct computer or user group, or the machine might fail the WMI query. (4) Scope: is the computer or user object actually in the OU the GPO is linked to, and is the setting in the right half of the GPO? A computer setting never applies just because the user's account is in the OU.

GPO Management Tools

Several tools exist for creating, applying, and troubleshooting Group Policy:

Tool | Purpose | Usage
GPMC (Group Policy Management Console) | Central GUI for creating, linking, editing, and managing all GPOs in the domain. | Run gpmc.msc on a domain controller or on an admin workstation with RSAT installed.
gpupdate /force | Forces an immediate re-application of Group Policy on the current machine, including settings that have not changed since the last refresh. Normally GPOs refresh every 90-120 minutes. | Runs from an ordinary prompt and applies both Computer and User policy. Settings that only apply at logon or startup (software installation, folder redirection, scripts) are not picked up until you accept the log-off or reboot prompt, or pass /logoff or /boot.
gpresult /r | Displays the Resultant Set of Policy: which GPOs are currently applied to this computer and user. Essential for troubleshooting. | Shows applied GPOs, GPOs that were filtered out and why, and security group membership. Run it as the affected user to see their user scope.
gpresult /r /scope:computer | Shows only computer-scope policies. | Requires an elevated prompt. Useful when you need to focus on machine-level policy without user configuration noise. gpresult /x file.xml and gpresult /h file.html write the same data as XML or HTML for scripted or detailed review.
rsop.msc | Resultant Set of Policy snap-in: graphical view of all applied settings with their source GPO. | Launches a GUI that shows exactly which GPO is responsible for each setting. Great for conflict resolution.
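gpresult /x writes the same Resultant Set of Policy as an XML document, which is easier to check from a script than the /r text. The function below is an added example (not code from the original page): it runs gpresult for one scope, lists every GPO the engine considered with where it is linked, whether the link is enforced, whether it was applied and, if not, the reason gpresult gives, then checks for a named GPO. The element names it reads (ComputerResults/UserResults, SOM, GPO, Name, Link/SOMPath, Link/NoOverride, FilteringAllowed, FilteringName, AccessDenied) are those of the RSOP XML on current Windows builds; treat them as an assumption to verify against your own gpresult /x output. The GPO name IT-Security-Baseline is taken from the lab scenario on this page.

```powershell
# Added example (not from the original page). RSOP XML element names are an assumption; see the lead-in.
function Get-ChildText([System.Xml.XmlNode]$Node, [string]$Name) {
    $child = $Node.SelectSingleNode("*[local-name()='$Name']")
    if ($child) { $child.InnerText } else { $null }
}

function Get-RsopGpoTable {
    param([ValidateSet('Computer', 'User')][string]$Scope = 'Computer',
          [string]$XmlPath = (Join-Path $env:TEMP 'rsop.xml'))
    # Computer scope needs an elevated prompt; user scope does not. /f overwrites an old file.
    $null = gpresult.exe /x $XmlPath /f "/scope:$Scope"
    $rsop = New-Object System.Xml.XmlDocument
    $rsop.Load($XmlPath)
    $results = $rsop.SelectSingleNode("//*[local-name()='${Scope}Results']")
    if (-not $results) { throw "No ${Scope}Results section in $XmlPath" }
    # SOM is the container the object really sits in, e.g. OU=Workstations,DC=meridian,DC=local
    $container = Get-ChildText $results 'SOM'
    foreach ($g in $results.SelectNodes("*[local-name()='GPO']")) {
        $links = $g.SelectNodes("*[local-name()='Link']")
        [pscustomobject]@{
            Name      = Get-ChildText $g 'Name'
            LinkedAt  = ($links | ForEach-Object { Get-ChildText $_ 'SOMPath' }) -join '; '
            Enforced  = (($links | ForEach-Object { Get-ChildText $_ 'NoOverride' }) -contains 'true')
            Applied   = ((Get-ChildText $g 'FilteringAllowed') -eq 'true' -and (Get-ChildText $g 'AccessDenied') -ne 'true')
            Reason    = Get-ChildText $g 'FilteringName'      # e.g. "Denied (Security)", "Denied (WMI Filter)"
            Container = $container
        }
    }
}

$target = 'IT-Security-Baseline'     # the GPO from the lab ticket
$table  = @(Get-RsopGpoTable -Scope Computer)
$table | Format-Table Name, LinkedAt, Enforced, Applied, Reason -AutoSize
"Computer object container: $($table[0].Container)"
if (-not ($table | Where-Object { $_.Name -eq $target -and $_.Applied })) {
    "$target is not applied on $env:COMPUTERNAME. Compare the container above with the OU the GPO is linked to, then read the Reason column."
}
```

The Container column answers the question gpresult /r makes you dig for: a workstation that was joined into the wrong OU, or never moved out of Computers, will never receive an OU-linked baseline no matter how often gpupdate runs.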

Common GPO Security Settings

Here are the GPO settings most commonly configured in enterprise environments for security hardening:

Setting Category | GPO Path | What It Controls
Password Policy | Computer Config → Policies → Windows Settings → Security Settings → Account Policies → Password Policy | Minimum length (e.g., 12 characters), complexity requirements (uppercase, lowercase, number, symbol), password history (prevent reuse), maximum age (force regular changes). For domain accounts only the GPO linked at the domain level counts (by default the Default Domain Policy); the same settings in an OU-linked GPO affect only the local accounts on those machines.
Account Lockout | Computer Config → ... → Account Lockout Policy | Lock account after N failed attempts, lockout duration, reset counter after N minutes. Slows brute-force attacks; set too aggressively, it also lets an attacker lock users out on purpose.
Logon Banner | Computer Config → ... → Local Policies → Security Options | Displays a legal warning before login ("Authorized use only..."). Required for regulatory compliance in many industries.
Restrict Control Panel | User Config → Administrative Templates → Control Panel | Prevents users from changing system settings, network configuration, or security settings through the Control Panel.
Disable USB Storage | Computer Config → Administrative Templates → System → Removable Storage Access | Blocks read/write access to USB storage devices. Prevents data exfiltration and malware introduction via removable media.
Audit Policy | Computer Config → ... → Advanced Audit Policy Configuration | Controls which security events are logged: logon/logoff events, object access, privilege use, policy changes, process creation.
The Big Picture: The Registry is the mechanism; Group Policy is the management layer. GPOs write settings into the Registry, but they do so in a controlled, centralized, and auditable way. Without GPOs, an administrator would have to manually edit the Registry on every single computer in the organization — an impossible task at enterprise scale.

Registry Hive Architecture

(Interactive diagram in the original: the major branches of the Windows Registry and their forensic significance, as described in the hive and artifact tables above.)

Group Policy Processing Order (LSDOU)

Group Policy Objects are applied in a strict order. Later GPOs override earlier ones unless enforcement is used. Meridian's chain, from lowest to highest priority (interactive diagram in the original):

  1. Local GPO (gpedit.msc): applied first, lowest priority
  2. Site GPOs (AD site HQ-Site): rarely used, applied second
  3. Domain GPOs (meridian.local, Default Domain Policy): domain-wide baseline
  4. OU GPOs (OU=Workstations, IT-Security-Baseline): more specific
  5. Nested OU GPOs (OU=Engineering, Engineering-Policy): innermost OU wins
  Final result: effective policy = all GPOs merged, last setting wins (subject to Enforced links)

X-Ray Mode: Registry Write — How a Program Persists via the Run Key

Step-by-step walkthrough (interactive in the original) of what happens inside Windows when a program adds itself to the Run key for startup persistence: the program opens HKCU\Software\Microsoft\Windows\CurrentVersion\Run, writes a REG_SZ value whose data is its own command line, and at the next logon Explorer reads every value under that key and launches each one. No admin rights are needed because the key is in the user's own hive. This is the exact same mechanism malware uses, which is why the value name and the path it points to, not the act of writing the key, are what distinguish a legitimate updater from a trojan.

Investigation Lab: Browser Hijack & GPO Troubleshooting

Scenario: Two tickets have come in. Ticket #1: Jake Torelli from Sales reports that his browser homepage keeps changing to some shady search engine, and he can't fix it. He's on MD-LT-SALES07. Ticket #2: Marcus Chen from Engineering says his workstation (MD-WS-ENG05) isn't getting the new IT-Security-Baseline GPO that should be enforcing screen lock and USB restrictions. Investigate both issues.
  1. Check Jake's browser start page: reg query "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page"
     Hint: Look at the URL. Is it legitimate?
  2. Check the Run keys for suspicious entries: reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
     Hint: Look for entries pointing to temp folders or unfamiliar executables.
  3. Also check the machine-wide Run keys: reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
     Hint: Compare HKCU and HKLM, legitimate entries vs. suspicious ones.
  4. Remove the suspicious Run entry: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BrowserHelper" /f
     Hint: Note the executable path before deleting the entry; the file itself is still on disk and is your sample.
  5. Fix Jake's browser homepage: reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "about:blank" /f
  6. Now investigate Marcus's GPO issue. Check which GPOs are applied: gpresult /r
     Hint: Look for "IT-Security-Baseline" in the applied GPO list. Is it missing? The USB restriction is a computer setting, so also run gpresult /r /scope:computer from an elevated prompt on MD-WS-ENG05.
  7. Force a Group Policy refresh: gpupdate /force, then re-check with gpresult /r
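The script below is an added example (not code from the original page) that does the Jake half of the lab as a repeatable procedure. It widens step 1 to the policy keys a hijacker uses to pin a homepage or search engine in Chrome and Edge (HomepageLocation and DefaultSearchProviderSearchURL under Software\Policies; the browser then reports "managed by your organization" and the user cannot change it back), exports the whole Run key before removing the value from step 4 so the change can be reverted, and resets the IE start page from step 5. The value name BrowserHelper, the "legitimate URL" pattern (about:blank or anything under meridian.local) and the backup folder on the desktop are assumptions taken from the lab scenario.

```powershell
# Added example (not from the original page). BrowserHelper, the URL whitelist and the backup folder are assumptions.
$BackupDir = Join-Path $env:USERPROFILE 'Desktop\RegistryBackups'
$LegitUrl  = '^(about:blank|https?://[^/]*meridian\.local)'     # what Meridian considers a legitimate start page

function Get-BrowserStartupSettings {
    $checks = @(
        @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Names = 'Start Page', 'Default_Page_URL', 'Search Page' }
        @{ Key = 'HKLM:\Software\Microsoft\Internet Explorer\Main'; Names = 'Start Page', 'Default_Page_URL' }
        @{ Key = 'HKCU:\Software\Policies\Google\Chrome';  Names = 'HomepageLocation', 'DefaultSearchProviderSearchURL' }
        @{ Key = 'HKLM:\Software\Policies\Google\Chrome';  Names = 'HomepageLocation', 'DefaultSearchProviderSearchURL' }
        @{ Key = 'HKCU:\Software\Policies\Microsoft\Edge'; Names = 'HomepageLocation', 'DefaultSearchProviderSearchURL' }
        @{ Key = 'HKLM:\Software\Policies\Microsoft\Edge'; Names = 'HomepageLocation', 'DefaultSearchProviderSearchURL' }
    )
    foreach ($c in $checks) {
        if (-not (Test-Path $c.Key)) { continue }
        $props = Get-ItemProperty -Path $c.Key
        foreach ($n in $c.Names) {
            $v = $props.$n
            if ($null -ne $v) {
                [pscustomobject]@{ Key = $c.Key; Name = $n; Value = $v; Suspicious = ($v -notmatch $LegitUrl) }
            }
        }
    }
    # RestoreOnStartupURLs is a subkey of the Chrome/Edge policy keys holding numbered values; check it the same way.
}

function Remove-RunValueWithBackup([string]$KeyPath, [string]$ValueName) {
    $null = New-Item -Path $BackupDir -ItemType Directory -Force
    $file = Join-Path $BackupDir ("Run-{0}.reg" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    # reg.exe wants HKCU\... rather than the provider's HKCU:\... form
    $regPath = $KeyPath -replace '^HK(CU|LM):\\', 'HK$1\'
    $null = reg.exe export $regPath $file /y
    $current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $current) { return "No value '$ValueName' under $KeyPath" }
    Remove-ItemProperty -Path $KeyPath -Name $ValueName
    return "Removed $ValueName (was: $current); key exported to $file for rollback"
}

function Reset-IEStartPage([string]$Url = 'about:blank') {
    $main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    Set-ItemProperty -Path $main -Name 'Start Page' -Value $Url -Type String
    return (Get-ItemProperty -Path $main -Name 'Start Page').'Start Page'
}

Get-BrowserStartupSettings | Format-Table -AutoSize
Remove-RunValueWithBackup 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' 'BrowserHelper'
Reset-IEStartPage
# If a Policies\Google\Chrome or Policies\Microsoft\Edge value above is suspicious and no GPO sets it
# (gpresult /r), remove it the same way; a genuine policy value would be rewritten at the next refresh.
```

The policy-key check is the part worth keeping: a fake "policy" planted by adware survives the user resetting the homepage in the browser, and it looks exactly like an administrator's setting until you confirm with gpresult that no GPO delivers it.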
