PT0-001 Question #61: Real Exam Question with Answer & Explanation
The correct answer is C: HKEY_CURRENT_USER.
Post-exploitation and lateral movement
Question
While trying to maintain persistence on a Windows system with limited privileges, which of the following registry keys should the tester use?
Options
- A. HKEY_CLASSES_ROOT
- B. HKEY_LOCAL_MACHINE
- C. HKEY_CURRENT_USER
- D. HKEY_CURRENT_CONFIG
Explanation
HKEY_CURRENT_USER is writable by standard users without elevated privileges, making it the correct hive for achieving persistence when administrative rights are unavailable.
Common mistakes
- A. HKEY_CLASSES_ROOT is a merged view of HKLM and HKCU class registrations, and writing to the system-level portions of HKCR requires administrative privileges that a limited-privilege user does not have.
- B. HKEY_LOCAL_MACHINE contains system-wide configuration and requires administrative privileges to write, making it inaccessible for persistence operations under a limited user account.
- D. HKEY_CURRENT_CONFIG contains hardware profile data for the current boot session and does not provide run-key or autostart persistence mechanisms suitable for surviving reboots.
Concept tested: Windows registry persistence with limited user privileges
Reference: https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights
Topics
- registry persistence
- HKCU
- Windows privilege
- limited privileges