The Reg tool connects to the Windows Remote Registry service over RPC and lets you browse registry keys, save hives, dump the SAM database, retrieve LSA secrets, read the system key, and get or set security descriptors — all without requiring an interactive session on the target.

Subcommands

| Command | Description |
| --- | --- |
| list | List the contents of a registry key |
| set | Set one or more values in a registry key |
| save | Save a registry key hive to a file |
| keyinfo | Get metadata about a registry key |
| syskey | Retrieve the system key (syskey/bootkey) |
| dumpsam | Dump the SAM database |
| dumplsasecrets | Dump LSA secrets |
| getsd | Get the security descriptor of a registry key |
| setsd | Set the security descriptor of a registry key |
| getdcomapp | Get information about a DCOM application |

For help on any subcommand, run Reg <subcommand> -h.
The dumpsam, dumplsasecrets, and syskey subcommands require administrative access on the target. Using -BackupSemantics allows a Backup Operator to open protected hive keys without requiring SeDebugPrivilege.

list

Lists the subkeys and values of a registry key.
Reg list [options] <ServerName> <KeyPath>
ServerName (string, required): Name or address of the RPC server.
KeyPath (string, required): Registry key path, e.g. HKLM\SOFTWARE\Microsoft or HKU.
-IncludeSubkeys (boolean, default: true): Include subkey names in the output.
-IncludeValues (boolean, default: true): Include value names in the output.
-IncludeData (boolean, default: false): Include the data stored in each value.
-BackupSemantics (-B) (boolean): Open the key using backup semantics (requires SeBackupPrivilege).
Possible -OutputFields values: Name, ItemType, ValueType, ClassName, Value, BytesAsHexString.

Examples

Reg list -UserName marks@LUMON -Kdc 10.66.0.11 -Password She'sAlive!! LUMON-FS1 -BackupSemantics HKU

set

Sets one or more registry values across one or more keys in a single invocation.
Reg set [options] <ServerName> [<Items>]
ServerName (string, required): Name or address of the RPC server.
Items (RegistryItemSpec[]): Key paths and value specifications interleaved on the command line.
Keys are specified as <root>\<key> or <root>/<key>. Values follow the pattern:
<type>[;<encoding>]:[<valuename>]=<data>

| Encoding | Description | Example |
| --- | --- | --- |
| C | UTF-16 with C-style escapes | hello\n |
| Cz | UTF-16 with C-style escapes, null-terminated | hello\n |
| Hex | Hex-encoded bytes | 0123b5 |
| Dword | Decimal, hex (0x), or binary (0b) | 42 / 0x2A |
| DwordBE | Same as Dword but big-endian | 42 |
| File | Load data from file as-is | ./data.bin |
| Sddl | SDDL string converted to binary security descriptor | |
| Utf16 | UTF-16 string with C escapes | Test\r\n |
| Utf16z | UTF-16 string with C escapes, null-terminated | Test\r\n |

Default encodings per type:

| Value type | Default encoding |
| --- | --- |
| BINARY | Hex |
| DWORD | Dword |
| DWORD_BIG_ENDIAN | DwordBE |
| EXPAND_SZ | Utf16z |
| MULTI_SZ | Utf16 |
| QWORD | Qword |
| SZ | Utf16z |

-BackupSemantics (-B) (boolean): Open keys using backup semantics.

Examples

Reg set LUMON-FS1 HKCU/SOFTWARE/Experiment sz:=DefaultValueData dword:DwordValue=42 binary;sddl:ValueContainingPermissions=O:BAG:BAD:(A;;0x1F;;;AU)
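
The value specification grammar above, worked through in Python as an added example (not code from the Reg tool): it splits each spec at the first ':' and the first '=', applies the default-encoding table, and encodes the simpler encodings to bytes. Case-insensitive type and encoding names, the escape subset, the rule that an item without a type prefix is a key path, and the function names are assumptions of this example.

```python
import re
import struct

# Default encoding per value type, copied from the table above.
DEFAULTS = {"BINARY": "Hex", "DWORD": "Dword", "DWORD_BIG_ENDIAN": "DwordBE",
            "EXPAND_SZ": "Utf16z", "MULTI_SZ": "Utf16", "QWORD": "Qword", "SZ": "Utf16z"}
# Encoding names, matched case-insensitively (assumption: the page writes "binary;sddl").
ENCODINGS = {e.upper(): e for e in ("C", "Cz", "Hex", "Dword", "DwordBE", "File",
                                    "Sddl", "Utf16", "Utf16z", "Qword")}
ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "0": "\0", "\\": "\\"}  # assumed escape subset

def parse_value_spec(spec):
    """Split '<type>[;<encoding>]:[<valuename>]=<data>' at the first ':' and '='."""
    head, colon, rest = spec.partition(":")
    name, equals, data = rest.partition("=")
    if not colon or not equals:
        raise ValueError(f"not a value spec: {spec!r}")
    vtype, _, enc = head.upper().partition(";")
    enc = ENCODINGS.get(enc) if enc else DEFAULTS.get(vtype)
    if vtype not in DEFAULTS or enc is None:
        raise ValueError(f"unknown type or encoding in {spec!r}")
    return {"type": vtype, "encoding": enc, "name": name, "data": data}

def encode(value):
    """Encode a parsed spec to bytes (File, Sddl and Qword are left out here)."""
    enc, data = value["encoding"], value["data"]
    if enc == "Hex":
        return bytes.fromhex(data)
    if enc in ("Dword", "DwordBE"):
        number = int(data, 0)  # base 0 accepts decimal, 0x.. and 0b..
        return struct.pack(">I" if enc == "DwordBE" else "<I", number)
    if enc in ("C", "Cz", "Utf16", "Utf16z"):
        text = re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(0)), data)
        raw = text.encode("utf-16-le")
        return raw + b"\x00\x00" if enc.endswith("z") else raw
    raise NotImplementedError(f"{enc} is outside this example")

def group_items(items):
    """Attach each value spec to the most recent key path in the Items list."""
    keys, current = {}, None
    for item in items:
        if ":" not in item.split("=", 1)[0]:   # no type prefix: a key path
            current = item.replace("/", "\\")
            keys.setdefault(current, [])
        elif current is None:
            raise ValueError("value spec before any key path")
        else:
            keys[current].append(parse_value_spec(item))
    return keys
```

Splitting at the first ':' matters for the SDDL value in the example above, whose data itself contains further colons.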

save

Saves a registry key and its entire subtree to a file on the remote server’s filesystem.
Reg save [options] <ServerName> <KeyPath> <FileName>
ServerName (string, required): Name or address of the RPC server.
KeyPath (string, required): Registry key path to save.
FileName (string, required): Destination file path on the remote server.
-Format (string): Save file format. Possible values: Original, Latest, NotCompressed.
-BackupSemantics (-B) (boolean): Open the key using backup semantics.

keyinfo

Retrieves metadata about a registry key: subkey count, value count, last write time, and security descriptor size.
Reg keyinfo [options] <ServerName> <KeyPath>
ServerName (string, required): Name or address of the RPC server.
KeyPath (string, required): Registry key path to inspect.
Possible -OutputFields values: ClassName, SubkeyCount, MaxSubkeyLength, MaxClassLength, ValueCount, MaxValueNameLength, MaxValueDataLength, SecurityDescriptorLength, LastWriteTime.
-BackupSemantics (-B) (boolean): Open the key using backup semantics.

syskey

Retrieves the system key (also called the boot key or syskey) from a remote system. The system key is used to encrypt sensitive data in the SAM and LSA hives.
Reg syskey [options] <ServerName>
ServerName (string, required): Name or address of the RPC server.
-BackupSemantics (-B) (boolean): Open registry hives using backup semantics (required when running as Backup Operator).
Possible -OutputFields values: Chars, Length.

Example

Reg syskey -UserName marks@LUMON -Kdc 10.66.0.11 -Password She'sAlive!! LUMON-FS1 -BackupSemantics

dumpsam

Dumps the Security Account Manager (SAM) database from a remote system, extracting local account names and NTLM password hashes.
Reg dumpsam [options] <ServerName>
ServerName (string, required): Name or address of the RPC server.
-BackupSemantics (-B) (boolean): Open registry hives using backup semantics. Use this when authenticating as a Backup Operator instead of a full administrator.
Possible -OutputFields values: AccountName, FullName, Rid, NtlmHashText.

Example

Reg dumpsam -UserName marks@LUMON -Kdc 10.66.0.11 -Password She'sAlive!! LUMON-FS1 -BackupSemantics
When you do not have SeDebugPrivilege, authenticate as a member of the Backup Operators group and pass -BackupSemantics to open the SAM hive without requiring debug privileges.

dumplsasecrets

Dumps LSA secrets from a remote system. LSA secrets can contain cached service account credentials, machine account passwords, and other sensitive data stored by the Local Security Authority.
Reg dumplsasecrets [options] <ServerName>
ServerName (string, required): Name or address of the RPC server.
-BackupSemantics (-B) (boolean): Open registry hives using backup semantics.
Possible -OutputFields values: Name, CurrentValueHex, OldValueHex, CurrentUpdateTime, OldUpdateTime, SecurityDescriptorSddl.

Example

Reg dumplsasecrets -UserName marks@LUMON -Kdc 10.66.0.11 -Password She'sAlive!! LUMON-FS1 -BackupSemantics

getsd

Retrieves the security descriptor of a registry key, including the DACL, owner, group, and optionally the SACL.
Reg getsd [options] <ServerName> <KeyPath>
ServerName (string, required): Name or address of the RPC server.
KeyPath (string, required): Registry key path whose security descriptor to retrieve.
-IncludeDacl (boolean, default: true): Request the discretionary ACL.
-IncludeOwner (boolean, default: true): Request the owner SID.
-IncludeGroup (boolean, default: true): Request the group SID.
-IncludeSacl (boolean): Request the system ACL (requires SeSecurityPrivilege).
-BackupSemantics (-B) (boolean): Open the key using backup semantics.
By default, getsd requests the DACL, owner, and group. If you specify any of the -Include* flags explicitly, only the components you list are requested.

Examples

Reg getsd LUMON-FS1 HKCU\Software

setsd

Sets the security descriptor of a registry key using an SDDL string.
Reg setsd [options] -SecurityDescriptor <SecurityDescriptor> <ServerName> <KeyPath> <SecurityDescriptor>
ServerName (string, required): Name or address of the RPC server.
KeyPath (string, required): Registry key path to update.
-SecurityDescriptor (string, required): SDDL string representing the security descriptor to apply.
-BackupSemantics (-B) (boolean): Open the key using backup semantics.

Example

Reg setsd LUMON-FS1 -username marks@LUMON -password She's@live!! -Kdc lumon-dc1 -BackupSemantics HKCU\Software\Microsoft D:AI(A;CIID;0x20019;;;BU)(A;CIID;0xF003F;;;BA)(A;CIID;0xF003F;;;SY)(A;CIIOID;0xF003F;;;CO)
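
A defensive use of the descriptors handled by getsd and setsd, as an added Python example (not part of the Reg tool): it decodes the DACL of an SDDL string and reports allow ACEs that give a broad group write access to a registry key. The function names and the set of groups treated as broad are choices made for this example; the setsd string above produces no findings because BU holds only 0x20019 (KEY_READ).

```python
import re

# Registry key access rights that change the key or its security (winnt.h values).
WRITE_RIGHTS = {
    0x00002: "KEY_SET_VALUE", 0x00004: "KEY_CREATE_SUB_KEY", 0x00020: "KEY_CREATE_LINK",
    0x10000: "DELETE", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
# SDDL right strings for registry keys; other rights must be given as a hex mask here.
RIGHT_STRINGS = {"KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019}
# SDDL SID aliases for groups that cover most or all accounts on a host.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Builtin Users",
         "IU": "Interactive", "AN": "Anonymous", "BG": "Builtin Guests"}

def decode_mask(rights):
    """Convert an ACE rights field (hex mask or KA/KR/KW/KX strings) to an int."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for token in re.findall("..", rights):
        mask |= RIGHT_STRINGS[token]   # KeyError: right string not covered here
    return mask

def audit_dacl(sddl):
    """List allow ACEs in the DACL that give a broad group write access to the key."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, _guid, _inherit_guid, trustee = ace.split(";")[:6]
        if ace_type != "A" or trustee not in BROAD:
            continue
        granted = [name for bit, name in WRITE_RIGHTS.items() if decode_mask(rights) & bit]
        if granted:
            findings.append({
                "trustee": BROAD[trustee],
                "write_rights": granted,
                # Flags are two-letter tokens: "CIOI" holds CI and OI, not IO.
                "inherit_only": "IO" in re.findall("..", flags),
            })
    return findings
```

An ACE reported with inherit_only set does not apply to the key itself, only to subkeys that inherit it.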

getdcomapp

Reads DCOM application configuration from the registry, including launch and access permissions.
Reg getdcomapp [options] -AppId <Guid[]> <ServerName> <AppId>
ServerName (string, required): Name or address of the RPC server.
-AppId (Guid[], required): One or more AppID GUIDs to retrieve information for.
Possible -OutputFields values: AppId, Title, LaunchPermissions, AccessPermissions, IsDllSurrogate, LocalService, ServiceParameters, RunAs, PreferredServerBitness, AuthenticationLevel.
-BackupSemantics (-B) (boolean): Open registry keys using backup semantics.

Common options

All Reg subcommands accept these shared RPC and SMB connection options.

| Option | Description |
| --- | --- |
| -Spnego | Use SPNEGO for authentication |
| -AuthEpm | Authenticate EP mapper requests |
| -EncryptEpm | Encrypt EP mapper requests |
| -EncryptRpc | Encrypt RPC messages |
| -PreferSmb | Use named pipes over SMB instead of TCP when available |

| Option | Description |
| --- | --- |
| -Dialects | SMB2 dialects to negotiate: Smb2_0_2, Smb2_1, Smb3_0, Smb3_0_2, Smb3_1_1 |
| -RequireSigning (-signreq) | Require SMB packet signing |
| -RequireSecureNegotiate | Require authenticated negotiation |
| -EncryptSmb | Require an encrypted SMB connection |
| -FollowDfs (-F) | Follow DFS referrals (default: true) |

| Option | Description |
| --- | --- |
| -UserName (-u) | User name (without domain) |
| -UserDomain (-ud) | User domain |
| -Password (-p) | Password |
| -NtlmHash | NTLM hash for pass-the-hash |
| -AesKey | AES-128 or AES-256 Kerberos key |
| -Tgt | TGT file path (.kirbi or ccache) |
| -Kdc (-K) | KDC endpoint |

| Option | Description |
| --- | --- |
| -HostAddress (-ha) | Override network address |
| -UseTcp6Only (-6) | Force IPv6 |
| -UseTcp4Only (-4) | Force IPv4 |
| -Socks5 | SOCKS5 proxy endpoint |

Sddl

Parse and describe security descriptors returned by getsd.

Dcom

Invoke methods on DCOM objects whose configuration you read with getdcomapp.
