T1012
Query Registry
6 syscalls implement this technique
- NtOpenKey
Opens an existing registry key — the kernel entry behind RegOpenKeyEx, used to reach SAM, SECURITY and persistence hives.
- NtOpenKeyEx
Extended variant of NtOpenKey accepting OpenOptions — required for symlink-following and backup-semantics opens.
- NtQueryValueKey
Reads a value from a registry key — the targeted credential and config harvest primitive.
- NtQueryMultipleValueKey
Atomically reads several registry values from a single key in one syscall.
- NtEnumerateKey
Enumerates subkeys of a registry key — used to walk AutoRun, IFEO and Services for persistence discovery.
- NtQueryKey
Returns metadata about an open registry key — name, class, subkey/value counts, last-write time.