Modify Registry
View on attack.mitre.org →
11 syscalls implement this technique
- NtCreateKey
Creates or opens a registry key. It is the NT-level primitive beneath RegCreateKeyEx, so every persistence entry written to the registry passes through it first.
- NtDeleteKey
Marks a registry key for deletion; the key is actually removed once the last handle to it closes, and it must have no subkeys. Used to wipe persistence entries and other registry artefacts after execution.
- NtDeleteValueKey
Removes a single named value from an open registry key, leaving the key itself intact.
- NtSetValueKey
Writes a named value (and its type) into an open registry key. This is the workhorse for Run-key and Image File Execution Options (IFEO) persistence.
- NtRenameKey
Renames an existing registry key in place. No documented Win32 API exposes it, so callers reach it through the NT API directly, which makes key renames an unusual operation worth logging.
- NtUnloadKey
Detaches a registry hive previously attached with NtLoadKey from the configuration manager.
- NtRestoreKey
Overwrites a registry key's contents from a hive file, replacing whole subtrees in bulk. The caller needs SeRestorePrivilege.
- NtFlushKey
Forces all pending changes to a registry key to be written to its backing hive on disk.
- NtNotifyChangeKey
Registers an asynchronous notification for changes to a registry key and (optionally) its subtree.
- NtNotifyChangeMultipleKeys
Registers a single notification request that fires when any of several registry keys changes.
- NtSetSecurityObject
Writes a new SECURITY_DESCRIPTOR (owner / DACL / SACL / label) onto a kernel object by handle. For registry keys it sits beneath RegSetKeySecurity and is used to tighten the DACL on a persistence key so that it cannot be read or removed by an ordinary user.
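The NT calls above are only observable from the defender's side through what they leave in telemetry. The following is an added example, not code from the original page or from MITRE, that maps Sysmon RegistryEvent records back to the primitives listed here and flags the patterns this technique is used for: Run-key and IFEO Debugger writes (NtSetValueKey), deletion of those artefacts (NtDeleteKey / NtDeleteValueKey) and renames of sensitive keys (NtRenameKey). It assumes Sysmon's field names (`EventID`, `EventType`, `Image`, `TargetObject`, `Details`, `NewName`) and its `HKLM\` / `HKU\<SID>\` path prefix; the event records, the SID and the image paths are constructed for the example, and the "user-writable directory" scoring is a heuristic of this example, not a Sysmon feature.

```python
"""Map Sysmon RegistryEvent records to NT registry primitives and flag T1112 patterns.

Sysmon event IDs: 12 = key/value create or delete, 13 = value set, 14 = key/value rename.
All sample events below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

CREATE_DELETE, SET_VALUE, RENAME = 12, 13, 14

# Sysmon records TargetObject with an HKLM\ or HKU\<SID>\ prefix, so the patterns match that form.
RUN_KEY = re.compile(
    r"^(?:HKLM|HKU\\[^\\]+)\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows"
    r"\\CurrentVersion\\(?:Run|RunOnce|RunOnceEx)(?:\\.*)?$", re.IGNORECASE)
IFEO = re.compile(
    r"^HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows NT\\CurrentVersion"
    r"\\Image File Execution Options\\[^\\]+(?:\\Debugger)?$", re.IGNORECASE)
# Heuristic (this example's, not Sysmon's): an autostart entry pointing into a
# user-writable directory is the classic dropper pattern and rates higher.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    primitive: str   # NT syscall family behind the logged operation
    severity: str
    image: str
    target: str
    details: str = ""


def _sensitive(path: str) -> bool:
    return bool(RUN_KEY.match(path) or IFEO.match(path))


def classify(ev: dict) -> Optional[Finding]:
    """Return a Finding for one Sysmon registry event, or None if it looks benign."""
    eid, etype = ev["EventID"], ev.get("EventType", "")
    image, target = ev.get("Image", ""), ev.get("TargetObject", "")
    details = ev.get("Details", "")
    if eid == SET_VALUE and IFEO.match(target):
        # A Debugger value under IFEO redirects execution of that binary: always high.
        return Finding("ifeo_debugger_set", "NtSetValueKey", "high", image, target, details)
    if eid == SET_VALUE and RUN_KEY.match(target):
        sev = "high" if USER_WRITABLE.search(details) else "medium"
        return Finding("run_key_set", "NtSetValueKey", sev, image, target, details)
    if eid == CREATE_DELETE and etype in ("DeleteKey", "DeleteValue") and _sensitive(target):
        # Removing an autostart artefact is the post-execution cleanup step.
        prim = "NtDeleteKey" if etype == "DeleteKey" else "NtDeleteValueKey"
        return Finding("autostart_cleanup", prim, "medium", image, target)
    if eid == RENAME and (_sensitive(target) or _sensitive(ev.get("NewName", ""))):
        # A rename can only reach the registry through NtRenameKey, so it is rare and notable.
        return Finding("sensitive_rename", "NtRenameKey", "medium", image, target, ev.get("NewName", ""))
    return None


def scan(events):
    """Classify a sequence of events and keep only the findings."""
    return [f for f in map(classify, events) if f is not None]


# Constructed sample telemetry; SID, paths and file names are invented.
SID = "S-1-5-21-1004336348-1177238915-682003330-1001"
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
     "Details": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer",
     "Details": "time.windows.com,0x9"},
    {"EventID": 12, "EventType": "DeleteValue",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 14, "EventType": "RenameKey",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe",
     "NewName": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.old"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule:<20} {f.primitive:<17} {f.image} -> {f.target}")
```

Two of the syscalls on this page leave no Sysmon trace at all: NtSetSecurityObject on a key only shows up as Security event 4670 if a SACL audits the key, and NtFlushKey is invisible to registry telemetry. Treat the rules above as the NtSetValueKey / NtDeleteKey / NtRenameKey portion of coverage, not the whole technique.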