Reg.exe Manipulating Windows Services Registry Keys


The search looks for reg.exe modifying registry keys that define Windows services and their configurations.


Use Case

Security Monitoring



Alert Volume



Stage 3


Privilege Escalation
Defense Evasion

MITRE ATT&CK Techniques

New Service
Modify Existing Service
Disabling Security Tools

Kill Chain Phases


Data Sources

Endpoint Detection and Response


Reg.exe Manipulating Windows Services Registry Keys Help

This search looks for reg.exe modifying the registry paths that define and configure Windows services. Reg.exe is a Windows utility for manipulating the registry from the command line. Malware often uses the Windows services architecture to persist, hide in plain sight, and gain the ability to interact with the Windows kernel. While it is common to modify the configuration of Windows services (and new services may be created with software installs), using reg.exe to create or modify a service configuration is unusual and is a technique commonly used by attackers. The search returns the count, the first time the activity was seen, the last time the activity was seen, the registry path that was modified, the host where the modification took place, and the user that performed the modification.
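The logic described above, sketched in Python as an added example (it is not the saved search this content ships). The events are constructed, the field names (`time`, `host`, `user`, `process`, `registry_path`) are assumptions, and the match targets the `HKLM\SYSTEM\CurrentControlSet\Services` key where Windows stores service definitions.

```python
import re
from collections import defaultdict

# Service definitions live under HKLM\SYSTEM\<control set>\Services\<name>.
SERVICE_KEY = re.compile(
    r"\\system\\(currentcontrolset|controlset\d{3})\\services\\", re.I)

SVC = r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc"

# Constructed sample events; field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "host": "ws01", "user": "alice",
     "process": r"C:\Windows\System32\reg.exe",
     "registry_path": SVC + r"\ImagePath"},
    {"time": "2024-05-01T10:05:00", "host": "ws01", "user": "alice",
     "process": "REG.EXE", "registry_path": SVC.lower() + r"\imagepath"},
    # Service control manager writing its own key: expected, not reported.
    {"time": "2024-05-01T10:06:00", "host": "ws01", "user": "SYSTEM",
     "process": r"C:\Windows\System32\services.exe",
     "registry_path": SVC + r"\Start"},
    # reg.exe writing a key that merely contains the word "Services".
    {"time": "2024-05-01T11:00:00", "host": "ws02", "user": "bob",
     "process": "reg.exe",
     "registry_path": r"HKCU\Software\Example\Services\Setting"},
    # reg.exe writing a numbered control set, which backs CurrentControlSet.
    {"time": "2024-05-01T11:30:00", "host": "ws02", "user": "bob",
     "process": "reg.exe",
     "registry_path": r"HKLM\SYSTEM\ControlSet001\Services\ExampleSvc\Start"},
]

def is_reg_exe(process):
    # Compare the file name only, so full paths and mixed case still match
    # while regedit.exe or similar names do not.
    return re.split(r"[\\/]", process)[-1].lower() == "reg.exe"

def detect(events):
    """Group reg.exe writes under the services key by host, user and path."""
    groups = defaultdict(list)
    for e in events:
        if is_reg_exe(e["process"]) and SERVICE_KEY.search(e["registry_path"]):
            key = (e["host"], e["user"], e["registry_path"].lower())
            groups[key].append(e["time"])
    # ISO 8601 timestamps in one format sort correctly as strings.
    return [{"count": len(t), "first_time": min(t), "last_time": max(t),
             "registry_path": path, "host": host, "user": user}
            for (host, user, path), t in sorted(groups.items())]
```
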