This conference talk from Recon2024 explores the hidden complexities of the Windows Registry kernel implementation with security researcher Mateusz Jurczyk from Google Project Zero. Dive beneath the seemingly simple Registry Editor interface to discover how the underlying codebase has evolved from 10,000 lines in Windows NT 3.1 to over 100,000 in Windows 11. Learn about advanced features like transactions, app keys, and differencing hives that have expanded the attack surface for potential local privilege escalation exploits. Follow Jurczyk's extensive audit of the Windows Configuration Manager that uncovered more than 50 vulnerabilities, ranging from basic coding errors to complex design flaws requiring Microsoft to refactor significant portions of code. The presentation includes a registry bug taxonomy, detailed case studies of recently discovered vulnerabilities, Windows internals deep-dives, technical analysis, and exploit demonstrations. The 59-minute talk showcases Jurczyk's expertise in client software security, vulnerability exploitation, mitigation techniques, and Windows operating system internals.
Syllabus
Recon2024 - Mateusz Jurczyk - Peeling Back the Windows Registry Layers: A Bug Hunter's Expedition
Taught by
Recon Conference