~/Privilege Escalation/Windows/Binaries# cat Regedit.exe.md

Used by Windows to manipulate registry

Paths:

C:\Windows\System32\regedit.exe
C:\Windows\SysWOW64\regedit.exe

Detection: regedit.exe reading and writing to alternate data stream regedit.exe should normally not be executed by end-users

Alternate data streams

Export the target Registry key to the specified .REG file.

regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey

Import the target .REG file into the Registry.

regedit C:\ads\file.txt:regfile.reg