I can’t find out why my scanner is unable to start the remote registry service. I get the following log output:
Description (Knowledge base entry) : Value/Content
---------------------------------------------------------------------------------------------------------------
Access to the registry possible (SMB/registry_access) : FALSE
Access via WMI possible (WMI/access_successful) : TRUE
...
It was not possible to connect to the PIPE\winreg on the remote host. If you intend to use the Scanner to perform registry-based checks, the registry checks will not work because the 'Remote Registry' service is not running or has been disabled on the remote host.
Please either:
- configure the 'Startup Type' of the 'Remote Registry' service on the target host to 'Automatic'.
- check the below error which might provide additional info.
The scanner tried to start the 'Remote Registry' service but received the following errors:
There was no further text in the log. There was no error to output.
I have tried all the basic troubleshooting. SMB authentication works and the credentials are valid. I manually started the remote registry service on the target and this temporarily fixes the issue, but I don’t find this solution satisfactory mostly because the VT should be able to attempt to start the service on its own.
I have tracked down the VT which attempts to start the remote registry service. The logic of the NASL script is sound, but the part which tells the server to start the remote registry service apparently never gets executed. I verified this because I expect an impacket call to be executed during this VT but it never runs.
There’s some sort of logic that causes a part of the VT to never execute and the issue only shows up for Windows Server 2012 and earlier.
I tried a full reset. I deleted all the containers and volumes and pulled them again. This fixed the issue for one test scan, but then the issue persists once again.
Not being able to access the registry on credentialed scans leaves a huge gap in my scan results.