
Registry Modification with Real Time Response

January 7, 2021



CrowdStrike goes beyond traditional endpoint protection by providing extensive visibility and remediation capabilities across multiple platforms, such as Windows, macOS, and Linux. CrowdStrike Real Time Response provides a robust remote access tool that can remediate almost all types of malicious activity performed by an adversary.


Control the Registry

Real Time Response provides a list of commands that we can execute, as well as the ability to run customized scripts. It is accessed directly from the CrowdStrike Falcon® console, so it is easy to connect to a host and repair any damage with a comprehensive list of commands.

RTR Command List

Real Time Response can repair the registry in the event that an attack has made malicious modifications to it. The REG command can delete values, load hives, query the registry, set values, and unload hives.

RTR View the Registry

Real Time Response can also delete a registry value, and it can use scripts to execute commands. For example, here we use a script to delete an offending registry value and remove an attack’s leverage of the registry.

RTR Delete Value
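
A remediation script of the kind described above, as an added example (it is not CrowdStrike's script and not taken from this page). It uses only standard PowerShell registry cmdlets; the key path and value name are constructed placeholders to replace with the value identified during the investigation.

```powershell
# Added example: delete one registry value, recording what was removed.
# $KeyPath and $ValueName defaults are constructed placeholders (assumptions).
param(
    [string]$KeyPath   = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp',
    [string]$ValueName = 'EXAMPLE-VALUE-NAME'
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $KeyPath)) {
    Write-Output "Key not found: $KeyPath"
    return
}

# Registry value names are case-insensitive, as is -notcontains.
$key = Get-Item -LiteralPath $KeyPath
if ($key.GetValueNames() -notcontains $ValueName) {
    Write-Output "Value '$ValueName' not present under $KeyPath; nothing to do."
    return
}

# Capture type and raw data before deletion so the change is documented
# in the incident record and can be reversed if it was a false positive.
$record = [pscustomobject]@{
    TimeUtc = (Get-Date).ToUniversalTime().ToString('o')
    Host    = $env:COMPUTERNAME
    Key     = $KeyPath
    Name    = $ValueName
    Kind    = $key.GetValueKind($ValueName).ToString()
    Data    = $key.GetValue($ValueName, $null, 'DoNotExpandEnvironmentNames')
}
$record | ConvertTo-Json -Compress | Write-Output

Remove-ItemProperty -LiteralPath $KeyPath -Name $ValueName

# Re-read the key and fail loudly if the value survived the delete.
$after = (Get-Item -LiteralPath $KeyPath).GetValueNames()
if ($after -contains $ValueName) {
    throw "Value '$ValueName' still present under $KeyPath"
}
Write-Output "Removed '$ValueName' from $KeyPath"
```

The JSON line printed before the delete is the only copy of the removed data, so save the session output with the case notes.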


Here we looked at just a sliver of what Real Time Response is capable of, but even so, we can see that it’s extremely powerful, flexible, and easy to use. It allows responders to rapidly investigate incidents and remediate any issues identified, and it is available for Windows, macOS, and Linux.
