IN this Section I am going to talk about the important aspects of Windows Registry
HKEY_LOCAL_MACHINE (HKLM)
Scope: System-wide settings and configurations.
Purpose: This key contains configuration data for the entire computer and affects all users on the system. It holds information related to hardware, operating system settings, and software configurations that apply universally across all user accounts.
Common Subkeys:
HKLM\SYSTEM: Contains system configuration data, such as boot configuration, drivers, services, and system devices.
HKLM\SOFTWARE: Stores software-related settings that apply to all users on the machine, including installed programs, their settings, and system software configurations.
HKLM\SECURITY: Contains security-related data.
HKLM\HARDWARE: Contains information detected at startup about the system's hardware
HKEY_USERS (HKU)
Scope: User-specific settings for all users on the computer.
Purpose: HKU stores individual user profile information, including personalized settings, desktop configurations, environment variables, and application preferences for each user on the system.
Common Subkeys:
Each user profile on the system has a subkey within HKU named after the Security Identifier (SID) associated with that user. These keys store user-specific configurations.
HKU.DEFAULT: Contains settings applied to the default profile and is used as a template for new users.
the following map provides a detailed and visually structured map of Windows Registry paths and keys as well , designed to assist incident responders, SOC analysts, and cybersecurity professionals in monitoring, detecting, and investigating security incidents , go to this link then download the html file
Here is photo of the content above
SAM (Security Account Manager) - SAM.dat
Location: C:\Windows\System32\config\SAM
Purpose: Stores user account data, passwords (hashed), and other security-related information.
Key Paths and Extractable Data:
SAM\SAM\Domains\Account\Users\Names : Lists local user account names
SAM\SAM\Domains\Account\Users\000001F4 : Information about the built-in administrator account, such as login attempts and account status
SAM\SAM\Domains\Account\Users\<User_RID> : Stores password hashes for each user
SYSTEM - SYSTEM.dat
Location: C:\Windows\System32\config\SYSTEM
Purpose: Contains system configurations, including boot settings, time zone, and control set information.
Key Paths and Extractable Data:
SYSTEM\Select : Indicates the current, default, and last-known-good control sets
SYSTEM\ControlSet001\Services : Information about installed services and drivers
SYSTEM\ControlSet001\Control\TimeZoneInformation : Time zone settings
SYSTEM\MountedDevices : Records of mounted volumes and their identifiers
SYSTEM\ControlSet001\Control\Session Manager\Memory Management\PrefetchParameters : Prefetch settings (often manipulated by malware to evade detection)
NTUSER - NTUSER .dat
Location: C:\Users\<Username>\NTUSER.dat
Purpose: Contains user-specific data such as recent files, browser history, and application configurations.
Key Paths and Extractable Data:
NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs : Recently accessed documents by file type
NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU : List of executed commands
NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU : Last visited directories
NTUSER\Software\Microsoft\Internet Explorer\TypedURLs : URLs manually typed into Internet Explorer
NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 : Records of removable devices connected
NTUSER\Software\Microsoft\Windows\CurrentVersion\Run : Programs set to run at startup for the specific user
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags : Shellbags record folder and directory access, especially on removable media or network shares and Useful for reconstructing file and folder browsing history, even when files are deleted
USERCLASS - USERCLASS.dat
Location: C:\Users\<Username>\AppData\Local\Microsoft\Windows\
Purpose: Stores settings related to Universal Windows Platform (UWP) applications and user-specific preferences.
Key Paths and Extractable Data:
UserClasses\{GUID}\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages : Information about installed UWP packages and Reveals information about installed modern apps and potential abuse if suspicious apps are detected
SOFTWARE - SOFTWARE.dat
Location: C:\Windows\System32\config\SOFTWARE
Purpose: Holds system-wide software information, Windows updates, and application settings
Key Paths and Extractable Data:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run : Programs set to run at system startup.
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows : Settings for applications launched at startup
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall : List of installed programs
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths : Executable paths for installed applications
SECURITY - SECURITY.dat
Location: C:\Windows\System32\config\SECURITY
Purpose: Contains security-related configurations, including local security policies.
Key Paths and Extractable Data:
SECURITY\Policy\PolAdtEv : Audit policy settings and Provides information on login policies, helping to confirm whether account settings have been changed for unauthorized access.
SECURITY\Policy\PolAdtLg : Login policy settings and Provides information on login policies, helping to confirm whether account settings have been changed for unauthorized access
Browser Artifacts
purpoes : Artifacts such as browsing history, cookies, downloads, and form data can reveal websites visited, online behavior, and interactions and Useful in tracking activity related to phishing, malware, and exfiltration attempts
Locations:
Chrome: C:\Users\<User>\AppData\Local\Google\Chrome\User Data\Default\
Firefox: C:\Users\<User>\AppData\Roaming\Mozilla\Firefox\Profiles\
Edge: C:\Users\<User>\AppData\Local\Microsoft\Edge\User Data\Default\
Here are categories of Registry paths , If you wanna divides into categories
