Windows Registry Forensics

IN this Section I am going to talk about the important aspects of Windows Registry

HKEY_LOCAL_MACHINE (HKLM)

Scope: System-wide settings and configurations.
Purpose: This key contains configuration data for the entire computer and affects all users on the system. It holds information related to hardware, operating system settings, and software configurations that apply universally across all user accounts.

Common Subkeys:
    HKLM\SYSTEM: Contains system configuration data, such as boot configuration, drivers, services, and system devices.
    HKLM\SOFTWARE: Stores software-related settings that apply to all users on the machine, including installed programs, their settings, and system software configurations.
    HKLM\SECURITY: Contains security-related data.
    HKLM\HARDWARE: Contains information detected at startup about the system's hardware

HKEY_USERS (HKU)


Scope: User-specific settings for all users on the computer.
Purpose: HKU stores individual user profile information, including personalized settings, desktop configurations, environment variables, and application preferences for each user on the system.

Common Subkeys:
    Each user profile on the system has a subkey within HKU named after the Security Identifier (SID) associated with that user.     These keys store user-specific configurations.
    HKU.DEFAULT: Contains settings applied to the default profile and is used as a template for new users.

the following map provides a detailed and visually structured map of Windows Registry paths and keys as well , designed to assist incident responders, SOC analysts, and cybersecurity professionals in monitoring, detecting, and investigating security incidents , go to this link then download the html file

Investigator-Hand/windows Registry Map.drawio.html at main · 0Xdarkday/Investigator-HandGitHub

Here is photo of the content above

SAM (Security Account Manager) - SAM.dat

Location: C:\Windows\System32\config\SAM
Purpose: Stores user account data, passwords (hashed), and other security-related information.
Key Paths and Extractable Data:

SAM\SAM\Domains\Account\Users\Names : Lists local user account names

SAM\SAM\Domains\Account\Users\000001F4 : Information about the built-in administrator account, such as login attempts and account status 

SAM\SAM\Domains\Account\Users\<User_RID> : Stores password hashes for each user

SYSTEM - SYSTEM.dat

Location: C:\Windows\System32\config\SYSTEM 
Purpose: Contains system configurations, including boot settings, time zone, and control set information.
Key Paths and Extractable Data:

SYSTEM\Select : Indicates the current, default, and last-known-good control sets

SYSTEM\ControlSet001\Services :  Information about installed services and drivers 

SYSTEM\ControlSet001\Control\TimeZoneInformation : Time zone settings 

SYSTEM\MountedDevices : Records of mounted volumes and their identifiers 

SYSTEM\ControlSet001\Control\Session Manager\Memory Management\PrefetchParameters : Prefetch settings (often manipulated by malware to evade detection)

NTUSER - NTUSER .dat

Location: C:\Users\<Username>\NTUSER.dat 
Purpose: Contains user-specific data such as recent files, browser history, and application configurations.
Key Paths and Extractable Data: 

NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs :  Recently accessed documents by file type

NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU      :  List of executed commands

NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU : Last visited directories 

NTUSER\Software\Microsoft\Internet Explorer\TypedURLs   : URLs manually typed into Internet Explorer 

NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 : Records of removable devices connected 

NTUSER\Software\Microsoft\Windows\CurrentVersion\Run : Programs set to run at startup for the specific user 

NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags : Shellbags record folder and directory access, especially on removable media or network shares and Useful for reconstructing file and folder browsing history, even when files are deleted

USERCLASS - USERCLASS.dat

Location: C:\Users\<Username>\AppData\Local\Microsoft\Windows\
Purpose: Stores settings related to Universal Windows Platform (UWP) applications and user-specific preferences.
Key Paths and Extractable Data:

UserClasses\{GUID}\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages : Information about installed UWP packages and Reveals information about installed modern apps and potential abuse if suspicious apps are detected

SOFTWARE - SOFTWARE.dat

Location: C:\Windows\System32\config\SOFTWARE
Purpose: Holds system-wide software information, Windows updates, and application settings
Key Paths and Extractable Data: 

SOFTWARE\Microsoft\Windows\CurrentVersion\Run : Programs set to run at system startup. 

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows : Settings for applications launched at startup 

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall : List of installed programs 

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths : Executable paths for installed applications

SECURITY - SECURITY.dat

Location: C:\Windows\System32\config\SECURITY
Purpose: Contains security-related configurations, including local security policies.
Key Paths and Extractable Data: 

SECURITY\Policy\PolAdtEv : Audit policy settings and Provides information on login policies, helping to confirm whether account settings have been changed for unauthorized access. 

SECURITY\Policy\PolAdtLg : Login policy settings and Provides information on login policies, helping to confirm whether account settings have been changed for unauthorized access

Browser Artifacts

purpoes : Artifacts such as browsing history, cookies, downloads, and form data can reveal websites visited, online behavior, and interactions and Useful in tracking activity related to phishing, malware, and exfiltration attempts
Locations:
Chrome: C:\Users\<User>\AppData\Local\Google\Chrome\User Data\Default\

Firefox: C:\Users\<User>\AppData\Roaming\Mozilla\Firefox\Profiles\     

Edge: C:\Users\<User>\AppData\Local\Microsoft\Edge\User Data\Default\

Here are categories of Registry paths , If you wanna divides into categories

1. User Communications

Registry Paths:
Email accounts: HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Outlook\Profiles
Skype: HKEY_CURRENT_USER\Software\Microsoft\Skype\
Teams: HKEY_CURRENT_USER\Software\Microsoft\Office\Teams
Messaging apps: Search for app-specific paths under HKEY_CURRENT_USER\Software

2. File Download

Registry Paths:
- Recent downloads: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
- Firefox: HKEY_CURRENT_USER\Software\Mozilla\Firefox\Profiles
- Internet Explorer: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
- Chrome/Edge: Check browser-specific paths, like AppData logs
- Temporary files:
  - Temporary Internet files: %USERPROFILE\AppData\Local\Microsoft\Windows\INetCache
- Download history via Windows Defender:
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Threats

3. Program Execution

Registry Paths:
- Run/RunOnce: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Prefetch: Analyze %SystemRoot%\Prefetch\
- Recently used programs: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Scheduled tasks:
- Task Scheduler settings: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache

4. File Opening/Creation

Registry Paths:
- MRU (Most Recently Used): HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
- ShellBags: HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags
- File access/creation details:
  - NTFS File System (last access/write): Use $MFT from forensic tools.
  - RecentApps (Apps that opened files): HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps
- Windows Jump Lists:
  - File usage via Taskbar/Start Menu: %APPDATA\Microsoft\Windows\Recent\AutomaticDestinations

5. File Knowledge

Registry Paths:
- File extensions: HKEY_CLASSES_ROOT\.<extension>
- Open with history: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Known folders:
- Downloads, Documents: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

`6.` Physical Interaction

Registry Paths:
- USB devices: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
- Mounted devices: HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

7. USB Key Usage

Registry Paths:
- USB activity: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
- Removable media settings: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

8. Account Usage

Registry Paths:
- Last logon: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
- USB serial numbers: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
- User accounts: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users

9. Browser Usage

Registry Paths:
- Internet Explorer history: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
- Chrome/Edge/Firefox: AppData paths like AppData\Local\Google\Chrome\User Data.

Previouswindows Memory Forensics NextWindows Registry Forensics with RegRipper

Last updated 1 year ago

hashtagHKEY_LOCAL_MACHINE (HKLM)

hashtagHKEY_USERS (HKU)

hashtagSAM (Security Account Manager) - SAM.dat

hashtagSYSTEM - SYSTEM.dat

hashtagNTUSER - NTUSER .dat

hashtagUSERCLASS - USERCLASS.dat

hashtagSOFTWARE - SOFTWARE.dat

hashtagSECURITY - SECURITY.dat

hashtagBrowser Artifacts

hashtag1. User Communications

hashtag2. File Download

hashtag3. Program Execution

hashtag4. File Opening/Creation

hashtag5. File Knowledge

hashtag6. Physical Interaction

hashtag7. USB Key Usage

hashtag8. Account Usage

hashtag9. Browser Usage