# Windows Registry Forensics

### HKEY\_LOCAL\_MACHINE (HKLM)

```
Scope: System-wide settings and configurations.
Purpose: This key contains configuration data for the entire computer and affects all users on the system. It holds information related to hardware, operating system settings, and software configurations that apply universally across all user accounts.

Common Subkeys:
    HKLM\SYSTEM: Contains system configuration data, such as boot configuration, drivers, services, and system devices.
    HKLM\SOFTWARE: Stores software-related settings that apply to all users on the machine, including installed programs, their settings, and system software configurations.
    HKLM\SECURITY: Contains security-related data.
    HKLM\HARDWARE: Contains information detected at startup about the system's hardware.
```

### HKEY\_USERS (HKU)

```
Scope: User-specific settings for all users on the computer.
Purpose: HKU stores individual user profile information, including personalized settings, desktop configurations, environment variables, and application preferences for each user on the system.

Common Subkeys:
    HKU\<SID>: Each user profile on the system has a subkey named after the Security Identifier (SID) of that user. These keys store user-specific configurations.
    HKU\.DEFAULT: Contains settings applied to the default profile and is used as a template for new users.
```

**The following map gives a detailed, visually structured overview of Windows Registry paths and keys. It is designed to help incident responders, SOC analysts, and other cybersecurity professionals monitor, detect, and investigate security incidents. Open the link below and download the HTML file:**

{% embed url="https://github.com/0Xdarkday/Investigator-Hand/blob/main/windows%20Registry%20Map.drawio.html" %}

Here is a screenshot of the map linked above:

<figure><img src="/files/0Zn2o4f08ZQja5mDqmvg" alt=""><figcaption></figcaption></figure>

### SAM (Security Account Manager) - SAM.dat

```
Location: C:\Windows\System32\config\SAM
Purpose: Stores user account data, passwords (hashed), and other security-related information.
Key Paths and Extractable Data:

SAM\SAM\Domains\Account\Users\Names : Lists local user account names

SAM\SAM\Domains\Account\Users\000001F4 : Information about the built-in administrator account, such as login attempts and account status 

SAM\SAM\Domains\Account\Users\<User_RID> : Stores password hashes for each user 
```

### SYSTEM - SYSTEM.dat

```
Location: C:\Windows\System32\config\SYSTEM 
Purpose: Contains system configurations, including boot settings, time zone, and control set information.
Key Paths and Extractable Data:

SYSTEM\Select : Indicates the current, default, and last-known-good control sets

SYSTEM\ControlSet001\Services :  Information about installed services and drivers 

SYSTEM\ControlSet001\Control\TimeZoneInformation : Time zone settings 

SYSTEM\MountedDevices : Records of mounted volumes and their identifiers 

SYSTEM\ControlSet001\Control\Session Manager\Memory Management\PrefetchParameters : Prefetch settings (often manipulated by malware to evade detection) 

```
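The MountedDevices values listed above are binary and come in more than one layout. The Python below is an added example, not code from the original page, that decodes the three common forms on constructed sample data: a 12-byte MBR record, a 24-byte GPT record prefixed with DMIO:ID:, and a UTF-16LE USBSTOR device instance path, from which it also separates vendor, product, revision and serial. The drive letters, disk signature, GUIDs and serial number are all constructed for illustration.

```python
import struct
import uuid

# Constructed sample of SYSTEM\MountedDevices values (not from a real system):
# an MBR volume, a GPT volume and a USB stick identified by its USBSTOR path.
SAMPLE_MOUNTED_DEVICES = {
    r"\DosDevices\C:": struct.pack("<IQ", 0xA1B2C3D4, 0x100000),
    r"\DosDevices\D:": b"DMIO:ID:"
    + uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le,
    r"\DosDevices\E:": (
        r"\??\USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26"
        r"#4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    ).encode("utf-16-le"),
}


def parse_usbstor_path(device_path: str) -> dict:
    """Split a \\??\\USBSTOR#<ids>#<instance>#{class-guid} path into fields."""
    _, ids, instance = device_path.split("#")[:3]
    fields = {}
    for token in ids.split("&"):
        for prefix, name in (("Ven_", "vendor"), ("Prod_", "product"),
                             ("Rev_", "revision")):
            if token.startswith(prefix):
                fields[name] = token[len(prefix):]
    # The instance ID is <serial>&<interface>. A '&' as its second character
    # means Windows generated it because the device reported no unique serial.
    fields["serial"] = instance.rsplit("&", 1)[0]
    fields["unique_serial"] = len(instance) > 1 and instance[1] != "&"
    return fields


def parse_mounted_device(value: bytes) -> dict:
    """Decode one MountedDevices value into a labelled record."""
    if len(value) == 12:
        # MBR disk: 4-byte disk signature followed by 8-byte partition offset.
        signature, offset = struct.unpack("<IQ", value)
        return {"type": "mbr", "disk_signature": f"{signature:08x}",
                "partition_offset": offset}
    if value.startswith(b"DMIO:ID:") and len(value) == 24:
        # GPT volume: "DMIO:ID:" followed by the 16-byte partition GUID.
        return {"type": "gpt", "partition_guid": str(uuid.UUID(bytes_le=value[8:]))}
    text = value.decode("utf-16-le").rstrip("\x00")
    record = {"type": "device", "device_path": text}
    if "USBSTOR#" in text.upper():
        record.update(parse_usbstor_path(text))
    return record
```

When reading the ControlSetNNN paths listed above from an acquired hive, resolve the set through SYSTEM\Select\Current first; ControlSet001 is not guaranteed to be the configuration that was live.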

### NTUSER - NTUSER.dat

```
Location: C:\Users\<Username>\NTUSER.dat 
Purpose: Contains user-specific data such as recent files, browser history, and application configurations.
Key Paths and Extractable Data: 

NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs :  Recently accessed documents by file type

NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU      :  List of executed commands

NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU : Last visited directories 

NTUSER\Software\Microsoft\Internet Explorer\TypedURLs   : URLs manually typed into Internet Explorer 

NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 : Records of removable devices connected 

NTUSER\Software\Microsoft\Windows\CurrentVersion\Run : Programs set to run at startup for the specific user 

NTUSER\Software\Microsoft\Windows\Shell\Bags : ShellBags record folder and directory access, including on removable media and network shares; useful for reconstructing file and folder browsing history even after the files have been deleted 

```
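RecentDocs stores one binary value per document plus an MRUListEx value that gives their order. The Python below is an added example, not code from the original page, that rebuilds the most-recent-first document list from constructed sample values; the document names and the shell-item bytes after each name are made up for illustration.

```python
import struct

# Constructed sample of the values under
# NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
# (not from a real system). Each numbered value starts with the document
# name as a null-terminated UTF-16LE string, followed by a shell item that
# this example does not need. MRUListEx lists the value names as little-
# endian DWORDs, most recent first, terminated by 0xFFFFFFFF.
def _recent_docs_value(name: str) -> bytes:
    shell_item_stub = b"\x14\x00\x32\x00" + b"\x00" * 16  # placeholder bytes
    return name.encode("utf-16-le") + b"\x00\x00" + shell_item_stub


SAMPLE_RECENT_DOCS = {
    "0": _recent_docs_value("budget.xlsx"),
    "1": _recent_docs_value("invoice.pdf.exe"),
    "2": _recent_docs_value("notes.txt"),
    "MRUListEx": struct.pack("<4I", 1, 2, 0, 0xFFFFFFFF),
}


def parse_mru_list_ex(data: bytes) -> list:
    """Return the value names referenced by MRUListEx, most recent first."""
    order = []
    for (index,) in struct.iter_unpack("<I", data[: len(data) // 4 * 4]):
        if index == 0xFFFFFFFF:  # terminator
            break
        order.append(str(index))
    return order


def recent_docs_filename(data: bytes) -> str:
    """Extract the leading null-terminated UTF-16LE name from a value."""
    # Scan on 2-byte boundaries: a naive search for b"\x00\x00" can land on
    # the high byte of an ASCII character plus the first terminator byte.
    for i in range(0, len(data) - 1, 2):
        if data[i:i + 2] == b"\x00\x00":
            return data[:i].decode("utf-16-le")
    raise ValueError("no UTF-16LE terminator in RecentDocs value")


def recent_documents(values: dict) -> list:
    """List document names in MRU order, skipping dangling MRUListEx entries."""
    names = []
    for index in parse_mru_list_ex(values["MRUListEx"]):
        if index in values:  # MRUListEx may reference a value that was deleted
            names.append(recent_docs_filename(values[index]))
    return names
```

The per-extension subkeys under RecentDocs (for example the .txt subkey) use the same layout, so the same functions apply to them.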

### USRCLASS - UsrClass.dat

```
Location: C:\Users\<Username>\AppData\Local\Microsoft\Windows\UsrClass.dat
Purpose: Stores settings related to Universal Windows Platform (UWP) applications and user-specific preferences.
Key Paths and Extractable Data:

UserClasses\{GUID}\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages : Information about installed UWP packages; reveals which modern apps are installed and points to potential abuse if suspicious apps are present

```

### SOFTWARE - SOFTWARE.dat

```
Location: C:\Windows\System32\config\SOFTWARE
Purpose: Holds system-wide software information, Windows updates, and application settings
Key Paths and Extractable Data: 

SOFTWARE\Microsoft\Windows\CurrentVersion\Run : Programs set to run at system startup. 

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows : Settings for applications launched at startup 

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall : List of installed programs 

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths : Executable paths for installed applications 
```

### SECURITY - SECURITY.dat

```
Location: C:\Windows\System32\config\SECURITY
Purpose: Contains security-related configurations, including local security policies.
Key Paths and Extractable Data: 

SECURITY\Policy\PolAdtEv : Audit policy settings, showing which event categories are audited 

SECURITY\Policy\PolAdtLg : Login policy settings; helps to confirm whether account settings have been changed to permit unauthorized access 
```

### Browser Artifacts

```
Purpose: Artifacts such as browsing history, cookies, downloads, and form data can reveal websites visited, online behavior, and interactions; useful for tracking activity related to phishing, malware, and exfiltration attempts
Locations:
Chrome: C:\Users\<User>\AppData\Local\Google\Chrome\User Data\Default\

Firefox: C:\Users\<User>\AppData\Roaming\Mozilla\Firefox\Profiles\     

Edge: C:\Users\<User>\AppData\Local\Microsoft\Edge\User Data\Default\
```

The Registry paths can also be grouped by the category of activity they evidence:

<figure><img src="/files/OYYLUPFXCazTFyFmxTYe" alt=""><figcaption></figcaption></figure>

### **1. User Communications**

* **Registry Paths**:
  * Email accounts: `HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Outlook\Profiles`
  * Skype: `HKEY_CURRENT_USER\Software\Microsoft\Skype\`
  * Teams: `HKEY_CURRENT_USER\Software\Microsoft\Office\Teams`
  * Messaging apps: Search for app-specific paths under `HKEY_CURRENT_USER\Software`

### **2. File Download**

* **Registry Paths**:
  * Recent downloads: `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU`
  * Firefox: `HKEY_CURRENT_USER\Software\Mozilla\Firefox\Profiles`
  * Internet Explorer: `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs`
  * Chrome/Edge: Check browser-specific paths, like `AppData` logs
  * **Temporary files**:
    * Temporary Internet files: `%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache`
  * **Download history via Windows Defender**:
    * `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Threats`

### **3. Program Execution**

* **Registry Paths**:
  * Run/RunOnce: `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run`
  * Prefetch: Analyze `%SystemRoot%\Prefetch\`
  * Recently used programs: `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist`
  * **Scheduled tasks**:
    * Task Scheduler settings: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache`
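UserAssist value names are ROT13-encoded program paths, and their data records how often and when each program ran. The Python below is an added example, not code from the original page, that decodes constructed Windows 7 and later style entries: ROT13 name, run count at offset 4 and last-execution FILETIME at offset 60. The two value names, run counts and the timestamp are constructed for illustration.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(filetime: int) -> str:
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO 8601."""
    if filetime == 0:
        return ""  # no last-run timestamp recorded
    return (FILETIME_EPOCH + timedelta(microseconds=filetime // 10)).isoformat()


def parse_userassist_entry(value_name: str, data: bytes) -> dict:
    """Decode one UserAssist\\{GUID}\\Count value (Windows 7 and later layout)."""
    if len(data) != 72:
        raise ValueError(f"unexpected UserAssist data length {len(data)}")
    run_count = struct.unpack_from("<I", data, 4)[0]    # offset 4: run count
    last_run = struct.unpack_from("<Q", data, 60)[0]    # offset 60: FILETIME
    return {
        "program": codecs.decode(value_name, "rot13"),  # names are ROT13-encoded
        "run_count": run_count,
        "last_run": filetime_to_iso(last_run),
    }


def parse_userassist(values: dict) -> list:
    """Decode all values of a Count key, most recently executed first."""
    entries = [parse_userassist_entry(name, data) for name, data in values.items()]
    return sorted(entries, key=lambda entry: entry["last_run"], reverse=True)


# Constructed sample entries (not from a real system). The decoded GUID prefix
# of the first name is the System32 known-folder ID, so it is System32\cmd.exe.
def _userassist_data(run_count: int, last_run_filetime: int) -> bytes:
    data = bytearray(72)
    struct.pack_into("<I", data, 4, run_count)
    struct.pack_into("<Q", data, 60, last_run_filetime)
    return bytes(data)


_delta = datetime(2024, 3, 5, 14, 30, tzinfo=timezone.utc) - FILETIME_EPOCH
SAMPLE_FILETIME = (_delta.days * 86400 + _delta.seconds) * 10_000_000
SAMPLE_USERASSIST = {
    "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr": _userassist_data(7, SAMPLE_FILETIME),
    "Zvpebfbsg.Jvaqbjf.Rkcybere": _userassist_data(42, 0),
}
```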

### **4. File Opening/Creation**

* **Registry Paths**:
  * MRU (Most Recently Used): `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`
  * ShellBags: `HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags`
  * **File access/creation details**:
    * NTFS File System (last access/write): Use `$MFT` from forensic tools.
    * RecentApps (Apps that opened files): `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps`
  * **Windows Jump Lists**:
    * File usage via Taskbar/Start Menu: `%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations`

### **5. File Knowledge**

* **Registry Paths**:
  * File extensions: `HKEY_CLASSES_ROOT\.<extension>`
  * Open with history: `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts`
  * **Known folders**:
    * Downloads, Documents: `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders`

### **6. Physical Interaction**

* **Registry Paths**:
  * USB devices: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`
  * Mounted devices: `HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices`

### **7. USB Key Usage**

* **Registry Paths**:
  * USB activity: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB`
  * Removable media settings: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer`

### **8. Account Usage**

* **Registry Paths**:
  * Last logon: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
  * USB serial numbers: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`
  * User accounts: `HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users`

### **9. Browser Usage**

* **Registry Paths**:
  * Internet Explorer history: `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main`
  * Chrome/Edge/Firefox: AppData paths like `AppData\Local\Google\Chrome\User Data`.

***
