
Difference between revisions of "Windows 7"

From ForensicsWiki
(Known keys of forensic interest)
Line 37: Line 37:
  
 
'''NTUSER Registry'''
 
'''NTUSER Registry'''
NTUSER\\Control Panel\\Desktop
+
*NTUSER\\Control Panel\\Desktop
NTUSER\\Control Panel\\don\
+
*NTUSER\\Control Panel\\don\
NTUSER\\Environment
+
*NTUSER\\Environment
NTUSER\\Network
+
*NTUSER\\Network
NTUSER\\Printers\\Settings\\Wizard\\ConnectMRU
+
*NTUSER\\Printers\\Settings\\Wizard\\ConnectMRU
NTUSER\\Software
+
*NTUSER\\Software
NTUSER\\Software\\Adobe\\Acrobat Reader\\Software\\Adobe\\Acrobat Reader\\
+
*NTUSER\\Software\\Adobe\\Acrobat Reader\\Software\\Adobe\\Acrobat Reader\\
NTUSER\\Software\\Ahead
+
*NTUSER\\Software\\Ahead
NTUSER\\Software\\America Online\\AOL Instant Messenger (TM)\\CurrentVersion\\Users
+
*NTUSER\\Software\\America Online\\AOL Instant Messenger (TM)\\CurrentVersion\\Users
NTUSER\\Software\\Ares
+
*NTUSER\\Software\\Ares
NTUSER\\Software\\bindshell.net\\Odysseus
+
*NTUSER\\Software\\bindshell.net\\Odysseus
NTUSER\\Software\\Blizzard Entertainment\\Warcraft III\\String
+
*NTUSER\\Software\\Blizzard Entertainment\\Warcraft III\\String
NTUSER\\Software\\Cain\\Settings
+
*NTUSER\\Software\\Cain\\Settings
NTUSER\\Software\\DECAFme
+
*NTUSER\\Software\\DECAFme
NTUSER\\Software\\Google\\Google Toolbar\\4.0\\whitelist
+
*NTUSER\\Software\\Google\\Google Toolbar\\4.0\\whitelist
NTUSER\\Software\\Google\\NavClient\\1.1\\History
+
*NTUSER\\Software\\Google\\NavClient\\1.1\\History
NTUSER\\Software\\JavaSoft\\Java Update\\Policy\\JavaFX
+
*NTUSER\\Software\\JavaSoft\\Java Update\\Policy\\JavaFX
NTUSER\\Software\\JavaSoft\\Prefs\\haven
+
*NTUSER\\Software\\JavaSoft\\Prefs\\haven
NTUSER\\Software\\Microsoft
+
*NTUSER\\Software\\Microsoft
NTUSER\\Software\\Microsoft\\Command Processor
+
*NTUSER\\Software\\Microsoft\\Command Processor
NTUSER\\Software\\Microsoft\\Dependency Walker\\Recent File List
+
*NTUSER\\Software\\Microsoft\\Dependency Walker\\Recent File List
NTUSER\\Software\\Microsoft\\IntelliPoint\\AppSpecific
+
*NTUSER\\Software\\Microsoft\\IntelliPoint\\AppSpecific
NTUSER\\Software\\Microsoft\\Internet Explorer\\Main
+
*NTUSER\\Software\\Microsoft\\Internet Explorer\\Main
NTUSER\\Software\\Microsoft\\Internet Explorer\\MainSoftware\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoCompleteSoftware\\Microsoft\\Internet Account Manager\\Accounts
+
*NTUSER\\Software\\Microsoft\\Internet Explorer\\MainSoftware\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoCompleteSoftware\\Microsoft\\Internet Account Manager\\Accounts
NTUSER\\Software\\Microsoft\\Internet Explorer\\Settings
+
*NTUSER\\Software\\Microsoft\\Internet Explorer\\Settings
NTUSER\\Software\\Microsoft\\Internet Explorer\\TypedURLs
+
*NTUSER\\Software\\Microsoft\\Internet Explorer\\TypedURLs
NTUSER\\Software\\Microsoft\\Internet Explorer\\TypedURLsTime
+
*NTUSER\\Software\\Microsoft\\Internet Explorer\\TypedURLsTime
NTUSER\\Software\\Microsoft\\MediaPlayer\\Player\\RecentFileList
+
*NTUSER\\Software\\Microsoft\\MediaPlayer\\Player\\RecentFileList
NTUSER\\Software\\Microsoft\\Microsoft Management Console\\Recent File List
+
*NTUSER\\Software\\Microsoft\\Microsoft Management Console\\Recent File List
NTUSER\\Software\\Microsoft\\Multimedia\\OtherSoftware\\Microsoft\\CTF\\LangBarAddIn
+
*NTUSER\\Software\\Microsoft\\Multimedia\\OtherSoftware\\Microsoft\\CTF\\LangBarAddIn
NTUSER\\Software\\Microsoft\\Office\\14.0Software\\Microsoft\\Office\\14.0
+
*NTUSER\\Software\\Microsoft\\Office\\14.0Software\\Microsoft\\Office\\14.0
NTUSER\\Software\\Microsoft\\Office\\Software\\Microsoft\\Office\\
+
*NTUSER\\Software\\Microsoft\\Office\\Software\\Microsoft\\Office\\
NTUSER\\Software\\Microsoft\\OfficeSoftware\\Microsoft\\Office\\
+
*NTUSER\\Software\\Microsoft\\OfficeSoftware\\Microsoft\\Office\\
NTUSER\\Software\\Microsoft\\PIMSRV
+
*NTUSER\\Software\\Microsoft\\PIMSRV
NTUSER\\Software\\Microsoft\\Search Assistant\\ACMru
+
*NTUSER\\Software\\Microsoft\\Search Assistant\\ACMru
NTUSER\\Software\\Microsoft\\Snapshot Viewer\\Recent File List
+
*NTUSER\\Software\\Microsoft\\Snapshot Viewer\\Recent File List
NTUSER\\Software\\Microsoft\\Terminal Server Client\\DefaultSoftware\\Microsoft\\Terminal Server Client\\Servers
+
*NTUSER\\Software\\Microsoft\\Terminal Server Client\\DefaultSoftware\\Microsoft\\Terminal Server Client\\Servers
NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers
+
*NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers
NTUSER\\Software\\Microsoft\\User Location Service\\Client
+
*NTUSER\\Software\\Microsoft\\User Location Service\\Client
NTUSER\\Software\\Microsoft\\Windows Live Contacts\\Database
+
*NTUSER\\Software\\Microsoft\\Windows Live Contacts\\Database
NTUSER\\Software\\Microsoft\\Windows Live Mail
+
*NTUSER\\Software\\Microsoft\\Windows Live Mail
NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Persisted
+
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Persisted
NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers
+
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers
NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts
+
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts
NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows
+
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows
NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles
+
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles
NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\0a0d020000000000c000000000000046
+
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\0a0d020000000000c000000000000046
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Applets
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Applets
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComputerDescriptions
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComputerDescriptions
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\PublishingWizard\\AddNetworkPlace\\AddNetPlace\\LocationMRU
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\PublishingWizard\\AddNetworkPlace\\AddNetPlace\\LocationMRU
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Wallpaper\\MRU
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Wallpaper\\MRU
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\{8AD9C840-044E-11D1-B3E9-00805F499D93}
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\{8AD9C840-044E-11D1-B3E9-00805F499D93}
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\FileHistory
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\FileHistory
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet SettingsSoftware\\Microsoft\\Internet Explorer\\Main\\WindowsSearch
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet SettingsSoftware\\Microsoft\\Internet Explorer\\Main\\WindowsSearch
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\UFH\\SHC
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\UFH\\SHC
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\UnreadMail
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\UnreadMail
NTUSER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop
+
*NTUSER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop
NTUSER\\Software\\Nico Mak Computing\\WinZip
+
*NTUSER\\Software\\Nico Mak Computing\\WinZip
NTUSER\\Software\\ORL\\VNCHooks\\Application_Prefs
+
*NTUSER\\Software\\ORL\\VNCHooks\\Application_Prefs
NTUSER\\Software\\ORL\\VNCviewer\\MRUSoftware\\RealVNC\\VNCViewer4\\MRU
+
*NTUSER\\Software\\ORL\\VNCviewer\\MRUSoftware\\RealVNC\\VNCViewer4\\MRU
NTUSER\\Software\\Piriform\\CCleaner
+
*NTUSER\\Software\\Piriform\\CCleaner
NTUSER\\Software\\Privoxy
+
*NTUSER\\Software\\Privoxy
NTUSER\\Software\\RealNetworks\\RealPlayer\\6.0\\Preferences
+
*NTUSER\\Software\\RealNetworks\\RealPlayer\\6.0\\Preferences
NTUSER\\Software\\RealVNC\\VNCViewer4\\MRU
+
*NTUSER\\Software\\RealVNC\\VNCViewer4\\MRU
NTUSER\\Software\\SimonTatham\\PuTTY\\SshHostKeys
+
*NTUSER\\Software\\SimonTatham\\PuTTY\\SshHostKeys
NTUSER\\Software\\Skype
+
*NTUSER\\Software\\Skype
NTUSER\\Software\\SmartLine Vision\\aports
+
*NTUSER\\Software\\SmartLine Vision\\aports
NTUSER\\Software\\SysInternals
+
*NTUSER\\Software\\SysInternals
NTUSER\\Software\\Sysinternals\\RootkitRevealer
+
*NTUSER\\Software\\Sysinternals\\RootkitRevealer
NTUSER\\Software\\VMware
+
*NTUSER\\Software\\VMware
NTUSER\\Software\\WinRAR\\ArcHistory
+
*NTUSER\\Software\\WinRAR\\ArcHistory
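Review bot: several of the entries bulleted here are two or three key paths run together with no separator, for example `NTUSER\\Software\\Microsoft\\Internet Explorer\\MainSoftware\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoCompleteSoftware\\Microsoft\\Internet Account Manager\\Accounts`, `...\\Terminal Server Client\\DefaultSoftware\\Microsoft\\Terminal Server Client\\Servers` and `...\\Office\\14.0Software\\Microsoft\\Office\\14.0`. Split each into its own `*` item instead of bulleting the merged string, since a reader cannot look up a merged path as written. In the same pass, `NTUSER\\Control Panel\\don\` looks truncated and should be completed or dropped, `Software\\SysInternals` and `Software\\Sysinternals\\RootkitRevealer` differ in case and should be made consistent, and the doubled backslashes throughout could be normalised to the single-backslash form used for registry paths.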

Revision as of 19:22, 12 September 2013


File Structure

File systems are covered separately.

SSD

Per MS KB2727880, when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.

Further, this TechNet post states: "Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive."



Jump Lists

Jump Lists are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).

Registry

The Windows Registry remains a central component of the Windows 7 operating system.

Known keys of forensic interest

SAM Registry

SAM\\SAM\\Domains\\Account\\Users

SAM\\SAM\\Domains\\Account\\UsersSAM\\Domains\\Builtin\\Aliases


Security Registry

Security\\Policy\\PolAcDmSPolicy\\PolPrDmS

Security\\Policy\\PolAdtEv

Security\\Policy\\Secrets

NTUSER Registry

  • NTUSER\\Control Panel\\Desktop
  • NTUSER\\Control Panel\\don\
  • NTUSER\\Environment
  • NTUSER\\Network
  • NTUSER\\Printers\\Settings\\Wizard\\ConnectMRU
  • NTUSER\\Software
  • NTUSER\\Software\\Adobe\\Acrobat Reader\\Software\\Adobe\\Acrobat Reader\\
  • NTUSER\\Software\\Ahead
  • NTUSER\\Software\\America Online\\AOL Instant Messenger (TM)\\CurrentVersion\\Users
  • NTUSER\\Software\\Ares
  • NTUSER\\Software\\bindshell.net\\Odysseus
  • NTUSER\\Software\\Blizzard Entertainment\\Warcraft III\\String
  • NTUSER\\Software\\Cain\\Settings
  • NTUSER\\Software\\DECAFme
  • NTUSER\\Software\\Google\\Google Toolbar\\4.0\\whitelist
  • NTUSER\\Software\\Google\\NavClient\\1.1\\History
  • NTUSER\\Software\\JavaSoft\\Java Update\\Policy\\JavaFX
  • NTUSER\\Software\\JavaSoft\\Prefs\\haven
  • NTUSER\\Software\\Microsoft
  • NTUSER\\Software\\Microsoft\\Command Processor
  • NTUSER\\Software\\Microsoft\\Dependency Walker\\Recent File List
  • NTUSER\\Software\\Microsoft\\IntelliPoint\\AppSpecific
  • NTUSER\\Software\\Microsoft\\Internet Explorer\\Main
  • NTUSER\\Software\\Microsoft\\Internet Explorer\\MainSoftware\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoCompleteSoftware\\Microsoft\\Internet Account Manager\\Accounts
  • NTUSER\\Software\\Microsoft\\Internet Explorer\\Settings
  • NTUSER\\Software\\Microsoft\\Internet Explorer\\TypedURLs
  • NTUSER\\Software\\Microsoft\\Internet Explorer\\TypedURLsTime
  • NTUSER\\Software\\Microsoft\\MediaPlayer\\Player\\RecentFileList
  • NTUSER\\Software\\Microsoft\\Microsoft Management Console\\Recent File List
  • NTUSER\\Software\\Microsoft\\Multimedia\\OtherSoftware\\Microsoft\\CTF\\LangBarAddIn
  • NTUSER\\Software\\Microsoft\\Office\\14.0Software\\Microsoft\\Office\\14.0
  • NTUSER\\Software\\Microsoft\\Office\\Software\\Microsoft\\Office\\
  • NTUSER\\Software\\Microsoft\\OfficeSoftware\\Microsoft\\Office\\
  • NTUSER\\Software\\Microsoft\\PIMSRV
  • NTUSER\\Software\\Microsoft\\Search Assistant\\ACMru
  • NTUSER\\Software\\Microsoft\\Snapshot Viewer\\Recent File List
  • NTUSER\\Software\\Microsoft\\Terminal Server Client\\DefaultSoftware\\Microsoft\\Terminal Server Client\\Servers
  • NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers
  • NTUSER\\Software\\Microsoft\\User Location Service\\Client
  • NTUSER\\Software\\Microsoft\\Windows Live Contacts\\Database
  • NTUSER\\Software\\Microsoft\\Windows Live Mail
  • NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Persisted
  • NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers
  • NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts
  • NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows
  • NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles
  • NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\0a0d020000000000c000000000000046
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Applets
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComputerDescriptions
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\PublishingWizard\\AddNetworkPlace\\AddNetPlace\\LocationMRU
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Wallpaper\\MRU
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\{8AD9C840-044E-11D1-B3E9-00805F499D93}
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\FileHistory
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet SettingsSoftware\\Microsoft\\Internet Explorer\\Main\\WindowsSearch
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\UFH\\SHC
  • NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\UnreadMail
  • NTUSER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop
  • NTUSER\\Software\\Nico Mak Computing\\WinZip
  • NTUSER\\Software\\ORL\\VNCHooks\\Application_Prefs
  • NTUSER\\Software\\ORL\\VNCviewer\\MRUSoftware\\RealVNC\\VNCViewer4\\MRU
  • NTUSER\\Software\\Piriform\\CCleaner
  • NTUSER\\Software\\Privoxy
  • NTUSER\\Software\\RealNetworks\\RealPlayer\\6.0\\Preferences
  • NTUSER\\Software\\RealVNC\\VNCViewer4\\MRU
  • NTUSER\\Software\\SimonTatham\\PuTTY\\SshHostKeys
  • NTUSER\\Software\\Skype
  • NTUSER\\Software\\SmartLine Vision\\aports
  • NTUSER\\Software\\SysInternals
  • NTUSER\\Software\\Sysinternals\\RootkitRevealer
  • NTUSER\\Software\\VMware
  • NTUSER\\Software\\WinRAR\\ArcHistory