Difference between pages "Windows" and "Windows 7"

From ForensicsWiki
(Difference between pages)
(Introduced in Windows 8)
 
 
Line 1: Line 1:
{{Expand}}
+
== New Features ==
 
+
'''Windows''' is a widely-spread [[operating system]] from [[Microsoft]].
+
 
+
There are 2 main branches of Windows:
+
* the DOS-branch: i.e. Windows 95, 98, ME
+
* the NT-branch: i.e. Windows NT 4, XP, Vista
+
 
+
== Features ==
+
* Basic and Dynamic Disks, see: [http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx]
+
 
+
=== Introduced in Windows NT ===
+
* [[NTFS]]
+
 
+
=== Introduced in Windows 2000 ===
+
 
+
=== Introduced in Windows XP ===
+
* [[Prefetch]]
+
* System Restore (Restore Points); also present in Windows ME
+
 
+
==== SP2 ====
+
* Windows Firewall
+
 
+
=== Introduced in Windows 2003 (Server) ===
+
* Volume Shadow Copies
+
 
+
=== Introduced in Windows Vista ===
+
* [[BitLocker Disk Encryption | BitLocker]]
+
* [[Windows Desktop Search | Search]] integrated in operating system
+
* [[ReadyBoost]]
+
* [[SuperFetch]]
+
* [[NTFS|Transactional NTFS (TxF)]]
+
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
+
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
+
* $Recycle.Bin
+
* [[Windows XML Event Log (EVTX)]]
+
* [[User Account Control (UAC)]]
+
 
+
=== Introduced in Windows 2008 (Server) ===
+
 
+
=== Introduced in Windows 7 ===
+
 
* [[BitLocker Disk Encryption | BitLocker To Go]]
 
* [[BitLocker Disk Encryption | BitLocker To Go]]
 
* [[Jump Lists]]
 
* [[Jump Lists]]
 
* [[Sticky Notes]]
 
* [[Sticky Notes]]
  
=== Introduced in Windows 8 ===
+
== File System ==  
* [[Windows Shadow Volumes | File History]]
+
The file system on Windows 7 is primarily [[NTFS]].
* [[Windows Storage Spaces | Storage Spaces]]
+
* [[Resilient File System (ReFS)]]; Was initially available in the Windows 8 server edition.
+
  
=== Introduced in Windows Server 2012 ===
+
== SSD ==
* [[Resilient File System (ReFS)]]
+
Per MS [http://support.microsoft.com/kb/2727880 KB2727880], when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.
  
== Forensics ==
+
Further, [http://technet.microsoft.com/en-us/magazine/ff356869.aspx this TechNet post] states:
 +
<blockquote>
 +
Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.
 +
</blockquote>
  
=== Partition layout ===
+
== Jump Lists ==
Default partition layout, first partition starts:
+
[[Jump Lists]] are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).
* at sector 63 in Windows 2000, XP, 2003
+
* at sector 2048 in Windows Vista, 2008, 7
+
  
=== Filesystems ===
+
== Registry ==  
* [[FAT]], [[FAT|exFAT]]
+
The [[Windows_Registry|Windows Registry]] remains a central component of the Windows 7 operating system.
* [[NTFS]]
+
* [[Resilient File System (ReFS) | ReFS]]
+
  
=== Recycle Bin ===
+
=== Known Registry keys of forensic interest ===
  
==== RECYCLER ====
+
====SAM Registry====
Used by Windows 2000, XP.
+
*SAM\SAM\Domains\Account\Users
Uses INFO2 file.
+
*SAM\SAM\Domains\Builtin\Aliases
  
See: [http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf]
 
  
==== $RECYCLE.BIN ====
+
====Security Registry====
Used by Windows Vista.
+
Uses $I and $R files.
+
  
See: [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf]
+
*Security\Policy\PolAcDmSPolicy\PolPrDmS
 +
*Security\Policy\PolAdtEv
 +
*Security\Policy\Secrets
  
=== Registry ===
+
====NTUSER Registry====
 
+
*NTUSER\Control Panel\Desktop
The [[Windows Registry]] is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.
+
*NTUSER\Control Panel\don\
 
+
*NTUSER\Environment
=== Thumbs.db Files ===
+
*NTUSER\Network
 
+
*NTUSER\Printers\Settings\Wizard\ConnectMRU
[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the [[investigator]].
+
*NTUSER\Software\Adobe\Acrobat Reader\Software\Adobe\Acrobat Reader\
 
+
*NTUSER\Software\Ahead
See also: [[Vista thumbcache]].
+
*NTUSER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
 
+
*NTUSER\Software\Ares
=== Browser Cache ===
+
*NTUSER\Software\bindshell.net\Odysseus
 
+
*NTUSER\Software\Blizzard Entertainment\Warcraft III\String
=== Browser History ===
+
*NTUSER\Software\Cain\Settings
 
+
*NTUSER\Software\DECAFme
The [[Web Browser History]] files can contain significant information. The default [[Web browser|web browser]] that comes with Windows is [[Internet Explorer|Microsoft Internet Explorer]] but other common browsers on Windows are [[Apple Safari]], [[Google Chrome]], [[Mozilla Firefox]] and [[Opera]].
+
*NTUSER\Software\Google\Google Toolbar\4.0\whitelist
 
+
*NTUSER\Software\Google\NavClient\1.1\History
=== Search ===
+
*NTUSER\Software\JavaSoft\Java Update\Policy\JavaFX
See [[Windows Desktop Search]]
+
*NTUSER\Software\JavaSoft\Prefs\haven
 
+
*NTUSER\Software\Microsoft
=== Setup log files (setupapi.log) ===
+
*NTUSER\Software\Microsoft\Command Processor
Windows Vista introduced several setup log files [http://support.microsoft.com/kb/927521].
+
*NTUSER\Software\Microsoft\Dependency Walker\Recent File List
 
+
*NTUSER\Software\Microsoft\IntelliPoint\AppSpecific
=== Sleep/Hibernation ===
+
*NTUSER\Software\Microsoft\Internet Explorer\Main
 
+
*NTUSER\Software\Microsoft\Internet Explorer\MainSoftware\Microsoft\Windows\CurrentVersion\Explorer\AutoCompleteSoftware\Microsoft\Internet Account Manager\Accounts
After (at least) Windows 7 recovers from sleep/hibernation there often is a system time change event (event id 1) in the event logs.
+
*NTUSER\Software\Microsoft\Internet Explorer\Settings
 
+
*NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
=== Users ===
+
*NTUSER\Software\Microsoft\Internet Explorer\TypedURLsTime
Windows stores a users Security identifiers (SIDs) under the following registry key:
+
*NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
<pre>
+
*NTUSER\Software\Microsoft\Microsoft Management Console\Recent File List
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
+
*NTUSER\Software\Microsoft\Multimedia\OtherSoftware\Microsoft\CTF\LangBarAddIn
</pre>
+
*NTUSER\Software\Microsoft\Office\14.0Software\Microsoft\Office\14.0
 
+
*NTUSER\Software\Microsoft\Office\Software\Microsoft\Office\
The %SID%\ProfileImagePath value should also contain the username.
+
*NTUSER\Software\Microsoft\OfficeSoftware\Microsoft\Office\
 
+
*NTUSER\Software\Microsoft\PIMSRV
=== Windows Error Reporting (WER) ===
+
*NTUSER\Software\Microsoft\Search Assistant\ACMru
 
+
*NTUSER\Software\Microsoft\Snapshot Viewer\Recent File List
As of Vista, for User Access Control (UAC) elevated applications WER reports can be found in:
+
*NTUSER\Software\Microsoft\Terminal Server Client\DefaultSoftware\Microsoft\Terminal Server Client\Servers
<pre>
+
*NTUSER\Software\Microsoft\Terminal Server Client\Servers
C:\ProgramData\Microsoft\Windows\WER\
+
*NTUSER\Software\Microsoft\User Location Service\Client
</pre>
+
*NTUSER\Software\Microsoft\Windows Live Contacts\Database
 
+
*NTUSER\Software\Microsoft\Windows Live Mail
As of Vista, for non-UAC elevated applications (LUA) WER reports can be found in:
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
<pre>
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
</pre>
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows
 
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Corresponding registry key:
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
<pre>
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
</pre>
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets
 
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer
== Advanced Format (4KB Sector) Hard Drives ==
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see [[Advanced Format]].
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
 
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
== %SystemRoot% ==
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
The actual value of %SystemRoot% is store in the following registry value:
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
<pre>
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
Value: SystemRoot
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
</pre>
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\FileHistory
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet SettingsSoftware\Microsoft\Internet Explorer\Main\WindowsSearch
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\UnreadMail
 +
*NTUSER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
 +
*NTUSER\Software\Nico Mak Computing\WinZip
 +
*NTUSER\Software\ORL\VNCHooks\Application_Prefs
 +
*NTUSER\Software\ORL\VNCviewer\MRUSoftware\RealVNC\VNCViewer4\MRU
 +
*NTUSER\Software\Piriform\CCleaner
 +
*NTUSER\Software\Privoxy
 +
*NTUSER\Software\RealNetworks\RealPlayer\6.0\Preferences
 +
*NTUSER\Software\RealVNC\VNCViewer4\MRU
 +
*NTUSER\Software\SimonTatham\PuTTY\SshHostKeys
 +
*NTUSER\Software\Skype
 +
*NTUSER\Software\SmartLine Vision\aports
 +
*NTUSER\Software\SysInternals
 +
*NTUSER\Software\Sysinternals\RootkitRevealer
 +
*NTUSER\Software\VMware
 +
*NTUSER\Software\WinRAR\ArcHistory
  
 
== See Also ==
 
== See Also ==
* [[Windows Event Log (EVT)]]
+
* [[Windows]]
* [[Windows XML Event Log (EVTX)]]
+
* [[Windows Vista]]
* [[Windows 7]]
+
 
* [[Windows 8]]
 
* [[Windows 8]]
 
== External Links ==
 
 
* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]
 
* [http://support.microsoft.com/kb/927521 Windows 7, Windows Server 2008 R2, and Windows Vista setup log file locations]
 
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by [[Mitchell Machor]], 2008
 
* [http://www.ericjhuber.com/2013/02/microsoft-file-system-tunneling.html?m=1 Microsoft Windows File System Tunneling], by [[Eric Huber]], February 24, 2013
 
* [http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf Spotting the Adversary with Windows Event Log Monitoring], by National Security Agency/Central Security Service, February 28, 2013
 
 
=== Malware/Rootkits ===
 
* [http://forensicmethods.com/inside-windows-rootkits Inside Windows Rootkits], by [[Chad Tilbury]], September 4, 2013
 
 
=== Tracking removable media ===
 
* [http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html Tracking USB First insertion in Event logs], by Yogesh Khatri, August 18, 2012
 
 
=== Under the hood ===
 
* [http://msdn.microsoft.com/en-us/library/windows/desktop/aa366533(v=vs.85).aspx MSDN: Comparing Memory Allocation Methods], by [[Microsoft]]
 
* [http://blogs.msdn.com/b/ntdebugging/archive/2007/06/28/how-windows-starts-up-part-the-second.aspx How Windows Starts Up (Part the second)]
 
* [http://msdn.microsoft.com/en-us/library/aa375142.aspx DLL/COM Redirection]
 
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx Dynamic-Link Library Search Order]
 
* [http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx Image File Execution Options]
 
 
==== MSI ====
 
* [http://blogs.msdn.com/b/heaths/archive/2009/02/02/changes-to-package-caching-in-windows-installer-5-0.aspx?Redirected=true Changes to Package Caching in Windows Installer 5.0], by Heath Stewart, February 2, 2009
 
* [http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/ MSI: The Case Of The Invalid Signature], by Didier Stevens, July 26, 2013
 
 
==== Side-by-side (WinSxS) ====
 
* [http://en.wikipedia.org/wiki/Side-by-side_assembly Wikipedia: Side-by-side assembly]
 
* [http://msdn.microsoft.com/en-us/library/aa374224.aspx Assembly Searching Sequence]
 
* [http://blogs.msdn.com/b/junfeng/archive/2007/06/26/rt-manifest-resource-and-isolation-aware-enabled.aspx RT_MANIFEST resource, and ISOLATION_AWARE_ENABLED]
 
* [http://msdn.microsoft.com/en-us/library/windows/desktop/dd408052(v=vs.85).aspx Isolated Applications and Side-by-side Assemblies]
 
* [http://blogs.msdn.com/b/junfeng/archive/2006/01/24/517221.aspx#531208 DotLocal (.local) Dll Redirection], by [[Junfeng Zhang]], January 24, 2006
 
* [http://blogs.msdn.com/b/junfeng/archive/2006/04/14/576314.aspx Diagnosing SideBySide failures], by [[Junfeng Zhang]], April 14, 2006
 
* [http://omnicognate.wordpress.com/2009/10/05/winsxs/ EVERYTHING YOU NEVER WANTED TO KNOW ABOUT WINSXS]
 
 
==== Application Compatibility Database ====
 
* [http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx Technet: Understanding Shims], by [[Microsoft]]
 
* [http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx MSDN: Application Compatibility Database], by [[Microsoft]]
 
* [http://www.alex-ionescu.com/?p=39 Secrets of the Application Compatilibity Database (SDB) – Part 1], by [[Alex Ionescu]], May 20, 2007
 
* [http://www.alex-ionescu.com/?p=40 Secrets of the Application Compatilibity Database (SDB) – Part 2], by [[Alex Ionescu]], May 21, 2007
 
* [http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf Leveraging the Application Compatibility Cache in Forensic Investigations], by [[Andrew Davis]], May 4, 2012
 
 
==== System Restore (Restore Points) ====
 
* [http://en.wikipedia.org/wiki/System_Restore Wikipedia: System Restore]
 
* [http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm Restore Point Forensics], by [[Steve Bunting]]
 
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]],  June 16, 2007
 
* [http://windowsir.blogspot.ch/2006/10/restore-point-forensics.html Restore Point Forensics], by [[Harlan Carvey]], October 20, 2006
 
* [http://www.ediscovery.co.nz/wip/srp.html System Restore Point Log Decoding]
 
 
==== Crash dumps ====
 
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Technet: Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
 
* [http://support.microsoft.com/kb/315263 MSDN: How to read the small memory dump file that is created by Windows if a crash occurs], by [[Microsoft]]
 
 
==== ReadyBoost ====
 
* [http://en.wikipedia.org/wiki/ReadyBoost Wikipedia: ReadyBoost]
 
* [http://windowsir.blogspot.ch/2013/04/plugin-emdmgmt.html Plugin: EMDMgmt], by [[Harlan Carvey]], April 05, 2013
 
* [http://hackingexposedcomputerforensicsblog.blogspot.ch/2013/08/daily-blog-65-understanding-artifacts.html Understanding the artifacts EMDMgmt], by [[David Cowen]], August 27, 2013
 
 
==== Windows Firewall ====
 
* [http://en.wikipedia.org/wiki/Windows_Firewall Wikipedia: Windows Firewall]
 
* [http://technet.microsoft.com/en-us/library/cc737845(v=ws.10).aspx#BKMK_log Windows Firewall Tools and Settings]
 
 
==== Windows 32-bit on Windows 64-bit (WoW64) ====
 
* [http://en.wikipedia.org/wiki/WoW64 Wikipedia: WoW64]
 
 
=== Windows XP ===
 
* [http://support.microsoft.com/kb/q308549 Description of Windows XP System Information (Msinfo32.exe) Tool]
 
  
 
[[Category:Operating systems]]
 
[[Category:Operating systems]]
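
Review bot: several items in the added NTUSER Registry list run two or three key paths together with no separator, for example "NTUSER\Software\Microsoft\Office\14.0Software\Microsoft\Office\14.0" and "NTUSER\Software\ORL\VNCviewer\MRUSoftware\RealVNC\VNCViewer4\MRU"; give each "Software\..." path its own list item so that every entry is a single key an examiner can look up. The list also carries both "NTUSER\Software\SysInternals" and "NTUSER\Software\Sysinternals\RootkitRevealer"; registry key names are case-insensitive, so one spelling should be used for the parent key. The new "Known Registry keys of forensic interest" section gives key paths only, so a short line per hive saying what the keys record would make the list easier to use.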

Revision as of 08:20, 14 September 2013

New Features

File System

The file system on Windows 7 is primarily NTFS.

SSD

Per MS KB2727880, when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.

Further, this TechNet post states:

Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.

Jump Lists

Jump Lists are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).

Registry

The Windows Registry remains a central component of the Windows 7 operating system.

Known Registry keys of forensic interest

SAM Registry

  • SAM\SAM\Domains\Account\Users
  • SAM\SAM\Domains\Builtin\Aliases


Security Registry

  • Security\Policy\PolAcDmSPolicy\PolPrDmS
  • Security\Policy\PolAdtEv
  • Security\Policy\Secrets

NTUSER Registry

  • NTUSER\Control Panel\Desktop
  • NTUSER\Control Panel\don\
  • NTUSER\Environment
  • NTUSER\Network
  • NTUSER\Printers\Settings\Wizard\ConnectMRU
  • NTUSER\Software\Adobe\Acrobat Reader\Software\Adobe\Acrobat Reader\
  • NTUSER\Software\Ahead
  • NTUSER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
  • NTUSER\Software\Ares
  • NTUSER\Software\bindshell.net\Odysseus
  • NTUSER\Software\Blizzard Entertainment\Warcraft III\String
  • NTUSER\Software\Cain\Settings
  • NTUSER\Software\DECAFme
  • NTUSER\Software\Google\Google Toolbar\4.0\whitelist
  • NTUSER\Software\Google\NavClient\1.1\History
  • NTUSER\Software\JavaSoft\Java Update\Policy\JavaFX
  • NTUSER\Software\JavaSoft\Prefs\haven
  • NTUSER\Software\Microsoft
  • NTUSER\Software\Microsoft\Command Processor
  • NTUSER\Software\Microsoft\Dependency Walker\Recent File List
  • NTUSER\Software\Microsoft\IntelliPoint\AppSpecific
  • NTUSER\Software\Microsoft\Internet Explorer\Main
  • NTUSER\Software\Microsoft\Internet Explorer\MainSoftware\Microsoft\Windows\CurrentVersion\Explorer\AutoCompleteSoftware\Microsoft\Internet Account Manager\Accounts
  • NTUSER\Software\Microsoft\Internet Explorer\Settings
  • NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
  • NTUSER\Software\Microsoft\Internet Explorer\TypedURLsTime
  • NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
  • NTUSER\Software\Microsoft\Microsoft Management Console\Recent File List
  • NTUSER\Software\Microsoft\Multimedia\OtherSoftware\Microsoft\CTF\LangBarAddIn
  • NTUSER\Software\Microsoft\Office\14.0Software\Microsoft\Office\14.0
  • NTUSER\Software\Microsoft\Office\Software\Microsoft\Office\
  • NTUSER\Software\Microsoft\OfficeSoftware\Microsoft\Office\
  • NTUSER\Software\Microsoft\PIMSRV
  • NTUSER\Software\Microsoft\Search Assistant\ACMru
  • NTUSER\Software\Microsoft\Snapshot Viewer\Recent File List
  • NTUSER\Software\Microsoft\Terminal Server Client\DefaultSoftware\Microsoft\Terminal Server Client\Servers
  • NTUSER\Software\Microsoft\Terminal Server Client\Servers
  • NTUSER\Software\Microsoft\User Location Service\Client
  • NTUSER\Software\Microsoft\Windows Live Contacts\Database
  • NTUSER\Software\Microsoft\Windows Live Mail
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
  • NTUSER\Software\Microsoft\Windows\CurrentVersion
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\FileHistory
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet SettingsSoftware\Microsoft\Internet Explorer\Main\WindowsSearch
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\UnreadMail
  • NTUSER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
  • NTUSER\Software\Nico Mak Computing\WinZip
  • NTUSER\Software\ORL\VNCHooks\Application_Prefs
  • NTUSER\Software\ORL\VNCviewer\MRUSoftware\RealVNC\VNCViewer4\MRU
  • NTUSER\Software\Piriform\CCleaner
  • NTUSER\Software\Privoxy
  • NTUSER\Software\RealNetworks\RealPlayer\6.0\Preferences
  • NTUSER\Software\RealVNC\VNCViewer4\MRU
  • NTUSER\Software\SimonTatham\PuTTY\SshHostKeys
  • NTUSER\Software\Skype
  • NTUSER\Software\SmartLine Vision\aports
  • NTUSER\Software\SysInternals
  • NTUSER\Software\Sysinternals\RootkitRevealer
  • NTUSER\Software\VMware
  • NTUSER\Software\WinRAR\ArcHistory

See Also