Difference between pages "Windows 7" and "Windows Vista"

From ForensicsWiki
(Difference between pages)
 
(File System)
 
Line 1: Line 1:
 
== New Features ==
 
== New Features ==
* [[BitLocker Disk Encryption | BitLocker To Go]]
+
* [[BitLocker Disk Encryption | BitLocker]]
* [[Jump Lists]]
+
* [[Windows Desktop Search | Search]] integrated in operating system
* [[Sticky Notes]]
+
* [[ReadyBoost]]
 +
* [[SuperFetch]]
 +
* [[NTFS|Transactional NTFS (TxF)]]
 +
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
 +
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
 +
* $Recycle.Bin
 +
* [[Windows XML Event Log (EVTX)]]
 +
* [[User Account Control (UAC)]]
  
 
== File System ==  
 
== File System ==  
The file system on Windows 7 is primarily [[NTFS]].
+
The file system used by Windows Vista is primarily [[NTFS]].
  
== SSD ==
+
In Windows Vista, NTFS no longer tracks the Last Access time of a file by default. This feature can be enabled by the user if desired via setting the registry key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate' to '0'. Note that this feature has been around since as early as Windows 2000 [http://technet.microsoft.com/en-us/library/cc959914.aspx].
Per MS [http://support.microsoft.com/kb/2727880 KB2727880], when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.
+
 
+
Further, [http://technet.microsoft.com/en-us/magazine/ff356869.aspx this TechNet post] states:
+
<blockquote>
+
Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.
+
</blockquote>
+
 
+
== Jump Lists ==
+
[[Jump Lists]] are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).
+
  
 
== Registry ==  
 
== Registry ==  
The [[Windows_Registry|Windows Registry]] remains a central component of the Windows 7 operating system.
+
The [[Windows_Registry|Windows Registry]] remains a central component of the Windows Vista operating system.
 
+
=== Known Registry keys of forensic interest ===
+
 
+
====SAM Registry====
+
*SAM\SAM\Domains\Account\Users
+
*SAM\SAM\Domains\Builtin\Aliases
+
 
+
 
+
====Security Registry====
+
 
+
*Security\Policy\PolAcDmSPolicy\PolPrDmS
+
*Security\Policy\PolAdtEv
+
*Security\Policy\Secrets
+
 
+
====NTUSER Registry====
+
*NTUSER\Control Panel\Desktop
+
*NTUSER\Control Panel\don\
+
*NTUSER\Environment
+
*NTUSER\Network
+
*NTUSER\Printers\Settings\Wizard\ConnectMRU
+
*NTUSER\Software\Adobe\Acrobat Reader\Software\Adobe\Acrobat Reader\
+
*NTUSER\Software\Ahead
+
*NTUSER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
+
*NTUSER\Software\Ares
+
*NTUSER\Software\bindshell.net\Odysseus
+
*NTUSER\Software\Blizzard Entertainment\Warcraft III\String
+
*NTUSER\Software\Cain\Settings
+
*NTUSER\Software\DECAFme
+
*NTUSER\Software\Google\Google Toolbar\4.0\whitelist
+
*NTUSER\Software\Google\NavClient\1.1\History
+
*NTUSER\Software\JavaSoft\Java Update\Policy\JavaFX
+
*NTUSER\Software\JavaSoft\Prefs\haven
+
*NTUSER\Software\Microsoft
+
*NTUSER\Software\Microsoft\Command Processor
+
*NTUSER\Software\Microsoft\Dependency Walker\Recent File List
+
*NTUSER\Software\Microsoft\IntelliPoint\AppSpecific
+
*NTUSER\Software\Microsoft\Internet Explorer\Main
+
*NTUSER\Software\Microsoft\Internet Explorer\MainSoftware\Microsoft\Windows\CurrentVersion\Explorer\AutoCompleteSoftware\Microsoft\Internet Account Manager\Accounts
+
*NTUSER\Software\Microsoft\Internet Explorer\Settings
+
*NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
+
*NTUSER\Software\Microsoft\Internet Explorer\TypedURLsTime
+
*NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
+
*NTUSER\Software\Microsoft\Microsoft Management Console\Recent File List
+
*NTUSER\Software\Microsoft\Multimedia\OtherSoftware\Microsoft\CTF\LangBarAddIn
+
*NTUSER\Software\Microsoft\Office\14.0Software\Microsoft\Office\14.0
+
*NTUSER\Software\Microsoft\Office\Software\Microsoft\Office\
+
*NTUSER\Software\Microsoft\OfficeSoftware\Microsoft\Office\
+
*NTUSER\Software\Microsoft\PIMSRV
+
*NTUSER\Software\Microsoft\Search Assistant\ACMru
+
*NTUSER\Software\Microsoft\Snapshot Viewer\Recent File List
+
*NTUSER\Software\Microsoft\Terminal Server Client\DefaultSoftware\Microsoft\Terminal Server Client\Servers
+
*NTUSER\Software\Microsoft\Terminal Server Client\Servers
+
*NTUSER\Software\Microsoft\User Location Service\Client
+
*NTUSER\Software\Microsoft\Windows Live Contacts\Database
+
*NTUSER\Software\Microsoft\Windows Live Mail
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\FileHistory
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet SettingsSoftware\Microsoft\Internet Explorer\Main\WindowsSearch
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\UnreadMail
+
*NTUSER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
+
*NTUSER\Software\Nico Mak Computing\WinZip
+
*NTUSER\Software\ORL\VNCHooks\Application_Prefs
+
*NTUSER\Software\ORL\VNCviewer\MRUSoftware\RealVNC\VNCViewer4\MRU
+
*NTUSER\Software\Piriform\CCleaner
+
*NTUSER\Software\Privoxy
+
*NTUSER\Software\RealNetworks\RealPlayer\6.0\Preferences
+
*NTUSER\Software\RealVNC\VNCViewer4\MRU
+
*NTUSER\Software\SimonTatham\PuTTY\SshHostKeys
+
*NTUSER\Software\Skype
+
*NTUSER\Software\SmartLine Vision\aports
+
*NTUSER\Software\SysInternals
+
*NTUSER\Software\Sysinternals\RootkitRevealer
+
*NTUSER\Software\VMware
+
*NTUSER\Software\WinRAR\ArcHistory
+
  
 
== See Also ==
 
== See Also ==
 
* [[Windows]]
 
* [[Windows]]
* [[Windows Vista]]
+
* [[Windows 7]]
 
* [[Windows 8]]
 
* [[Windows 8]]
 +
 +
== External Links ==
  
 
[[Category:Operating systems]]
 
[[Category:Operating systems]]
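
Review bot: Several NTUSER bullets in the added registry list run two or more key paths together with no separator, for example "Internet Explorer\MainSoftware\Microsoft\Windows\CurrentVersion\Explorer\AutoCompleteSoftware\Microsoft\Internet Account Manager\Accounts", "Office\14.0Software\Microsoft\Office\14.0" and "VNCviewer\MRUSoftware\RealVNC\VNCViewer4\MRU"; split each into one key per bullet so every path can be looked up as written. The list also spells the same vendor key two ways ("SysInternals" and "Sysinternals\RootkitRevealer"), and the added "== External Links ==" heading has no entries under it. In the Last Access paragraph, NtfsDisableLastAccessUpdate is a value under the FileSystem key rather than a key itself, so "setting the registry value" would be more precise.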

Revision as of 09:31, 14 September 2013

New Features

File System

The file system used by Windows Vista is primarily NTFS.

In Windows Vista, NTFS no longer tracks the Last Access time of a file by default. The user can enable this feature if desired by setting the registry value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate' to '0'. Note that this feature has been around since as early as Windows 2000 [1].
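
The following is an added example, not part of the original wiki page: it reads this setting from a text export of an offline SYSTEM hive, where CurrentControlSet does not exist and the active set has to be resolved through Select\Current. The mount name OFFLINE_SYSTEM, the sample export and the function names are constructed for illustration.

```python
import re

# Constructed sample: regedit "Version 5.00" text export of a SYSTEM hive
# loaded under the hypothetical mount name OFFLINE_SYSTEM.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\OFFLINE_SYSTEM\Select]
"Current"=dword:00000002
"Default"=dword:00000002
"LastKnownGood"=dword:00000001

[HKEY_LOCAL_MACHINE\OFFLINE_SYSTEM\ControlSet001\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\OFFLINE_SYSTEM\ControlSet002\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:00000001
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_dwords(export_text):
    """Map lower-cased key path -> {lower-cased value name: int} (DWORDs only)."""
    keys, current = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def last_access_setting(export_text, root=r'HKEY_LOCAL_MACHINE\OFFLINE_SYSTEM'):
    """Return (active control set name, raw value or None if absent)."""
    keys = parse_dwords(export_text)
    root = root.lower()
    current = keys.get(root + '\\select', {}).get('current')
    if current is None:
        raise ValueError('Select\\Current not found; cannot resolve control set')
    cs = 'ControlSet%03d' % current
    fs = keys.get('%s\\%s\\control\\filesystem' % (root, cs.lower()), {})
    return cs, fs.get('ntfsdisablelastaccessupdate')

def describe(value):
    """Interpret the value as the page describes it: 0 turns tracking on."""
    if value is None:
        return 'value absent: setting not recorded in this control set'
    return 'last access updates enabled' if value == 0 else 'last access updates disabled'

if __name__ == '__main__':
    print(*last_access_setting(SAMPLE_EXPORT))
```

In the sample, ControlSet001 has tracking enabled but is not the active set, so reading the first matching key instead of resolving Select\Current would give the wrong answer for timeline work.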

Registry

The Windows Registry remains a central component of the Windows Vista operating system.

See Also

External Links