Difference between pages "Full Disk Encryption" and "Windows 7"

From ForensicsWiki
'''Full Disk Encryption''' or '''Whole Disk Encryption''' is a phrase that was coined by [[Seagate]] to describe their encrypting [[hard drive]]. Under such a system, the entire contents of a hard drive are encrypted. This is different from [[Full Volume Encryption]], where only certain partitions are encrypted.

Some examples of full disk encryption:

== Hardware Solutions ==

=== Embedded into internal HDD ===

; Hitachi ''Bulk Data Encryption'' ("BDE")
: http://www.hitachigst.com/tech/techlib.nsf/techdocs/74D8260832F2F75E862572D7004AE077/$file/bulk_encryption_white_paper.pdf
* FIPS 197 (Federal Information Processing Standard 197 certification issued by NIST)
* [http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html AES-128]

; Seagate ''Full Disk Encryption'' ("FDE")
: http://www.seagate.com/docs/pdf/marketing/PO-Momentus-FDE.pdf
: Seagate's encrypted drives are only available as OEM products. Seagate provides no software to utilize encrypted drive features (such as key management). There is a proprietary Windows-only API, but it is not available to the public.
* [http://www.seagate.com/ww/v/index.jsp?name=st9500422as-momentus-7200-fde-fips-140-2-sata-500gb-hd&vgnextoid=0be9f080d2c55210VgnVCM1000001a48090aRCRD&locale=en-US&pf=1 FIPS 140-2] (Federal Information Processing Standard 140-2 certification issued by NIST)

; Toshiba ''Self-Encrypting Drives'' ("SED")
* [http://sdd.toshiba.com/main.aspx?Path=ServicesSupport/Self-EncryptingDrives AES-256] (certification issued by NIST)

=== Supplemental Hardware / External Chassis ===

; Addonics product lines
: http://www.addonics.com/products/cipher/CPD256U.asp

; Apricorn product lines
: http://www.apricorn.com/products.php?cat_id=72

; DigiSafe
: http://www.digisafe.com/products/products_DiskCryptMobile.htm

; Eracom Technology DiskProtect
: http://www.eracom-tech.com/drive_encryption.0.html

; iStorage DiskCrypt Mobile
: http://www.istorage-uk.com/diskcryptmobile.php

; Network Appliance (Decru)
: http://www.netapp.com/ftp/decru-fileshredding.pdf
: http://www.netapp.com/us/products/storage-security-systems/
: http://www.forensicswiki.org/images/6/6f/Securing_Storage_White_Paper.pdf (Decru white paper)

== Software Solutions ==

; beCrypt
: http://www.becrypt.com/our_products/disk_protect.php

; [[BitArmor]] [[DataControl]]
: FDE tool that protects fixed and removable media.

; [[BitLocker]]
: Part of Windows Vista that uses [[AES]] 128 or 256 bit encryption.

; [[CGD]]
: Cryptographic Device Driver. Provides transparent full disk encryption for [[NetBSD]].
: Supports various [[ciphers]]: [[AES]] (128 bit blocksize; accepts 128, 192 or 256 bit keys), [[Blowfish]] (64 bit blocksize; accepts 128 bit keys) and [[3DES]] (64 bit blocksize; accepts 192 bit keys, of which only 168 bits are actually used for encryption).
: http://www.netbsd.org/docs/guide/en/chap-cgd.html

; [[Checkpoint Full Disk Encryption]]
: http://www.checkpoint.com/products/datasecurity/pc/

; [[dm-crypt]]
: Transparent [[file system]] and [[swap]] encryption for [[Linux]] using the Linux 2.6 device mapper. Supports various [[ciphers]] and [[Linux Unified Key Setup (LUKS)]].
: http://www.saout.de/misc/dm-crypt/
: http://clemens.endorphin.org/nmihde/nmihde-A4-ds.pdf

; [[FreeOTFE]]
: Transparent on-the-fly encryption for [[Windows|MS Windows]] and [[Microsoft Windows Mobile|Windows Mobile]] PDAs. Also supports mounting [[Linux]] [[dm-crypt]] and [[Linux Unified Key Setup (LUKS)|LUKS]] volumes.
: http://www.FreeOTFE.org/

; [[GBDE]]
: [[GEOM]] Based Disk Encryption. Provides transparent full disk and swap encryption for [[FreeBSD]]. Supported [[ciphers]]: [[AES]] (128 bit).
: Supports hidden volumes and Pre-Boot Authentication.
: Since data loss can occur on unexpected shutdowns, GELI is recommended instead of GBDE.
: http://www.freebsd.org/cgi/man.cgi?query=gbde&apropos=0&sektion=8&manpath=FreeBSD+6.2-RELEASE&format=html
: http://phk.freebsd.dk/pubs/bsdcon-03.gbde.paper.pdf

; [[GELI]]
: Cryptographic [[GEOM]] class. Provides transparent full disk encryption for [[FreeBSD]]. Supports various [[ciphers]]: [[AES]], [[Blowfish]] and [[3DES]].
: Supports hidden volumes and Pre-Boot Authentication.
: http://www.freebsd.org/cgi/man.cgi?query=geli&sektion=8

; Jetico BestCrypt
: http://www.jetico.com/

; [[loop-AES]]
: Transparent [[file system]] and [[swap]] encryption for [[Linux]] using the loopback device and [[AES]].
: http://sourceforge.net/projects/loop-aes/

; [[PGPDisk]]
: Pretty Good Privacy Whole Disk Encryption provides transparent whole disk encryption with Pre-Boot Authentication for [[Windows]]. Also supports [[MacOS]] X 10.4 (non-boot disks only).
: Can use OpenPGP RFC 2440 keys and X.509 keys for authentication.
: Supports USB tokens for authentication.
: Supported [[ciphers]]: [[AES]] (256 bit keys).
: http://www.pgp.com/products/wholediskencryption/

; [[SafeGuard Easy]]
: Certified according to [[Common Criteria]] EAL3 and FIPS 140-2.
: Encryption algorithms supported: [[AES]] (128 and 256 bit) and [[IDEA]] (128 bit).
: Provides complete [[hard drive]] encryption including the boot disk.
: http://www.utimaco.us/products

; [[SECUDE]]
: [[SECUDE]] provides a software and hardware solution for full disk encryption.
: http://www.secude.com

; Securstar DriveCrypt
: http://www.securstar.com/products_drivecryptpp.php

; [[TrueCrypt]]
: Transparent full disk encryption for [[Linux]] and [[Windows]]. Supports [[AES]] (256 bit), [[Serpent]] and [[Twofish]].
: Supports hidden volumes within TrueCrypt volumes (plausible deniability).
: http://www.truecrypt.org/

; [[DiskCryptor]]
: Free solution provided under the GNU General Public License.
: http://diskcryptor.net/index.php/DiskCryptor_en

; [[vnconfig]]
: The -K option of [[OpenBSD]] vnconfig(8) associates an encryption key with the svnd device. Supports saltfiles. Supported [[ciphers]]: [[Blowfish]].
: http://www.openbsd.org/cgi-bin/man.cgi?query=vnconfig&sektion=8

== External Links ==
[http://www.thinkwiki.org/wiki/Full_Disk_Encryption_(FDE) Wiki page for FDE on Thinkpads]

[[Category:Encryption]]
[[Category:Anti-Forensics]]
[[Category:Disk encryption]]

Windows 7 (revision as of 15:35, 12 September 2013)

File Structure

File systems are covered separately.

SSD

Per MS KB2727880 (http://support.microsoft.com/kb/2727880), when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.

Further, this TechNet post (http://technet.microsoft.com/en-us/magazine/ff356869.aspx) states: "Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive."

Jump Lists

Jump Lists are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).

Registry

The Windows Registry remains a central component of the Windows 7 operating system.

Known Registry keys of forensic interest

SAM Registry

  • SAM\SAM\Domains\Account\Users
  • SAM\SAM\Domains\Builtin\Aliases

Security Registry

  • Security\Policy\PolAcDmS
  • Security\Policy\PolPrDmS
  • Security\Policy\PolAdtEv
  • Security\Policy\Secrets

NTUSER Registry

  • NTUSER\Control Panel\Desktop
  • NTUSER\Control Panel\don\
  • NTUSER\Environment
  • NTUSER\Network
  • NTUSER\Printers\Settings\Wizard\ConnectMRU
  • NTUSER\Software
  • NTUSER\Software\Adobe\Acrobat Reader
  • NTUSER\Software\Ahead
  • NTUSER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
  • NTUSER\Software\Ares
  • NTUSER\Software\bindshell.net\Odysseus
  • NTUSER\Software\Blizzard Entertainment\Warcraft III\String
  • NTUSER\Software\Cain\Settings
  • NTUSER\Software\DECAFme
  • NTUSER\Software\Google\Google Toolbar\4.0\whitelist
  • NTUSER\Software\Google\NavClient\1.1\History
  • NTUSER\Software\JavaSoft\Java Update\Policy\JavaFX
  • NTUSER\Software\JavaSoft\Prefs\haven
  • NTUSER\Software\Microsoft
  • NTUSER\Software\Microsoft\Command Processor
  • NTUSER\Software\Microsoft\Dependency Walker\Recent File List
  • NTUSER\Software\Microsoft\IntelliPoint\AppSpecific
  • NTUSER\Software\Microsoft\Internet Explorer\Main
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • NTUSER\Software\Microsoft\Internet Account Manager\Accounts
  • NTUSER\Software\Microsoft\Internet Explorer\Settings
  • NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
  • NTUSER\Software\Microsoft\Internet Explorer\TypedURLsTime
  • NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
  • NTUSER\Software\Microsoft\Microsoft Management Console\Recent File List
  • NTUSER\Software\Microsoft\Multimedia\Other
  • NTUSER\Software\Microsoft\CTF\LangBarAddIn
  • NTUSER\Software\Microsoft\Office\14.0
  • NTUSER\Software\Microsoft\Office
  • NTUSER\Software\Microsoft\PIMSRV
  • NTUSER\Software\Microsoft\Search Assistant\ACMru
  • NTUSER\Software\Microsoft\Snapshot Viewer\Recent File List
  • NTUSER\Software\Microsoft\Terminal Server Client\Default
  • NTUSER\Software\Microsoft\Terminal Server Client\Servers
  • NTUSER\Software\Microsoft\User Location Service\Client
  • NTUSER\Software\Microsoft\Windows Live Contacts\Database
  • NTUSER\Software\Microsoft\Windows Live Mail
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
  • NTUSER\Software\Microsoft\Windows\CurrentVersion
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\FileHistory
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • NTUSER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\UnreadMail
  • NTUSER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
  • NTUSER\Software\Nico Mak Computing\WinZip
  • NTUSER\Software\ORL\VNCHooks\Application_Prefs
  • NTUSER\Software\ORL\VNCviewer\MRU
  • NTUSER\Software\RealVNC\VNCViewer4\MRU
  • NTUSER\Software\Piriform\CCleaner
  • NTUSER\Software\Privoxy
  • NTUSER\Software\RealNetworks\RealPlayer\6.0\Preferences
  • NTUSER\Software\SimonTatham\PuTTY\SshHostKeys
  • NTUSER\Software\Skype
  • NTUSER\Software\SmartLine Vision\aports
  • NTUSER\Software\SysInternals
  • NTUSER\Software\Sysinternals\RootkitRevealer
  • NTUSER\Software\VMware
  • NTUSER\Software\WinRAR\ArcHistory