Difference between revisions of "Windows Registry"

Revision as of 18:52, 4 April 2012

File Locations

The Windows Registry is stored in multiple files.

Windows NT 4

In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format.

Basically the following Registry hives are stored in the corresponding files:

• HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
• HKEY_USERS/DEFAULT: \Windows\system32\config\default
• HKEY_LOCAL_MACHINE/SAM: \Windows\system32\config\SAM
• HKEY_LOCAL_MACHINE/SECURITY: \Windows\system32\config\SECURITY
• HKEY_LOCAL_MACHINE/SOFTWARE: \Windows\system32\config\software
• HKEY_LOCAL_MACHINE/SYSTEM: \Windows\system32\config\system

Windows 98/ME

• \Windows\user.dat
• \Windows\system.dat
• \Windows\profiles\user profile\user.dat

Tools

Open Source

• Forensic Registry EDitor (fred) - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by Gillen Dan
• reglookup — "small command line utility for reading and querying Windows NT-based registries."
• regviewer — a tool for looking at the registry.
• RegRipper — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
• Parse::Win32Registry Perl module.
• python-registry Python module.
• Registry Decoder offline analysis component, by Andrew Case
• RegDecoderLive live hive acquisition component, by Andrew Case

Freeware

• Yet Another Registry Utility (yaru) Free tool that can be run on Windows, Linux or Mac OS-X. If run in admin mode, allows viewing of registry hives on live system.

• Windows ShellBag Parser Free tool that can be run on Windows, Linux or Mac OS-X.

Commercial

• Abexo Free Regisry Cleaner
• Auslogics Registry Defrag
• Alien Registry Viewer
• NT Registry Optimizer
• iExpert Software-Free Registry Defrag
• Registry Undelete (russian)
• Windows Registry Recovery
• Registry Tool

Bibliography

• Using ShellBag Information to Reconstruct User Activities., Yuandong Zhu*, Pavel Gladyshev, Joshua James, DFRWS 2009
• Recovering Deleted Data From the Windows Registry. Timothy Morgan, DFRWS 2008 [paper] [slides]
• Registry Examination, by Paul Davies

• Forensic Analysis of the Windows Registry in Memory, Brendan Dolan-Gavitt, DFRWS 2008 [slides]
• Forensic Analysis of the Windows Registry, Peter Davies, Computer Forensics: Coursework 2 (student paper)
• A Windows Registry Quick-Reference, Derrick Farmer, Burlington, VT.

• The Windows Registry as a forensic resource, Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205.

• Forensic Analysis of the Windows Registry, Lih Wern Wong , School of Computer and Information Science, Edith Cowan University

• The Windows NT Registry File Format, Timothy D. Morgan

See Also

• Windows Incident Response Articles on Registry
• Windows Registry Information
• Wikipedia Article on Windows Registry
• Push the Red Button — Articles on Registry
• Windows Forensics Mailing List
• kregedit - a KDE utility for viewing and editing registry files.
• ntreg a file system driver for linux, which understands the NT registry file format.
• Security Accounts Manager

• http://www.opensourceforensics.org/tools/unix.html - Open Source Forensic Tools on Brian Carrier's website.