
Difference between revisions of "Windows 7"

From ForensicsWiki
(Known Registry keys of forensic interest)
(NTUSER Registry)
(One intermediate revision by the same user not shown)

Revision as of 19:39, 12 September 2013


File Structure

File systems are covered separately.

SSD

Per Microsoft KB2727880, when Windows 7 is installed on a system with an SSD, automatic defragmentation and SuperFetch/prefetching are disabled.

Further, this TechNet post states: "Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive."

Jump Lists

Jump Lists are Task Bar artifacts first introduced in Windows 7 (and also available on Windows 8).

Registry

The Windows Registry remains a central component of the Windows 7 operating system.

Known Registry keys of forensic interest

SAM Registry

  • SAM\SAM\Domains\Account\Users
  • SAM\Domains\Builtin\Aliases

Security Registry

  • Security\Policy\PolAcDmSPolicy\PolPrDmS
  • Security\Policy\PolAdtEv
  • Security\Policy\Secrets

NTUSER Registry

  • NTUSER\Control Panel\Desktop
  • NTUSER\Control Panel\don\
  • NTUSER\Environment
  • NTUSER\Network
  • NTUSER\Printers\Settings\Wizard\ConnectMRU
  • NTUSER\Software\Adobe\Acrobat Reader
  • NTUSER\Software\Ahead
  • NTUSER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
  • NTUSER\Software\Ares
  • NTUSER\Software\bindshell.net\Odysseus
  • NTUSER\Software\Blizzard Entertainment\Warcraft III\String
  • NTUSER\Software\Cain\Settings
  • NTUSER\Software\DECAFme
  • NTUSER\Software\Google\Google Toolbar\4.0\whitelist
  • NTUSER\Software\Google\NavClient\1.1\History
  • NTUSER\Software\JavaSoft\Java Update\Policy\JavaFX
  • NTUSER\Software\JavaSoft\Prefs\haven
  • NTUSER\Software\Microsoft
  • NTUSER\Software\Microsoft\Command Processor
  • NTUSER\Software\Microsoft\CTF\LangBarAddIn
  • NTUSER\Software\Microsoft\Dependency Walker\Recent File List
  • NTUSER\Software\Microsoft\IntelliPoint\AppSpecific
  • NTUSER\Software\Microsoft\Internet Account Manager\Accounts
  • NTUSER\Software\Microsoft\Internet Explorer\Main
  • NTUSER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
  • NTUSER\Software\Microsoft\Internet Explorer\Settings
  • NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
  • NTUSER\Software\Microsoft\Internet Explorer\TypedURLsTime
  • NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
  • NTUSER\Software\Microsoft\Microsoft Management Console\Recent File List
  • NTUSER\Software\Microsoft\Multimedia\Other
  • NTUSER\Software\Microsoft\Office
  • NTUSER\Software\Microsoft\Office\14.0
  • NTUSER\Software\Microsoft\PIMSRV
  • NTUSER\Software\Microsoft\Search Assistant\ACMru
  • NTUSER\Software\Microsoft\Snapshot Viewer\Recent File List
  • NTUSER\Software\Microsoft\Terminal Server Client\Default
  • NTUSER\Software\Microsoft\Terminal Server Client\Servers
  • NTUSER\Software\Microsoft\User Location Service\Client
  • NTUSER\Software\Microsoft\Windows Live Contacts\Database
  • NTUSER\Software\Microsoft\Windows Live Mail
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
  • NTUSER\Software\Microsoft\Windows\CurrentVersion
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\FileHistory
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\UnreadMail
  • NTUSER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
  • NTUSER\Software\Nico Mak Computing\WinZip
  • NTUSER\Software\ORL\VNCHooks\Application_Prefs
  • NTUSER\Software\ORL\VNCviewer\MRU
  • NTUSER\Software\Piriform\CCleaner
  • NTUSER\Software\Privoxy
  • NTUSER\Software\RealNetworks\RealPlayer\6.0\Preferences
  • NTUSER\Software\RealVNC\VNCViewer4\MRU
  • NTUSER\Software\SimonTatham\PuTTY\SshHostKeys
  • NTUSER\Software\Skype
  • NTUSER\Software\SmartLine Vision\aports
  • NTUSER\Software\SysInternals
  • NTUSER\Software\Sysinternals\RootkitRevealer
  • NTUSER\Software\VMware
  • NTUSER\Software\WinRAR\ArcHistory
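As an added example (this is not ForensicsWiki code), the Python below shows how an examiner typically works with a few of the NTUSER keys listed above from an offline NTUSER.DAT: it checks which keys of interest exist and records their last-write times, using the third-party python-registry module (assumed to be installed; the decoders run without it), and it decodes the two value formats behind the UserAssist and RecentDocs keys. The value layouts it decodes are the example's own working assumptions about those formats, not something the page states: UserAssist value names are ROT13-encoded and the Windows 7 record is 72 bytes with the run count at offset 4, the focus count at 8, the focus time in milliseconds at 12 and a FILETIME of the last execution at offset 60; MRUListEx is a list of little-endian DWORD indexes, most recent first, terminated by 0xFFFFFFFF. All sample bytes are constructed.

```python
"""Reading NTUSER.DAT keys of forensic interest (added example, not ForensicsWiki code).

Assumed value layouts (the example's working assumptions, not from the page):
  * UserAssist\{GUID}\Count: ROT13 value names; on Windows 7 the data is 72
    bytes with run count at offset 4, focus count at 8, focus time (ms) at 12
    and a FILETIME of the last execution at offset 60.
  * MRUListEx (RecentDocs and similar keys): little-endian DWORD indexes,
    most recent first, terminated by 0xFFFFFFFF; each numbered value starts
    with a NUL-terminated UTF-16LE name.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

try:  # python-registry (pip install python-registry); only needed for real hives
    from Registry import Registry
except ImportError:  # the decoders below still work without it
    Registry = None

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# A few of the keys from the list above, relative to the NTUSER.DAT root.
NTUSER_KEYS = [
    r"Software\Microsoft\Internet Explorer\TypedURLs",
    r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs",
    r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",
    r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist",
    r"Software\SimonTatham\PuTTY\SshHostKeys",
]


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; integer division keeps it exact."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_userassist_name(name):
    """UserAssist value names are ROT13 (e.g. 'HRZR_EHACNGU' -> 'UEME_RUNPATH')."""
    return codecs.decode(name, "rot13")


def parse_userassist_value(data):
    """Decode a Windows 7 style UserAssist Count value (72 bytes)."""
    if len(data) < 68:
        raise ValueError("value too short for the Windows 7 UserAssist layout")
    session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        # A zero FILETIME means "never recorded", not 1601-01-01.
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def parse_mrulistex(data):
    """Return the MRU order (most recent first) from an MRUListEx blob."""
    order = []
    for (index,) in struct.iter_unpack("<I", data[: len(data) - len(data) % 4]):
        if index == 0xFFFFFFFF:
            break
        order.append(index)
    return order


def utf16_name(data):
    """Read the leading NUL-terminated UTF-16LE string of a RecentDocs value."""
    end = 0
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[:end].decode("utf-16-le")


def order_recentdocs(values):
    """values: {'MRUListEx': bytes, '0': bytes, ...} -> names, most recent first."""
    return [utf16_name(values[str(i)]) for i in parse_mrulistex(values["MRUListEx"])]


def report_keys(hive_path, key_paths=NTUSER_KEYS):
    """Map each key of interest to its last-write time, or None if absent."""
    if Registry is None:
        raise RuntimeError("python-registry is required to parse a hive file")
    reg = Registry.Registry(hive_path)
    result = {}
    for path in key_paths:
        try:
            result[path] = reg.open(path).timestamp()
        except Registry.RegistryKeyNotFoundException:
            result[path] = None
    return result


# Constructed sample data standing in for values read from a hive.
SAMPLE_LAST_RUN = datetime(2013, 9, 12, 19, 39, tzinfo=timezone.utc)
SAMPLE_USERASSIST_NAME = "HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pnyp.rkr"
SAMPLE_USERASSIST_DATA = (
    struct.pack("<IIII", 0, 5, 3, 120000) + b"\x00" * 44
    + struct.pack("<Q", datetime_to_filetime(SAMPLE_LAST_RUN)) + b"\x00" * 4
)
SAMPLE_RECENTDOCS = {
    "MRUListEx": struct.pack("<IIII", 2, 0, 1, 0xFFFFFFFF),
    "0": "budget.xlsx".encode("utf-16-le") + b"\x00\x00" + b"\x14\x00",
    "1": "notes.txt".encode("utf-16-le") + b"\x00\x00",
    "2": "report.docx".encode("utf-16-le") + b"\x00\x00",
}

if __name__ == "__main__":
    print(decode_userassist_name(SAMPLE_USERASSIST_NAME), parse_userassist_value(SAMPLE_USERASSIST_DATA))
    print(order_recentdocs(SAMPLE_RECENTDOCS))
```

On a real image, `report_keys("NTUSER.DAT")` gives a quick triage of which listed keys a profile actually contains and when each was last written; the last-write time is only a lower bound on activity, since it records the most recent change to the key as a whole, not to any one value. The zero-FILETIME check in `parse_userassist_value` matters in practice: entries that were never executed carry an all-zero timestamp and should not be reported as 1601-01-01.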