Difference between revisions of "Windows Registry"

From Forensics Wiki
Jump to: navigation, search
m (Replaced defunct link, which points to a link-farm, with link to RegRipper's author's blog that explains the utility's use. ~~~~)
(Open Source)
Line 25: Line 25:
 
* [http://search.cpan.org/~jmacfarla/Parse-Win32Registry-0.51/lib/Parse/Win32Registry.pm Parse::Win32Registry] Perl module.
 
* [http://search.cpan.org/~jmacfarla/Parse-Win32Registry-0.51/lib/Parse/Win32Registry.pm Parse::Win32Registry] Perl module.
 
* [http://www.williballenthin.com/registry/index.html python-registry] Python module.
 
* [http://www.williballenthin.com/registry/index.html python-registry] Python module.
 +
* [http://code.google.com/p/registrydecoder/ Registry Decoder] offline analysis component, by Andrew Case
 +
* [http://code.google.com/p/registrydecoder/ RegDecoderLive] live hive acquisition component, by Andrew Case
  
 
===Freeware===
 
===Freeware===

Revision as of 06:25, 11 September 2011

Contents

File Locations

The Windows Registry is stored in multiple files.

Windows NT 4

In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format.

Basically the following Registry hives are stored in the corresponding files:

  • HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
  • HKEY_USERS/DEFAULT: \Windows\system32\config\default
  • HKEY_LOCAL_MACHINE/SAM: \Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE/SECURITY: \Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE/SOFTWARE: \Windows\system32\config\software
  • HKEY_LOCAL_MACHINE/SYSTEM: \Windows\system32\config\system

Windows 98/ME

  • \Windows\user.dat
  • \Windows\system.dat
  • \Windows\profiles\user profile\user.dat

Tools

Open Source

Freeware

Commercial

Bibliography

See Also