Windows Registry

From Forensics Wiki

Revision as of 02:51, 25 June 2012

File Locations

The Windows Registry is stored in multiple files.

Windows NT 4

In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format.

The following Registry hives are stored in the corresponding files:

  • HKEY_USERS: \Documents and Settings\User Profile\NTUSER.DAT
  • HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
  • HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
  • HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system

Windows 98/ME

  • \Windows\user.dat
  • \Windows\system.dat
  • \Windows\profiles\user profile\user.dat

Keys

Run/RunOnce

System-wide:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Per user:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Special cases

The Windows Registry has several special cases, mainly concerning key and value names, that most tools fail to account for:

  • special characters in key and value names
  • duplicate key and value names
  • names stored as extended ASCII (ANSI strings) use a code page that depends on the system settings

special characters in key and value names

Both key and value names are case insensitive. The \ character is used as the key separator. Note that the \ character can also appear in value names. The / character is used in both key and value names. Some examples are:

Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\
Value: Size/Small/Medium/Large

Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\
Value: \Device\Video0

Key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\
Value: SchemaFile
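The following is an added example, not code from the Forensics Wiki page or from any of the tools it lists. It models a registry subtree in memory so that the naming rules above can be exercised directly: key and value names compare case-insensitively, only \ separates key components even though \ may occur inside a value name, and / is an ordinary character. The same model is then used to enumerate the Run/RunOnce keys from the Keys section across HKEY_LOCAL_MACHINE and a per-user root, which is the usual persistence triage step. Every key, value and data item built here is constructed sample data, and flag_unusual_paths() applies a triage heuristic assumed for this example (executables outside the Windows and Program Files directories get a second look), not a rule stated on the page.

```python
# Added example (not from the Forensics Wiki page): in-memory registry model
# honouring the naming special cases, plus Run/RunOnce enumeration over it.
# All names and data below are constructed sample values.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RegKey:
    """One registry key; subkeys and values are indexed by lowercased name."""
    name: str
    subkeys: Dict[str, "RegKey"] = field(default_factory=dict)
    values: Dict[str, Tuple[str, object]] = field(default_factory=dict)

    def add_subkey(self, name: str) -> "RegKey":
        key = self.subkeys.get(name.lower())
        if key is None:
            key = self.subkeys[name.lower()] = RegKey(name)
        return key

    def set_value(self, name: str, data: object) -> None:
        self.values[name.lower()] = (name, data)  # keep the original spelling

    def get_value(self, name: str) -> Optional[object]:
        entry = self.values.get(name.lower())
        return None if entry is None else entry[1]


def open_key(root: RegKey, path: str) -> Optional[RegKey]:
    """Walk a key path case-insensitively. Only '\\' separates components, '/'
    is ordinary text, and a trailing '\\' (as in the wiki examples) is
    tolerated. An empty component (a doubled '\\') is not a key and fails."""
    key: Optional[RegKey] = root
    for part in path.strip("\\").split("\\"):
        key = key.subkeys.get(part.lower())
        if key is None:
            return None
    return key


def read_value(root: RegKey, key_path: str, value_name: str) -> Optional[object]:
    """Correct lookup: key path and value name are separate fields, so a value
    name such as '\\Device\\Video0' is never mistaken for key components."""
    key = open_key(root, key_path)
    return None if key is None else key.get_value(value_name)


def naive_split(full_path: str) -> Tuple[str, str]:
    """The shortcut many tools take: whatever follows the last '\\' is the
    value name. It silently returns the wrong name when the name contains '\\'."""
    key_path, _, value_name = full_path.rpartition("\\")
    return key_path, value_name


def make_key(root: RegKey, path: str) -> RegKey:
    """Create (or reuse) every key along a '\\'-separated path."""
    key = root
    for part in path.strip("\\").split("\\"):
        key = key.add_subkey(part)
    return key


AUTOSTART_KEYS = (
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
)
# Locations treated as expected by the heuristic below (example assumption).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def enumerate_autostarts(hives: Dict[str, RegKey]) -> List[Tuple[str, str, str, str]]:
    """Return (hive, key path, value name, command) for every Run/RunOnce entry
    in the given roots (HKEY_LOCAL_MACHINE plus one root per user hive)."""
    found = []
    for hive_name, root in hives.items():
        for key_path in AUTOSTART_KEYS:
            key = open_key(root, key_path)
            if key is None:
                continue
            for original_name, data in key.values.values():
                found.append((hive_name, key_path, original_name, str(data)))
    return found


def flag_unusual_paths(entries):
    """Triage heuristic: autostart commands whose executable is not under the
    Windows or Program Files directories merit closer inspection."""
    return [e for e in entries if not e[3].strip('"').lower().startswith(TRUSTED_PREFIXES)]


def build_sample_hives() -> Dict[str, RegKey]:
    """Constructed roots reproducing the page's naming examples plus sample
    autostart entries (all data constructed for this example)."""
    hklm = RegKey("HKEY_LOCAL_MACHINE")
    make_key(hklm, "SYSTEM\\ControlSet002\\Services\\NetBT\\Parameters").set_value(
        "Size/Small/Medium/Large", 1)                    # '/' inside a value name
    make_key(hklm, "SYSTEM\\ControlSet001\\Control\\Terminal Server\\VIDEO\\disc").set_value(
        "\\Device\\Video0", "constructed-data")          # '\' inside a value name
    make_key(hklm, "SYSTEM\\ControlSet002\\Services\\xmlprov\\Parameters\\SchemaGroups\\User"
             "\\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1").set_value(
        "SchemaFile", "constructed.xml")                 # '/' inside a key name
    run = make_key(hklm, AUTOSTART_KEYS[0])
    run.set_value("TrayHelper", "C:\\Windows\\system32\\vendor_tray.exe")  # constructed
    run.set_value("Updater", "C:\\Users\\Public\\svc_update.exe")          # constructed
    user = RegKey("HKEY_USERS\\S-1-5-21-0-0-0-1001")     # constructed SID
    make_key(user, AUTOSTART_KEYS[0]).set_value(
        "VendorSync", "\"C:\\Program Files (x86)\\Vendor\\sync.exe\" /background")
    make_key(user, AUTOSTART_KEYS[1]).set_value(
        "Setup", "\"C:\\Program Files\\Vendor\\firstrun.exe\" /quiet")
    return {"HKEY_LOCAL_MACHINE": hklm, user.name: user}


if __name__ == "__main__":
    for entry in flag_unusual_paths(enumerate_autostarts(build_sample_hives())):
        print("review:", entry)
```

Running the block prints the one constructed entry whose executable sits under C:\Users\Public. The contrast worth noting is naive_split(): joined onto the "\Device\Video0" example it reports "Video0" as the value name and the lookup then fails, which is exactly the failure the page attributes to tools that treat the last \ as the key/value boundary.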

Tools

Open Source

  • Forensic Registry EDitor (fred) - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by Gillen Dan
  • libregfi - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
  • reglookup - "small command line utility for reading and querying Windows NT-based registries."
  • regviewer - a tool for looking at the registry.
  • RegRipper - "the fastest, easiest, and best tool for registry analysis in forensics examinations."
  • Parse::Win32Registry - Perl module.
  • python-registry - Python module.
  • Registry Decoder - offline analysis component, by Andrew Case
  • RegDecoderLive - live hive acquisition component, by Andrew Case
  • libregf - Library and tools to access the Windows NT Registry File (REGF) format

Freeware

  • cafae - Computer Account Forensic Artifact Extractor. Free tool that can be run on Windows, Linux or Mac OS X to parse ntuser.dat hives.

Commercial

Bibliography

See Also