Difference between revisions of "Windows Registry"
From Forensics Wiki
Joachim Metz (Talk | contribs) (→Open Source) |
Joachim Metz (Talk | contribs) |
||
| (One intermediate revision by one user not shown) | |||
| Line 7: | Line 7: | ||
Basically the following Registry hives are stored in the corresponding files: | Basically the following Registry hives are stored in the corresponding files: | ||
* HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT | * HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT | ||
| − | * HKEY_USERS | + | * HKEY_USERS\DEFAULT: C:\Windows\system32\config\default |
| − | * HKEY_LOCAL_MACHINE | + | * HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM |
| − | * HKEY_LOCAL_MACHINE | + | * HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY |
| − | * HKEY_LOCAL_MACHINE | + | * HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software |
| − | * HKEY_LOCAL_MACHINE | + | * HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system |
===Windows 98/ME=== | ===Windows 98/ME=== | ||
| Line 17: | Line 17: | ||
* \Windows\system.dat | * \Windows\system.dat | ||
* \Windows\profiles\user profile\user.dat | * \Windows\profiles\user profile\user.dat | ||
| + | |||
| + | == Keys == | ||
| + | |||
| + | === Run/RunOnce === | ||
| + | System-wide: | ||
| + | <pre> | ||
| + | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | ||
| + | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | ||
| + | </pre> | ||
| + | |||
| + | Per user: | ||
| + | <pre> | ||
| + | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | ||
| + | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | ||
| + | </pre> | ||
| + | |||
| + | == Special cases == | ||
| + | The Windows Registry has several special case scenarios, mainly concerning key and value name, that most tools fail to account for: | ||
| + | * special characters key and value names | ||
| + | * duplicate key and value names | ||
| + | * the names when stored in extended ASCII (ANSI string) use a codepage that is dependent on the system settings | ||
| + | |||
| + | === special characters key and value names === | ||
| + | Both key and values names are case insensitive. The \ character is used as the key separator. Note | ||
| + | that the \ character can be used in value names. The / character is used in both key and value names. | ||
| + | Some examples of which are: | ||
| + | <pre> | ||
| + | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\ | ||
| + | Value: Size/Small/Medium/Large | ||
| + | </pre> | ||
| + | |||
| + | <pre> | ||
| + | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\ | ||
| + | Value: \Device\Video0 | ||
| + | </pre> | ||
| + | |||
| + | <pre> | ||
| + | Key: | ||
| + | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\ | ||
| + | Value: SchemaFile | ||
| + | </pre> | ||
==Tools== | ==Tools== | ||
Revision as of 02:51, 25 June 2012
Contents |
File Locations
The Windows Registry is stored in multiple files.
Windows NT 4
In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format.
Basically the following Registry hives are stored in the corresponding files:
- HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
- HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
- HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
- HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
- HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
- HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system
Windows 98/ME
- \Windows\user.dat
- \Windows\system.dat
- \Windows\profiles\user profile\user.dat
Keys
Run/RunOnce
System-wide:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Per user:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Special cases
The Windows Registry has several special case scenarios, mainly concerning key and value name, that most tools fail to account for:
- special characters key and value names
- duplicate key and value names
- the names when stored in extended ASCII (ANSI string) use a codepage that is dependent on the system settings
special characters key and value names
Both key and values names are case insensitive. The \ character is used as the key separator. Note that the \ character can be used in value names. The / character is used in both key and value names. Some examples of which are:
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\ Value: Size/Small/Medium/Large
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\ Value: \Device\Video0
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\ Value: SchemaFile
Tools
Open Source
- Forensic Registry EDitor (fred) - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by Gillen Dan
- libregfi - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
- reglookup — "small command line utility for reading and querying Windows NT-based registries."
- regviewer — a tool for looking at the registry.
- RegRipper — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
- Parse::Win32Registry Perl module.
- python-registry Python module.
- Registry Decoder offline analysis component, by Andrew Case
- RegDecoderLive live hive acquisition component, by Andrew Case
- libregf - Library and tools to access the Windows NT Registry File (REGF) format
Freeware
- Yet Another Registry Utility (yaru) Free tool that can be run on Windows, Linux or Mac OS-X. If run in admin mode, allows viewing of registry hives on live system.
- Windows ShellBag Parser Free tool that can be run on Windows, Linux or Mac OS-X.
- cafae - Computer Account Forensic Artifact Extractor. Free tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives.
Commercial
- Abexo Free Regisry Cleaner
- Auslogics Registry Defrag
- Alien Registry Viewer
- NT Registry Optimizer
- iExpert Software-Free Registry Defrag
- Registry Undelete (russian)
- Windows Registry Recovery
- Registry Tool
Bibliography
- Using ShellBag Information to Reconstruct User Activities., Yuandong Zhu*, Pavel Gladyshev, Joshua James, DFRWS 2009
- Recovering Deleted Data From the Windows Registry. Timothy Morgan, DFRWS 2008 [paper] [slides]
- Registry Examination, by Paul Davies
- Forensic Analysis of the Windows Registry in Memory, Brendan Dolan-Gavitt, DFRWS 2008 [slides]
- Forensic Analysis of the Windows Registry, Peter Davies, Computer Forensics: Coursework 2 (student paper)
- A Windows Registry Quick-Reference, Derrick Farmer, Burlington, VT.
- The Windows Registry as a forensic resource, Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205.
- Forensic Analysis of the Windows Registry, Lih Wern Wong , School of Computer and Information Science, Edith Cowan University
- The Windows NT Registry File Format, Timothy D. Morgan
See Also
- Windows Incident Response Articles on Registry
- Windows Registry Information
- Wikipedia Article on Windows Registry
- Push the Red Button — Articles on Registry
- Windows Forensics Mailing List
- kregedit - a KDE utility for viewing and editing registry files.
- ntreg a file system driver for linux, which understands the NT registry file format.
- Security Accounts Manager
- http://www.opensourceforensics.org/tools/unix.html - Open Source Forensic Tools on Brian Carrier's website.
