Difference between pages "Memory analysis" and "Windows 7"

From ForensicsWiki

= Memory analysis =

'''Memory Analysis''' is the science of using a [[Memory Imaging|memory image]] to determine information about running programs, the [[operating system]], and the overall state of a computer. Because the analysis is highly dependent on the operating system, it has been divided into the following pages:

* [[Windows Memory Analysis]]
* [[Linux Memory Analysis]]

== OS-Independent Analysis ==

At the IEEE Security and Privacy conference in May 2011, Brendan Dolan-Gavitt presented a novel system, [http://www.cc.gatech.edu/~brendan/Virtuoso_Oakland.pdf Virtuoso], that was able to perform operating-system independent memory analysis. Using virtual machine introspection accompanied by a number of formal program analysis techniques, his system was able to monitor the machine-level instructions and behavior of application actions (listing processes, network connections, etc.) and then automatically generate Volatility plugins that replicated this analysis.

== Encryption Keys ==

Various types of encryption keys can be extracted during memory analysis.

* [[AESKeyFinder]] extracts 128-bit and 256-bit [[AES]] keys, and [[RSAKeyFinder]] extracts private and public [[RSA]] keys, from a memory dump [http://citp.princeton.edu/memory/code/].
* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan.py], which is a [[List of Volatility Plugins|plugin for the Volatility framework]], scans a memory image for [[TrueCrypt]] passphrases.
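The key-schedule search that AESKeyFinder performs fits in a few dozen lines. The following is an added example written for this page, not the Princeton tool's code: it implements the FIPS-197 key expansion, scans a memory image for 16- or 32-byte windows whose expanded schedule follows them in memory, and optionally tolerates a few flipped bits, as a cold-boot capture of decaying DRAM would require. The memory image is constructed in-line (pseudo-random filler plus the FIPS-197 test keys and their schedules); those offsets and keys are assumptions for the demonstration only.

```python
"""Locate AES key schedules in a raw memory image (added example).

AESKeyFinder relies on the fact that an AES implementation keeps the expanded
key schedule in RAM beside the key: every 16- or 32-byte window is treated as
a candidate key, run through the FIPS-197 key expansion, and kept only if the
bytes that follow it in memory match the expansion. This is an independent
re-implementation of that idea, not the Princeton tool's code; the image it
scans is constructed below.
"""
import random


def _gf_mul(a: int, b: int) -> int:
    """Multiply two field elements in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox() -> list:
    """Derive the AES S-box from its definition: field inverse, then affine map."""
    def rotl(x, n):
        return ((x << n) | (x >> (8 - n))) & 0xFF
    sbox = [0x63]                       # S(0) = 0x63, since 0 has no inverse
    for a in range(1, 256):
        inv = next(b for b in range(1, 256) if _gf_mul(a, b) == 1)
        sbox.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63)
    return sbox


SBOX = _build_sbox()


def expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule, 32-byte key -> 240 bytes."""
    nk = len(key) // 4
    if nk not in (4, 8) or len(key) % 4:
        raise ValueError("key must be 16 (AES-128) or 32 (AES-256) bytes")
    total = 16 * (nk + 7)               # 4 words per round key, Nr = Nk + 6 rounds
    w = list(key)
    rcon = 0x01
    i = len(key)                        # byte offset of the word being produced
    while len(w) < total:
        t = w[-4:]
        if i % len(key) == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]        # RotWord, then SubWord
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ 0x1B) & 0xFF if rcon & 0x80 else rcon << 1
        elif nk == 8 and i % len(key) == 16:
            t = [SBOX[b] for b in t]                    # extra SubWord for AES-256
        w.extend([w[i - len(key) + j] ^ t[j] for j in range(4)])
        i += 4
    return bytes(w)


def _bit_errors(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes_keys(image: bytes, max_bit_errors: int = 0) -> list:
    """Return (offset, key_bits, key_hex) for every window whose expanded
    schedule follows it in the image.

    max_bit_errors allows a few flipped bits in the schedule, which is what a
    DRAM image captured after power loss looks like; leave it at 0 for a
    clean acquisition so random data is never mistaken for a key.
    """
    hits = []
    for key_len in (16, 32):
        sched_len = 16 * (key_len // 4 + 7)
        for off in range(len(image) - sched_len + 1):
            cand = image[off:off + key_len]
            expected = expand_key(cand)[key_len:]
            if _bit_errors(expected, image[off + key_len:off + sched_len]) <= max_bit_errors:
                hits.append((off, key_len * 8, cand.hex()))
    return hits


def build_sample_image(seed: int = 7) -> tuple:
    """Construct a fake 2 KiB memory image (assumption for the demo): random
    filler, an AES-128 schedule, an AES-256 schedule, and one bare key with no
    schedule after it, which a schedule-based scanner cannot and must not report."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(2048))
    k128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A.1 key
    k256 = bytes(range(32))                                    # FIPS-197 Appendix A.3 key
    image[300:300 + 176] = expand_key(k128)
    image[1000:1000 + 240] = expand_key(k256)
    image[1700:1716] = bytes.fromhex("00112233445566778899aabbccddeeff")  # key alone
    return bytes(image), k128, k256


if __name__ == "__main__":
    img, _, _ = build_sample_image()
    for off, bits, key in find_aes_keys(img):
        print(f"AES-{bits} key schedule at offset 0x{off:04x}: {key}")
```

To run it against a real acquisition, pass `open(path, "rb").read()` to `find_aes_keys` instead of the sample; pure Python is far too slow for a multi-gigabyte dump, which is why the Princeton tool is written in C, but the logic is identical. The bare key at offset 1700 of the sample is indistinguishable from random bytes, which is the inherent limit of schedule-based search and the reason passphrase scanners such as cryptoscan.py are a useful complement.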
  
== See Also ==

* [[Memory Imaging]]
* [[:Tools:Memory Imaging|Memory Imaging Tools]]
* [[:Tools:Memory Analysis|Memory Analysis Tools]]

== External Links ==

* [http://belkasoft.com/download/info/Live_RAM_Analysis_in_Digital_Forensics.pdf Discovering ephemeral evidence with Live RAM analysis] by Oleg Afonin and Yuri Gubanov, © 2013
* [http://cryptome.org/0003/RAMisKey.pdf RAM is Key - Extracting Disk Encryption Keys From Volatile Memory], by [[Brian Kaplan]], May 2007

=== Computer architecture ===

* [http://en.wikipedia.org/wiki/64-bit_computing Wikipedia: 64-bit computing]
* [http://www.unix.org/version2/whatsnew/lp64_wp.html 64-Bit Programming Models: Why LP64?], The Open Group, 1997

=== [http://volatility-labs.blogspot.com/ Volatility Labs] ===

* [http://volatility-labs.blogspot.com/2012/09/movp-11-logon-sessions-processes-and.html MoVP 1.1 Logon Sessions, Processes, and Images]
* [http://volatility-labs.blogspot.com/2012/09/movp-12-window-stations-and-clipboard.html MoVP 1.2 Window Stations and Clipboard Malware]
* [http://volatility-labs.blogspot.com/2012/09/movp-13-desktops-heaps-and-ransomware.html MoVP 1.3 Desktops, Heaps, and Ransomware]
* [http://volatility-labs.blogspot.com/2012/09/movp-14-average-coder-rootkit-bash.html MoVP 1.4 Average Coder Rootkit, Bash History, and Elevated Processes]
* [http://volatility-labs.blogspot.com/2012/09/movp-15-kbeast-rootkit-detecting-hidden.html MoVP 1.5 KBeast Rootkit, Detecting Hidden Modules, and sysfs]
* [http://volatility-labs.blogspot.com/2012/09/movp-21-atoms-new-mutex-classes-and-dll.html MoVP 2.1 Atoms (The New Mutex), Classes and DLL Injection]
* [http://volatility-labs.blogspot.com/2012/09/movp-22-malware-in-your-windows.html MoVP 2.2 Malware In Your Windows]
* [http://volatility-labs.blogspot.com/2012/09/movp-23-event-logs-and-service-sids.html MoVP 2.3 Event Logs and Service SIDs]
* [http://volatility-labs.blogspot.com/2012/09/movp-24-analyzing-jynx-rootkit-and.html MoVP 2.4 Analyzing the Jynx rootkit and LD_PRELOAD]
* [http://volatility-labs.blogspot.com/2012/09/movp-25-investigating-in-memory-network.html MoVP 2.5: Investigating In-Memory Network Data with Volatility]
* [http://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem]
* [http://volatility-labs.blogspot.com/2012/09/howto-scan-for-internet-cachehistory.html HowTo: Scan for Internet Cache/History and URLs]
* [http://volatility-labs.blogspot.com/2012/09/movp-32-shellbags-in-memory-setregtime.html MoVP 3.2 Shellbags in Memory, SetRegTime, and TrueCrypt Volumes]
* [http://volatility-labs.blogspot.com/2012/09/movp-33-analyzing-user-handles-and.html MoVP 3.3 Analyzing USER Handles and the Win32k.sys Gahti]
* [http://volatility-labs.blogspot.com/2012/09/movp-34-recovering-tagclipdata-whats-in.html MoVP 3.4: Recovering tagCLIPDATA: What's In Your Clipboard?]
* [http://volatility-labs.blogspot.com/2012/09/movp-35-analyzing-2008-dfrws-challenge.html MoVP 3.5: Analyzing the 2008 DFRWS Challenge with Volatility]
* [http://volatility-labs.blogspot.com/2012/10/movp-41-detecting-malware-with-gdi.html MoVP 4.1 Detecting Malware with GDI Timers and Callbacks]
* [http://volatility-labs.blogspot.com/2012/10/movp-43-taking-screenshots-from-memory.html MoVP 4.2 Taking Screenshots from Memory Dumps]
* [http://volatility-labs.blogspot.com/2012/10/movp-43-recovering-master-boot-records.html MoVP 4.3 Recovering Master Boot Records (MBRs) from Memory]
* [http://volatility-labs.blogspot.com/2012/10/movp-44-cache-rules-everything-around.html MoVP 4.4 Cache Rules Everything Around Me(mory)]
* [http://volatility-labs.blogspot.com/2012/10/omfw-2012-malware-in-windows-gui.html OMFW 2012: Malware In the Windows GUI Subsystem]
* [http://volatility-labs.blogspot.com/2012/10/omfw-2012-reconstructing-mbr-and-mft.html OMFW 2012: Reconstructing the MBR and MFT from Memory]
* [http://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux Rootkit]
* [http://volatility-labs.blogspot.ca/2012/10/solving-grrcon-network-forensics.html Solving the GrrCon Network Forensics Challenge with Volatility]
* [http://volatility-labs.blogspot.ca/2012/10/omfw-2012-analyzing-linux-kernel.html OMFW 2012: Analyzing Linux Kernel Rootkits with Volatility]
* [http://volatility-labs.blogspot.ca/2012/10/omfw-2012-datalore-android-memory.html OMFW 2012: Datalore: Android Memory Analysis]
* [http://volatility-labs.blogspot.ca/2012/10/movp-for-volatility-22-and-omfw-2012.html MoVP for Volatility 2.2 and OMFW 2012 Wrap-Up]
* [http://volatility-labs.blogspot.ca/2012/10/reverse-engineering-poison-ivys.html Reverse Engineering Poison Ivy's Injected Code Fragments]
* [http://volatility-labs.blogspot.ca/2012/10/omfw-2012-analysis-of-process-token.html OMFW 2012: The Analysis of Process Token Privileges]
* [http://volatility-labs.blogspot.ca/2012/10/omfw-2012-mining-pfn-database-for.html OMFW 2012: Mining the PFN Database for Malware Artifacts]

=== Volatility Videos ===

* [http://sketchymoose.blogspot.com/2011/10/set-up-to-more-memory-forensics.html Set Up to More Memory Forensics!], October 2011
* [http://www.youtube.com/watch?v=8HsZLge0wWc Using Volatility: Suspicious Process (Part 1/2)]
* [http://www.youtube.com/watch?v=XTZPNk-Esok Using Volatility: Suspicious Process (Part 2/2)]

=== WinDBG ===

* [http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-1.html Getting Started with WinDBG - Part 1], by Brad Antoniewicz, December 17, 2013
* [http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-2.html Getting Started with WinDBG - Part 2], by Brad Antoniewicz, December 24, 2013
* [http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-3.html Getting Started with WinDBG - Part 3], by Brad Antoniewicz, December 31, 2013

[[Category:Memory Analysis]]

= Windows 7 =

''Latest revision as of 12:28, 3 January 2014''

== New Features ==

* [[BitLocker Disk Encryption|BitLocker To Go]]
* [[Jump Lists]]
* [[Sticky Notes]]

== File System ==

The file system used by Windows 7 is primarily [[NTFS]].

== SSD ==

Per Microsoft [http://support.microsoft.com/kb/2727880 KB2727880], when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled. For the examiner this means that a Windows 7 system installed on an SSD may have few or no [[Prefetch]] files, so their absence is not by itself a sign of anti-forensic activity.

Further, [http://technet.microsoft.com/en-us/magazine/ff356869.aspx this TechNet post] states:

<blockquote>
Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.
</blockquote>

== Jump Lists ==

[[Jump Lists]] are Task Bar artifacts first introduced in Windows 7 (and also present in Windows 8).

== [[Prefetch]] ==

The prefetch file-name hash function is similar to that of [[Windows 2008]].

== Registry ==

The [[Windows_Registry|Windows Registry]] remains a central component of the Windows 7 operating system.

=== Known Registry keys of forensic interest ===

==== SAM Registry ====

* SAM\SAM\Domains\Account\Users
* SAM\SAM\Domains\Builtin\Aliases

==== Security Registry ====

* Security\Policy\PolAcDmS
* Security\Policy\PolPrDmS
* Security\Policy\PolAdtEv
* Security\Policy\Secrets

==== NTUSER Registry ====

* NTUSER\Control Panel\Desktop
* NTUSER\Control Panel\don\
* NTUSER\Environment
* NTUSER\Network
* NTUSER\Printers\Settings\Wizard\ConnectMRU
* NTUSER\Software\Adobe\Acrobat Reader
* NTUSER\Software\Ahead
* NTUSER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
* NTUSER\Software\Ares
* NTUSER\Software\bindshell.net\Odysseus
* NTUSER\Software\Blizzard Entertainment\Warcraft III\String
* NTUSER\Software\Cain\Settings
* NTUSER\Software\DECAFme
* NTUSER\Software\Google\Google Toolbar\4.0\whitelist
* NTUSER\Software\Google\NavClient\1.1\History
* NTUSER\Software\JavaSoft\Java Update\Policy\JavaFX
* NTUSER\Software\JavaSoft\Prefs\haven
* NTUSER\Software\Microsoft
* NTUSER\Software\Microsoft\Command Processor
* NTUSER\Software\Microsoft\CTF\LangBarAddIn
* NTUSER\Software\Microsoft\Dependency Walker\Recent File List
* NTUSER\Software\Microsoft\IntelliPoint\AppSpecific
* NTUSER\Software\Microsoft\Internet Account Manager\Accounts
* NTUSER\Software\Microsoft\Internet Explorer\Main
* NTUSER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
* NTUSER\Software\Microsoft\Internet Explorer\Settings
* NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
* NTUSER\Software\Microsoft\Internet Explorer\TypedURLsTime
* NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
* NTUSER\Software\Microsoft\Microsoft Management Console\Recent File List
* NTUSER\Software\Microsoft\Multimedia\Other
* NTUSER\Software\Microsoft\Office
* NTUSER\Software\Microsoft\Office\14.0
* NTUSER\Software\Microsoft\PIMSRV
* NTUSER\Software\Microsoft\Search Assistant\ACMru
* NTUSER\Software\Microsoft\Snapshot Viewer\Recent File List
* NTUSER\Software\Microsoft\Terminal Server Client\Default
* NTUSER\Software\Microsoft\Terminal Server Client\Servers
* NTUSER\Software\Microsoft\User Location Service\Client
* NTUSER\Software\Microsoft\Windows Live Contacts\Database
* NTUSER\Software\Microsoft\Windows Live Mail
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
* NTUSER\Software\Microsoft\Windows\CurrentVersion
* NTUSER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}
* NTUSER\Software\Microsoft\Windows\CurrentVersion\FileHistory
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
* NTUSER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
* NTUSER\Software\Microsoft\Windows\CurrentVersion\UnreadMail
* NTUSER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
* NTUSER\Software\Nico Mak Computing\WinZip
* NTUSER\Software\ORL\VNCHooks\Application_Prefs
* NTUSER\Software\ORL\VNCviewer\MRU
* NTUSER\Software\Piriform\CCleaner
* NTUSER\Software\Privoxy
* NTUSER\Software\RealNetworks\RealPlayer\6.0\Preferences
* NTUSER\Software\RealVNC\VNCViewer4\MRU
* NTUSER\Software\SimonTatham\PuTTY\SshHostKeys
* NTUSER\Software\Skype
* NTUSER\Software\SmartLine Vision\aports
* NTUSER\Software\SysInternals
* NTUSER\Software\Sysinternals\RootkitRevealer
* NTUSER\Software\VMware
* NTUSER\Software\WinRAR\ArcHistory
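Many of the NTUSER keys listed above hold most-recently-used data, and two conventions recur: single-letter value names whose order is given by an <code>MRUList</code> string (RunMRU, Map Network Drive MRU and others), and numbered names (<code>url1</code>, <code>url2</code>, ...) whose timestamps are stored as 8-byte FILETIME values under a sibling key (TypedURLs and TypedURLsTime). The following is an added example, not part of the original page: a parser for a <code>.reg</code> export of the user hive that decodes both conventions. The export text is constructed for the example; the key and value names follow the Windows layout, while the commands, URLs and timestamps in it are fictitious.

```python
"""Pull MRU artifacts out of a .reg export of NTUSER keys (added example).

Two conventions recur across the Windows 7 user-hive keys of forensic interest:
single-letter value names ordered by an 'MRUList' string, and numbered names
('url1', 'url2', ...) whose FILETIME stamps live in a sibling key. This parses
a .reg export and decodes both. SAMPLE_REG is constructed for the example.
"""
import re
from datetime import datetime, timedelta, timezone

HKCU = "HKEY_CURRENT_USER"
EXPLORER = HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer"
IE = HKCU + r"\Software\Microsoft\Internet Explorer"

# Constructed sample. A real export from 'reg export' is UTF-16LE text with the
# same header; the data below is fictitious. url1's time is 2014-01-03 12:28 UTC.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="cmd\\1"
"b"="regedit\\1"
"c"="\\\\fileserver\\share\\1"
"MRUList"="cba"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://intranet.example.test/"
"url2"="http://www.example.com/"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLsTime]
"url1"=hex:00,c8,56,3d,7f,08,cf,01
"url2"=hex:00,00,00,00,00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU]
"a"="\\\\fileserver\\share"
"MRUList"="a"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data (default '@' values are skipped)


def _unescape(s: str) -> str:
    """Undo .reg escaping: '\\\\' -> '\\', '\\"' -> '"'."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(raw: str):
    """REG_SZ -> str, REG_DWORD -> int, hex/hex(n) (REG_BINARY etc.) -> bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex"):
        data = raw.split(":", 1)[1]
        return bytes(int(b, 16) for b in data.split(",") if b)
    return raw


def parse_reg(text: str) -> dict:
    """Parse .reg text into {key_path: {value_name: value}}, joining the
    backslash-continued lines that long hex values are split across."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        m = _KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = _VAL_RE.match(line)
        if not m or current is None:
            continue
        name, raw = _unescape(m.group(1)), m.group(2)
        while raw.endswith("\\"):                 # hex data continues on the next line
            raw = raw[:-1] + lines[i].strip()
            i += 1
        current[name] = _decode_value(raw)
    return keys


_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(data: bytes):
    """Decode a little-endian FILETIME (100 ns ticks since 1601-01-01 UTC).
    An all-zero value means 'never set' and is returned as None, not 1601."""
    ticks = int.from_bytes(data[:8], "little")
    if ticks == 0:
        return None
    return (_FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).strftime("%Y-%m-%dT%H:%M:%SZ")


def ordered_mru(values: dict) -> list:
    """(name, value) pairs most-recent-first per MRUList ('cba' => c is newest).
    Entries missing from MRUList are appended so nothing is silently dropped."""
    order = values.get("MRUList", "")
    out = [(n, values[n]) for n in order if n in values]
    out += [(n, v) for n, v in sorted(values.items()) if n != "MRUList" and n not in order]
    return out


def typed_urls(keys: dict) -> list:
    """Join TypedURLs with TypedURLsTime by value name, sorted url1, url2, ..."""
    urls = keys.get(IE + r"\TypedURLs", {})
    times = keys.get(IE + r"\TypedURLsTime", {})
    idx = lambda n: int(n[3:]) if n[3:].isdigit() else 10 ** 6
    return [(n, urls[n], filetime_to_iso(times[n]) if isinstance(times.get(n), bytes) else None)
            for n in sorted(urls, key=idx)]


def extract_artifacts(text: str) -> dict:
    """Report the MRU artifacts present in a .reg export."""
    keys = parse_reg(text)
    report = {"TypedURLs": typed_urls(keys)}
    for sub in ("RunMRU", "Map Network Drive MRU"):
        if EXPLORER + "\\" + sub in keys:
            report[sub] = ordered_mru(keys[EXPLORER + "\\" + sub])
    return report


if __name__ == "__main__":
    for artifact, entries in extract_artifacts(SAMPLE_REG).items():
        print(artifact)
        for entry in entries:
            print("   ", *entry)
```

Produce the input on a live system with <code>reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" runmru.reg</code> (the file is UTF-16LE; decode it before passing it to <code>parse_reg</code>), or from an offline NTUSER.DAT mounted with <code>reg load</code>. A zero FILETIME is reported as None rather than as 1601-01-01, because Windows writes zero when the time is unknown, and treating it as a real date would put a fictitious event in the timeline.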

== See Also ==

* [[Windows]]
* [[Windows Vista]]
* [[Windows 8]]

== External Links ==

* [http://dfstream.blogspot.ch/2014/01/the-windows-7-event-log-and-usb-device.html The Windows 7 Event Log and USB Device Tracking], by [[Jason Hale]], January 2, 2014

[[Category:Operating systems]]