Difference between revisions of "Windows 7"

From ForensicsWiki
Jump to: navigation, search
(Known Registry keys of forensic interest)
(Known Registry keys of forensic interest)
Line 19: Line 19:
 
The [[Windows_Registry]] remains a central component of the Windows 7 operating system.
 
The [[Windows_Registry]] remains a central component of the Windows 7 operating system.
  
== Known Registry keys of forensic interest ==
+
=== Known Registry keys of forensic interest ===
  
'''SAM Registry'''
+
====SAM Registry====
 +
*SAM\SAM\Domains\Account\Users
 +
*SAM\Domains\Builtin\Aliases
  
*SAM\\SAM\\Domains\\Account\\Users
 
*SAM\\Domains\\Builtin\\Aliases
 
  
 +
====Security Registry====
  
'''Security Registry'''
+
*Security\Policy\PolAcDmSPolicy\PolPrDmS
 +
*Security\Policy\PolAdtEv
 +
*Security\Policy\Secrets
  
*Security\\Policy\\PolAcDmSPolicy\\PolPrDmS
+
====NTUSER Registry====
*Security\\Policy\\PolAdtEv
+
*NTUSER\Control Panel\Desktop
*Security\\Policy\\Secrets
+
*NTUSER\Control Panel\don\
 
+
*NTUSER\Environment
'''NTUSER Registry'''
+
*NTUSER\Network
*NTUSER\\Control Panel\\Desktop
+
*NTUSER\Printers\Settings\Wizard\ConnectMRU
*NTUSER\\Control Panel\\don\
+
*NTUSER\Software
*NTUSER\\Environment
+
*NTUSER\Software\Adobe\Acrobat Reader\Software\Adobe\Acrobat Reader\
*NTUSER\\Network
+
*NTUSER\Software\Ahead
*NTUSER\\Printers\\Settings\\Wizard\\ConnectMRU
+
*NTUSER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
*NTUSER\\Software
+
*NTUSER\Software\Ares
*NTUSER\\Software\\Adobe\\Acrobat Reader\\Software\\Adobe\\Acrobat Reader\\
+
*NTUSER\Software\bindshell.net\Odysseus
*NTUSER\\Software\\Ahead
+
*NTUSER\Software\Blizzard Entertainment\Warcraft III\String
*NTUSER\\Software\\America Online\\AOL Instant Messenger (TM)\\CurrentVersion\\Users
+
*NTUSER\Software\Cain\Settings
*NTUSER\\Software\\Ares
+
*NTUSER\Software\DECAFme
*NTUSER\\Software\\bindshell.net\\Odysseus
+
*NTUSER\Software\Google\Google Toolbar\4.0\whitelist
*NTUSER\\Software\\Blizzard Entertainment\\Warcraft III\\String
+
*NTUSER\Software\Google\NavClient\1.1\History
*NTUSER\\Software\\Cain\\Settings
+
*NTUSER\Software\JavaSoft\Java Update\Policy\JavaFX
*NTUSER\\Software\\DECAFme
+
*NTUSER\Software\JavaSoft\Prefs\haven
*NTUSER\\Software\\Google\\Google Toolbar\\4.0\\whitelist
+
*NTUSER\Software\Microsoft
*NTUSER\\Software\\Google\\NavClient\\1.1\\History
+
*NTUSER\Software\Microsoft\Command Processor
*NTUSER\\Software\\JavaSoft\\Java Update\\Policy\\JavaFX
+
*NTUSER\Software\Microsoft\Dependency Walker\Recent File List
*NTUSER\\Software\\JavaSoft\\Prefs\\haven
+
*NTUSER\Software\Microsoft\IntelliPoint\AppSpecific
*NTUSER\\Software\\Microsoft
+
*NTUSER\Software\Microsoft\Internet Explorer\Main
*NTUSER\\Software\\Microsoft\\Command Processor
+
*NTUSER\Software\Microsoft\Internet Explorer\MainSoftware\Microsoft\Windows\CurrentVersion\Explorer\AutoCompleteSoftware\Microsoft\Internet Account Manager\Accounts
*NTUSER\\Software\\Microsoft\\Dependency Walker\\Recent File List
+
*NTUSER\Software\Microsoft\Internet Explorer\Settings
*NTUSER\\Software\\Microsoft\\IntelliPoint\\AppSpecific
+
*NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
*NTUSER\\Software\\Microsoft\\Internet Explorer\\Main
+
*NTUSER\Software\Microsoft\Internet Explorer\TypedURLsTime
*NTUSER\\Software\\Microsoft\\Internet Explorer\\MainSoftware\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoCompleteSoftware\\Microsoft\\Internet Account Manager\\Accounts
+
*NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
*NTUSER\\Software\\Microsoft\\Internet Explorer\\Settings
+
*NTUSER\Software\Microsoft\Microsoft Management Console\Recent File List
*NTUSER\\Software\\Microsoft\\Internet Explorer\\TypedURLs
+
*NTUSER\Software\Microsoft\Multimedia\OtherSoftware\Microsoft\CTF\LangBarAddIn
*NTUSER\\Software\\Microsoft\\Internet Explorer\\TypedURLsTime
+
*NTUSER\Software\Microsoft\Office\14.0Software\Microsoft\Office\14.0
*NTUSER\\Software\\Microsoft\\MediaPlayer\\Player\\RecentFileList
+
*NTUSER\Software\Microsoft\Office\Software\Microsoft\Office\
*NTUSER\\Software\\Microsoft\\Microsoft Management Console\\Recent File List
+
*NTUSER\Software\Microsoft\OfficeSoftware\Microsoft\Office\
*NTUSER\\Software\\Microsoft\\Multimedia\\OtherSoftware\\Microsoft\\CTF\\LangBarAddIn
+
*NTUSER\Software\Microsoft\PIMSRV
*NTUSER\\Software\\Microsoft\\Office\\14.0Software\\Microsoft\\Office\\14.0
+
*NTUSER\Software\Microsoft\Search Assistant\ACMru
*NTUSER\\Software\\Microsoft\\Office\\Software\\Microsoft\\Office\\
+
*NTUSER\Software\Microsoft\Snapshot Viewer\Recent File List
*NTUSER\\Software\\Microsoft\\OfficeSoftware\\Microsoft\\Office\\
+
*NTUSER\Software\Microsoft\Terminal Server Client\DefaultSoftware\Microsoft\Terminal Server Client\Servers
*NTUSER\\Software\\Microsoft\\PIMSRV
+
*NTUSER\Software\Microsoft\Terminal Server Client\Servers
*NTUSER\\Software\\Microsoft\\Search Assistant\\ACMru
+
*NTUSER\Software\Microsoft\User Location Service\Client
*NTUSER\\Software\\Microsoft\\Snapshot Viewer\\Recent File List
+
*NTUSER\Software\Microsoft\Windows Live Contacts\Database
*NTUSER\\Software\\Microsoft\\Terminal Server Client\\DefaultSoftware\\Microsoft\\Terminal Server Client\\Servers
+
*NTUSER\Software\Microsoft\Windows Live Mail
*NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
*NTUSER\\Software\\Microsoft\\User Location Service\\Client
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
*NTUSER\\Software\\Microsoft\\Windows Live Contacts\\Database
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
*NTUSER\\Software\\Microsoft\\Windows Live Mail
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Persisted
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\0a0d020000000000c000000000000046
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Applets
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComputerDescriptions
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\PublishingWizard\\AddNetworkPlace\\AddNetPlace\\LocationMRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\FileHistory
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Wallpaper\\MRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\{8AD9C840-044E-11D1-B3E9-00805F499D93}
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet SettingsSoftware\Microsoft\Internet Explorer\Main\WindowsSearch
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\FileHistory
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\UnreadMail
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet SettingsSoftware\\Microsoft\\Internet Explorer\\Main\\WindowsSearch
+
*NTUSER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
+
*NTUSER\Software\Nico Mak Computing\WinZip
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\UFH\\SHC
+
*NTUSER\Software\ORL\VNCHooks\Application_Prefs
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\UnreadMail
+
*NTUSER\Software\ORL\VNCviewer\MRUSoftware\RealVNC\VNCViewer4\MRU
*NTUSER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop
+
*NTUSER\Software\Piriform\CCleaner
*NTUSER\\Software\\Nico Mak Computing\\WinZip
+
*NTUSER\Software\Privoxy
*NTUSER\\Software\\ORL\\VNCHooks\\Application_Prefs
+
*NTUSER\Software\RealNetworks\RealPlayer\6.0\Preferences
*NTUSER\\Software\\ORL\\VNCviewer\\MRUSoftware\\RealVNC\\VNCViewer4\\MRU
+
*NTUSER\Software\RealVNC\VNCViewer4\MRU
*NTUSER\\Software\\Piriform\\CCleaner
+
*NTUSER\Software\SimonTatham\PuTTY\SshHostKeys
*NTUSER\\Software\\Privoxy
+
*NTUSER\Software\Skype
*NTUSER\\Software\\RealNetworks\\RealPlayer\\6.0\\Preferences
+
*NTUSER\Software\SmartLine Vision\aports
*NTUSER\\Software\\RealVNC\\VNCViewer4\\MRU
+
*NTUSER\Software\SysInternals
*NTUSER\\Software\\SimonTatham\\PuTTY\\SshHostKeys
+
*NTUSER\Software\Sysinternals\RootkitRevealer
*NTUSER\\Software\\Skype
+
*NTUSER\Software\VMware
*NTUSER\\Software\\SmartLine Vision\\aports
+
*NTUSER\Software\WinRAR\ArcHistory
*NTUSER\\Software\\SysInternals
+
*NTUSER\\Software\\Sysinternals\\RootkitRevealer
+
*NTUSER\\Software\\VMware
+
*NTUSER\\Software\\WinRAR\\ArcHistory
+

Revision as of 15:38, 12 September 2013


File Structure

File systems are covered separately.

SSD

Per MS KB2727880, when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.

Further, this TechNet post states: Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.



Jump Lists

Jump Lists are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).

Registry

The Windows_Registry remains a central component of the Windows 7 operating system.

Known Registry keys of forensic interest

SAM Registry

  • SAM\SAM\Domains\Account\Users
  • SAM\Domains\Builtin\Aliases


Security Registry

  • Security\Policy\PolAcDmSPolicy\PolPrDmS
  • Security\Policy\PolAdtEv
  • Security\Policy\Secrets

NTUSER Registry

  • NTUSER\Control Panel\Desktop
  • NTUSER\Control Panel\don\
  • NTUSER\Environment
  • NTUSER\Network
  • NTUSER\Printers\Settings\Wizard\ConnectMRU
  • NTUSER\Software
  • NTUSER\Software\Adobe\Acrobat Reader\Software\Adobe\Acrobat Reader\
  • NTUSER\Software\Ahead
  • NTUSER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
  • NTUSER\Software\Ares
  • NTUSER\Software\bindshell.net\Odysseus
  • NTUSER\Software\Blizzard Entertainment\Warcraft III\String
  • NTUSER\Software\Cain\Settings
  • NTUSER\Software\DECAFme
  • NTUSER\Software\Google\Google Toolbar\4.0\whitelist
  • NTUSER\Software\Google\NavClient\1.1\History
  • NTUSER\Software\JavaSoft\Java Update\Policy\JavaFX
  • NTUSER\Software\JavaSoft\Prefs\haven
  • NTUSER\Software\Microsoft
  • NTUSER\Software\Microsoft\Command Processor
  • NTUSER\Software\Microsoft\Dependency Walker\Recent File List
  • NTUSER\Software\Microsoft\IntelliPoint\AppSpecific
  • NTUSER\Software\Microsoft\Internet Explorer\Main
  • NTUSER\Software\Microsoft\Internet Explorer\MainSoftware\Microsoft\Windows\CurrentVersion\Explorer\AutoCompleteSoftware\Microsoft\Internet Account Manager\Accounts
  • NTUSER\Software\Microsoft\Internet Explorer\Settings
  • NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
  • NTUSER\Software\Microsoft\Internet Explorer\TypedURLsTime
  • NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
  • NTUSER\Software\Microsoft\Microsoft Management Console\Recent File List
  • NTUSER\Software\Microsoft\Multimedia\OtherSoftware\Microsoft\CTF\LangBarAddIn
  • NTUSER\Software\Microsoft\Office\14.0Software\Microsoft\Office\14.0
  • NTUSER\Software\Microsoft\Office\Software\Microsoft\Office\
  • NTUSER\Software\Microsoft\OfficeSoftware\Microsoft\Office\
  • NTUSER\Software\Microsoft\PIMSRV
  • NTUSER\Software\Microsoft\Search Assistant\ACMru
  • NTUSER\Software\Microsoft\Snapshot Viewer\Recent File List
  • NTUSER\Software\Microsoft\Terminal Server Client\DefaultSoftware\Microsoft\Terminal Server Client\Servers
  • NTUSER\Software\Microsoft\Terminal Server Client\Servers
  • NTUSER\Software\Microsoft\User Location Service\Client
  • NTUSER\Software\Microsoft\Windows Live Contacts\Database
  • NTUSER\Software\Microsoft\Windows Live Mail
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
  • NTUSER\Software\Microsoft\Windows\CurrentVersion
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\FileHistory
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet SettingsSoftware\Microsoft\Internet Explorer\Main\WindowsSearch
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\UnreadMail
  • NTUSER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
  • NTUSER\Software\Nico Mak Computing\WinZip
  • NTUSER\Software\ORL\VNCHooks\Application_Prefs
  • NTUSER\Software\ORL\VNCviewer\MRUSoftware\RealVNC\VNCViewer4\MRU
  • NTUSER\Software\Piriform\CCleaner
  • NTUSER\Software\Privoxy
  • NTUSER\Software\RealNetworks\RealPlayer\6.0\Preferences
  • NTUSER\Software\RealVNC\VNCViewer4\MRU
  • NTUSER\Software\SimonTatham\PuTTY\SshHostKeys
  • NTUSER\Software\Skype
  • NTUSER\Software\SmartLine Vision\aports
  • NTUSER\Software\SysInternals
  • NTUSER\Software\Sysinternals\RootkitRevealer
  • NTUSER\Software\VMware
  • NTUSER\Software\WinRAR\ArcHistory