Difference between revisions of "Windows Registry"
From ForensicsWiki
m (→Bibliography) |
Joachim Metz (Talk | contribs) |
||
| (41 intermediate revisions by 11 users not shown) | |||
| Line 1: | Line 1: | ||
| − | == | + | ==File Locations== |
| − | + | The Windows Registry is stored in multiple files. | |
| − | + | ||
| − | + | ===Windows NT 4 === | |
| − | + | In Windows NT 4 (and later) the Registry is stored in the [[Windows NT Registry File (REGF)]] format. | |
| − | + | ||
| − | * | + | Basically the following Registry hives are stored in the corresponding files: |
| + | * HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT | ||
| + | * HKEY_USERS\DEFAULT: C:\Windows\system32\config\default | ||
| + | * HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM | ||
| + | * HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY | ||
| + | * HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software | ||
| + | * HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system | ||
| − | + | ===Windows 98/ME=== | |
| + | * \Windows\user.dat | ||
| + | * \Windows\system.dat | ||
| + | * \Windows\profiles\user profile\user.dat | ||
| − | * | + | == Keys == |
| + | |||
| + | === Run/RunOnce === | ||
| + | System-wide: | ||
| + | <pre> | ||
| + | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | ||
| + | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | ||
| + | </pre> | ||
| + | |||
| + | Per user: | ||
| + | <pre> | ||
| + | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | ||
| + | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | ||
| + | </pre> | ||
| + | |||
| + | == Special cases == | ||
| + | The Windows Registry has several special case scenarios, mainly concerning key and value name, that are easy to fail to account for: | ||
| + | * special characters key and value names | ||
| + | * duplicate key and value names | ||
| + | * the names when stored in extended ASCII (ANSI string) use a codepage that is dependent on the system settings | ||
| + | |||
| + | === special characters key and value names === | ||
| + | Both key and values names are case insensitive. The \ character is used as the key separator. Note | ||
| + | that the \ character can be used in value names. The / character is used in both key and value names. | ||
| + | Some examples of which are: | ||
| + | <pre> | ||
| + | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\ | ||
| + | Value: Size/Small/Medium/Large | ||
| + | </pre> | ||
| + | |||
| + | <pre> | ||
| + | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\ | ||
| + | Value: \Device\Video0 | ||
| + | </pre> | ||
| + | |||
| + | <pre> | ||
| + | Key: | ||
| + | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\ | ||
| + | Value: SchemaFile | ||
| + | </pre> | ||
| + | |||
| + | === codepaged ASCII strings === | ||
| + | |||
| + | Value with name "ëigenaardig" created on Windows XP codepage 1252. | ||
| + | |||
| + | <pre> | ||
| + | value key data: | ||
| + | 00000000: 76 6b 0b 00 46 00 00 00 20 98 1a 00 01 00 00 00 vk..F... ....... | ||
| + | 00000010: 01 00 69 6e eb 69 67 65 6e 61 61 72 64 69 67 00 ..in.ige naardig. | ||
| + | 00000020: 55 4e 49 43 UNIC | ||
| + | |||
| + | value key signature : vk | ||
| + | value key value name size : 11 | ||
| + | value key data size : 0x00000046 (70) | ||
| + | value key data offset : 0x001a9820 | ||
| + | value key data type : 1 (REG_SZ) String | ||
| + | value key flags : 0x0001 | ||
| + | Value name is an ASCII string | ||
| + | |||
| + | value key unknown1 : 0x6e69 (28265) | ||
| + | value key value name : ëigenaardig | ||
| + | value key value name hash : 0xb78835ee | ||
| + | value key padding: | ||
| + | 00000000: 00 55 4e 49 43 .UNIC | ||
| + | </pre> | ||
| + | |||
| + | As you can see the name is stored in extended ASCII (ANSI) using codepage 1252. | ||
==Tools== | ==Tools== | ||
===Open Source=== | ===Open Source=== | ||
| − | * [http://sourceforge.net/projects/regviewer/ regviewer] | + | * [https://www.pinguin.lu/index.php Forensic Registry EDitor (fred)] - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by [[Daniel Gillen]] |
| − | * [ | + | * [http://projects.sentinelchicken.org/data/doc/reglookup/regfi/ libregfi] - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool |
| + | * [http://projects.sentinelchicken.org/reglookup/ reglookup] — "small command line utility for reading and querying Windows NT-based registries." | ||
| + | * [http://sourceforge.net/projects/regviewer/ regviewer] — a tool for looking at the registry. | ||
| + | * [[Regripper|RegRipper]] — "the fastest, easiest, and best tool for registry analysis in forensics examinations." | ||
| + | * [http://search.cpan.org/~jmacfarla/Parse-Win32Registry-0.51/lib/Parse/Win32Registry.pm Parse::Win32Registry] Perl module. | ||
| + | * [http://www.williballenthin.com/registry/index.html python-registry] Python module. | ||
| + | * [http://code.google.com/p/registrydecoder/ Registry Decoder] offline analysis component, by [[Andrew Case]] | ||
| + | * [http://code.google.com/p/registrydecoder/ RegDecoderLive] live hive acquisition component, by [[Andrew Case]] | ||
| + | * [[libregf]] - Library and tools to access the Windows NT Registry File (REGF) format | ||
| + | * [[Registryasxml]] - Tool to import/export registry sections as XML | ||
| + | * [http://samba.org/~jelmer/kregedit/ kregedit] - a KDE utility for viewing and editing registry files. | ||
| + | * [http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm ntreg] a file system driver for linux, which understands the NT registry file format. | ||
| + | |||
| + | ===Freeware=== | ||
| + | * [http://www.tzworks.net/prototype_page.php?proto_id=3 Yet Another Registry Utility (yaru)] Free tool that can be run on Windows, Linux or Mac OS-X. If run in admin mode, allows viewing of registry hives on live system. | ||
| + | |||
| + | * [http://www.tzworks.net/prototype_page.php?proto_id=14 Windows ShellBag Parser] Free tool that can be run on Windows, Linux or Mac OS-X. | ||
| + | |||
| + | * [http://tzworks.net/prototype_page.php?proto_id=19 ''cafae''] - Computer Account Forensic Artifact Extractor. Free tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives. | ||
| + | |||
===Commercial=== | ===Commercial=== | ||
* [http://www.abexo.com/free-registry-cleaner.htm Abexo Free Regisry Cleaner] | * [http://www.abexo.com/free-registry-cleaner.htm Abexo Free Regisry Cleaner] | ||
| Line 23: | Line 115: | ||
* [http://www.larshederer.homepage.t-online.de/erunt/index.htm NT Registry Optimizer] | * [http://www.larshederer.homepage.t-online.de/erunt/index.htm NT Registry Optimizer] | ||
* [http://www.registry-clean.net/free-registry-defrag.htm iExpert Software-Free Registry Defrag] | * [http://www.registry-clean.net/free-registry-defrag.htm iExpert Software-Free Registry Defrag] | ||
| + | * [http://arsenalrecon.com/apps Registry Recon] | ||
* [http://paullee.ru/regundel Registry Undelete (russian)] | * [http://paullee.ru/regundel Registry Undelete (russian)] | ||
* [http://mitec.cz/wrr.html Windows Registry Recovery] | * [http://mitec.cz/wrr.html Windows Registry Recovery] | ||
| + | * [http://registrytool.com/ Registry Tool] | ||
| + | |||
| + | ==Bibliography== | ||
| + | * [http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using ShellBag Information to Reconstruct User Activities], by Yuandong Zhu*, Pavel Gladyshev, Joshua James, DFRWS 2009 | ||
| + | * [http://www.dfrws.org/2008/proceedings/p33-morgan.pdf Recovering Deleted Data From the Windows Registry] and [http://www.dfrws.org/2008/proceedings/p33-morgan_pres.pdf slides], by [[Timothy Morgan]], DFRWS 2008 | ||
| + | * [http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory] and [http://dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf slides], by Brendan Dolan-Gavitt, DFRWS 2008 | ||
| + | * [http://eptuners.com/forensics/A%20Windows%20Registry%20Quick%20Reference.pdf A Windows Registry Quick-Reference], by Derrick Farmer, Burlington, VT. | ||
| + | |||
| + | * [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4GX1J3B-1&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=ab887593e7be6d5257696707886978f1 The Windows Registry as a forensic resource], Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205. | ||
| + | |||
| + | * [http://www.forensicfocus.com/downloads/forensic-analysis-windows-registry.pdf Forensic Analysis of the Windows Registry], by Lih Wern Wong , School of Computer and Information Science, Edith Cowan University | ||
| + | |||
| + | * [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], by [[Timothy Morgan]] | ||
==See Also== | ==See Also== | ||
| + | * [http://en.wikipedia.org/wiki/Windows_Registry Wikipedia: Windows Registry] | ||
* [http://windowsir.blogspot.com/search/label/Registry Windows Incident Response Articles on Registry] | * [http://windowsir.blogspot.com/search/label/Registry Windows Incident Response Articles on Registry] | ||
* [http://www.answers.com/topic/win-registry Windows Registry Information] | * [http://www.answers.com/topic/win-registry Windows Registry Information] | ||
| − | * [http:// | + | * [http://moyix.blogspot.com/search/label/registry Push the Red Button] — Articles on Registry |
| + | * [http://www.beginningtoseethelight.org/ntsecurity/ Security Accounts Manager] | ||
| + | |||
| + | === Windows 32-bit on Windows 64-bit (WoW64) === | ||
| + | * [http://msdn.microsoft.com/en-us/library/aa384253(v=vs.85).aspx Registry Keys Affected by WOW64], by [[Microsoft]] | ||
| + | * [http://msdn.microsoft.com/en-us/library/aa384232(VS.85).aspx Registry Redirector], by [[Microsoft]] | ||
| + | |||
| + | [[Category:Windows Analysis]] | ||
[[Category:Bibliographies]] | [[Category:Bibliographies]] | ||
| − | |||
Revision as of 02:27, 29 April 2013
Contents
File Locations
The Windows Registry is stored in multiple files.
Windows NT 4
In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format.
Basically the following Registry hives are stored in the corresponding files:
- HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
- HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
- HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
- HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
- HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
- HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system
Windows 98/ME
- \Windows\user.dat
- \Windows\system.dat
- \Windows\profiles\user profile\user.dat
Keys
Run/RunOnce
System-wide:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Per user:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Special cases
The Windows Registry has several special case scenarios, mainly concerning key and value name, that are easy to fail to account for:
- special characters key and value names
- duplicate key and value names
- the names when stored in extended ASCII (ANSI string) use a codepage that is dependent on the system settings
special characters key and value names
Both key and values names are case insensitive. The \ character is used as the key separator. Note that the \ character can be used in value names. The / character is used in both key and value names. Some examples of which are:
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\ Value: Size/Small/Medium/Large
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\ Value: \Device\Video0
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\ Value: SchemaFile
codepaged ASCII strings
Value with name "ëigenaardig" created on Windows XP codepage 1252.
value key data:
00000000: 76 6b 0b 00 46 00 00 00 20 98 1a 00 01 00 00 00 vk..F... .......
00000010: 01 00 69 6e eb 69 67 65 6e 61 61 72 64 69 67 00 ..in.ige naardig.
00000020: 55 4e 49 43 UNIC
value key signature : vk
value key value name size : 11
value key data size : 0x00000046 (70)
value key data offset : 0x001a9820
value key data type : 1 (REG_SZ) String
value key flags : 0x0001
Value name is an ASCII string
value key unknown1 : 0x6e69 (28265)
value key value name : ëigenaardig
value key value name hash : 0xb78835ee
value key padding:
00000000: 00 55 4e 49 43 .UNIC
As you can see the name is stored in extended ASCII (ANSI) using codepage 1252.
Tools
Open Source
- Forensic Registry EDitor (fred) - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by Daniel Gillen
- libregfi - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
- reglookup — "small command line utility for reading and querying Windows NT-based registries."
- regviewer — a tool for looking at the registry.
- RegRipper — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
- Parse::Win32Registry Perl module.
- python-registry Python module.
- Registry Decoder offline analysis component, by Andrew Case
- RegDecoderLive live hive acquisition component, by Andrew Case
- libregf - Library and tools to access the Windows NT Registry File (REGF) format
- Registryasxml - Tool to import/export registry sections as XML
- kregedit - a KDE utility for viewing and editing registry files.
- ntreg a file system driver for linux, which understands the NT registry file format.
Freeware
- Yet Another Registry Utility (yaru) Free tool that can be run on Windows, Linux or Mac OS-X. If run in admin mode, allows viewing of registry hives on live system.
- Windows ShellBag Parser Free tool that can be run on Windows, Linux or Mac OS-X.
- cafae - Computer Account Forensic Artifact Extractor. Free tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives.
Commercial
- Abexo Free Regisry Cleaner
- Auslogics Registry Defrag
- Alien Registry Viewer
- NT Registry Optimizer
- iExpert Software-Free Registry Defrag
- Registry Recon
- Registry Undelete (russian)
- Windows Registry Recovery
- Registry Tool
Bibliography
- Using ShellBag Information to Reconstruct User Activities, by Yuandong Zhu*, Pavel Gladyshev, Joshua James, DFRWS 2009
- Recovering Deleted Data From the Windows Registry and slides, by Timothy Morgan, DFRWS 2008
- Forensic Analysis of the Windows Registry in Memory and slides, by Brendan Dolan-Gavitt, DFRWS 2008
- A Windows Registry Quick-Reference, by Derrick Farmer, Burlington, VT.
- The Windows Registry as a forensic resource, Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205.
- Forensic Analysis of the Windows Registry, by Lih Wern Wong , School of Computer and Information Science, Edith Cowan University
See Also
- Wikipedia: Windows Registry
- Windows Incident Response Articles on Registry
- Windows Registry Information
- Push the Red Button — Articles on Registry
- Security Accounts Manager
