Difference between revisions of "Windows Registry"

From Forensics Wiki
Jump to: navigation, search
(See Also)
(User Assist)
Line 146: Line 146:
  
 
=== User Assist ===
 
=== User Assist ===
* [http://windowsir.blogspot.ch/2007/09/more-on-userassist-keys.html More on (the) UserAssist keys], by [Harlan Carvey], Monday, September 03, 2007
+
* [http://windowsir.blogspot.ch/2007/09/more-on-userassist-keys.html More on (the) UserAssist keys], by [[Harlan Carvey]], Monday, September 03, 2007
 
* [http://forensicsfromthesausagefactory.blogspot.ch/2010/05/prefetch-and-user-assist.html Prefetch and User Assist], by DC174, Thursday, 27 May 2010
 
* [http://forensicsfromthesausagefactory.blogspot.ch/2010/05/prefetch-and-user-assist.html Prefetch and User Assist], by DC174, Thursday, 27 May 2010
 
* [http://forensicartifacts.com/2010/07/userassist/ Forensic Artifact: UserAssist]
 
* [http://forensicartifacts.com/2010/07/userassist/ Forensic Artifact: UserAssist]
 
* [http://sploited.blogspot.ch/2012/12/sans-forensic-artifact-6-userassist.html SANS Forensic Artifact 6: UserAssist], by Sploited, Thursday, 27 December 2012
 
* [http://sploited.blogspot.ch/2012/12/sans-forensic-artifact-6-userassist.html SANS Forensic Artifact 6: UserAssist], by Sploited, Thursday, 27 December 2012
 
* [http://www.4n6k.com/2013/05/userassist-forensics-timelines.html UserAssist Forensics (timelines, interpretation, testing, & more)], by Dan (@4n6k), Tuesday, May 14, 2013
 
* [http://www.4n6k.com/2013/05/userassist-forensics-timelines.html UserAssist Forensics (timelines, interpretation, testing, & more)], by Dan (@4n6k), Tuesday, May 14, 2013
* [http://hackingexposedcomputerforensicsblog.blogspot.ch/2013/08/daily-blog-45-understanding-artifacts.html Daily Blog #45: Understanding the artifacts: User Assist], by [David Cowen], Wednesday, August 7, 2013
+
* [http://hackingexposedcomputerforensicsblog.blogspot.ch/2013/08/daily-blog-45-understanding-artifacts.html Daily Blog #45: Understanding the artifacts: User Assist], by [[David Cowen]], Wednesday, August 7, 2013
  
 
[[Category:Windows Analysis]]
 
[[Category:Windows Analysis]]
 
[[Category:Bibliographies]]
 
[[Category:Bibliographies]]

Revision as of 12:06, 7 August 2013

Contents

File Locations

The Windows Registry is stored in multiple files.

Windows NT 4

In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format.

Basically the following Registry hives are stored in the corresponding files:

  • HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
  • HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
  • HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
  • HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system

Windows 98/ME

  • \Windows\user.dat
  • \Windows\system.dat
  • \Windows\profiles\user profile\user.dat

Keys

Run/RunOnce

System-wide:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Per user:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Special cases

The Windows Registry has several special case scenarios, mainly concerning key and value name, that are easy to fail to account for:

  • special characters key and value names
  • duplicate key and value names
  • the names when stored in extended ASCII (ANSI string) use a codepage that is dependent on the system settings

special characters key and value names

Both key and values names are case insensitive. The \ character is used as the key separator. Note that the \ character can be used in value names. The / character is used in both key and value names. Some examples of which are:

Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\
Value: Size/Small/Medium/Large
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\
Value: \Device\Video0
Key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\
Value: SchemaFile

codepaged ASCII strings

Value with name "ëigenaardig" created on Windows XP codepage 1252.

value key data:
00000000: 76 6b 0b 00 46 00 00 00  20 98 1a 00 01 00 00 00   vk..F...  .......
00000010: 01 00 69 6e eb 69 67 65  6e 61 61 72 64 69 67 00   ..in.ige naardig.
00000020: 55 4e 49 43                                        UNIC

value key signature                     : vk
value key value name size               : 11
value key data size                     : 0x00000046 (70)
value key data offset                   : 0x001a9820
value key data type                     : 1 (REG_SZ) String
value key flags                         : 0x0001
        Value name is an ASCII string

value key unknown1                      : 0x6e69 (28265)
value key value name                    : ëigenaardig
value key value name hash               : 0xb78835ee
value key padding:
00000000: 00 55 4e 49 43                                     .UNIC

As you can see the name is stored in extended ASCII (ANSI) using codepage 1252.

Tools

Open Source

Freeware

  • cafae - Computer Account Forensic Artifact Extractor. Free tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives.

Commercial

Bibliography

Undated

See Also

Windows 32-bit on Windows 64-bit (WoW64)

User Assist