Difference between revisions of "Windows Registry"

From ForensicsWiki
m
(Added file locations)
Line 12: Line 12:
  
 
* [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], Timothy D. Morgan
 
* [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], Timothy D. Morgan
 +
 +
==File Locations==
 +
===Windows XP===
 +
* HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
 +
* HKEY_USERS/DEFAULT: \Windows\system32\config\default
 +
* HKEY_LOCAL_MACHIN/SAM: \Windows\system32\config\SAM
 +
* HKEY_LOCAL_MACHINE/SECURITY: \Windows\system32\config\SECURITY
 +
* HKEY_LOCAL_MACHINE/SOFTWARE: \Windows\system32\config\software
 +
* HKEY_LOCAL_MACHINE/SYSTEM: \Windows\system32\config\system
 +
 +
===Windows 98/ME===
 +
* \Windows\user.dat
 +
* \Windows\system.dat
 +
* \Windows\profiles\user profile\user.dat
  
 
==Tools==
 
==Tools==
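Review bot: two of the added Windows XP entries carry typos that will mislead anyone copying the paths: "HKEY_LOCAL_MACHIN/SAM" drops the trailing E of HKEY_LOCAL_MACHINE, and "\Documents and Setting\User Profile\NTUSER.DAT" should read "\Documents and Settings\"; the neighbouring SECURITY, SOFTWARE and SYSTEM lines spell the hive name correctly, so aligning the SAM line with them and fixing the profile directory is all that is needed.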

Revision as of 21:44, 4 January 2009

Bibliography

  • Recovering Deleted Data From the Windows Registry. Timothy Morgan, DFRWS 2008 [paper] [slides]
  • The Windows NT Registry File Format. Timothy D. Morgan, http://www.sentinelchicken.com/research/registry_format/

File Locations

Windows XP

  • HKEY_USERS: \Documents and Settings\User Profile\NTUSER.DAT
  • HKEY_USERS/DEFAULT: \Windows\system32\config\default
  • HKEY_LOCAL_MACHINE/SAM: \Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE/SECURITY: \Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE/SOFTWARE: \Windows\system32\config\software
  • HKEY_LOCAL_MACHINE/SYSTEM: \Windows\system32\config\system

Windows 98/ME

  • \Windows\user.dat
  • \Windows\system.dat
  • \Windows\profiles\user profile\user.dat

Tools

Open Source

  • reglookup — "small command line utility for reading and querying Windows NT-based registries."
  • regviewer — a tool for looking at the registry.
  • RegRipper — "the fastest, easiest, and best tool for registry analysis in forensics examinations."

Commercial

See Also