Difference between revisions of "Windows Registry"

From Forensics Wiki
Jump to: navigation, search
m (See Also)
m (See Also)
Line 51: Line 51:
 
* [http://tech.groups.yahoo.com/group/win4n6/ Windows Forensics Mailing List]
 
* [http://tech.groups.yahoo.com/group/win4n6/ Windows Forensics Mailing List]
 
* [http://samba.org/~jelmer/kregedit/ kregedit] - a KDE utility for viewing and editing registry files.
 
* [http://samba.org/~jelmer/kregedit/ kregedit] - a KDE utility for viewing and editing registry files.
* http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm ntreg] a file system driver for linux, which understands the NT registry file format.  
+
* [http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm ntreg] a file system driver for linux, which understands the NT registry file format.  
 
* [http://sourceforge.net/projects/regviewer/ RegViewer] - a program for viewing NT Registry files.
 
* [http://sourceforge.net/projects/regviewer/ RegViewer] - a program for viewing NT Registry files.
 
* [http://projects.sentinelchicken.org/reglookup/ RegLookup]
 
* [http://projects.sentinelchicken.org/reglookup/ RegLookup]

Revision as of 05:05, 27 December 2009

Contents

Bibliography

File Locations

Windows XP

  • HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
  • HKEY_USERS/DEFAULT: \Windows\system32\config\default
  • HKEY_LOCAL_MACHIN/SAM: \Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE/SECURITY: \Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE/SOFTWARE: \Windows\system32\config\software
  • HKEY_LOCAL_MACHINE/SYSTEM: \Windows\system32\config\system

Windows 98/ME

  • \Windows\user.dat
  • \Windows\system.dat
  • \Windows\profiles\user profile\user.dat

Tools

Open Source

  • reglookup — "small command line utility for reading and querying Windows NT-based registries."
  • regviewer — a tool for looking at the registry.
  • RegRipper — "the fastest, easiest, and best tool for registry analysis in forensics examinations."

Commercial

See Also