Difference between revisions of "Windows Registry"

From ForensicsWiki
m (Open Source)
(Windows XP)
Line 18: Line 18:
 
* HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
 
* HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
 
* HKEY_USERS/DEFAULT: \Windows\system32\config\default
 
* HKEY_USERS/DEFAULT: \Windows\system32\config\default
* HKEY_LOCAL_MACHIN/SAM: \Windows\system32\config\SAM
+
* HKEY_LOCAL_MACHINE/SAM: \Windows\system32\config\SAM
 
* HKEY_LOCAL_MACHINE/SECURITY: \Windows\system32\config\SECURITY
 
* HKEY_LOCAL_MACHINE/SECURITY: \Windows\system32\config\SECURITY
 
* HKEY_LOCAL_MACHINE/SOFTWARE: \Windows\system32\config\software
 
* HKEY_LOCAL_MACHINE/SOFTWARE: \Windows\system32\config\software
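
Review bot: the first context line of this hunk still reads "\Documents and Setting\User Profile\NTUSER.DAT"; the Windows XP profile directory is "\Documents and Settings", so the revision that corrects HKEY_LOCAL_MACHIN to HKEY_LOCAL_MACHINE should correct that path as well. The key names here are also written with a forward slash (HKEY_LOCAL_MACHINE/SAM) while the file paths use backslashes; registry key paths take a backslash, so I would suggest HKEY_LOCAL_MACHINE\SAM and likewise for the other entries.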

Revision as of 09:51, 14 September 2010

Bibliography

File Locations

Windows XP

  • HKEY_USERS: \Documents and Settings\User Profile\NTUSER.DAT
  • HKEY_USERS/DEFAULT: \Windows\system32\config\default
  • HKEY_LOCAL_MACHINE/SAM: \Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE/SECURITY: \Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE/SOFTWARE: \Windows\system32\config\software
  • HKEY_LOCAL_MACHINE/SYSTEM: \Windows\system32\config\system

Windows 98/ME

  • \Windows\user.dat
  • \Windows\system.dat
  • \Windows\profiles\user profile\user.dat

Tools

Open Source

  • reglookup — "small command line utility for reading and querying Windows NT-based registries."
  • regviewer — a tool for looking at the registry.
  • RegRipper — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
  • Parse::Win32Registry Perl module.

Commercial

See Also