
Difference between revisions of "Windows Registry"

From ForensicsWiki
(Windows XP)

Line 2:

 The Windows Registry is stored in multiple files.

-===Windows XP===
+===Windows NT 4 ===
+In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format.
+
 Basically the following Registry hives are stored in the corresponding files:
 * HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
 * HKEY_USERS/DEFAULT: \Windows\system32\config\default
Revision as of 06:50, 15 September 2010

File Locations

The Windows Registry is stored in multiple files.

Windows NT 4

In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format.

The following Registry hives are stored in the corresponding files:

  • HKEY_USERS: \Documents and Settings\User Profile\NTUSER.DAT
  • HKEY_USERS/DEFAULT: \Windows\system32\config\default
  • HKEY_LOCAL_MACHINE/SAM: \Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE/SECURITY: \Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE/SOFTWARE: \Windows\system32\config\software
  • HKEY_LOCAL_MACHINE/SYSTEM: \Windows\system32\config\system
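As an added example (not code from the ForensicsWiki page or from any of the tools it lists), the script below inspects the base block of one of the REGF hive files named above before any deeper parsing: it confirms the "regf" signature, recomputes the XOR-32 header checksum, reads the hive's embedded file name, version, file type and last-written time, and compares the primary and secondary sequence numbers, which only match when the last write to the hive completed. The field offsets and checksum rule are the documented REGF base-block layout; the hive bytes it runs on are constructed inline rather than taken from a real system, and `build_sample_hive` exists only to produce that sample.

```python
"""Triage the base block of a Windows NT Registry File (REGF) hive.

Added example, not part of the ForensicsWiki page. Offsets follow the REGF
base-block layout; the sample hive built below is constructed test data.
"""
import struct
import sys
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 4096        # the REGF base block is the first 4 KiB of the file
CHECKSUM_OFFSET = 508         # XOR-32 of bytes 0..507 is stored at this offset
HBIN_OFFSET = BASE_BLOCK_SIZE  # hive bins ("hbin") follow the base block
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def regf_checksum(base_block: bytes) -> int:
    """XOR of the 127 little-endian DWORDs that precede the checksum field.

    REGF stores 0xFFFFFFFF as 0xFFFFFFFE and 0 as 1, so mirror that here."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        xor ^= dword
    if xor == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if xor == 0:
        return 1
    return xor


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC)."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def parse_regf_base_block(data: bytes) -> dict:
    """Return the fields a triage pass cares about plus integrity verdicts."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("file shorter than a REGF base block")
    base = data[:BASE_BLOCK_SIZE]
    if base[:4] != b"regf":
        raise ValueError("not a REGF hive (missing 'regf' signature)")
    (primary_seq, secondary_seq, last_written, major, minor,
     file_type, _file_format, root_cell, bins_size) = struct.unpack_from("<IIQIIIIII", base, 4)
    stored_checksum = struct.unpack_from("<I", base, CHECKSUM_OFFSET)[0]
    # Offset 48 holds 64 bytes of UTF-16LE: usually the tail of the hive's path.
    name = base[48:48 + 64].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "file_name": name,
        "version": f"{major}.{minor}",
        "file_type": "primary" if file_type == 0 else "log/backup",
        "last_written": filetime_to_datetime(last_written),
        "root_cell_offset": HBIN_OFFSET + root_cell,  # root cell is relative to the bins
        "hive_bins_size": bins_size,
        "checksum_ok": stored_checksum == regf_checksum(base),
        # Unequal sequence numbers mean the last transaction did not finish:
        # the hive is "dirty" and its transaction log may hold newer data.
        "clean_shutdown": primary_seq == secondary_seq,
        "first_hbin_ok": data[HBIN_OFFSET:HBIN_OFFSET + 4] == b"hbin",
    }


def build_sample_hive(primary_seq: int, secondary_seq: int, corrupt_checksum: bool = False) -> bytes:
    """Constructed sample: a base block plus one empty hive bin (not real data)."""
    base = bytearray(BASE_BLOCK_SIZE)
    base[:4] = b"regf"
    filetime = int((datetime(2010, 1, 1, tzinfo=timezone.utc) - EPOCH_1601).total_seconds()) * 10_000_000
    # version 1.3, file type 0 (primary), format 1, root cell at +0x20, bins size 0x1000
    struct.pack_into("<IIQIIIIII", base, 4, primary_seq, secondary_seq, filetime, 1, 3, 0, 1, 0x20, 0x1000)
    base[48:48 + 64] = "\\System32\\Config\\SAM".encode("utf-16-le").ljust(64, b"\x00")
    checksum = regf_checksum(bytes(base))
    struct.pack_into("<I", base, CHECKSUM_OFFSET, checksum ^ 1 if corrupt_checksum else checksum)
    hbin = bytearray(0x1000)
    hbin[:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, 0x1000)  # bin offset within bins data, bin size
    return bytes(base) + bytes(hbin)


if __name__ == "__main__":
    # With a path argument, triage that hive; otherwise run on the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_hive(7, 7)
    for key, value in parse_regf_base_block(blob).items():
        print(f"{key:>18}: {value}")
```

Run it against a hive copied out of a disk image (the files under \Windows\system32\config are locked while Windows is running). A `checksum_ok` of False means the header was altered or the copy is damaged; a `clean_shutdown` of False means the sequence numbers disagree, so keys written just before the image was taken may only exist in the hive's transaction log and a plain parse of the primary file will miss them.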

Windows 98/ME

  • \Windows\user.dat
  • \Windows\system.dat
  • \Windows\profiles\user profile\user.dat

Tools

Open Source

  • reglookup — "small command line utility for reading and querying Windows NT-based registries."
  • regviewer — a tool for looking at the registry.
  • RegRipper — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
  • Parse::Win32Registry Perl module.

Commercial

Bibliography

See Also