Difference between revisions of "Windows Registry"

From Forensics Wiki
Jump to: navigation, search
(Open Source)
m (adding Forensic Registry EDitor (fred))
Line 20: Line 20:
 
==Tools==
 
==Tools==
 
===Open Source===
 
===Open Source===
 +
* [https://www.pinguin.lu/index.php Forensic Registry EDitor (fred)] - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by Gillen Dan
 
* [http://projects.sentinelchicken.org/reglookup/ reglookup] — "small command line utility for reading and querying Windows NT-based registries."
 
* [http://projects.sentinelchicken.org/reglookup/ reglookup] — "small command line utility for reading and querying Windows NT-based registries."
 
* [http://sourceforge.net/projects/regviewer/ regviewer] — a tool for looking at the registry.
 
* [http://sourceforge.net/projects/regviewer/ regviewer] — a tool for looking at the registry.

Revision as of 18:52, 4 April 2012

Contents

File Locations

The Windows Registry is stored in multiple files.

Windows NT 4

In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format.

Basically the following Registry hives are stored in the corresponding files:

  • HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
  • HKEY_USERS/DEFAULT: \Windows\system32\config\default
  • HKEY_LOCAL_MACHINE/SAM: \Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE/SECURITY: \Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE/SOFTWARE: \Windows\system32\config\software
  • HKEY_LOCAL_MACHINE/SYSTEM: \Windows\system32\config\system

Windows 98/ME

  • \Windows\user.dat
  • \Windows\system.dat
  • \Windows\profiles\user profile\user.dat

Tools

Open Source

Freeware

Commercial

Bibliography

See Also