Difference between revisions of "Windows Registry"

From ForensicsWiki
Jump to: navigation, search
(Freeware)
(Freeware)
Line 34: Line 34:
 
* [http://www.tzworks.net/prototype_page.php?proto_id=14 Windows ShellBag Parser] Free tool that can be run on Windows, Linux or Mac OS-X.
 
* [http://www.tzworks.net/prototype_page.php?proto_id=14 Windows ShellBag Parser] Free tool that can be run on Windows, Linux or Mac OS-X.
  
* [http://tzworks.net/prototype_page.php?proto_id=19 ''cafae'' - Computer Account Forensic Artifact Extractor] Free tool that can be run on Windows, Linux or Mac OS-X.
+
* [http://tzworks.net/prototype_page.php?proto_id=19 ''cafae''] - Computer Account Forensic Artifact ExtractorFree tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives.
  
 
===Commercial===
 
===Commercial===

Revision as of 18:31, 1 June 2012

File Locations

The Windows Registry is stored in multiple files.

Windows NT 4

In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format.

Basically the following Registry hives are stored in the corresponding files:

  • HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
  • HKEY_USERS/DEFAULT: \Windows\system32\config\default
  • HKEY_LOCAL_MACHINE/SAM: \Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE/SECURITY: \Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE/SOFTWARE: \Windows\system32\config\software
  • HKEY_LOCAL_MACHINE/SYSTEM: \Windows\system32\config\system

Windows 98/ME

  • \Windows\user.dat
  • \Windows\system.dat
  • \Windows\profiles\user profile\user.dat

Tools

Open Source

Freeware

  • cafae - Computer Account Forensic Artifact Extractor. Free tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives.

Commercial

Bibliography

See Also