
Difference between revisions of "Windows Registry"

From ForensicsWiki
(Service Control Manager)
 
(52 intermediate revisions by 5 users not shown)
== Terminology ==

=== Hive ===

According to [https://msdn.microsoft.com/en-us/library/windows/desktop/ms724877%28v=vs.85%29.aspx]:

<pre>
A hive is a logical group of keys, subkeys, and values in the Windows Registry that has a set of supporting files containing backups of its data.
</pre>

However, in common usage the term hive often does not imply the supporting files.

According to [http://blogs.msdn.com/b/oldnewthing/archive/2003/08/08/54618.aspx] the origin of the term is bee hives.
==File Locations==

The Windows Registry is stored in multiple files.
* HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system
===Windows 9x/ME===

In Windows 95, 98, Me the Registry is stored in the [[Windows 9x Registry File (CREG)]] format.

* \Windows\user.dat
* \Windows\system.dat
* \Windows\profiles\user profile\user.dat
 
== Keys ==

=== Run/RunOnce ===

System-wide:
<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
</pre>

Per user:
<pre>
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
</pre>

== Special cases ==

The Windows Registry has several special case scenarios, mainly concerning key and value names, that are easy to fail to account for:
* special characters in key and value names
* duplicate key and value names
* names stored in extended ASCII (ANSI strings) use a codepage that depends on the system settings
* unreconciled data
  
=== Special characters in key and value names ===

Both key and value names are case insensitive. The \ character is used as the key separator. Note that the \ character can nevertheless be used in value names. The / character can be used in both key and value names.
</pre>

Also, null bytes may be present in registry value names in order to hide data [http://binaryforay.blogspot.com/2016/01/registry-values-starting-with-null.html].

=== Codepaged ASCII strings ===
  
 
Value with name "ëigenaardig" created on Windows XP with codepage 1252.

As you can see, the name is stored in extended ASCII (ANSI) using codepage 1252.
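The name-handling rules of the two sections above (case insensitivity, backslashes and NUL bytes inside value names, and codepage-dependent extended ASCII names), as an added example that is not code from the original page. It assumes the caller already knows from the record's flags whether a name is stored compressed (extended ASCII) or as UTF-16LE; the sample bytes are constructed to match the "ëigenaardig" case.

```python
"""Decode and sanity-check REGF key and value names (added example).

Assumption: the REGF record flags (KEY_COMP_NAME on key records,
VALUE_COMP_NAME on value records) tell the caller whether a name is stored
"compressed", i.e. as extended ASCII in the ANSI codepage of the system that
wrote the hive, or as UTF-16LE.
"""

# Constructed sample: how a Windows XP system running codepage 1252 stores the
# value name "ëigenaardig" in a compressed (extended ASCII) name field.
SAMPLE_CP1252_NAME = b"\xebigenaardig"


def decode_name(raw: bytes, compressed: bool, ansi_codepage: str = "cp1252") -> str:
    """Decode a raw name field.

    A compressed name carries no codepage of its own: the bytes mean whatever
    the ANSI codepage of the originating system says they mean, so the analyst
    has to supply it. Undecodable bytes stay visible as \\xNN escapes instead
    of being silently replaced.
    """
    encoding = ansi_codepage if compressed else "utf-16-le"
    return raw.decode(encoding, errors="backslashreplace")


def decode_candidates(raw: bytes, codepages=("cp1252", "cp1251", "cp437")) -> dict:
    """Show how the same compressed bytes read under different system codepages."""
    return {cp: decode_name(raw, True, cp) for cp in codepages}


def same_name(a: str, b: str) -> bool:
    """Key and value names are case insensitive (casefold approximates the
    kernel's upcase table closely enough for ASCII and Latin names)."""
    return a.casefold() == b.casefold()


def name_properties(name: str) -> dict:
    """Properties of a decoded name that a parser or report must account for."""
    return {
        "has_nul": "\x00" in name,        # NUL bytes can hide a value from regedit
        "has_backslash": "\\" in name,    # legal in value names, so never split a
                                          # (key path, value name) pair on '\\'
        "has_slash": "/" in name,         # legal in both key and value names
        "non_ascii": any(ord(c) > 0x7F for c in name),
    }


def printable(name: str) -> str:
    """Escape non-printable characters so hidden names show up in reports."""
    return "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in name)
```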
=== Unreconciled data ===

Starting from Windows 8.1 and Windows Server 2012 R2, a new implementation of the hive flusher was introduced in the kernel. This implementation attempts to radically reduce the number of disk writes on a mounted hive: in particular, a flush operation on a hive will store modified (dirty) data in a transaction log file, but the hive bins in the primary file (also known as a normal or data file) will be left intact. The kernel will sync a primary file after one of the following conditions has occurred:
* an hour has elapsed since the latest write to a primary file;
* the power management subsystem reports that all users (local and remote) are inactive;
* the operating system is shutting down (hive is unloading).

In order to correctly handle unreconciled data (e.g. when dealing with an image taken from a live system), one needs to parse transaction log files along with primary files.
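The check an analyst needs before trusting a primary file taken from a live system, as an added example that is not code from the page: it reads the REGF base block's two sequence numbers and its checksum, following the field layout of the registry file format specification listed in the bibliography. The sample base block is constructed here.

```python
"""Decide whether a REGF primary file needs its transaction logs replayed.

Base block layout used (per the REGF format specification): offset 0 "regf"
signature, 4 primary sequence number, 8 secondary sequence number,
20/24 major/minor version, 508 XOR-32 checksum of the preceding 508 bytes.
"""
import struct

BASE_BLOCK_SIZE = 512


def base_block_checksum(block: bytes) -> int:
    """XOR of the 127 DWORDs in front of the checksum field, with the two
    reserved results remapped as the format requires."""
    total = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        total ^= dword
    if total == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if total == 0:
        return 1
    return total


def inspect_base_block(block: bytes) -> dict:
    """Report the hive's sequence numbers, checksum state and dirtiness."""
    if len(block) < BASE_BLOCK_SIZE or block[:4] != b"regf":
        raise ValueError("not a REGF base block")
    primary_seq, secondary_seq = struct.unpack_from("<II", block, 4)
    stored_sum = struct.unpack_from("<I", block, 508)[0]
    # The primary sequence number is bumped when a write begins and the
    # secondary one only when the write to the primary file completes. With
    # the Windows 8.1+ flusher the dirty data goes to the .LOG1/.LOG2 files
    # first, so unequal numbers mean the primary file alone is stale and the
    # logs must be applied before the hive bins are interpreted.
    return {
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        "checksum_ok": stored_sum == base_block_checksum(block),
        "needs_log_replay": primary_seq != secondary_seq,
    }


def make_base_block(primary_seq: int, secondary_seq: int) -> bytes:
    """Build a minimal, correctly checksummed base block (constructed sample)."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = b"regf"
    struct.pack_into("<II", block, 4, primary_seq, secondary_seq)
    struct.pack_into("<II", block, 20, 1, 5)  # format version 1.5
    struct.pack_into("<I", block, 508, base_block_checksum(bytes(block)))
    return bytes(block)


if __name__ == "__main__":
    for label, seqs in (("synced hive", (7, 7)), ("dirty hive", (8, 7))):
        print(label, inspect_base_block(make_base_block(*seqs)))
```

On a real image, read the first 512 bytes of the hive file (for example SYSTEM or NTUSER.DAT) and pass them to inspect_base_block; a True needs_log_replay means the .LOG1/.LOG2 files next to it hold data the primary file does not.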
== Persistence keys ==

The following lists are loosely based on:
* [http://www.silentrunners.org/Silent%20Runners.vbs Silent Runners.vbs]
* [[Artifacts | Forensic Artifacts]]

<b>Note that in the lists below HKEY_CURRENT_USER is a subset of HKEY_USERS</b>

=== Command Processor (cmd.exe) ===

{| class="wikitable"
|-
| <b>Description</b>
| Command Processor Auto Run
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsCommandProcessorAutoRun
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Command Processor
* HKEY_USERS\%SID%\Software\Microsoft\Command Processor
* HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Command Processor
|-
| <b>Value name(s)</b>
| AutoRun
|-
| <b>Additional information</b>
| [https://technet.microsoft.com/en-us/library/cc779439(v=ws.10).aspx Command Processor\AutoRun]
|}

=== Debugging ===

{| class="wikitable"
|-
| <b>Description</b>
| Automatic debugging
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsAutomaticDebugging
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
|-
| <b>Value name(s)</b>
| Debugger
|-
| <b>Additional information</b>
| [https://msdn.microsoft.com/en-us/library/windows/desktop/bb204634(v=vs.85).aspx Configuring Automatic Debugging]
|}

=== Internet Explorer ===

{| class="wikitable"
|-
| <b>Description</b>
| Browser Helper Objects
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| InternetExplorerBrowserHelperObjects
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
|-
| <b>Value name(s)</b>
| *
|-
| <b>Additional information</b>
|
|}

=== Local Security Authority (LSA) ===

{| class="wikitable"
|-
| <b>Description</b>
| Local Security Authority (LSA) Authentication Packages
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsLSAAuthenticationPackages
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
|-
| <b>Value name(s)</b>
| Authentication Packages
|-
| <b>Additional information</b>
|
|}

{| class="wikitable"
|-
| <b>Description</b>
| Local Security Authority (LSA) Notification Packages
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsLSANotificationPackages
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
|-
| <b>Value name(s)</b>
| Notification Packages
|-
| <b>Additional information</b>
|
|}

{| class="wikitable"
|-
| <b>Description</b>
| Local Security Authority (LSA) Security Packages
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsLSASecurityPackages
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
|-
| <b>Value name(s)</b>
| Security Packages
|-
| <b>Additional information</b>
|
|}

=== Run keys ===

{| class="wikitable"
|-
| <b>Description</b>
| Run keys
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsRunKeys
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
* HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
* HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Run\*
* HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
* HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
* HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*
* HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
* HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*
* HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*
* HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
* HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*
|-
| <b>Value name(s)</b>
| *
|-
| <b>Additional information</b>
|
|}

{| class="wikitable"
|-
| <b>Description</b>
| Run services keys
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsRunServices
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\*
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\*
|-
| <b>Value name(s)</b>
| *
|-
| <b>Additional information</b>
|
|}

=== Session Manager ===

{| class="wikitable"
|-
| <b>Description</b>
| Session Manager Execute
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
|
* WindowsSessionManagerBootExecute
* WindowsSessionManagerExecute
* WindowsSessionManagerSetupExecute
|-
| <b>Key path(s)</b>
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
|-
| <b>Value name(s)</b>
|
* BootExecute
* Execute
* SetupExecute
|-
| <b>Additional information</b>
|
|}

{| class="wikitable"
|-
| <b>Description</b>
| Windows Session Manager Windows-on-Windows (WOW) command line
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsSessionManagerWOWCommandLine
|-
| <b>Key path(s)</b>
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\WOW
|-
| <b>Value name(s)</b>
|
* cmdline
* wowcmdline
|-
| <b>Additional information</b>
|
|}

=== Service Control Manager ===

{| class="wikitable"
|-
| <b>Description</b>
| Service Control Manager extension
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsServiceControlManagerExtension
|-
| <b>Key path(s)</b>
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
|-
| <b>Value name(s)</b>
| ServiceControlManagerExtension
|-
| <b>Additional information</b>
|
|}

=== Windows shell (explorer.exe) ===

{| class="wikitable"
|-
| <b>Description</b>
| Shell Icon Overlay Identifiers
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsShellIconOverlayIdentifiers
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
* HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
* HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
|-
| <b>Value name(s)</b>
| *
|-
| <b>Additional information</b>
|
|}

{| class="wikitable"
|-
| <b>Description</b>
| Shell Extensions
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsShellExtensions
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
* HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
* HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
|-
| <b>Value name(s)</b>
| *
|-
| <b>Additional information</b>
|
|}

{| class="wikitable"
|-
| <b>Description</b>
| Shell Execute Hooks
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsShellExecuteHooks
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
|-
| <b>Value name(s)</b>
| *
|-
| <b>Additional information</b>
|
|}

{| class="wikitable"
|-
| <b>Description</b>
| Shell Load and Run
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsShellLoadAndRun
|-
| <b>Key path(s)</b>
|
* HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
* HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
|-
| <b>Value name(s)</b>
|
* Load
* Run
|-
| <b>Additional information</b>
|
|}

{| class="wikitable"
|-
| <b>Description</b>
| Shell Service Object Delay Load
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsShellServiceObjects
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
|-
| <b>Value name(s)</b>
| *
|-
| <b>Additional information</b>
| [http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanClicker:Win32/Zirit.X#tab=2 TrojanClicker:Win32/Zirit.X]
|}

=== Winlogon and Credential Providers ===

{| class="wikitable"
|-
| <b>Description</b>
| Credential Provider Filters
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsCredentialProviderFilters
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*
|-
| <b>Value name(s)</b>
| *
|-
| <b>Additional information</b>
| [http://blog.leetsys.com/2012/01/02/capturing-windows-7-credentials-at-logon-using-custom-credential-provider/ Capturing Windows 7 Credential at logon using custom credential provider]
|}

{| class="wikitable"
|-
| <b>Description</b>
| Credential Providers
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsCredentialProviders
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*
|-
| <b>Value name(s)</b>
| *
|-
| <b>Additional information</b>
| [http://blog.leetsys.com/2012/01/02/capturing-windows-7-credentials-at-logon-using-custom-credential-provider/ Capturing Windows 7 Credential at logon using custom credential provider]
|}

{| class="wikitable"
|-
| <b>Description</b>
| Pre-Logon Access Provider (PLAP) Providers
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsPLAPProviders
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*
|-
| <b>Value name(s)</b>
| *
|-
| <b>Additional information</b>
|
|}

{| class="wikitable"
|-
| <b>Description</b>
| Winlogon Gina DLL
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsWinlogonShell
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
* HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
|-
| <b>Value name(s)</b>
| GinaDLL
|-
| <b>Additional information</b>
|
|}

{| class="wikitable"
|-
| <b>Description</b>
| Winlogon Notify
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsWinlogonNotify
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*
* HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*
|-
| <b>Value name(s)</b>
| DLLName
|-
| <b>Additional information</b>
|
|}

{| class="wikitable"
|-
| <b>Description</b>
| Winlogon Shell
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsWinlogonShell
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
* HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
|-
| <b>Value name(s)</b>
| Shell
|-
| <b>Additional information</b>
|
|}

{| class="wikitable"
|-
| <b>Description</b>
| Winlogon System
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsWinlogonSystem
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
* HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
|-
| <b>Value name(s)</b>
| System
|-
| <b>Additional information</b>
|
|}

{| class="wikitable"
|-
| <b>Description</b>
| Winlogon Taskman
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsWinlogonTaksman
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
* HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
|-
| <b>Value name(s)</b>
| Taskman
|-
| <b>Additional information</b>
|
|}

{| class="wikitable"
|-
| <b>Description</b>
| Winlogon Userinit
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsWinlogonUserinit
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
* HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
|-
| <b>Value name(s)</b>
| Userinit
|-
| <b>Additional information</b>
|
|}

{| class="wikitable"
|-
| <b>Description</b>
| Winlogon VMApplet
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsWinlogonVMApplet
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
* HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
|-
| <b>Value name(s)</b>
| VMApplet
|-
| <b>Additional information</b>
|
|}

=== Policy ===

{| class="wikitable"
|-
| <b>Description</b>
| Windows System Policy replacement shell
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsSystemPolicyShell
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System
|-
| <b>Value name(s)</b>
| Shell
|-
| <b>Additional information</b>
|
|}

=== Unsorted ===

{| class="wikitable"
|-
| <b>Description</b>
| Active Setup - Installed Components
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsStubPaths
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components
* HKEY_USERS\%SID%\Software\Microsoft\Active Setup\Installed Components
* HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components
|-
| <b>Value name(s)</b>
| StubPath
|-
| <b>Additional information</b>
|
|}

{| class="wikitable"
|-
| <b>Description</b>
| Application Initial (AppInit) DLLs persistence
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsAppInitDLLs
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
* HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Windows
* HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
|-
| <b>Value name(s)</b>
| AppInit_DLLs
|-
| <b>Additional information</b>
|
|}

{| class="wikitable"
|-
| <b>Description</b>
| Security Providers
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsSecurityProviders
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\*
|-
| <b>Value name(s)</b>
| *
|-
| <b>Additional information</b>
|
|}

{| class="wikitable"
|-
| <b>Description</b>
| Alternate shell
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsAlternateShell
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot
|-
| <b>Value name(s)</b>
| AlternateShell
|-
| <b>Additional information</b>
|
|}

{| class="wikitable"
|-
| <b>Description</b>
| Boot verification program
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsBootVerificationProgram
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BootVerificationProgram
|-
| <b>Value name(s)</b>
| ImagePath
|-
| <b>Additional information</b>
|
|}

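How the key path templates in the tables above are resolved in practice, as an added example that is not the page's own code: %SID% is expanded once per loaded user hive, HKEY_CURRENT_USER is mapped onto HKEY_USERS\<SID> because it is a subset of HKEY_USERS, key lookups are case insensitive, and value names are handled separately from key paths because a backslash is legal inside them. The nested-dict snapshot, the sample data, and the reading of a trailing \* as "the key plus its direct subkeys" are assumptions made so the code runs offline; on a live system the same lookup would be backed by winreg or a hive parser.

```python
"""Resolve persistence-key templates against a registry snapshot (added example)."""
from typing import Dict, Iterator, List, Optional, Tuple

VALUES = "__values__"  # assumed snapshot layout: each key's values live under this entry

# Constructed snapshot: one machine hive and two loaded user hives.
SNAPSHOT: Dict = {
    "HKEY_LOCAL_MACHINE": {"Software": {"Microsoft": {"Windows": {"CurrentVersion": {
        "Run": {VALUES: {"SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe"}},
        "RunOnce": {VALUES: {}},
    }}}}},
    "HKEY_USERS": {
        "S-1-5-21-1-2-3-1001": {"Software": {"Microsoft": {"Windows": {"CurrentVersion": {
            "Run": {VALUES: {
                "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
                "\x00updater": r"C:\Users\alice\AppData\Roaming\updater.exe",  # NUL-prefixed name
            }},
        }}}}},
        "S-1-5-21-1-2-3-1002": {"Software": {"Microsoft": {"Windows": {"CurrentVersion": {
            "Run": {VALUES: {"Teams": r"C:\Program Files\Teams\Teams.exe"}},
        }}}}},
    },
}

# (key path template, value name or "*") pairs in the notation of the tables.
TEMPLATES: List[Tuple[str, str]] = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*", "*"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*", "*"),
    (r"HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Run\*", "*"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows", "Load"),
]


def user_sids(snapshot: Dict) -> List[str]:
    """SIDs of the user hives loaded under HKEY_USERS."""
    return [name for name in snapshot.get("HKEY_USERS", {}) if name != VALUES]


def subkey(key: Dict, name: str) -> Optional[Dict]:
    """Case-insensitive subkey lookup, since key names are case insensitive."""
    for child_name, child in key.items():
        if child_name != VALUES and child_name.casefold() == name.casefold():
            return child
    return None


def expand_template(template: str, sids: List[str]) -> Iterator[str]:
    """Turn one template into concrete key paths."""
    prefix = "HKEY_CURRENT_USER\\"
    if template.upper().startswith(prefix):
        template = "HKEY_USERS\\%SID%\\" + template[len(prefix):]
    if "%SID%" in template:
        for sid in sids:
            yield template.replace("%SID%", sid)
    else:
        yield template


def collect_asep_values(snapshot: Dict, templates, sids: List[str]) -> List[Dict]:
    """Every (key, value name, data) an auto-start template points to."""
    hits: List[Dict] = []
    for key_template, value_pattern in templates:
        for key_path in expand_template(key_template, sids):
            # Key paths may be split on '\\' (the key separator); value names
            # are matched separately because '\\' is legal inside them.
            parts = key_path.split("\\")
            include_children = parts[-1] == "*"
            if include_children:
                parts = parts[:-1]
            node: Optional[Dict] = snapshot
            for part in parts:
                node = subkey(node, part) if node is not None else None
            if node is None:
                continue
            targets = [("\\".join(parts), node)]
            if include_children:
                targets += [("\\".join(parts + [n]), c) for n, c in node.items() if n != VALUES]
            for resolved, key in targets:
                for name, data in key.get(VALUES, {}).items():
                    if value_pattern == "*" or name.casefold() == value_pattern.casefold():
                        hits.append({"key": resolved, "value": name, "data": data,
                                     "hidden_name": "\x00" in name})
    return hits


if __name__ == "__main__":
    for hit in collect_asep_values(SNAPSHOT, TEMPLATES, user_sids(SNAPSHOT)):
        flag = "  <-- NUL in value name" if hit["hidden_name"] else ""
        print(f'{hit["key"]} : {hit["value"]!r} = {hit["data"]}{flag}')
```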
==Bibliography==
* [http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using ShellBag Information to Reconstruct User Activities], by Yuandong Zhu, Pavel Gladyshev, Joshua James, DFRWS 2009
* [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], by [[Timothy Morgan]], June 9, 2009
* [http://amnesia.gtisc.gatech.edu/~moyix/suzibandit.ltd.uk/MSc/ The Internal Structure of the Windows Registry], by Peter Norris, February 2009
* [http://www.dfrws.org/2008/proceedings/p33-morgan.pdf Recovering Deleted Data From the Windows Registry] and [http://www.dfrws.org/2008/proceedings/p33-morgan_pres.pdf slides], by [[Timothy Morgan]], DFRWS 2008
* [http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory] and [http://dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf slides], by Brendan Dolan-Gavitt, DFRWS 2008
* [http://www.sentinelchicken.com/data/JolantaThomassenDISSERTATION.pdf Forensic analysis of unallocated space in Windows Registry Hive files], by Jolanta Thomassen, March 11, 2008
* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4GX1J3B-1&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=ab887593e7be6d5257696707886978f1 The Windows Registry as a forensic resource], Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205.
* [https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md Windows registry file format specification], by Maxim Suhanov, 2015-2016

=== Undated ===
* [http://eptuners.com/forensics/A%20Windows%20Registry%20Quick%20Reference.pdf A Windows Registry Quick Reference: For the Everyday Examiner], by Derrick Farmer, Burlington, VT.
* [http://www.forensicfocus.com/downloads/forensic-analysis-windows-registry.pdf Forensic Analysis of the Windows Registry], by Lih Wern Wong, School of Computer and Information Science, Edith Cowan University

== External Links ==
* [http://en.wikipedia.org/wiki/Windows_Registry Wikipedia: Windows Registry]
* [http://windowsir.blogspot.com/search/label/Registry Windows Incident Response Articles on Registry]
* [http://www.answers.com/topic/win-registry Windows Registry Information]
* [http://moyix.blogspot.com/search/label/registry Push the Red Button] — Articles on Registry
* [http://www.beginningtoseethelight.org/ntsecurity/ Security Accounts Manager]
* [http://windowsxp.mvps.org/RegistryMRU.htm Registry MRU Locations]

=== Boot Configuration Data (BCD) ===
* [http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Boot_Modifications.doc Modifications to Microsoft Boot Components: Update], by [[Microsoft]]

=== Windows 32-bit on Windows 64-bit (WoW64) ===
* [https://msdn.microsoft.com/en-us/library/aa384253(v=vs.85).aspx Registry Keys Affected by WOW64], by [[Microsoft]]
* [https://msdn.microsoft.com/en-us/library/aa384232(VS.85).aspx Registry Redirector], by [[Microsoft]]
* [https://msdn.microsoft.com/en-us/library/windows/desktop/aa384253(v=vs.85).aspx Registry Keys Affected by WOW64], by [[Microsoft]]
* [https://msdn.microsoft.com/en-us/library/windows/desktop/ms724072%28v=vs.85%29.aspx 32-bit and 64-bit Application Data in the Registry], by [[Microsoft]]

=== Cached Credentials ===
* [http://juggernaut.wikidot.com/cached-credentials Cached Credentials], by Juggernaut

=== Persistence keys ===
* [https://technet.microsoft.com/en-us/magazine/ee851671.aspx Understand and Control Startup Apps with the System Configuration Utility], by [[Microsoft|Microsoft Technet]]
* [http://www.silentrunners.org/ Silent Runners], by Andrew Aronoff
* [https://digital-forensics.sans.org/blog/2010/10/20/digital-forensics-autorun-registry-keys Digital Forensics: Persistence Registry keys], Dave Hull, October 20, 2010
* [http://www.hexacorn.com/blog/2012/07/23/beyond-good-ol-run-key/ Beyond good ol’ Run key], Hexacorn blog, July 23, 2012
* [http://journeyintoir.blogspot.ch/2013_04_01_archive.html Plugins: soft_run user_run], by Corey Harrell, April 17, 2013
* [https://code.google.com/p/regripper/wiki/ASEPs Auto-Start Extensibility Points (ASEPs)], by the [[Regripper|RegRipper project]], April 29, 2013
* [http://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order Windows Registry Persistence, Part 2: The Run Keys and Search-Order], by Scott Langendorf, September 24, 2013
* [https://github.com/tomchop/volatility-autoruns/blob/master/README.md Volatility autoruns plugin], by the [[Volatility|Volatility project]], April 14, 2015

=== User Assist ===
* [http://blog.didierstevens.com/programs/userassist/ UserAssist], by Didier Stevens
* [http://blog.didierstevens.com/2007/07/17/userassist-v230/ UserAssist V2.3.0], by Didier Stevens, Tuesday 17 July 2007
* [http://windowsir.blogspot.ch/2007/09/more-on-userassist-keys.html More on (the) UserAssist keys], by [[Harlan Carvey]], Monday, September 03, 2007
* [http://blog.didierstevens.com/2009/01/18/quickpost-windows-7-beta-rot13-replaced-with-vigenere-great-joke/ Windows 7 Beta: ROT13 Replaced With Vigenère? Great Joke!], by Didier Stevens, January 18, 2009
* [http://forensicsfromthesausagefactory.blogspot.ch/2010/05/prefetch-and-user-assist.html Prefetch and User Assist], by DC174, Thursday, 27 May 2010
* [http://forensicartifacts.com/2010/07/userassist/ Forensic Artifact: UserAssist], July 2010
* [http://sploited.blogspot.ch/2012/12/sans-forensic-artifact-6-userassist.html SANS Forensic Artifact 6: UserAssist], by Sploited, Thursday, 27 December 2012
* [http://www.4n6k.com/2013/05/userassist-forensics-timelines.html UserAssist Forensics (timelines, interpretation, testing, & more)], by Dan (@4n6k), Tuesday, May 14, 2013
* [http://hackingexposedcomputerforensicsblog.blogspot.ch/2013/08/daily-blog-45-understanding-artifacts.html Daily Blog #45: Understanding the artifacts: User Assist], by [[David Cowen]], Wednesday, August 7, 2013
  
 
==Tools==
 
==Tools==
Line 101: Line 866:
 
* [http://samba.org/~jelmer/kregedit/ kregedit] - a KDE utility for viewing and editing registry files.
 
* [http://samba.org/~jelmer/kregedit/ kregedit] - a KDE utility for viewing and editing registry files.
 
* [http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm ntreg] a file system driver for linux, which understands the NT registry file format.  
 
* [http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm ntreg] a file system driver for linux, which understands the NT registry file format.  
 +
* [https://github.com/EricZimmerman/Registry Registry] Full featured, offline Registry hive parser written in C#. Supports deleted item recovery, full searching, and more by @EricZimmerman
  
 
===Freeware===
 
===Freeware===
 +
* [http://binaryforay.blogspot.com/p/software.html Registry Explorer] Registry Explorer and RECmd allow unrivaled access to Registry hives by @EricZimmerman
 +
 +
===Commercial===
 
* [http://www.tzworks.net/prototype_page.php?proto_id=3 Yet Another Registry Utility (yaru)] Free tool that can be run on Windows, Linux or Mac OS-X. If run in admin mode, allows viewing of registry hives on live system.
 
* [http://www.tzworks.net/prototype_page.php?proto_id=3 Yet Another Registry Utility (yaru)] Free tool that can be run on Windows, Linux or Mac OS-X. If run in admin mode, allows viewing of registry hives on live system.
  
Line 108: Line 877:
  
 
* [http://tzworks.net/prototype_page.php?proto_id=19 ''cafae''] - Computer Account Forensic Artifact Extractor.  Free tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives.
 
* [http://tzworks.net/prototype_page.php?proto_id=19 ''cafae''] - Computer Account Forensic Artifact Extractor.  Free tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives.
 
+
* [http://www.stellarinfo.com/windows-tools/registry-cleaner.php Regisry Manager]
===Commercial===
+
 
* [http://www.abexo.com/free-registry-cleaner.htm Abexo Free Regisry Cleaner]
 
* [http://www.abexo.com/free-registry-cleaner.htm Abexo Free Regisry Cleaner]
 
* [http://www.auslogics.com/registry-defrag Auslogics Registry Defrag]
 
* [http://www.auslogics.com/registry-defrag Auslogics Registry Defrag]
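Review bot: the added entry "* [http://www.stellarinfo.com/windows-tools/registry-cleaner.php Regisry Manager]" misspells "Registry" and, unlike every other entry in this list, carries no description; suggest "Registry Manager - registry cleaner by Stellar." and, while here, fixing the same misspelling in the pre-existing "Abexo Free Regisry Cleaner" entry two lines below.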
Line 119: Line 887:
 
* [http://mitec.cz/wrr.html Windows Registry Recovery]
 
* [http://mitec.cz/wrr.html Windows Registry Recovery]
 
* [http://registrytool.com/ Registry Tool]
 
* [http://registrytool.com/ Registry Tool]
 
==Bibliography==
 
* [http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using ShellBag Information to Reconstruct User Activities], by Yuandong Zhu*, Pavel Gladyshev, Joshua James, DFRWS 2009
 
* [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], by [[Timothy Morgan]], June 9, 2009
 
* [http://amnesia.gtisc.gatech.edu/~moyix/suzibandit.ltd.uk/MSc/ The Internal Structure of the Windows Registry], by Peter Norris, February 2009
 
* [http://www.dfrws.org/2008/proceedings/p33-morgan.pdf Recovering Deleted Data From the Windows Registry] and [http://www.dfrws.org/2008/proceedings/p33-morgan_pres.pdf slides], by [[Timothy Morgan]], DFRWS 2008
 
* [http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory] and [http://dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf slides], by Brendan Dolan-Gavitt, DFRWS 2008
 
* [http://www.sentinelchicken.com/data/JolantaThomassenDISSERTATION.pdf Forensic analysis of unallocated space in Windows Registry Hive files], by Jolanta Thomassen, March 11, 2008
 
* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4GX1J3B-1&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=ab887593e7be6d5257696707886978f1 The Windows Registry as a forensic resource], Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205.
 
 
=== Undated ===
 
* [http://eptuners.com/forensics/A%20Windows%20Registry%20Quick%20Reference.pdf A Windows Registry Quick Reference: For the Everyday Examiner], by Derrick Farmer, Burlington, VT.
 
* [http://www.forensicfocus.com/downloads/forensic-analysis-windows-registry.pdf Forensic Analysis of the Windows Registry], by Lih Wern Wong , School of Computer and Information Science, Edith Cowan University
 
 
==See Also==
 
* [http://en.wikipedia.org/wiki/Windows_Registry Wikipedia: Windows Registry]
 
* [http://windowsir.blogspot.com/search/label/Registry Windows Incident Response Articles on Registry]
 
* [http://www.answers.com/topic/win-registry Windows Registry Information]
 
* [http://moyix.blogspot.com/search/label/registry Push the Red Button] — Articles on Registry
 
* [http://www.beginningtoseethelight.org/ntsecurity/ Security Accounts Manager]
 
* [http://windowsxp.mvps.org/RegistryMRU.htm Registry MRU Locations]
 
 
=== Windows 32-bit on Windows 64-bit (WoW64) ===
 
* [http://msdn.microsoft.com/en-us/library/aa384253(v=vs.85).aspx Registry Keys Affected by WOW64], by [[Microsoft]]
 
* [http://msdn.microsoft.com/en-us/library/aa384232(VS.85).aspx Registry Redirector], by [[Microsoft]]
 
  
 
[[Category:Windows Analysis]]
 
[[Category:Windows Analysis]]
 
[[Category:Bibliographies]]
 
[[Category:Bibliographies]]

Latest revision as of 14:33, 24 September 2016

Terminology

Hive

According to [1]

A hive is a logical group of keys, subkeys, and values in the Windows Registry that has a set of supporting files containing backups of its data.

However, in common usage the term hive often does not include the supporting files.

According to [2] the origin of the term is bee hives.

File Locations

The Windows Registry is stored in multiple files.

Windows NT 4

In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format.

The following Registry hives are stored in the corresponding files:

  • HKEY_USERS: \Documents and Settings\User Profile\NTUSER.DAT
  • HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
  • HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
  • HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system

Windows 9x/ME

In Windows 95, 98 and Me the Registry is stored in the Windows 9x Registry File (CREG) format.

  • \Windows\user.dat
  • \Windows\system.dat
  • \Windows\profiles\user profile\user.dat

Special cases

The Windows Registry has several special case scenarios, mainly concerning key and value names, that are easy to fail to account for:

  • special characters in key and value names
  • duplicate key and value names
  • the names when stored in extended ASCII (ANSI string) use a codepage that is dependent on the system settings
  • unreconciled data

Special characters in key and value names

Both key and value names are case insensitive. The \ character is used as the key separator, but note that the \ character can also appear in value names, so a combined "key\value" string cannot be split on \ unambiguously. The / character is used in both key and value names. Some examples:

Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\
Value: Size/Small/Medium/Large
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\
Value: \Device\Video0
Key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\
Value: SchemaFile

Also, null bytes may be present in key values in order to hide data [3].

Codepaged ASCII strings

A value named "ëigenaardig" created on Windows XP with system codepage 1252:

value key data:
00000000: 76 6b 0b 00 46 00 00 00  20 98 1a 00 01 00 00 00   vk..F...  .......
00000010: 01 00 69 6e eb 69 67 65  6e 61 61 72 64 69 67 00   ..in.ige naardig.
00000020: 55 4e 49 43                                        UNIC

value key signature                     : vk
value key value name size               : 11
value key data size                     : 0x00000046 (70)
value key data offset                   : 0x001a9820
value key data type                     : 1 (REG_SZ) String
value key flags                         : 0x0001
        Value name is an ASCII string

value key unknown1                      : 0x6e69 (28265)
value key value name                    : ëigenaardig
value key value name hash               : 0xb78835ee
value key padding:
00000000: 00 55 4e 49 43                                     .UNIC

As the dump shows, the name is stored in extended ASCII (ANSI) using codepage 1252; the same bytes decoded with another codepage would yield a different name.
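The decoding the dump illustrates, as an added example that is not part of the original page: a small parser for the REGF value key (vk) cell built on the bytes shown above. The name is decoded with the supplied codepage only when the 0x0001 flag says it is an ANSI string, and UTF-16LE otherwise; the same bytes read as "ëigenaardig" under cp1252 and as "лigenaardig" under cp1251, which is the dependency on system settings the section warns about. The field layout follows the public REGF format description; the in-offset data convention (high bit of the data size) is part of that format, not something on this page.

```python
import struct

# Constructed from the hex dump above: the "vk" cell of a REG_SZ value named
# "ëigenaardig", written on Windows XP with system codepage 1252.
SAMPLE_VK = bytes.fromhex(
    "766b0b0046000000" "20981a0001000000"
    "0100696eeb696765" "6e61617264696700"
    "554e4943"
)

# vk cell header: signature, name size, data size, data offset, data type, flags, unknown1
VK_HEADER = struct.Struct("<2sHIIIHH")
VK_NAME_IS_ASCII = 0x0001       # flag bit: name is a codepaged (ANSI) string, not UTF-16LE
VK_DATA_IN_OFFSET = 0x80000000  # data size high bit: data (up to 4 bytes) lives in the offset field

REG_TYPES = {
    0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
    4: "REG_DWORD", 5: "REG_DWORD_BIG_ENDIAN", 6: "REG_LINK", 7: "REG_MULTI_SZ",
    8: "REG_RESOURCE_LIST", 9: "REG_FULL_RESOURCE_DESCRIPTOR",
    10: "REG_RESOURCE_REQUIREMENTS_LIST", 11: "REG_QWORD",
}


def parse_vk(cell, codepage="cp1252"):
    """Parse a REGF value key (vk) cell.

    `codepage` is the ANSI codepage of the system that wrote the hive; it is only
    consulted when the flags say the name is stored as an ASCII (ANSI) string.
    """
    sig, name_size, data_size, data_offset, data_type, flags, unknown1 = VK_HEADER.unpack_from(cell, 0)
    if sig != b"vk":
        raise ValueError("not a vk cell")
    raw_name = cell[VK_HEADER.size:VK_HEADER.size + name_size]
    if len(raw_name) != name_size:
        raise ValueError("truncated value name")
    if name_size == 0:
        name = ""  # the key's default (unnamed) value
    elif flags & VK_NAME_IS_ASCII:
        name = raw_name.decode(codepage)
    else:
        name = raw_name.decode("utf-16-le")
    inline = bool(data_size & VK_DATA_IN_OFFSET)
    real_size = data_size & 0x7FFFFFFF
    return {
        "name": name,
        "name_is_ascii": bool(flags & VK_NAME_IS_ASCII),
        "data_type": REG_TYPES.get(data_type, "0x%08x" % data_type),
        "data_size": real_size,
        # offsets are relative to the first hive bin (file offset 0x1000 + offset)
        "data_offset": None if inline else data_offset,
        "inline_data": struct.pack("<I", data_offset)[:real_size] if inline else None,
        "flags": flags,
        "unknown1": unknown1,
    }


if __name__ == "__main__":
    for cp in ("cp1252", "cp1251"):
        print(cp, parse_vk(SAMPLE_VK, codepage=cp)["name"])
```

When parsing a hive from an unknown machine, the codepage has to come from the hive's own SYSTEM\CurrentControlSet\Control\Nls\CodePage settings or from case context; there is no marker in the vk cell itself.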

Unreconciled data

Starting from Windows 8.1 and Windows Server 2012 R2, a new implementation of the hive flusher was introduced in the kernel. This implementation attempts to radically reduce the number of disk writes on a mounted hive: a flush operation on a hive stores the modified (dirty) data in a transaction log file, while the hive bins in the primary file (also known as the normal or data file) are left intact. The kernel syncs the primary file only after one of the following conditions has occurred:

  • an hour has elapsed since the latest write to a primary file;
  • a power management subsystem reports that all users (local and remote) are inactive;
  • the operating system is shutting down (hive is unloading).

In order to correctly handle unreconciled data (e.g. when dealing with an image taken from a live system), one needs to parse transaction log files along with primary files.
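One way to tell whether a primary file needs its transaction logs applied, as an added example that is not part of the original page: the REGF base block carries a primary and a secondary sequence number, and a completed flush leaves them equal, so a mismatch flags a hive with unreconciled data. The field layout and the XOR checksum rule follow the public REGF format description; the sample base blocks are constructed here for the demonstration, not taken from a real hive.

```python
import struct
from datetime import datetime, timedelta

# REGF base block, first 48 bytes: signature, primary sequence number, secondary
# sequence number, last written FILETIME, major version, minor version, file type,
# file format, root cell offset, hive bins data size, clustering factor.
BASE_BLOCK = struct.Struct("<4sIIQIIIIIII")
BASE_BLOCK_SIZE = 4096
CHECKSUM_OFFSET = 508
FILETIME_EPOCH = datetime(1601, 1, 1)


def regf_checksum(block):
    """XOR of the 127 little-endian dwords preceding the checksum field."""
    x = 0
    for (word,) in struct.iter_unpack("<I", block[:CHECKSUM_OFFSET]):
        x ^= word
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return 1 if x == 0 else x


def parse_base_block(block):
    if len(block) < BASE_BLOCK_SIZE:
        raise ValueError("base block must be 4096 bytes")
    (sig, primary, secondary, filetime, major, minor,
     file_type, _file_format, root_offset, hbins_size, _cluster) = BASE_BLOCK.unpack_from(block, 0)
    if sig != b"regf":
        raise ValueError("not a REGF hive")
    stored = struct.unpack_from("<I", block, CHECKSUM_OFFSET)[0]
    return {
        "primary_sequence": primary,
        "secondary_sequence": secondary,
        "last_written": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
        "version": "%d.%d" % (major, minor),
        "file_type": {0: "primary", 1: "transaction log"}.get(file_type, str(file_type)),
        "root_cell_offset": root_offset,
        "hive_bins_size": hbins_size,
        "checksum_valid": stored == regf_checksum(block),
        # Mismatched sequence numbers mean the last flush did not complete: the
        # primary file lacks data that exists only in the transaction log(s).
        "dirty": primary != secondary,
    }


def build_base_block(primary, secondary, last_written=datetime(2016, 9, 24, 14, 33),
                     name="\\??\\C:\\Windows\\system32\\config\\SYSTEM"):
    """Constructed sample base block (not from a real hive) for exercising the parser."""
    delta = last_written - FILETIME_EPOCH
    filetime = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    block = bytearray(BASE_BLOCK_SIZE)
    BASE_BLOCK.pack_into(block, 0, b"regf", primary, secondary, filetime,
                         1, 5, 0, 1, 0x20, 0x1000, 1)
    encoded = name.encode("utf-16-le")[:64]  # file name field: offset 48, 64 bytes
    block[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", block, CHECKSUM_OFFSET, regf_checksum(block))
    return bytes(block)


if __name__ == "__main__":
    for label, blk in (("clean", build_base_block(7, 7)), ("dirty", build_base_block(8, 7))):
        info = parse_base_block(blk)
        print(label, "dirty=%s checksum_valid=%s last_written=%s"
              % (info["dirty"], info["checksum_valid"], info["last_written"]))
```

A hive copied from a live system (or carved from an image) that reports dirty should be processed together with its .LOG1/.LOG2 files, or the most recent changes will be missing from the analysis.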

Persistence keys

The following lists are loosely based on:

Note that in the lists below HKEY_CURRENT_USER is a subset of HKEY_USERS.

Command Processor (cmd.exe)

Description: Command Processor Auto Run
Artifact name: WindowsCommandProcessorAutoRun
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Command Processor
  • HKEY_USERS\%SID%\Software\Microsoft\Command Processor
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Command Processor
Value name(s): AutoRun
Additional information: Command Processor\AutoRun

Debugging

Description: Automatic debugging
Artifact name: WindowsAutomaticDebugging
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
Value name(s): Debugger
Additional information: Configuring Automatic Debugging

Internet Explorer

Description: Browser Helper Objects
Artifact name: InternetExplorerBrowserHelperObjects
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
Value name(s): *

Local Security Authority (LSA)

Description: Local Security Authority (LSA) Authentication Packages
Artifact name: WindowsLSAAuthenticationPackages
Key path(s):
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
Value name(s): Authentication Packages

Description: Local Security Authority (LSA) Notification Packages
Artifact name: WindowsLSANotificationPackages
Key path(s):
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
Value name(s): Notification Packages

Description: Local Security Authority (LSA) Security Packages
Artifact name: WindowsLSASecurityPackages
Key path(s):
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
Value name(s): Security Packages

Run keys

Description: Run keys
Artifact name: WindowsRunKeys
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*
Value name(s): *

Description: Run services keys
Artifact name: WindowsRunServices
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\*
Value name(s): *

Session Manager

Description: Session Manager Execute
Artifact name(s):
  • WindowsSessionManagerBootExecute
  • WindowsSessionManagerExecute
  • WindowsSessionManagerSetupExecute
Key path(s): HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
Value name(s):
  • BootExecute
  • Execute
  • SetupExecute

Description: Windows Session Manager Windows-on-Windows (WOW) command line
Artifact name: WindowsSessionManagerWOWCommandLine
Key path(s): HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\WOW
Value name(s):
  • cmdline
  • wowcmdline

Service Control Manager

Description: Service Control Manager extension
Artifact name: WindowsServiceControlManagerExtension
Key path(s): HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
Value name(s): ServiceControlManagerExtension

Windows shell (explorer.exe)

Description: Shell Icon Overlay Identifiers
Artifact name: WindowsShellIconOverlayIdentifiers
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
Value name(s): *

Description: Shell Extensions
Artifact name: WindowsShellExtensions
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Value name(s): *

Description: Shell Execute Hooks
Artifact name: WindowsShellExecuteHooks
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
Value name(s): *

Description: Shell Load and Run
Artifact name: WindowsShellLoadAndRun
Key path(s):
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
Value name(s):
  • Load
  • Run

Description: Shell Service Object Delay Load
Artifact name: WindowsShellServiceObjects
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value name(s): *
Additional information: TrojanClicker:Win32/Zirit.X

Winlogon and Credential Providers

Description: Credential Provider Filters
Artifact name: WindowsCredentialProviderFilters
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*
Value name(s): *
Additional information: Capturing Windows 7 Credential at logon using custom credential provider

Description: Credential Providers
Artifact name: WindowsCredentialProviders
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*
Value name(s): *
Additional information: Capturing Windows 7 Credential at logon using custom credential provider

Description: Pre-Logon Access Provider (PLAP) Providers
Artifact name: WindowsPLAPProviders
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*
Value name(s): *

Description: Winlogon Gina DLL
Artifact name: WindowsWinlogonShell
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name(s): GinaDLL

Description: Winlogon Notify
Artifact name: WindowsWinlogonNotify
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*
Value name(s): DLLName

Description: Winlogon Shell
Artifact name: WindowsWinlogonShell
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name(s): Shell

Description: Winlogon System
Artifact name: WindowsWinlogonSystem
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name(s): System

Description: Winlogon Taskman
Artifact name: WindowsWinlogonTaskman
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name(s): Taskman

Description: Winlogon Userinit
Artifact name: WindowsWinlogonUserinit
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name(s): Userinit

Description: Winlogon VMApplet
Artifact name: WindowsWinlogonVMApplet
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name(s): VMApplet

Policy

Description: Windows System Policy replacement shell
Artifact name: WindowsSystemPolicyShell
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System
Value name(s): Shell

Unsorted

Description: Active Setup - Installed Components
Artifact name: WindowsStubPaths
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components
  • HKEY_USERS\%SID%\Software\Microsoft\Active Setup\Installed Components
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components
Value name(s): StubPath

Description: Application Initial (AppInit) DLLs persistence
Artifact name: WindowsAppInitDLLs
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
Value name(s): AppInit_DLLs

Description: Security Providers
Artifact name: WindowsSecurityProviders
Key path(s):
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\*
Value name(s): *

Description: Alternate shell
Artifact name: WindowsAlternateShell
Key path(s):
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot
Value name(s): AlternateShell

Description: Boot verification program
Artifact name: WindowsBootVerificationProgram
Key path(s):
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BootVerificationProgram
Value name(s): ImagePath
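Checking collected Registry data against the persistence locations listed above, as an added example that is not part of the original page: the script parses a .reg export and reports every value that falls in a known location. The matching handles the normalisation pitfalls the lists imply: names are case insensitive, Wow6432Node is the 32-bit view of the same key, a concrete user SID under HKEY_USERS (or HKEY_CURRENT_USER) stands for %SID%, and an offline SYSTEM hive exposes ControlSet00N where the lists say CurrentControlSet. The location table is a representative subset of the lists above, and the .reg excerpt is constructed for the demonstration.

```python
import re

# Representative subset of the persistence locations listed above. A key path
# ending in "\*" covers the key and its subkeys; a value name of "*" covers every
# value under the key.
PERSISTENCE_LOCATIONS = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*", {"*"}),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*", {"*"}),
    (r"HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Run\*", {"*"}),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", {"Shell", "Userinit"}),
    (r"HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", {"Shell", "Userinit"}),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows", {"AppInit_DLLs"}),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor", {"AutoRun"}),
    (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa",
     {"Authentication Packages", "Notification Packages", "Security Packages"}),
]

_SID_RE = re.compile(r"^hkey_users\\s-1-5-\d+(?:-\d+)*")
_CONTROLSET_RE = re.compile(r"\\controlset\d{3}\\")
_KEY_LINE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def normalize_key(path):
    """Canonical, lower-case form of a key path for comparison with the list above."""
    p = path.strip().strip("\\").lower()
    p = p.replace("\\wow6432node\\", "\\")  # 32-bit redirected view of the same key
    if p.startswith("hkey_current_user\\"):
        p = "hkey_users\\%sid%" + p[len("hkey_current_user"):]
    p = _SID_RE.sub("hkey_users\\\\%sid%", p)  # concrete SID -> %SID% placeholder
    p = _CONTROLSET_RE.sub("\\\\currentcontrolset\\\\", p)  # offline ControlSet00N
    return p


def parse_reg_export(text):
    """Yield (key_path, value_name, raw_data) from a .reg export (single-line values).

    "@" denotes the key's default value; "[-KEY]" lines are deletions and are skipped.
    """
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") \
                or line.upper().startswith("REGEDIT4"):
            continue
        m = _KEY_LINE.match(line)
        if m:
            current = None if m.group(1) else m.group(2)
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "" if m.group(2) else re.sub(r"\\(.)", r"\1", m.group(1))
            yield current, name, m.group(3)


def find_persistence_entries(reg_text, locations=PERSISTENCE_LOCATIONS):
    """Return every value in the export that sits in a known persistence location."""
    compiled = []
    for key_pattern, value_names in locations:
        nk = normalize_key(key_pattern)
        subtree = nk.endswith("\\*")
        compiled.append((nk[:-2] if subtree else nk, subtree,
                         {v.lower() for v in value_names}, key_pattern))
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        nk = normalize_key(key)
        for pk, subtree, names, original in compiled:
            key_ok = nk == pk or (subtree and nk.startswith(pk + "\\"))
            if key_ok and ("*" in names or name.lower() in names):
                hits.append({"key": key, "value": name, "data": data, "location": original})
                break
    return hits


# Constructed .reg export excerpt (not from a real system): persistence locations
# in several spellings plus one unrelated key that must not be reported.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ExampleAgent"="C:\\ProgramData\\Example\\agent.exe"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"DisplayName"="Example"
"""

if __name__ == "__main__":
    for hit in find_persistence_entries(SAMPLE_REG):
        print("%-70s %-24s %s" % (hit["key"], hit["value"], hit["data"]))
```

Every hit still needs review against a known-good baseline for that system; the script only tells the examiner which values live in locations that are executed at boot or logon, not whether their contents are legitimate.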

Bibliography

Undated

External Links

Boot Configuration Data (BCD)

Windows 32-bit on Windows 64-bit (WoW64)

Cached Credentials

Persistence keys

User Assist

Tools

Open Source

  • Forensic Registry EDitor (fred) - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by Daniel Gillen
  • libregfi - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
  • reglookup - "small command line utility for reading and querying Windows NT-based registries."
  • regviewer - a tool for looking at the registry.
  • RegRipper - "the fastest, easiest, and best tool for registry analysis in forensics examinations."
  • Parse::Win32Registry - Perl module.
  • python-registry - Python module.
  • Registry Decoder - offline analysis component, by Andrew Case
  • RegDecoderLive - live hive acquisition component, by Andrew Case
  • libregf - Library and tools to access the Windows NT Registry File (REGF) format
  • Registryasxml - Tool to import/export registry sections as XML
  • kregedit - a KDE utility for viewing and editing registry files.
  • ntreg - a file system driver for Linux which understands the NT registry file format.
  • Registry - full-featured offline Registry hive parser written in C#; supports deleted item recovery, full searching and more, by @EricZimmerman

Freeware

  • Registry Explorer - Registry Explorer and RECmd, tools for examining Registry hives, by @EricZimmerman

Commercial