Windows Registry

From ForensicsWiki

== Terminology ==

=== Hive ===

According to [https://msdn.microsoft.com/en-us/library/windows/desktop/ms724877%28v=vs.85%29.aspx]:

<pre>
A hive is a logical group of keys, subkeys, and values in the Windows Registry that has a set of supporting files containing backups of its data.
</pre>

However, in common usage the term hive often refers to the file alone and does not imply the supporting files.

According to [http://blogs.msdn.com/b/oldnewthing/archive/2003/08/08/54618.aspx] the origin of the term is bee hives.

==File Locations==

The Windows Registry is stored in multiple files.

* HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system

===Windows 9x/ME===

In Windows 95, 98 and Me the Registry is stored in the [[Windows 9x Registry File (CREG)]] format.

* \Windows\user.dat
* \Windows\system.dat
* \Windows\profiles\user profile\user.dat
 
== Keys ==

=== Run/RunOnce ===

System-wide:

<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
</pre>

Per user:

<pre>
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
</pre>

The Run keys table under [[#Persistence keys|Persistence keys]] lists the remaining variants (Wow6432Node, RunOnceEx, Policies\Explorer\Run).

== Special cases ==

The Windows Registry has several special case scenarios, mainly concerning key and value names, that are easy to fail to account for:

* special characters in key and value names
* duplicate key and value names
* names stored in extended ASCII (ANSI string) use a codepage that depends on the system settings
* unreconciled data

=== Special characters in key and value names ===

Both key and value names are case insensitive. The \ character is used as the key separator; note that it can nevertheless appear in value names. The / character can appear in both key and value names.

Value names may also contain null bytes, for example a value name that starts with a null byte. Names are stored length-prefixed, so the registry itself handles them, but tools that copy a name into a null-terminated string show such a value as having an empty name or skip it altogether, which makes this a way to hide data [http://binaryforay.blogspot.com/2016/01/registry-values-starting-with-null.html].

=== Codepaged ASCII strings ===

Value with name "ëigenaardig" created on Windows XP with codepage 1252.

The name is stored in extended ASCII (ANSI) using codepage 1252: the ë is the single byte 0xEB rather than a UTF-16 code unit. Decoding such a name therefore requires knowing the codepage that was in effect on the system that wrote the hive; the hive file does not record it, so a tool that assumes a fixed codepage will render the name wrongly for hives from differently configured systems.
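The following is an added example, not code from this page or from any of the tools it lists. It builds the three value-name cases discussed above as raw 'vk' cell records (the record type that holds a value name in the REGF format described in the Bibliography) and decodes them the way the format requires: by the stored name length and by the flag that says whether the name is 8-bit ANSI or UTF-16LE. The decoding codepage is a parameter, since the hive does not record it. The sample records, the name "ëigenaardig" and the null-prefixed name are constructed here; the 'vk' layout is reduced to the fields that name decoding needs.

```python
"""Decode registry value names from raw REGF 'vk' cell records.

Added example, not code from the ForensicsWiki page. All records below are
constructed test data. Offsets inside the 'vk' record (after the 4-byte cell
size) follow the REGF format specification cited in the Bibliography.
"""
import struct

VK_HEADER = "<2sHIIIHH"   # signature, name length, data size, data offset, data type, flags, spare
VK_HEADER_SIZE = struct.calcsize(VK_HEADER)   # 20 bytes
VK_NAME_IS_ANSI = 0x0001  # flags bit 0: name is an 8-bit (ANSI codepage) string, otherwise UTF-16LE
REG_SZ = 1


def build_vk_cell(name_bytes, flags):
    """Construct an allocated 'vk' cell (constructed sample, not taken from a real hive)."""
    record = struct.pack(VK_HEADER, b"vk", len(name_bytes),
                         0x80000000 | 4,   # data size; high bit set = data stored inline
                         0,                # data offset field, holding the (empty) inline data
                         REG_SZ, flags, 0) + name_bytes
    total = (len(record) + 4 + 7) // 8 * 8  # cells are 8-byte aligned; size includes the 4-byte header
    return struct.pack("<i", -total) + record.ljust(total - 4, b"\0")  # negative size = allocated cell


def value_name(cell, ansi_codepage="cp1252"):
    """Decode the value name using the stored name length and the ANSI flag."""
    sig, name_len, _dsize, _doff, _dtype, flags, _spare = struct.unpack_from(VK_HEADER, cell, 4)
    if sig != b"vk":
        raise ValueError("not a vk record")
    raw = cell[4 + VK_HEADER_SIZE: 4 + VK_HEADER_SIZE + name_len]  # length-prefixed: NULs are part of the name
    if flags & VK_NAME_IS_ANSI:
        return raw.decode(ansi_codepage)   # codepage of the system that wrote the hive
    return raw.decode("utf-16-le")


def value_name_as_c_string(cell, ansi_codepage="cp1252"):
    """What a tool that copies an ANSI name into a NUL-terminated buffer reports."""
    sig, name_len, _dsize, _doff, _dtype, flags, _spare = struct.unpack_from(VK_HEADER, cell, 4)
    if sig != b"vk":
        raise ValueError("not a vk record")
    raw = cell[4 + VK_HEADER_SIZE: 4 + VK_HEADER_SIZE + name_len]
    if flags & VK_NAME_IS_ANSI:
        return raw.split(b"\0", 1)[0].decode(ansi_codepage)   # truncates at the first NUL
    return raw.decode("utf-16-le")


# Constructed samples for the cases discussed in this section.
ANSI_NAME = build_vk_cell("ëigenaardig".encode("cp1252"), VK_NAME_IS_ANSI)  # bytes EB 69 67 65 ...
UTF16_NAME = build_vk_cell("ëigenaardig".encode("utf-16-le"), 0)            # bytes EB 00 69 00 ...
NUL_PREFIXED_NAME = build_vk_cell(b"\x00Hidden", VK_NAME_IS_ANSI)

if __name__ == "__main__":
    print(value_name(ANSI_NAME))                 # correct codepage
    print(value_name(ANSI_NAME, "cp1251"))       # wrong codepage: 0xEB becomes a Cyrillic letter
    print(value_name(UTF16_NAME))                # UTF-16LE names do not depend on any codepage
    print(repr(value_name(NUL_PREFIXED_NAME)))             # the NUL is kept
    print(repr(value_name_as_c_string(NUL_PREFIXED_NAME)))  # the name vanishes
```

Key names in 'nk' records follow the same pattern with a different flag bit (0x0020 in the key node flags), so a parser needs the same two decisions there. When the source system's codepage is unknown, decoding the ANSI names with every plausible codepage and comparing the results is more honest than silently assuming cp1252.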

=== Unreconciled data ===

Starting with Windows 8.1 and Windows Server 2012 R2, the kernel uses a new implementation of the hive flusher. It radically reduces the number of disk writes to a mounted hive: a flush operation on a hive stores the modified (dirty) data in a transaction log file, while the hive bins in the primary file (also known as the normal or data file) are left untouched. The kernel syncs the primary file only after one of the following conditions has occurred:

* an hour has elapsed since the latest write to the primary file;
* the power management subsystem reports that all users (local and remote) are inactive;
* the operating system is shutting down (the hive is being unloaded).

In order to correctly handle unreconciled data (e.g. when dealing with an image taken from a live system), the transaction log files must be parsed along with the primary files. A primary file whose hive bins are read without applying the logs can be up to an hour behind the state the running operating system sees, and the entries most relevant to an intrusion (the latest ones) are exactly the ones still sitting in the logs.

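An added example, not code from this page, showing the first check a parser should make before trusting the hive bins of a primary file. It reads only the 512-byte base block: the kernel increments the primary sequence number before writing and the secondary one after the write has completed, so when they differ the primary file is dirty and its transaction logs (for a SYSTEM hive, SYSTEM.LOG1 and SYSTEM.LOG2 in the same directory) must be replayed first. The base block's XOR checksum is verified before the sequence numbers are compared. The sample base blocks are constructed inline; field offsets follow the REGF format specification cited in the Bibliography.

```python
"""Detect a primary hive file whose newest data is still only in its transaction logs.

Added example, not code from the ForensicsWiki page. Sample base blocks are
constructed; offsets follow the REGF format specification in the Bibliography.
"""
import struct

BASE_BLOCK_SIZE = 512
# Fields from offset 4: primary seq, secondary seq, last written (FILETIME), major, minor,
# file type, file format, root cell offset, hive bins data size, clustering factor.
BASE_BLOCK_FIELDS = "<IIQIIIIIII"
FILE_NAME_OFFSET = 48       # 64 bytes, UTF-16LE
CHECKSUM_OFFSET = 0x1FC


def base_block_checksum(block):
    """XOR of the 127 DWORDs before the checksum field, with the two reserved results remapped."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:CHECKSUM_OFFSET]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if x == 0:
        return 1
    return x


def parse_base_block(block):
    """Return the base block fields that matter for deciding whether to replay the logs."""
    if len(block) < BASE_BLOCK_SIZE or block[:4] != b"regf":
        raise ValueError("not a REGF base block")
    f = struct.unpack_from(BASE_BLOCK_FIELDS, block, 4)
    stored = struct.unpack_from("<I", block, CHECKSUM_OFFSET)[0]
    return {
        "primary_seq": f[0],
        "secondary_seq": f[1],
        "last_written": f[2],
        "version": "%d.%d" % (f[3], f[4]),
        "file_type": f[5],
        "root_cell_offset": f[7],
        "hbins_data_size": f[8],
        "file_name": block[FILE_NAME_OFFSET:FILE_NAME_OFFSET + 64].decode("utf-16-le").rstrip("\0"),
        "checksum_ok": stored == base_block_checksum(block),
    }


def hive_state(block):
    """'clean', 'dirty' (transaction logs must be replayed) or 'corrupt-checksum'."""
    info = parse_base_block(block)
    if not info["checksum_ok"]:
        return "corrupt-checksum"
    return "dirty" if info["primary_seq"] != info["secondary_seq"] else "clean"


def build_base_block(primary_seq, secondary_seq, file_name=r"\SystemRoot\System32\Config\SYSTEM"):
    """Constructed sample base block (not from a real hive) with a valid checksum."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = b"regf"
    struct.pack_into(BASE_BLOCK_FIELDS, block, 4, primary_seq, secondary_seq,
                     0x01D2A3F000000000,   # arbitrary FILETIME
                     1, 5,                 # major/minor version as stored; not interpreted here
                     0,                    # file type 0: primary file
                     1,                    # file format 1: direct memory load
                     0x20, 0x1000, 1)      # root cell offset, hive bins data size, clustering factor
    name = file_name[-31:].encode("utf-16-le")   # field holds at most 32 UTF-16 code units
    block[FILE_NAME_OFFSET:FILE_NAME_OFFSET + len(name)] = name
    struct.pack_into("<I", block, CHECKSUM_OFFSET, base_block_checksum(bytes(block)))
    return bytes(block)


if __name__ == "__main__":
    for seqs in ((7, 7), (8, 7)):
        blk = build_base_block(*seqs)
        print(parse_base_block(blk)["file_name"], seqs, "->", hive_state(blk))
```

A result of "dirty" does not by itself say how much is missing; the log entries must be applied in sequence to find out. On images of live systems this state is the norm rather than the exception, so a workflow that silently parses the primary file alone produces a registry view that is stale by design.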
== Persistence keys ==

The following lists are loosely based on:

* [http://www.silentrunners.org/Silent%20Runners.vbs Silent Runners.vbs]
* [[Artifacts | Forensic Artifacts]]

<b>Note that in the lists below HKEY_USERS\%SID% denotes the hive of one user; HKEY_CURRENT_USER is the same data for the logged-on user, i.e. a subset of HKEY_USERS.</b>

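The key paths in the tables of this section are written as they appear in a live registry. On a disk image there is no live registry, only the hive files listed under File Locations, so each path has to be translated into a hive file plus a key path inside it. The following is an added example (not code from this page or from any project it cites) that does that translation and handles the two cases which break naive offline lookups: HKLM\SYSTEM\CurrentControlSet is a link that does not exist in the SYSTEM hive file (the real key is ControlSet00N, where N comes from HKLM\SYSTEM\Select\Current), and HKU\%SID%\Software\Classes lives in UsrClass.dat rather than NTUSER.DAT. The sample path list is taken from this section's tables; the profile locations under \Users are an assumption for Windows Vista and later (Windows XP used \Documents and Settings), and the control set number is a parameter because it must be read from the image under analysis.

```python
"""Translate live-registry persistence key paths to offline hive files.

Added example, not code from the ForensicsWiki page. Profile paths assume
Windows Vista or later; the control set number must come from the SYSTEM
hive's Select\\Current value of the image being examined.
"""
from collections import defaultdict

# Hive file backing each logical hive, relative to the system drive (assumed layout).
HIVE_FILES = {
    "SOFTWARE": r"Windows\System32\config\SOFTWARE",
    "SYSTEM": r"Windows\System32\config\SYSTEM",
    "SAM": r"Windows\System32\config\SAM",
    "SECURITY": r"Windows\System32\config\SECURITY",
    "NTUSER": r"Users\<user>\NTUSER.DAT",                                      # one per SID
    "USRCLASS": r"Users\<user>\AppData\Local\Microsoft\Windows\UsrClass.dat",  # HKU\<SID>_Classes
}


def to_offline(path, current_control_set=1):
    """Return (hive, key path inside that hive, wildcard) for a live registry path."""
    parts = path.rstrip("\\").split("\\")
    wildcard = parts[-1] == "*"         # the tables use a trailing * for "every subkey"
    if wildcard:
        parts = parts[:-1]
    root = parts[0].upper()
    if root in ("HKEY_LOCAL_MACHINE", "HKLM"):
        hive, rest = parts[1].upper(), parts[2:]
        # CurrentControlSet is a symbolic link; only ControlSet00N exists in the file
        if hive == "SYSTEM" and rest and rest[0].upper() == "CURRENTCONTROLSET":
            rest[0] = "ControlSet%03d" % current_control_set
    elif root in ("HKEY_USERS", "HKU"):
        hive = "USRCLASS" if parts[1].upper().endswith("_CLASSES") else "NTUSER"
        rest = parts[2:]
    elif root in ("HKEY_CURRENT_USER", "HKCU"):
        hive, rest = "NTUSER", parts[1:]
    else:
        raise ValueError("unsupported root key: %s" % parts[0])
    # <user hive>\Software\Classes is a link into UsrClass.dat, not data in NTUSER.DAT
    if hive == "NTUSER" and [p.upper() for p in rest[:2]] == ["SOFTWARE", "CLASSES"]:
        hive, rest = "USRCLASS", rest[2:]
    if hive not in HIVE_FILES:
        raise ValueError("no offline hive file known for %s" % path)
    return hive, "\\".join(rest), wildcard


def offline_worklist(paths, current_control_set=1):
    """Group paths by hive file so every hive is opened once and walked for all its keys."""
    work = defaultdict(list)
    for p in paths:
        hive, key, wildcard = to_offline(p, current_control_set)
        work[HIVE_FILES[hive]].append((key, wildcard))
    return dict(work)


# Constructed sample: a few paths taken from the tables in this section.
SAMPLE_PATHS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*",
    r"HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager",
    r"HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*",
]

if __name__ == "__main__":
    for hive_file, keys in offline_worklist(SAMPLE_PATHS, current_control_set=2).items():
        print(hive_file)
        for key, wildcard in keys:
            print("    " + key + ("\\*" if wildcard else ""))
```

Wow6432Node is deliberately left untouched: it is a real key in the SOFTWARE hive, so the 32-bit view of a persistence location is found by reading that key, not by any redirection logic on the analyst's side.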
=== Command Processor (cmd.exe) ===

{| class="wikitable"
|-
| <b>Description</b>
| Command Processor Auto Run
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsCommandProcessorAutoRun
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Command Processor
* HKEY_USERS\%SID%\Software\Microsoft\Command Processor
* HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Command Processor
|-
| <b>Value name(s)</b>
| AutoRun
|-
| <b>Additional information</b>
| [https://technet.microsoft.com/en-us/library/cc779439(v=ws.10).aspx Command Processor\AutoRun]. The command is executed every time cmd.exe starts, unless cmd.exe is started with the /D switch.
|}

=== Debugging ===

{| class="wikitable"
|-
| <b>Description</b>
| Automatic debugging
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsAutomaticDebugging
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug
|-
| <b>Value name(s)</b>
| Debugger
|-
| <b>Additional information</b>
| [https://msdn.microsoft.com/en-us/library/windows/desktop/bb204634(v=vs.85).aspx Configuring Automatic Debugging]. The program named in Debugger is started whenever an application crashes; the Auto value in the same key controls whether the user is prompted first.
|}

=== Internet Explorer ===

{| class="wikitable"
|-
| <b>Description</b>
| Browser Helper Objects
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| InternetExplorerBrowserHelperObjects
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
|-
| <b>Value name(s)</b>
| *
|-
| <b>Additional information</b>
| Each subkey name is the CLSID of a Browser Helper Object DLL loaded into Internet Explorer; the DLL path is found by resolving the CLSID under HKEY_CLASSES_ROOT\CLSID\{...}\InprocServer32.
|}

=== Local Security Authority (LSA) ===

{| class="wikitable"
|-
| <b>Description</b>
| Local Security Authority (LSA) Authentication Packages
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsLSAAuthenticationPackages
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
|-
| <b>Value name(s)</b>
| Authentication Packages
|-
| <b>Additional information</b>
| DLLs listed here are loaded into lsass.exe at startup, so an unexpected entry runs with LSA privileges and sees credentials in clear.
|}

{| class="wikitable"
|-
| <b>Description</b>
| Local Security Authority (LSA) Notification Packages
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsLSANotificationPackages
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
|-
| <b>Value name(s)</b>
| Notification Packages
|-
| <b>Additional information</b>
| Password filter DLLs; they are called with the new plaintext password on every password change.
|}

{| class="wikitable"
|-
| <b>Description</b>
| Local Security Authority (LSA) Security Packages
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsLSASecurityPackages
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
|-
| <b>Value name(s)</b>
| Security Packages
|-
| <b>Additional information</b>
| Security Support Providers (SSPs) loaded into lsass.exe; see also the Security Providers key in the Unsorted section.
|}

=== Run keys ===

{| class="wikitable"
|-
| <b>Description</b>
| Run keys
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsRunKeys
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
* HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
* HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Run\*
* HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
* HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
* HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*
* HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
* HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*
* HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*
* HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
* HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*
|-
| <b>Value name(s)</b>
| *
|-
| <b>Additional information</b>
| RunOnce values are deleted when they are processed, so a RunOnce entry found on a disk image has not been executed since it was written. Deleted Run/RunOnce values may still be recoverable from unallocated hive space (see the Bibliography).
|}

{| class="wikitable"
|-
| <b>Description</b>
| Run services keys
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsRunServices
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\*
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\*
|-
| <b>Value name(s)</b>
| *
|-
| <b>Additional information</b>
| Processed on the Windows 9x/ME family; on the Windows NT family these keys are not used by the operating system.
|}

=== Session Manager ===

{| class="wikitable"
|-
| <b>Description</b>
| Session Manager Execute
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
|
* WindowsSessionManagerBootExecute
* WindowsSessionManagerExecute
* WindowsSessionManagerSetupExecute
|-
| <b>Key path(s)</b>
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
|-
| <b>Value name(s)</b>
|
* BootExecute
* Execute
* SetupExecute
|-
| <b>Additional information</b>
| Native applications run by smss.exe before the Win32 subsystem starts; the default BootExecute is "autocheck autochk *".
|}

{| class="wikitable"
|-
| <b>Description</b>
| Windows Session Manager Windows-on-Windows (WOW) command line
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsSessionManagerWOWCommandLine
|-
| <b>Key path(s)</b>
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\WOW
|-
| <b>Value name(s)</b>
|
* cmdline
* wowcmdline
|-
| <b>Additional information</b>
|
|}

=== Service Control Manager ===

{| class="wikitable"
|-
| <b>Description</b>
| Service Control Manager extension
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsServiceControlManagerExtension
|-
| <b>Key path(s)</b>
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
|-
| <b>Value name(s)</b>
| ServiceControlManagerExtension
|-
| <b>Additional information</b>
|
|}

=== Windows shell (explorer.exe) ===

{| class="wikitable"
|-
| <b>Description</b>
| Shell Icon Overlay Identifiers
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsShellIconOverlayIdentifiers
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
* HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
* HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
|-
| <b>Value name(s)</b>
| *
|-
| <b>Additional information</b>
| The default value of each subkey is the CLSID of an in-process COM server loaded by explorer.exe.
|}

{| class="wikitable"
|-
| <b>Description</b>
| Shell Extensions
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsShellExtensions
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
* HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
* HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
|-
| <b>Value name(s)</b>
| *
|-
| <b>Additional information</b>
| Value names are CLSIDs of shell extensions the shell is allowed to load; the value data is a free-form description.
|}

{| class="wikitable"
|-
| <b>Description</b>
| Shell Execute Hooks
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsShellExecuteHooks
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
|-
| <b>Value name(s)</b>
| *
|-
| <b>Additional information</b>
| Subkey names are CLSIDs of COM objects invoked on every ShellExecute call.
|}

{| class="wikitable"
|-
| <b>Description</b>
| Shell Load and Run
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsShellLoadAndRun
|-
| <b>Key path(s)</b>
|
* HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Windows
* HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
|-
| <b>Value name(s)</b>
|
* Load
* Run
|-
| <b>Additional information</b>
| Registry equivalents of the load= and run= lines of win.ini; they are processed at user logon.
|}

{| class="wikitable"
|-
| <b>Description</b>
| Shell Service Object Delay Load
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsShellServiceObjects
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
|-
| <b>Value name(s)</b>
| *
|-
| <b>Additional information</b>
| Value data is a CLSID loaded by explorer.exe at startup. Abused by, for example, [http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanClicker:Win32/Zirit.X#tab=2 TrojanClicker:Win32/Zirit.X].
|}

=== Winlogon and Credential Providers ===

{| class="wikitable"
|-
| <b>Description</b>
| Credential Provider Filters
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsCredentialProviderFilters
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*
|-
| <b>Value name(s)</b>
| *
|-
| <b>Additional information</b>
| [http://blog.leetsys.com/2012/01/02/capturing-windows-7-credentials-at-logon-using-custom-credential-provider/ Capturing Windows 7 Credentials at logon using a custom credential provider]
|}

{| class="wikitable"
|-
| <b>Description</b>
| Credential Providers
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsCredentialProviders
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*
|-
| <b>Value name(s)</b>
| *
|-
| <b>Additional information</b>
| [http://blog.leetsys.com/2012/01/02/capturing-windows-7-credentials-at-logon-using-custom-credential-provider/ Capturing Windows 7 Credentials at logon using a custom credential provider]. Subkey names are CLSIDs of COM objects loaded by LogonUI.exe; credential providers replaced GINA from Windows Vista onward.
|}

{| class="wikitable"
|-
| <b>Description</b>
| Pre-Logon Access Provider (PLAP) Providers
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsPLAPProviders
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*
|-
| <b>Value name(s)</b>
| *
|-
| <b>Additional information</b>
|
|}

{| class="wikitable"
|-
| <b>Description</b>
| Winlogon GINA DLL
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
|
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
* HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
|-
| <b>Value name(s)</b>
| GinaDLL
|-
| <b>Additional information</b>
| Replacement for msgina.dll, loaded by winlogon.exe on Windows XP/Server 2003 and earlier; GINA is no longer supported from Windows Vista onward (see credential providers above).
|}

{| class="wikitable"
|-
| <b>Description</b>
| Winlogon Notify
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsWinlogonNotify
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*
* HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*
|-
| <b>Value name(s)</b>
| DLLName
|-
| <b>Additional information</b>
| Winlogon notification packages are loaded into winlogon.exe on Windows XP/Server 2003 and earlier.
|}

{| class="wikitable"
|-
| <b>Description</b>
| Winlogon Shell
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsWinlogonShell
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
* HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
|-
| <b>Value name(s)</b>
| Shell
|-
| <b>Additional information</b>
| Default is explorer.exe; a comma-separated list is accepted, so an extra program appended after explorer.exe is an easily missed persistence.
|}

{| class="wikitable"
|-
| <b>Description</b>
| Winlogon System
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsWinlogonSystem
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
* HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
|-
| <b>Value name(s)</b>
| System
|-
| <b>Additional information</b>
|
|}

{| class="wikitable"
|-
| <b>Description</b>
| Winlogon Taskman
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsWinlogonTaskman
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
* HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
|-
| <b>Value name(s)</b>
| Taskman
|-
| <b>Additional information</b>
| Program started in place of the default task manager; the value is absent by default.
|}

{| class="wikitable"
|-
| <b>Description</b>
| Winlogon Userinit
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsWinlogonUserinit
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
* HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
|-
| <b>Value name(s)</b>
| Userinit
|-
| <b>Additional information</b>
| Default is "C:\Windows\system32\userinit.exe," (with the trailing comma); like Shell, it accepts a comma-separated list, so additional programs appended here run at every logon.
|}

{| class="wikitable"
|-
| <b>Description</b>
| Winlogon VMApplet
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsWinlogonVMApplet
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
* HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
|-
| <b>Value name(s)</b>
| VMApplet
|-
| <b>Additional information</b>
| Program started by winlogon.exe to configure the paging file when none is present.
|}

=== Policy ===

{| class="wikitable"
|-
| <b>Description</b>
| Windows System Policy replacement shell
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsSystemPolicyShell
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System
|-
| <b>Value name(s)</b>
| Shell
|-
| <b>Additional information</b>
|
|}

=== Unsorted ===

{| class="wikitable"
|-
| <b>Description</b>
| Active Setup - Installed Components
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsStubPaths
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components
* HKEY_USERS\%SID%\Software\Microsoft\Active Setup\Installed Components
* HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components
|-
| <b>Value name(s)</b>
| StubPath
|-
| <b>Additional information</b>
| The StubPath command of a component under HKEY_LOCAL_MACHINE is run once per user at logon, when the component's subkey is missing from (or has an older Version in) the user's hive; the user's copy records that it has run.
|}

{| class="wikitable"
|-
| <b>Description</b>
| Application Initialization (AppInit) DLLs
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsAppInitDLLs
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
* HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
* HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Windows
* HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
|-
| <b>Value name(s)</b>
| AppInit_DLLs
|-
| <b>Additional information</b>
| DLLs listed here are loaded into every process that loads user32.dll. From Windows Vista the LoadAppInit_DLLs value in the same key must be 1 for the list to be honoured, and on Windows 8 and later the mechanism is disabled when Secure Boot is enabled.
|}

{| class="wikitable"
|-
| <b>Description</b>
| Security Providers
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsSecurityProviders
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\*
|-
| <b>Value name(s)</b>
| *
|-
| <b>Additional information</b>
| The SecurityProviders value of this key is a comma-separated list of Security Support Provider DLLs loaded by lsass.exe.
|}

{| class="wikitable"
|-
| <b>Description</b>
| Alternate shell
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsAlternateShell
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot
|-
| <b>Value name(s)</b>
| AlternateShell
|-
| <b>Additional information</b>
| Program used as the shell in "Safe Mode with Command Prompt"; the default is cmd.exe.
|}

{| class="wikitable"
|-
| <b>Description</b>
| Boot verification program
|-
| <b>[http://forensicswiki.org/wiki/Artifacts Artifact name]</b>
| WindowsBootVerificationProgram
|-
| <b>Key path(s)</b>
|
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BootVerificationProgram
|-
| <b>Value name(s)</b>
| ImagePath
|-
| <b>Additional information</b>
| Program the Service Control Manager runs after startup to confirm that the boot succeeded, in place of its built-in check.
|}

==Bibliography==

* [http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using ShellBag Information to Reconstruct User Activities], by Yuandong Zhu, Pavel Gladyshev, Joshua James, DFRWS 2009
* [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], by [[Timothy Morgan]], June 9, 2009
* [http://amnesia.gtisc.gatech.edu/~moyix/suzibandit.ltd.uk/MSc/ The Internal Structure of the Windows Registry], by Peter Norris, February 2009
* [http://www.dfrws.org/2008/proceedings/p33-morgan.pdf Recovering Deleted Data From the Windows Registry] and [http://www.dfrws.org/2008/proceedings/p33-morgan_pres.pdf slides], by [[Timothy Morgan]], DFRWS 2008
* [http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory] and [http://dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf slides], by Brendan Dolan-Gavitt, DFRWS 2008
* [http://www.sentinelchicken.com/data/JolantaThomassenDISSERTATION.pdf Forensic analysis of unallocated space in Windows Registry Hive files], by Jolanta Thomassen, March 11, 2008
* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4GX1J3B-1&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=ab887593e7be6d5257696707886978f1 The Windows Registry as a forensic resource], Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205.
* [https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md Windows registry file format specification], by Maxim Suhanov, 2015-2016

=== Undated ===

* [http://eptuners.com/forensics/A%20Windows%20Registry%20Quick%20Reference.pdf A Windows Registry Quick Reference: For the Everyday Examiner], by Derrick Farmer, Burlington, VT.
* [http://www.forensicfocus.com/downloads/forensic-analysis-windows-registry.pdf Forensic Analysis of the Windows Registry], by Lih Wern Wong, School of Computer and Information Science, Edith Cowan University

== External Links ==

* [http://en.wikipedia.org/wiki/Windows_Registry Wikipedia: Windows Registry]
* [http://windowsir.blogspot.com/search/label/Registry Windows Incident Response Articles on Registry]
* [http://www.answers.com/topic/win-registry Windows Registry Information]
* [http://moyix.blogspot.com/search/label/registry Push the Red Button], articles on the Registry
* [http://www.beginningtoseethelight.org/ntsecurity/ Security Accounts Manager]
* [http://windowsxp.mvps.org/RegistryMRU.htm Registry MRU Locations]

=== Boot Configuration Data (BCD) ===

* [http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Boot_Modifications.doc Modifications to Microsoft Boot Components: Update], by [[Microsoft]]

=== Windows 32-bit on Windows 64-bit (WoW64) ===

* [https://msdn.microsoft.com/en-us/library/windows/desktop/aa384253(v=vs.85).aspx Registry Keys Affected by WOW64], by [[Microsoft]]
* [https://msdn.microsoft.com/en-us/library/aa384232(VS.85).aspx Registry Redirector], by [[Microsoft]]
* [https://msdn.microsoft.com/en-us/library/windows/desktop/ms724072%28v=vs.85%29.aspx 32-bit and 64-bit Application Data in the Registry], by [[Microsoft]]

=== Cached Credentials ===

* [http://juggernaut.wikidot.com/cached-credentials Cached Credentials], by Juggernaut

=== Persistence keys ===

* [https://technet.microsoft.com/en-us/magazine/ee851671.aspx Understand and Control Startup Apps with the System Configuration Utility], by [[Microsoft|Microsoft Technet]]
* [http://www.silentrunners.org/ Silent Runners], by Andrew Aronoff
* [https://digital-forensics.sans.org/blog/2010/10/20/digital-forensics-autorun-registry-keys Digital Forensics: Persistence Registry keys], by Dave Hull, October 20, 2010
* [http://www.hexacorn.com/blog/2012/07/23/beyond-good-ol-run-key/ Beyond good ol' Run key], Hexacorn blog, July 23, 2012
* [http://journeyintoir.blogspot.ch/2013_04_01_archive.html Plugins: soft_run user_run], by Corey Harrell, April 17, 2013
* [https://code.google.com/p/regripper/wiki/ASEPs Auto-Start Extensibility Points (ASEPs)], by the [[Regripper|RegRipper project]], April 29, 2013
* [http://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order Windows Registry Persistence, Part 2: The Run Keys and Search-Order], by Scott Langendorf, September 24, 2013
* [https://github.com/tomchop/volatility-autoruns/blob/master/README.md Volatility autoruns plugin], by the [[Volatility|Volatility project]], April 14, 2015

=== User Assist ===

* [http://blog.didierstevens.com/programs/userassist/ UserAssist], by Didier Stevens
* [http://blog.didierstevens.com/2007/07/17/userassist-v230/ UserAssist V2.3.0], by Didier Stevens, July 17, 2007
* [http://windowsir.blogspot.ch/2007/09/more-on-userassist-keys.html More on (the) UserAssist keys], by [[Harlan Carvey]], September 3, 2007
* [http://blog.didierstevens.com/2009/01/18/quickpost-windows-7-beta-rot13-replaced-with-vigenere-great-joke/ Windows 7 Beta: ROT13 Replaced With Vigenère? Great Joke!], by Didier Stevens, January 18, 2009
* [http://forensicsfromthesausagefactory.blogspot.ch/2010/05/prefetch-and-user-assist.html Prefetch and User Assist], by DC174, May 27, 2010
* [http://forensicartifacts.com/2010/07/userassist/ Forensic Artifact: UserAssist], July 2010
* [http://sploited.blogspot.ch/2012/12/sans-forensic-artifact-6-userassist.html SANS Forensic Artifact 6: UserAssist], by Sploited, December 27, 2012
* [http://www.4n6k.com/2013/05/userassist-forensics-timelines.html UserAssist Forensics (timelines, interpretation, testing, & more)], by Dan (@4n6k), May 14, 2013
* [http://hackingexposedcomputerforensicsblog.blogspot.ch/2013/08/daily-blog-45-understanding-artifacts.html Daily Blog #45: Understanding the artifacts: User Assist], by [[David Cowen]], August 7, 2013

==Tools==
 
==Tools==
Line 99: Line 864:
 
* [[libregf]] - Library and tools to access the Windows NT Registry File (REGF) format
 
* [[libregf]] - Library and tools to access the Windows NT Registry File (REGF) format
 
* [[Registryasxml]] - Tool to import/export registry sections as XML
 
* [[Registryasxml]] - Tool to import/export registry sections as XML
 +
* [http://samba.org/~jelmer/kregedit/ kregedit] - a KDE utility for viewing and editing registry files.
 +
* [http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm ntreg] a file system driver for linux, which understands the NT registry file format.
 +
* [https://github.com/EricZimmerman/Registry Registry] Full featured, offline Registry hive parser written in C#. Supports deleted item recovery, full searching, and more by @EricZimmerman
  
 
===Freeware===
 
===Freeware===
 +
* [http://binaryforay.blogspot.com/p/software.html Registry Explorer] Registry Explorer and RECmd allow unrivaled access to Registry hives by @EricZimmerman
 +
 +
===Commercial===
 
* [http://www.tzworks.net/prototype_page.php?proto_id=3 Yet Another Registry Utility (yaru)] Free tool that can be run on Windows, Linux or Mac OS-X. If run in admin mode, allows viewing of registry hives on live system.
 
* [http://www.tzworks.net/prototype_page.php?proto_id=3 Yet Another Registry Utility (yaru)] Free tool that can be run on Windows, Linux or Mac OS-X. If run in admin mode, allows viewing of registry hives on live system.
  
Line 106: Line 877:
  
 
* [http://tzworks.net/prototype_page.php?proto_id=19 ''cafae''] - Computer Account Forensic Artifact Extractor.  Free tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives.
 
* [http://tzworks.net/prototype_page.php?proto_id=19 ''cafae''] - Computer Account Forensic Artifact Extractor.  Free tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives.
 
+
* [http://www.stellarinfo.com/windows-tools/registry-cleaner.php Regisry Manager]
===Commercial===
+
 
* [http://www.abexo.com/free-registry-cleaner.htm Abexo Free Regisry Cleaner]
 
* [http://www.abexo.com/free-registry-cleaner.htm Abexo Free Regisry Cleaner]
 
* [http://www.auslogics.com/registry-defrag Auslogics Registry Defrag]
 
* [http://www.auslogics.com/registry-defrag Auslogics Registry Defrag]
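Review bot: removing ===Commercial=== from this position (it now precedes yaru) leaves the cafae entry, described here as a free tool, under Commercial as well; the heading needs to sit between cafae and the cleaner/defrag products. The newly added "Regisry Manager" line and the existing "Abexo Free Regisry Cleaner" line both misspell "Registry", and the new entry carries no description of what the tool does, unlike the entries above it.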
Line 113: Line 883:
 
* [http://www.larshederer.homepage.t-online.de/erunt/index.htm NT Registry Optimizer]
 
* [http://www.larshederer.homepage.t-online.de/erunt/index.htm NT Registry Optimizer]
 
* [http://www.registry-clean.net/free-registry-defrag.htm iExpert Software-Free Registry Defrag]
 
* [http://www.registry-clean.net/free-registry-defrag.htm iExpert Software-Free Registry Defrag]
 +
* [http://arsenalrecon.com/apps Registry Recon]
 
* [http://paullee.ru/regundel Registry Undelete (russian)]
 
* [http://paullee.ru/regundel Registry Undelete (russian)]
 
* [http://mitec.cz/wrr.html Windows Registry Recovery]
 
* [http://mitec.cz/wrr.html Windows Registry Recovery]
 
* [http://registrytool.com/ Registry Tool]
 
* [http://registrytool.com/ Registry Tool]
  
==Bibliography==
+
[[Category:Windows Analysis]]
* [http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using ShellBag Information to Reconstruct User Activities.], Yuandong Zhu*, Pavel Gladyshev, Joshua James, DFRWS 2009
+
* Recovering Deleted Data From the Windows Registry. Timothy Morgan, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p33-morgan.pdf [paper]] [http://www.dfrws.org/2008/proceedings/p33-morgan_pres.pdf [slides]]
+
* [http://www.pkdavies.co.uk/documents/Computer_Forensics/registry_examination.pdf Registry Examination, by Paul Davies]
+
 
+
* [http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory], Brendan Dolan-Gavitt, DFRWS 2008  [http://dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf [slides]]
+
* [http://www.pkdavies.co.uk/downloads/registry_examination.pdf Forensic Analysis of the Windows Registry], Peter Davies, Computer Forensics: Coursework 2 (student paper)
+
* [http://eptuners.com/forensics/A%20Windows%20Registry%20Quick%20Reference.pdf A Windows Registry Quick-Reference], Derrick Farmer, Burlington, VT.
+
 
+
* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4GX1J3B-1&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=ab887593e7be6d5257696707886978f1 The Windows Registry as a forensic resource], Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205.
+
 
+
* [http://www.forensicfocus.com/downloads/forensic-analysis-windows-registry.pdf Forensic Analysis of the Windows Registry], Lih Wern Wong , School of Computer and Information Science, Edith Cowan University
+
 
+
* [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], Timothy D. Morgan
+
 
+
==See Also==
+
* [http://windowsir.blogspot.com/search/label/Registry Windows Incident Response Articles on Registry]
+
* [http://www.answers.com/topic/win-registry Windows Registry Information]
+
* [http://en.wikipedia.org/wiki/Windows_Registry Wikipedia Article on Windows Registry]
+
 
[[Category:Bibliographies]]
 
[[Category:Bibliographies]]
* [http://moyix.blogspot.com/search/label/registry Push the Red Button] — Articles on Registry
 
* [http://tech.groups.yahoo.com/group/win4n6/ Windows Forensics Mailing List]
 
* [http://samba.org/~jelmer/kregedit/ kregedit] - a KDE utility for viewing and editing registry files.
 
* [http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm ntreg] a file system driver for linux, which understands the NT registry file format.
 
* [http://www.beginningtoseethelight.org/ntsecurity/ Security Accounts Manager]
 
 
* http://www.opensourceforensics.org/tools/unix.html - Open Source Forensic Tools on Brian Carrier's website.
 
 
[[Category:Windows Analysis]]
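Review bot: the bibliography now carries the Davies paper twice with conflicting attribution, "Registry Examination, by Paul Davies" at documents/registry_examination.pdf and "Forensic Analysis of the Windows Registry, Peter Davies" at downloads/registry_examination.pdf on the same pkdavies.co.uk host; reconcile the author name and title and keep one entry (or state that the two URLs are different papers). Also, "[[Category:Windows Analysis]]" is inserted directly under the ==Bibliography== heading while "[[Category:Bibliographies]]" stays near the end; keep the category tags together at the bottom of the page.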
 

Latest revision as of 14:33, 24 September 2016

Terminology

Hive

According to [1]

A hive is a logical group of keys, subkeys, and values in the Windows Registry that has a set of supporting files containing backups of its data.

However in common usage the term hive often does not imply the supporting files.

According to [2] the origin of the term is bee hives.

File Locations

The Windows Registry is stored in multiple files.

Windows NT 4

In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format.

Basically the following Registry hives are stored in the corresponding files:

  • HKEY_USERS\<SID>: \Documents and Settings\<user profile>\NTUSER.DAT (Windows Vista and later: C:\Users\<user profile>\NTUSER.DAT)
  • HKEY_USERS\<SID>_Classes: \Documents and Settings\<user profile>\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (Windows Vista and later: C:\Users\<user profile>\AppData\Local\Microsoft\Windows\UsrClass.dat)
  • HKEY_USERS\.DEFAULT: C:\Windows\system32\config\default
  • HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
  • HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system

Windows 9x/ME

In Windows 95, 98, Me the Registry is stored in the Windows 9x Registry File (CREG) format.

  • \Windows\user.dat
  • \Windows\system.dat
  • \Windows\profiles\user profile\user.dat

Special cases

The Windows Registry has several special case scenarios, mainly concerning key and value names, that are easy to fail to account for:

  • special characters in key and value names
  • duplicate key and value names
  • the names when stored in extended ASCII (ANSI string) use a codepage that is dependent on the system settings
  • unreconciled data

Special characters in key and value names

Both key and value names are case insensitive. The \ character is the key path separator, but it can still appear in value names, so a tool that joins a key path and a value name into one backslash-separated string cannot split it back unambiguously. The / character is allowed in both key and value names. Some examples:

Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\
Value: Size/Small/Medium/Large
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\
Value: \Device\Video0
Key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\
Value: SchemaFile

Also, embedded null bytes may be present in key and value names in order to hide data: the native API accepts them, while tools built on the NUL-terminated Win32 string APIs cannot open or display such a key or value [3].

Codepaged ASCII strings

Value with name "ëigenaardig" created on Windows XP codepage 1252.

value key data:
00000000: 76 6b 0b 00 46 00 00 00  20 98 1a 00 01 00 00 00   vk..F...  .......
00000010: 01 00 69 6e eb 69 67 65  6e 61 61 72 64 69 67 00   ..in.ige naardig.
00000020: 55 4e 49 43                                        UNIC

value key signature                     : vk
value key value name size               : 11
value key data size                     : 0x00000046 (70)
value key data offset                   : 0x001a9820
value key data type                     : 1 (REG_SZ) String
value key flags                         : 0x0001
        Value name is an ASCII string

value key unknown1                      : 0x6e69 (28265)
value key value name                    : ëigenaardig
value key value name hash               : 0xb78835ee
value key padding:
00000000: 00 55 4e 49 43                                     .UNIC

As you can see the name is stored in extended ASCII (ANSI) using codepage 1252 (note the single 0xEB byte for ë). The hive does not record which codepage was used, so a parser has to be told the codepage of the system that wrote the hive; decoding the same bytes with another codepage yields a different name.
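The value-key record above can be parsed with a few lines of code. The following Python is an added example written for this page, not code from libregf or any other tool listed here: it decodes the name using the ASCII flag and a caller-supplied codepage (the codepage is an assumption the caller must make, as explained above), falls back to UTF-16LE when the flag is clear, and reports embedded null bytes in the name, the hiding trick mentioned under special characters. The first sample record is the exact bytes of the dump above; the other records are constructed by a hypothetical helper for illustration. Hive-relative data offsets are not resolved because no hive is loaded.

```python
import struct

VK_FLAG_NAME_ASCII = 0x0001     # name bytes are in the writer's ANSI codepage, else UTF-16LE
VK_DATA_INLINE = 0x80000000     # data of <= 4 bytes is stored in the data-offset field itself

REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 5: "REG_DWORD_BIG_ENDIAN", 6: "REG_LINK",
             7: "REG_MULTI_SZ", 11: "REG_QWORD"}

# The "vk" record from the hex dump above (value "ëigenaardig", Windows XP, codepage 1252).
VK_CP1252 = bytes.fromhex(
    "766b0b0046000000" "20981a0001000000"
    "0100696eeb696765" "6e61617264696700"
    "554e4943"
)


def parse_vk(cell: bytes, codepage: str = "cp1252") -> dict:
    """Parse one REGF value-key ("vk") record body (without the 4-byte cell size).

    codepage is an assumption supplied by the caller: the hive does not record
    which ANSI codepage the writing system used.
    """
    if len(cell) < 20 or cell[:2] != b"vk":
        raise ValueError("not a vk record")
    name_size, data_size, data_offset, data_type, flags, _spare = struct.unpack_from("<HIIIHH", cell, 2)
    raw_name = cell[20:20 + name_size]
    if len(raw_name) != name_size:
        raise ValueError("truncated value name")
    if flags & VK_FLAG_NAME_ASCII:
        # backslashreplace keeps bytes undefined in the codepage visible instead of dropping them
        name = raw_name.decode(codepage, errors="backslashreplace")
    else:
        name = raw_name.decode("utf-16-le", errors="backslashreplace")
    inline = bool(data_size & VK_DATA_INLINE)
    real_size = data_size & 0x7FFFFFFF
    # Inline data lives in the offset field; otherwise the offset is relative to the
    # start of the hive bins and needs the whole hive to resolve.
    data = struct.pack("<I", data_offset)[:real_size] if inline else None
    return {
        "name": name,
        "name_raw": raw_name,
        "name_is_ascii": bool(flags & VK_FLAG_NAME_ASCII),
        "name_has_embedded_nul": "\x00" in name,   # Win32 string APIs cannot address such a value
        "type": REG_TYPES.get(data_type, "0x%08x" % data_type),
        "data_size": real_size,
        "data_inline": inline,
        "data_offset": None if inline else data_offset,
        "data": data,
    }


def build_vk(name: str, data_type: int, data: bytes, ascii_name: bool = True,
             codepage: str = "cp1252") -> bytes:
    """Construct a vk record as test input (hypothetical helper, not a real hive writer)."""
    raw = name.encode(codepage) if ascii_name else name.encode("utf-16-le")
    if len(data) <= 4:
        size = len(data) | VK_DATA_INLINE
        offset = struct.unpack("<I", data.ljust(4, b"\x00"))[0]
    else:
        size, offset = len(data), 0xFFFFFFFF   # would be a real data-cell offset in a hive
    flags = VK_FLAG_NAME_ASCII if ascii_name else 0
    return b"vk" + struct.pack("<HIIIHH", len(raw), size, offset, data_type, flags, 0) + raw


if __name__ == "__main__":
    print(parse_vk(VK_CP1252))
    print("same bytes read with cp1251:", parse_vk(VK_CP1252, codepage="cp1251")["name"])
    hidden = build_vk("Run\x00hidden", 1, "calc.exe\x00".encode("utf-16-le"), ascii_name=False)
    print(parse_vk(hidden))
    print(parse_vk(build_vk("Start", 4, (2).to_bytes(4, "little"))))
```

Reading the dump with cp1251 instead of cp1252 turns the leading byte into a Cyrillic letter, which is the kind of silent misattribution the codepage caveat above warns about; a name with an embedded NUL parses cleanly here but is unreachable through regedit.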

Unreconciled data

Starting with Windows 8.1 and Windows Server 2012 R2, a new implementation of the hive flusher was introduced in the kernel. It aims to radically reduce the number of disk writes to a mounted hive: a flush operation stores the modified (dirty) data in a transaction log file (.LOG1/.LOG2 next to the hive), and the hive bins in the primary file (also known as the normal or data file) are left untouched. The kernel writes the primary file only after one of the following conditions has occurred:

  • an hour has elapsed since the latest write to a primary file;
  • a power management subsystem reports that all users (local and remote) are inactive;
  • the operating system is shutting down (hive is unloading).

In order to correctly handle unreconciled data (e.g. when dealing with an image taken from a live system, or a hive copied while it was mounted), one needs to parse the transaction log files along with the primary files; a primary file read on its own can be up to an hour behind the state the running system saw.

Persistence keys

The following lists are loosely based on:

Note that in the lists below HKEY_USERS\%SID% denotes a per-user hive (NTUSER.DAT). On a live system HKEY_CURRENT_USER is a link to the HKEY_USERS\%SID% subkey of the logged-on user, so per-user entries have to be checked for every SID present, not only the current one.

Command Processor (cmd.exe)

Description Command Processor Auto Run
Artifact name WindowsCommandProcessorAutoRun
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Command Processor
  • HKEY_USERS\%SID%\Software\Microsoft\Command Processor
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Command Processor
Value name(s) AutoRun
Additional information Command Processor\AutoRun

Debugging

Description Automatic debugging
Artifact name WindowsAutomaticDebugging
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
Value name(s) Debugger
Additional information Configuring Automatic Debugging

Internet Explorer

Description Browser Helper Objects
Artifact name InternetExplorerBrowserHelperObjects
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
Value name(s) *
Additional information

Local Security Authority (LSA)

Description Local Security Authority (LSA) Authentication Packages
Artifact name WindowsLSAAuthenticationPackages
Key path(s)
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
Value name(s) Authentication Packages
Additional information
Description Local Security Authority (LSA) Notification Packages
Artifact name WindowsLSANotificationPackages
Key path(s)
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
Value name(s) Notification Packages
Additional information
Description Local Security Authority (LSA) Security Packages
Artifact name WindowsLSASecurityPackages
Key path(s)
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
Value name(s) Security Packages
Additional information

Run keys

Description Run keys
Artifact name WindowsRunKeys
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*
Value name(s) *
Additional information
Description Run services keys
Artifact name WindowsRunServices
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\*
Value name(s) *
Additional information

Session Manager

Description Session Manager Execute
Artifact name
  • WindowsSessionManagerBootExecute
  • WindowsSessionManagerExecute
  • WindowsSessionManagerSetupExecute
Key path(s) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
Value name(s)
  • BootExecute
  • Execute
  • SetupExecute
Additional information
Description Windows Session Manager Windows-on-Windows (WOW) command line
Artifact name WindowsSessionManagerWOWCommandLine
Key path(s) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\WOW
Value name(s)
  • cmdline
  • wowcmdline
Additional information

Service Control Manager

Description Service Control Manager extension
Artifact name WindowsServiceControlManagerExtension
Key path(s) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
Value name(s) ServiceControlManagerExtension
Additional information

Windows shell (explorer.exe)

Description Shell Icon Overlay Identifiers
Artifact name WindowsShellIconOverlayIdentifiers
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
Value name(s) *
Additional information
Description Shell Extensions
Artifact name WindowsShellExtensions
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Value name(s) *
Additional information
Description Shell Execute Hooks
Artifact name WindowsShellExecuteHooks
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
Value name(s) *
Additional information
Description Shell Load and Run
Artifact name WindowsShellLoadAndRun
Key path(s)
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
Value name(s)
  • Load
  • Run
Additional information
Description Shell Service Object Delay Load
Artifact name WindowsShellServiceObjects
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value name(s) *
Additional information TrojanClicker:Win32/Zirit.X

Winlogon and Credential Providers

Description Credential Provider Filters
Artifact name WindowsCredentialProviderFilters
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*
Value name(s) *
Additional information Capturing Windows 7 Credential at logon using custom credential provider
Description Credential Providers
Artifact name WindowsCredentialProviders
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*
Value name(s) *
Additional information Capturing Windows 7 Credential at logon using custom credential provider
Description Pre-Logon Access Provider (PLAP) Providers
Artifact name WindowsPLAPProviders
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*
Value name(s) *
Additional information
Description Winlogon Gina DLL
Artifact name WindowsWinlogonShell
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name(s) GinaDLL
Additional information
Description Winlogon Notify
Artifact name WindowsWinlogonNotify
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*
Value name(s) DLLName
Additional information
Description Winlogon Shell
Artifact name WindowsWinlogonShell
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name(s) Shell
Additional information
Description Winlogon System
Artifact name WindowsWinlogonSystem
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name(s) System
Additional information
Description Winlogon Taskman
Artifact name WindowsWinlogonTaskman
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name(s) Taskman
Additional information
Description Winlogon Userinit
Artifact name WindowsWinlogonUserinit
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name(s) Userinit
Additional information
Description Winlogon VMApplet
Artifact name WindowsWinlogonVMApplet
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name(s) VMApplet
Additional information

Policy

Description Windows System Policy replacement shell
Artifact name WindowsSystemPolicyShell
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System
Value name(s) Shell
Additional information

Unsorted

Description Active Setup - Installed Components
Artifact name WindowsStubPaths
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components
  • HKEY_USERS\%SID%\Software\Microsoft\Active Setup\Installed Components
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components
Value name(s) StubPath
Additional information
Description Application Initial (AppInit) DLLs persistence
Artifact name WindowsAppInitDLLs
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
Value name(s) AppInit_DLLs
Additional information
Description Security Providers
Artifact name WindowsSecurityProviders
Key path(s)
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\*
Value name(s) *
Additional information
Description Alternate shell
Artifact name WindowsAlternateShell
Key path(s)
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot
Value name(s) AlternateShell
Additional information
Description Boot verification program
Artifact name WindowsBootVerificationProgram
Key path(s)
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BootVerificationProgram
Value name(s) ImagePath
Additional information
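A triage pass over these locations, as an added Python example written for this page (not a tool from the lists elsewhere on it): it walks a subset of the key paths above, expands HKEY_USERS\%SID% against every user hive present, compares values that attackers replace rather than add (Winlogon Shell and Userinit, AppInit_DLLs, Command Processor AutoRun) with their well-known defaults, and flags additive Run-key entries that execute from user-writable paths or through script hosts. The registry snapshot is a constructed in-memory dict standing in for the output of an offline hive parser; the SID, file paths and commands in it are made up for the example.

```python
import re

# Key templates taken from the persistence-key tables above (a subset).
ADDITIVE_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
]

# Values that are replaced rather than added; an absent value counts as the default.
EXPECTED_DEFAULTS = {
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "explorer.exe",
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"):
        r"C:\Windows\system32\userinit.exe,",
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows", "AppInit_DLLs"): "",
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor", "AutoRun"): "",
    (r"HKEY_USERS\%SID%\Software\Microsoft\Command Processor", "AutoRun"): "",
}

USER_WRITABLE = re.compile(r"\\users\\|%appdata%|%localappdata%|%temp%|%tmp%|\\programdata\\|\\temp\\", re.I)
SCRIPT_HOSTS = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b", re.I)


def _norm(s: str) -> str:
    return s.strip().lower()


def expand_sid(template: str, snapshot: dict) -> list:
    """Expand HKEY_USERS\\%SID% to every user hive present in the snapshot."""
    if "%SID%" not in template:
        return [template]
    sids = sorted({k.split("\\")[1] for k in snapshot if k.upper().startswith("HKEY_USERS\\")})
    return [template.replace("%SID%", sid) for sid in sids]


def lookup(snapshot: dict, key: str) -> dict:
    """Case-insensitive key lookup (key names are case insensitive, see Special cases)."""
    for k, values in snapshot.items():
        if _norm(k) == _norm(key):
            return values
    return {}


def triage(snapshot: dict) -> list:
    """Return (key, value name, data, reason) tuples worth an analyst's attention."""
    findings = []
    for (template, name), default in EXPECTED_DEFAULTS.items():
        for key in expand_sid(template, snapshot):
            actual = lookup(snapshot, key).get(name)
            if actual is not None and _norm(str(actual)) != _norm(default):
                findings.append((key, name, actual, "deviates from expected default %r" % default))
    for template in ADDITIVE_KEYS:
        for key in expand_sid(template, snapshot):
            for name, data in lookup(snapshot, key).items():
                reasons = []
                if USER_WRITABLE.search(str(data)):
                    reasons.append("runs from a user-writable path")
                if SCRIPT_HOSTS.search(str(data)):
                    reasons.append("invokes a script/LOLBin host")
                if reasons:
                    findings.append((key, name, data, "; ".join(reasons)))
    return findings


# Constructed snapshot: {key path: {value name: data}} as an offline hive parser might emit it.
SNAPSHOT = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Shell": "explorer.exe",
        "Userinit": r"C:\Windows\system32\userinit.exe,C:\Users\Public\svch0st.exe,",
    },
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows": {"AppInit_DLLs": ""},
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor": {"AutoRun": r"C:\ProgramData\init.cmd"},
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    },
    r"HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run": {
        "Updater": r'"C:\Users\alice\AppData\Roaming\upd.exe" -s',
        "Sync": "powershell -w hidden -enc SQBFAFgA",
    },
}

if __name__ == "__main__":
    for key, name, data, reason in triage(SNAPSHOT):
        print("%s\n  %s = %r\n  -> %s" % (key, name, data, reason))
```

The path and script-host heuristics are deliberately noisy (legitimate per-user installers also run from AppData), so their output is a review list, not a verdict; the default comparisons are the high-confidence part, since a Userinit or Shell value that is not the stock one is almost never benign.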

Bibliography

Undated

External Links

Boot Configuration Data (BCD)

Windows 32-bit on Windows 64-bit (WoW64)

Cached Credentials

Persistence keys

User Assist

Tools

Open Source

  • Forensic Registry EDitor (fred) - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by Daniel Gillen
  • libregfi - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
  • reglookup — "small command line utility for reading and querying Windows NT-based registries."
  • regviewer — a tool for looking at the registry.
  • RegRipper — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
  • Parse::Win32Registry Perl module.
  • python-registry Python module.
  • Registry Decoder offline analysis component, by Andrew Case
  • RegDecoderLive live hive acquisition component, by Andrew Case
  • libregf - Library and tools to access the Windows NT Registry File (REGF) format
  • Registryasxml - Tool to import/export registry sections as XML
  • kregedit - a KDE utility for viewing and editing registry files.
  • ntreg a file system driver for linux, which understands the NT registry file format.
  • Registry Full featured, offline Registry hive parser written in C#. Supports deleted item recovery, full searching, and more by @EricZimmerman

Freeware

  • Registry Explorer Registry Explorer and RECmd allow unrivaled access to Registry hives by @EricZimmerman

Commercial