ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.
- 1 File Locations
- 2 Keys
- 3 Special cases
- 4 Tools
- 5 Bibliography
- 6 External Links
- 7 = Tracking removable media
The Windows Registry is stored in multiple files.
Windows NT 4
In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format.
Basically the following Registry hives are stored in the corresponding files:
- HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
- HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
- HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
- HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
- HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
- HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system
- \Windows\profiles\user profile\user.dat
The Windows Registry has several special case scenarios, mainly concerning key and value name, that are easy to fail to account for:
- special characters key and value names
- duplicate key and value names
- the names when stored in extended ASCII (ANSI string) use a codepage that is dependent on the system settings
special characters key and value names
Both key and values names are case insensitive. The \ character is used as the key separator. Note that the \ character can be used in value names. The / character is used in both key and value names. Some examples of which are:
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\ Value: Size/Small/Medium/Large
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\ Value: \Device\Video0
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\ Value: SchemaFile
codepaged ASCII strings
Value with name "ëigenaardig" created on Windows XP codepage 1252.
value key data: 00000000: 76 6b 0b 00 46 00 00 00 20 98 1a 00 01 00 00 00 vk..F... ....... 00000010: 01 00 69 6e eb 69 67 65 6e 61 61 72 64 69 67 00 ..in.ige naardig. 00000020: 55 4e 49 43 UNIC value key signature : vk value key value name size : 11 value key data size : 0x00000046 (70) value key data offset : 0x001a9820 value key data type : 1 (REG_SZ) String value key flags : 0x0001 Value name is an ASCII string value key unknown1 : 0x6e69 (28265) value key value name : ëigenaardig value key value name hash : 0xb78835ee value key padding: 00000000: 00 55 4e 49 43 .UNIC
As you can see the name is stored in extended ASCII (ANSI) using codepage 1252.
- Forensic Registry EDitor (fred) - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by Daniel Gillen
- libregfi - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
- reglookup — "small command line utility for reading and querying Windows NT-based registries."
- regviewer — a tool for looking at the registry.
- RegRipper — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
- Parse::Win32Registry Perl module.
- python-registry Python module.
- Registry Decoder offline analysis component, by Andrew Case
- RegDecoderLive live hive acquisition component, by Andrew Case
- libregf - Library and tools to access the Windows NT Registry File (REGF) format
- Registryasxml - Tool to import/export registry sections as XML
- kregedit - a KDE utility for viewing and editing registry files.
- ntreg a file system driver for linux, which understands the NT registry file format.
- Yet Another Registry Utility (yaru) Free tool that can be run on Windows, Linux or Mac OS-X. If run in admin mode, allows viewing of registry hives on live system.
- Windows ShellBag Parser Free tool that can be run on Windows, Linux or Mac OS-X.
- cafae - Computer Account Forensic Artifact Extractor. Free tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives.
- Abexo Free Regisry Cleaner
- Auslogics Registry Defrag
- Alien Registry Viewer
- NT Registry Optimizer
- iExpert Software-Free Registry Defrag
- Registry Recon
- Registry Undelete (russian)
- Windows Registry Recovery
- Registry Tool
- Using ShellBag Information to Reconstruct User Activities, by Yuandong Zhu*, Pavel Gladyshev, Joshua James, DFRWS 2009
- The Windows NT Registry File Format, by Timothy Morgan, June 9, 2009
- The Internal Structure of the Windows Registry, by Peter Norris, February 2009
- Recovering Deleted Data From the Windows Registry and slides, by Timothy Morgan, DFRWS 2008
- Forensic Analysis of the Windows Registry in Memory and slides, by Brendan Dolan-Gavitt, DFRWS 2008
- Forensic analysis of unallocated space in Windows Registry Hive files, by Jolanta Thomassen, March 11, 2008
- The Windows Registry as a forensic resource, Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205.
- A Windows Registry Quick Reference: For the Everyday Examiner, by Derrick Farmer, Burlington, VT.
- Forensic Analysis of the Windows Registry, by Lih Wern Wong , School of Computer and Information Science, Edith Cowan University
- Wikipedia: Windows Registry
- Windows Incident Response Articles on Registry
- Windows Registry Information
- Push the Red Button — Articles on Registry
- Security Accounts Manager
- Registry MRU Locations
= Tracking removable media
- http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html, by Yogesh Khatri, August 18, 2012
Windows 32-bit on Windows 64-bit (WoW64)
- UserAssist, by Didier Stevens
- UserAssist V2.3.0, by Didier Stevens, Tuesday 17 July 2007
- More on (the) UserAssist keys, by Harlan Carvey, Monday, September 03, 2007
- Windows 7 Beta: ROT13 Replaced With Vigenère? Great Joke!, by Didier Stevens, January 18, 2009
- Prefetch and User Assist, by DC174, Thursday, 27 May 2010
- Forensic Artifact: UserAssist, July 2010
- SANS Forensic Artifact 6: UserAssist, by Sploited, Thursday, 27 December 2012
- UserAssist Forensics (timelines, interpretation, testing, & more), by Dan (@4n6k), Tuesday, May 14, 2013
- Daily Blog #45: Understanding the artifacts: User Assist, by David Cowen, Wednesday, August 7, 2013