Terminology
Hive
According to [1]
A hive is a logical group of keys, subkeys, and values in the Windows Registry that has a set of supporting files containing backups of its data.
However in common usage the term hive often does not imply the supporting files.
According to [2] the origin of the term is bee hives.
File Locations
The Windows Registry is stored in multiple files.
Windows NT 4
In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format.
Basically the following Registry hives are stored in the corresponding files:
- HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
- HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
- HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
- HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
- HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
- HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system
Windows 9x/ME
In Windows 95, 98, Me the Registry is stored in the Windows 9x Registry File (CREG) format.
- \Windows\user.dat
- \Windows\system.dat
- \Windows\profiles\user profile\user.dat
Special cases
The Windows Registry has several special case scenarios, mainly concerning key and value name, that are easy to fail to account for:
- special characters in key and value names
- duplicate key and value names
- the names when stored in extended ASCII (ANSI string) use a codepage that is dependent on the system settings
- unreconciled data
Special characters in key and value names
Both key and values names are case insensitive. The \ character is used as the key separator. Note
that the \ character can be used in value names. The / character is used in both key and value names.
Some examples of which are:
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\
Value: Size/Small/Medium/Large
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\
Value: \Device\Video0
Key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\
Value: SchemaFile
Also, null bytes may be present in key values in order to hide data [3].
Codepaged ASCII strings
Value with name "ëigenaardig" created on Windows XP codepage 1252.
value key data:
00000000: 76 6b 0b 00 46 00 00 00 20 98 1a 00 01 00 00 00 vk..F... .......
00000010: 01 00 69 6e eb 69 67 65 6e 61 61 72 64 69 67 00 ..in.ige naardig.
00000020: 55 4e 49 43 UNIC
value key signature : vk
value key value name size : 11
value key data size : 0x00000046 (70)
value key data offset : 0x001a9820
value key data type : 1 (REG_SZ) String
value key flags : 0x0001
Value name is an ASCII string
value key unknown1 : 0x6e69 (28265)
value key value name : ëigenaardig
value key value name hash : 0xb78835ee
value key padding:
00000000: 00 55 4e 49 43 .UNIC
As you can see the name is stored in extended ASCII (ANSI) using codepage 1252.
Unreconciled data
Starting from Windows 8.1 and Windows Server 2012 R2, a new implementation of the hive flusher was introduced in kernel. This implementation attempts to radically reduce the number of disk writes on a mounted hive: in particular, a flush operation on a hive will store modified (dirty) data in a transaction log file, but hive bins in a primary file (also known as a normal or data file) will be intact. A kernel will sync a primary file after one of the following conditions has occurred:
- an hour has elapsed since the latest write to a primary file;
- a power management subsystem reports that all users (local and remote) are inactive;
- the operating system is shutting down (hive is unloading).
In order to correctly handle unreconciled data (e.g. when dealing with an image taken from a live system), one needs to parse transaction log files along with primary files.
Persistence keys
The following lists are loosely based of:
Note that in the lists below HKEY_CURRENT_USER is a subset of HKEY_USERS
Command Processor (cmd.exe)
| Description
|
Command Processor Auto Run
|
| Artifact name
|
WindowsCommandProcessorAutoRun
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Command Processor
- HKEY_USERS\%SID%\Software\Microsoft\Command Processor
- HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Command Processor
|
| Value name(s)
|
AutoRun
|
| Additional information
|
Command Processor\AutoRun
|
Debugging
| Description
|
Automatic debugging
|
| Artifact name
|
WindowsAutomaticDebugging
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
|
| Value name(s)
|
Debugger
|
| Additional information
|
Configuring Automatic Debugging
|
Internet Explorer
| Description
|
Browser Helper Objects
|
| Artifact name
|
InternetExplorerBrowserHelperObjects
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
|
| Value name(s)
|
*
|
| Additional information
|
|
Local Security Authority (LSA)
| Description
|
Local Security Authority (LSA) Authentication Packages
|
| Artifact name
|
WindowsLSAAuthenticationPackages
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
|
| Value name(s)
|
Authentication Packages
|
| Additional information
|
|
| Description
|
Local Security Authority (LSA) Notification Packages
|
| Artifact name
|
WindowsLSANotificationPackages
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
|
| Value name(s)
|
Notification Packages
|
| Additional information
|
|
| Description
|
Local Security Authority (LSA) Security Packages
|
| Artifact name
|
WindowsLSASecurityPackages
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
|
| Value name(s)
|
Security Packages
|
| Additional information
|
|
Run keys
| Description
|
Run keys
|
| Artifact name
|
WindowsRunKeys
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
- HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
- HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Run\*
- HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
- HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
- HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*
- HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
- HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*
- HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*
- HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
- HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*
|
| Value name(s)
|
*
|
| Additional information
|
|
| Description
|
Run services keys
|
| Artifact name
|
WindowsRunServices
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\*
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\*
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\*
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\*
|
| Value name(s)
|
*
|
| Additional information
|
|
Session Manager
| Description
|
Session Manager Execute
|
| Artifact name
|
- WindowsSessionManagerBootExecute
- WindowsSessionManagerExecute
- WindowsSessionManagerSetupExecute
|
| Key path(s)
|
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
|
| Value name(s)
|
- BootExecute
- Execute
- SetupExecute
|
| Additional information
|
|
| Description
|
Windows Session Manager Windows-on-Windows (WOW) command line
|
| Artifact name
|
WindowsSessionManagerWOWCommandLine
|
| Key path(s)
|
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\WOW
|
| Value name(s)
|
|
| Additional information
|
|
Service Control Manager
| Description
|
Service Control Manager extension
|
| Artifact name
|
WindowsServiceControlManagerExtension
|
| Key path(s)
|
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
|
| Value name(s)
|
ServiceControlManagerExtension
|
| Additional information
|
|
Windows shell (explorer.exe)
| Description
|
Shell Icon Overlay Identifiers
|
| Artifact name
|
WindowsShellIconOverlayIdentifiers
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
- HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
- HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
|
| Value name(s)
|
*
|
| Additional information
|
|
| Description
|
Shell Extensions
|
| Artifact name
|
WindowsShellExtensions
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
- HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
- HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
|
| Value name(s)
|
*
|
| Additional information
|
|
| Description
|
Shell Execute Hooks
|
| Artifact name
|
WindowsShellExecuteHooks
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
|
| Value name(s)
|
*
|
| Additional information
|
|
| Description
|
Shell Load and Run
|
| Artifact name
|
WindowsShellLoadAndRun
|
| Key path(s)
|
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
- HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
|
| Value name(s)
|
|
| Additional information
|
|
| Description
|
Shell Service Object Delay Load
|
| Artifact name
|
WindowsShellServiceObjects
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
|
| Value name(s)
|
*
|
| Additional information
|
TrojanClicker:Win32/Zirit.X
|
Winlogon and Credential Providers
| Description
|
Credential Provider Filters
|
| Artifact name
|
WindowsCredentialProviderFilters
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*
|
| Value name(s)
|
*
|
| Additional information
|
Capturing Windows 7 Credential at logon using custom credential provider
|
| Description
|
Pre-Logon Access Provider (PLAP) Providers
|
| Artifact name
|
WindowsPLAPProviders
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*
|
| Value name(s)
|
*
|
| Additional information
|
|
| Description
|
Winlogon Gina DLL
|
| Artifact name
|
WindowsWinlogonShell
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
|
| Value name(s)
|
GinaDLL
|
| Additional information
|
|
| Description
|
Winlogon Notify
|
| Artifact name
|
WindowsWinlogonNotify
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*
- HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*
|
| Value name(s)
|
DLLName
|
| Additional information
|
|
| Description
|
Winlogon Shell
|
| Artifact name
|
WindowsWinlogonShell
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
|
| Value name(s)
|
Shell
|
| Additional information
|
|
| Description
|
Winlogon System
|
| Artifact name
|
WindowsWinlogonSystem
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
|
| Value name(s)
|
System
|
| Additional information
|
|
| Description
|
Winlogon Taksman
|
| Artifact name
|
WindowsWinlogonTaksman
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
|
| Value name(s)
|
Taksman
|
| Additional information
|
|
| Description
|
Winlogon Userinit
|
| Artifact name
|
WindowsWinlogonUserinit
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
|
| Value name(s)
|
Userinit
|
| Additional information
|
|
| Description
|
Winlogon VMApplet
|
| Artifact name
|
WindowsWinlogonVMApplet
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
|
| Value name(s)
|
VMApplet
|
| Additional information
|
|
Policy
| Description
|
Windows System Policy replacement shell
|
| Artifact name
|
WindowsSystemPolicyShell
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System
|
| Value name(s)
|
Shell
|
| Additional information
|
|
Unsorted
| Description
|
Active Setup - Installed Components
|
| Artifact name
|
WindowsStubPaths
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components
- HKEY_USERS\%SID%\Software\Microsoft\Active Setup\Installed Components
- HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components
|
| Value name(s)
|
StubPath
|
| Additional information
|
|
| Description
|
Application Initial (AppInit) DLLs persistence
|
| Artifact name
|
WindowsAppInitDLLs
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
- HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows
- HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
|
| Value name(s)
|
AppInit_DLLs
|
| Additional information
|
|
| Description
|
Security Providers
|
| Artifact name
|
WindowsSecurityProviders
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\*
|
| Value name(s)
|
*
|
| Additional information
|
|
| Description
|
Alternate shell
|
| Artifact name
|
WindowsAlternateShell
|
| Key path(s)
|
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot
|
| Value name(s)
|
AlternateShell
|
| Additional information
|
|
| Description
|
Boot verification program
|
| Artifact name
|
WindowsBootVerificationProgram
|
| Key path(s)
|
- HEKY_LOCAL_MACHINE\System\CurrentControlSet\Control\BootVerificationProgram
|
| Value name(s)
|
ImagePath
|
| Additional information
|
|
Bibliography
- Using ShellBag Information to Reconstruct User Activities, by Yuandong Zhu*, Pavel Gladyshev, Joshua James, DFRWS 2009
- The Windows NT Registry File Format, by Timothy Morgan, June 9, 2009
- The Internal Structure of the Windows Registry, by Peter Norris, February 2009
- Recovering Deleted Data From the Windows Registry and slides, by Timothy Morgan, DFRWS 2008
- Forensic Analysis of the Windows Registry in Memory and slides, by Brendan Dolan-Gavitt, DFRWS 2008
- Forensic analysis of unallocated space in Windows Registry Hive files, by Jolanta Thomassen, March 11, 2008
- The Windows Registry as a forensic resource, Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205.
- Windows registry file format specification, by Maxim Suhanov, 2015-2018
Undated
External Links
Boot Configuration Data (BCD)
Windows 32-bit on Windows 64-bit (WoW64)
Cached Credentials
Persistence keys
- Understand and Control Startup Apps with the System Configuration Utility, by Microsoft Technet
- Silent Runners, by Andrew Aronoff
- Digital Forensics: Persistence Registry keys, Dave Hull, October 20, 2010
- Beyond good ol’ Run key, Hexacorn blog, July 23, 2012
- Plugins: soft_run user_run, by Corey Harrell, April 17, 2013
- Auto-Start Extensibility Points (ASEPs), by the RegRipper project, April 29, 2013
- Windows Registry Persistence, Part 2: The Run Keys and Search-Order, by Scott Langendorf, September 24, 2013
- Volatility autoruns plugin, by the Volatility project, April 14, 2015
User Assist
- UserAssist, by Didier Stevens
- UserAssist V2.3.0, by Didier Stevens, Tuesday 17 July 2007
- More on (the) UserAssist keys, by Harlan Carvey, Monday, September 03, 2007
- Windows 7 Beta: ROT13 Replaced With Vigenère? Great Joke!, by Didier Stevens, January 18, 2009
- Prefetch and User Assist, by DC174, Thursday, 27 May 2010
- Forensic Artifact: UserAssist, July 2010
- SANS Forensic Artifact 6: UserAssist, by Sploited, Thursday, 27 December 2012
- UserAssist Forensics (timelines, interpretation, testing, & more), by Dan (@4n6k), Tuesday, May 14, 2013
- Daily Blog #45: Understanding the artifacts: User Assist, by David Cowen, Wednesday, August 7, 2013
Tools
Open Source
- Forensic Registry EDitor (fred) - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by Daniel Gillen
- libregfi - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
- reglookup — "small command line utility for reading and querying Windows NT-based registries."
- regviewer — a tool for looking at the registry.
- RegRipper — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
- Parse::Win32Registry Perl module.
- python-registry Python module.
- Registry Decoder offline analysis component, by Andrew Case
- RegDecoderLive live hive acquisition component, by Andrew Case
- libregf - Library and tools to access the Windows NT Registry File (REGF) format
- Registryasxml - Tool to import/export registry sections as XML
- kregedit - a KDE utility for viewing and editing registry files.
- ntreg a file system driver for linux, which understands the NT registry file format.
- Registry Full featured, offline Registry hive parser written in C#. Supports deleted item recovery, full searching, and more by @EricZimmerman
- Mobius Forensic Toolkit The Hive extension extracts all the registry files from the disk and shows the logical structure of the registry, akin to regedit.
- yarp — yet another registry parser.
Freeware
- Registry Explorer Registry Explorer and RECmd allow unrivaled access to Registry hives by @EricZimmerman
Commercial
