Windows Registry – The basics

The Windows registry is made up of individual files, known as 'hives'. These hives contain 'keys' (which appear as folders in a registry viewer) and 'values' (the data stored under a key).

There are four root keys:

  • HKEY_CLASSES_ROOT
  • HKEY_CURRENT_USER
  • HKEY_LOCAL_MACHINE
  • HKEY_USERS


It is possible to access the registry while Windows is running using the regedit.exe program, or to access the registry files directly on an offline system, forensic image, slaved hard drive, etc. The registry currently in use lives in the %system32%\config folder; the %system32%\config\RegBack folder holds a backup copy, which by default is refreshed every 10 days.

The hive files are as follows:

  • SAM
  • SECURITY
  • SYSTEM
  • SOFTWARE
  • DEFAULT

More data is also held in the user profile under:

Win XP

C:\Documents and Settings\<username>\NTUSER.dat

Windows Vista, Windows 7 and Windows 8

C:\Users\<username>\NTUSER.dat

C:\Users\<username>\AppData\Local\Microsoft\Windows\USRCLASS.dat

The USRCLASS.dat file, added with Windows Vista, is very useful for forensic investigations: it was introduced to work with User Account Control (UAC) and as such contains information about applications that have been executed. It is shown in the registry viewer under HKEY_CURRENT_USER\Software\Classes.
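To put the hive locations above to use on an offline image, here is an added example (not code from the original post) that walks those paths under a mount root, such as a forensic image mounted read-only, and reports what it finds. It assumes the standard layout under the volume root (Windows\System32\config, its RegBack subfolder, and the XP and Vista+ profile directories). Two facts it relies on come from the hive file format rather than from the post: every hive begins with the 4-byte signature "regf", and the two sequence numbers that follow it are equal only when the hive was cleanly flushed, so an unequal pair tells the examiner the hive was mid-write when it was acquired. The sample volume it builds is constructed, not real evidence.

```python
import struct
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# Hive locations from the post, relative to the root of a mounted Windows volume
# (assumed layout; for example a forensic image mounted read-only at /mnt/evidence).
SYSTEM_HIVES = ["SAM", "SECURITY", "SYSTEM", "SOFTWARE", "DEFAULT"]
CONFIG_DIR = Path("Windows") / "System32" / "config"
REGBACK_DIR = CONFIG_DIR / "RegBack"   # periodic backup copies of the hives above

# Per-user hives: (profile container, hive path relative to one profile directory).
USER_HIVES = [
    (Path("Documents and Settings"), Path("NTUSER.dat")),                   # Windows XP
    (Path("Users"), Path("NTUSER.dat")),                                    # Vista and later
    (Path("Users"), Path("AppData/Local/Microsoft/Windows/UsrClass.dat")),  # Vista and later
]

REGF_MAGIC = b"regf"   # every hive file starts with this 4-byte signature


@dataclass
class HiveRecord:
    role: str                      # e.g. "SYSTEM", "RegBack/SYSTEM", "Users/alice/NTUSER.dat"
    path: str
    exists: bool
    size: int = 0
    is_regf: bool = False          # header carries the regf signature
    clean: Optional[bool] = None   # True if sequence numbers match; None if header unreadable


def inspect_hive(role: str, path: Path) -> HiveRecord:
    """Examine one candidate hive file read-only and describe what was found."""
    rec = HiveRecord(role=role, path=str(path), exists=path.is_file())
    if not rec.exists:
        return rec
    rec.size = path.stat().st_size
    with path.open("rb") as fh:
        header = fh.read(12)
    # regf base block: bytes 0-3 signature, 4-7 primary sequence number,
    # 8-11 secondary sequence number, both little-endian uint32. The two
    # numbers differ while a write is in progress, so a mismatch on an
    # acquired hive means the transaction logs are needed to recover state.
    if len(header) == 12 and header[:4] == REGF_MAGIC:
        rec.is_regf = True
        seq1, seq2 = struct.unpack("<II", header[4:12])
        rec.clean = seq1 == seq2
    return rec


def inventory_hives(root: Path) -> List[HiveRecord]:
    """List the system hives, their RegBack copies and per-user hives under root."""
    root = Path(root)
    records: List[HiveRecord] = []
    for name in SYSTEM_HIVES:
        records.append(inspect_hive(name, root / CONFIG_DIR / name))
        records.append(inspect_hive(f"RegBack/{name}", root / REGBACK_DIR / name))
    for container, rel in USER_HIVES:
        base = root / container
        if not base.is_dir():
            continue
        for profile in sorted(p for p in base.iterdir() if p.is_dir()):
            role = f"{container.name}/{profile.name}/{rel.name}"
            records.append(inspect_hive(role, profile / rel))
    return records


def build_sample_volume(root: Path) -> None:
    """Constructed sample volume (not real evidence) exercising each outcome."""
    def write_hive(path: Path, seq1: int, seq2: int) -> None:
        path.parent.mkdir(parents=True, exist_ok=True)
        header = REGF_MAGIC + struct.pack("<II", seq1, seq2)
        path.write_bytes(header + b"\0" * (4096 - len(header)))  # pad to one 4 KiB base block

    write_hive(root / CONFIG_DIR / "SAM", 5, 5)                # clean hive
    write_hive(root / CONFIG_DIR / "SYSTEM", 9, 8)             # dirty: write in flight when imaged
    write_hive(root / REGBACK_DIR / "SYSTEM", 7, 7)            # clean backup copy
    write_hive(root / "Users" / "alice" / "NTUSER.dat", 2, 2)  # user hive, Vista+ layout
    (root / CONFIG_DIR / "SOFTWARE").write_bytes(b"not a hive")  # wrong signature


def describe(rec: HiveRecord) -> str:
    """Short status word for a record, for the printed report."""
    if not rec.exists:
        return "missing"
    if not rec.is_regf:
        return "not a hive"
    return "regf clean" if rec.clean else "regf DIRTY"


def run_demo() -> Dict[str, HiveRecord]:
    """Build the sample volume in a temp dir and return its records keyed by role."""
    root = Path(tempfile.mkdtemp(prefix="hives-"))
    build_sample_volume(root)
    return {rec.role: rec for rec in inventory_hives(root)}


if __name__ == "__main__":
    for rec in run_demo().values():
        print(f"{rec.role:30} {describe(rec):12} {rec.size:>6}  {rec.path}")
```

Point `inventory_hives()` at the mount root of a real volume instead of the sample directory to get the same report for an image. Missing RegBack copies and a dirty SYSTEM hive are the two findings worth recording in the examination notes: the first means the 10-day backup cannot be used to compare against the live hive, the second means the live hive's transaction logs have to be collected alongside it.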


This entry was posted in Windows Forensics.
