The Windows registry is made up of individual files, known as ‘hives’. These hives contain ‘keys’ (folders) and ‘values’ (data).
There are four root keys:
It is possible to access the registry while Windows is running using the regedit.exe program, or to access the registry files directly from an offline system, forensic image, slave hard drive etc. by opening the %system32%\config folder for the currently used registry, or the %system32%\config\regbackup folder, which is backed up (by default) every 10 days.
The hive files are as follows:
More data is also held in the user profile under:
C:\Documents and Settings\<username>\NTUSER.dat
Windows Vista, Windows 7 and Windows 8
The addition of the USRCLASS.dat file with Windows Vista is very useful for forensic investigations; it was created to work with User Account Control (UAC) and as such contains information regarding applications which have been executed. It is displayed in the registry viewer under HKEY_CURRENT_USER\Software\Classes.
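When hive files such as NTUSER.dat or UsrClass.dat are pulled from an offline image rather than viewed in regedit, the first thing to check is the 4 KiB base block at the start of each file. The following is an added example, not code from the original page: it parses that header (the "regf" signature, sequence numbers, last-written FILETIME, version, and checksum) so an examiner can identify a hive, see when it was last written, and tell whether it was left dirty by an incomplete write. The hive path and timestamp in the sample are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 4096          # every hive starts with a 4 KiB base block
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def regf_checksum(base_block):
    """XOR of the 127 DWORDs that precede the checksum field at offset 508."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x or 1

def parse_regf_header(data):
    """Parse the base block of a hive (SYSTEM, SAM, NTUSER.dat, UsrClass.dat ...)."""
    if len(data) < BASE_BLOCK_SIZE or data[:4] != b"regf":
        raise ValueError("not a registry hive: missing 'regf' signature")
    seq1, seq2, ts, major, minor, ftype, _fmt, root, size = struct.unpack_from(
        "<IIQIIIIII", data, 4)
    stored_sum = struct.unpack_from("<I", data, 508)[0]
    return {
        "name": data[48:112].decode("utf-16-le").rstrip("\x00"),  # tail of hive path
        "sequence": (seq1, seq2),
        # unequal sequence numbers: the last write never completed, so the
        # .LOG transaction logs should be replayed before trusting the hive
        "dirty": seq1 != seq2,
        "last_written": filetime_to_datetime(ts),
        "version": f"{major}.{minor}",
        "is_primary": ftype == 0,                    # 1 would be a transaction log
        "root_cell_offset": BASE_BLOCK_SIZE + root,  # cell offsets are relative to the first hbin
        "hbins_size": size,
        "checksum_ok": stored_sum == regf_checksum(data),
    }

def build_sample_hive(name, seq1, seq2, when):
    """Constructed base block for demonstration; a real hive has hbins after it."""
    blk = bytearray(BASE_BLOCK_SIZE)
    blk[:4] = b"regf"
    struct.pack_into("<IIQIIIIII", blk, 4, seq1, seq2, datetime_to_filetime(when), 1, 5, 0, 1, 0x20, 0x1000)
    blk[48:112] = name.encode("utf-16-le").ljust(64, b"\x00")
    struct.pack_into("<I", blk, 508, regf_checksum(blk))
    return bytes(blk)

def demo_hive(seq1=7, seq2=7):
    return build_sample_hive(r"\??\C:\Users\alice\ntuser.dat", seq1, seq2, datetime(2020, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for k, v in parse_regf_header(demo_hive()).items():
        print(f"{k:>17}: {v}")
```

Replace `demo_hive()` with `open(path, "rb").read(4096)` to run it against a hive exported from %system32%\config or a user profile.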