The Windows registry is made up of individual files known as ‘hives’. These hives contain ‘keys’ (folders) and ‘values’ (data).
There are four root keys:
- HKEY_CLASSES_ROOT
- HKEY_CURRENT_USER
- HKEY_LOCAL_MACHINE
- HKEY_USERS
It is possible to access the registry while Windows is running using the regedit.exe program, or to access the registry files directly on an offline system, forensic image, slave hard drive etc. The hives currently in use are held in the %system32%\config folder; the %system32%\config\regbackup folder holds a backup copy, which is refreshed (by default) every 10 days.
The hive files are as follows:
- SAM
- SECURITY
- SYSTEM
- SOFTWARE
- DEFAULT
More data is also held in the user profile under:
Win XP
- C:\Documents and Settings\<username>\NTUSER.dat
Windows Vista, Windows 7 and Windows 8
- C:\Users\<username>\NTUSER.dat
- C:\Users\<username>\AppData\Local\Microsoft\Windows\USRCLASS.dat
The addition of the USRCLASS.dat file with Windows Vista is very useful for forensic investigations; it was created to work with User Access Control (UAC) and, as such, contains information regarding applications which have been executed. It is displayed in the registry viewer under HKEY_CURRENT_USER\Software\Classes.
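As an added example (not part of the original note), the following Python script collects the hive locations listed above from a mounted offline image and reads each hive's base block: it checks the `regf` signature, compares the primary and secondary sequence numbers (a mismatch means the last write never completed and the hive is 'dirty', so its transaction logs also matter), and decodes the last-written FILETIME. It assumes the image is mounted under a root directory containing `Windows` and `Users` (or `Documents and Settings`) folders, addresses the backup folder by its on-disk name `RegBack` (the location the note calls regbackup), and builds a small constructed directory tree of fake hive headers for demonstration; `build_sample_image`, `hive_paths`, `parse_hive_header` and `triage` are names chosen here, not part of any tool.

```python
"""Offline registry hive triage for a mounted Windows image (added example)."""
import os
import struct
import tempfile
from datetime import datetime, timedelta, timezone

# Hive files named in the note, relative to <root>\Windows\System32\config.
SYSTEM_HIVES = ("SAM", "SECURITY", "SYSTEM", "SOFTWARE", "DEFAULT")

# Hive base block: signature, primary seq, secondary seq, last written FILETIME,
# major, minor, file type, file format, root cell offset, hive bins size,
# clustering factor, embedded file name (64 bytes UTF-16LE). 112 bytes in total.
HEADER_FMT = "<4sIIQIIIIIII64s"
HEADER_LEN = struct.calcsize(HEADER_FMT)

SAMPLE_FILETIME = 129_698_496_000_000_000  # constructed: 2012-01-01 00:00:00 UTC


def filetime_to_datetime(filetime):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def parse_hive_header(data):
    """Parse the start of a hive base block; return None if it is not a hive."""
    if len(data) < HEADER_LEN:
        return None
    sig, seq1, seq2, ts, major, minor, ftype, _fmt, _root, _bins, _cl, name = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    if sig != b"regf":
        return None
    return {
        "primary_seq": seq1,
        "secondary_seq": seq2,
        # Unequal sequence numbers: the last write did not complete, so the
        # hive on disk is inconsistent until the .LOG files are replayed.
        "dirty": seq1 != seq2,
        "last_written": filetime_to_datetime(ts),
        "version": f"{major}.{minor}",
        "file_type": ftype,  # 0 = primary hive file
        "embedded_name": name.decode("utf-16-le").rstrip("\x00"),
    }


def hive_paths(root, windows_dir="Windows"):
    """Map hive labels to expected paths under the image root (no files opened).
    File name case follows the note; a case-sensitive mount may need adjusting."""
    config = os.path.join(root, windows_dir, "System32", "config")
    paths = {}
    for hive in SYSTEM_HIVES:
        paths[f"live/{hive}"] = os.path.join(config, hive)
        paths[f"regback/{hive}"] = os.path.join(config, "RegBack", hive)
    # Vista and later profiles carry USRCLASS.dat as well; XP profiles do not.
    for profiles, has_usrclass in ((os.path.join(root, "Users"), True),
                                   (os.path.join(root, "Documents and Settings"), False)):
        if not os.path.isdir(profiles):
            continue
        for user in sorted(os.listdir(profiles)):
            pdir = os.path.join(profiles, user)
            if not os.path.isdir(pdir):
                continue
            paths[f"user/{user}/NTUSER.dat"] = os.path.join(pdir, "NTUSER.dat")
            if has_usrclass:
                paths[f"user/{user}/USRCLASS.dat"] = os.path.join(
                    pdir, "AppData", "Local", "Microsoft", "Windows", "USRCLASS.dat")
    return paths


def triage(root, windows_dir="Windows"):
    """One record per expected hive: present on disk, parsed header (or None)."""
    records = []
    for label, path in hive_paths(root, windows_dir).items():
        rec = {"label": label, "path": path, "present": os.path.isfile(path), "header": None}
        if rec["present"]:
            with open(path, "rb") as fh:
                rec["header"] = parse_hive_header(fh.read(HEADER_LEN))
        records.append(rec)
    return records


def build_sample_hive(name, primary_seq, secondary_seq, filetime=SAMPLE_FILETIME):
    """Constructed 4 KiB base block for demonstration; not data from a real system."""
    header = struct.pack(HEADER_FMT, b"regf", primary_seq, secondary_seq, filetime,
                         1, 5, 0, 1, 0x20, 0x1000, 1,
                         name.encode("utf-16-le").ljust(64, b"\x00"))
    return header.ljust(4096, b"\x00")


def build_sample_image(root=None):
    """Write a constructed image tree: clean live SYSTEM, dirty RegBack SYSTEM,
    one user NTUSER.dat. Returns the root directory used."""
    root = root or tempfile.mkdtemp(prefix="hive_triage_")
    config = os.path.join(root, "Windows", "System32", "config")
    os.makedirs(os.path.join(config, "RegBack"), exist_ok=True)
    with open(os.path.join(config, "SYSTEM"), "wb") as fh:
        fh.write(build_sample_hive("SYSTEM", 7, 7))
    with open(os.path.join(config, "RegBack", "SYSTEM"), "wb") as fh:
        fh.write(build_sample_hive("SYSTEM", 8, 7))  # seq mismatch: dirty
    user = os.path.join(root, "Users", "alice")
    os.makedirs(user, exist_ok=True)
    with open(os.path.join(user, "NTUSER.dat"), "wb") as fh:
        fh.write(build_sample_hive("ntuser.dat", 3, 3))
    return root


if __name__ == "__main__":
    for r in triage(build_sample_image()):
        state = "missing" if not r["present"] else (
            "not a hive" if r["header"] is None else
            f"dirty={r['header']['dirty']} last_written={r['header']['last_written']:%Y-%m-%d %H:%M:%S}")
        print(f"{r['label']:<28} {state}")
```

Run against a real mount point instead of the constructed tree by calling `triage("/mnt/image")` (pass `windows_dir="WINDOWS"` for an XP image on a case-sensitive mount). Hives that are missing or dirty are the ones to collect together with their `.LOG` files before any parsing, and the last-written timestamp gives a quick check that the RegBack copy is the older generation.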