Windows Registry – The basics

The Windows registry is a hierarchical database stored on disk as a set of individual files known as ‘hives’. Each hive contains ‘keys’ (which behave like folders and can nest) and ‘values’ (named data items, each with a type such as REG_SZ, REG_DWORD or REG_BINARY). Much of the evidence a forensic examiner relies on, from user activity to persistence mechanisms, lives in these files.

Regedit shows five root keys:

  • HKEY_CLASSES_ROOT (HKCR) – a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes
  • HKEY_CURRENT_USER (HKCU) – a link to the logged-on user’s subkey under HKEY_USERS
  • HKEY_LOCAL_MACHINE (HKLM) – machine-wide settings; backed by the SAM, SECURITY, SYSTEM and SOFTWARE hives
  • HKEY_USERS (HKU) – one subkey per loaded user hive, named by SID
  • HKEY_CURRENT_CONFIG (HKCC) – a link to the current hardware profile under HKLM\SYSTEM

Only HKLM and HKU are backed directly by hive files; the other three are links or views onto them, which matters when you are working from files on disk rather than a running system.


On a running system the registry can be viewed with regedit.exe (or queried with reg.exe and PowerShell). The hive files themselves can be read from an offline system, a forensic image or a slaved hard drive: the live machine hives are in %SystemRoot%\System32\config, and a backup copy is kept in %SystemRoot%\System32\config\RegBack, which the RegIdleBackup scheduled task refreshes every 10 days by default on Vista, 7 and 8. Note that while Windows is running the hive files in config are locked, so they cannot simply be copied; they have to be exported (for example with reg.exe save), pulled from a Volume Shadow Copy, or taken from an image.

The hive files in %SystemRoot%\System32\config, and the root key each one is loaded under, are as follows:

  • SAM – HKLM\SAM (local account database, including password hashes)
  • SECURITY – HKLM\SECURITY (LSA secrets and local security policy)
  • SYSTEM – HKLM\SYSTEM (services, drivers, control sets, mounted devices)
  • SOFTWARE – HKLM\SOFTWARE (installed software, Run keys, OS version)
  • DEFAULT – HKU\.DEFAULT (the profile used before any user logs on)

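The following PowerShell, added here as an example and not taken from the original post, ties the root keys above to the hive files that back them: it checks which root keys exist, reads the hivelist key that Windows uses to record where each loaded hive lives on disk, lists the on-disk copies in config and RegBack, and exports the locked machine hives with reg.exe save. Run it from an elevated prompt; the output directory C:\Temp\hives is an assumption.

```powershell
# Added example (not code from the original post). Run in an elevated
# PowerShell session on a live Windows system.

# The five root keys. Only HKLM and HKU are real hives; HKCR, HKCU and HKCC
# are links/views onto them.
foreach ($root in 'HKEY_CLASSES_ROOT', 'HKEY_CURRENT_USER', 'HKEY_LOCAL_MACHINE',
                  'HKEY_USERS', 'HKEY_CURRENT_CONFIG') {
    '{0,-20} present: {1}' -f $root, (Test-Path "Registry::$root")
}

# HKLM\SYSTEM\CurrentControlSet\Control\hivelist records which file backs
# each loaded hive, as NT object paths (\Device\HarddiskVolumeN\...).
# Entries like \REGISTRY\USER\S-1-5-21-..._Classes are the UsrClass.dat hives.
$hivelist = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
$hivelist.PSObject.Properties |
    Where-Object { $_.Name -like '\REGISTRY\*' } |
    ForEach-Object { '{0,-45} -> {1}' -f $_.Name, $_.Value }

# The machine hive files on disk, plus the RegBack copies. On Vista/7/8 the
# RegIdleBackup task refreshes RegBack every 10 days; on current Windows 10/11
# builds the folder exists but stays empty unless periodic backup is re-enabled.
$config = Join-Path $env:SystemRoot 'System32\config'
$hives  = 'SAM', 'SECURITY', 'SYSTEM', 'SOFTWARE', 'DEFAULT'
Get-ChildItem -Path $config -File |
    Where-Object { $_.Name -in $hives } |
    Select-Object Name, Length, LastWriteTime
Get-ChildItem -Path (Join-Path $config 'RegBack') -File -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime

# The live files are held open exclusively by the kernel, so Copy-Item fails.
# reg.exe save writes a consistent copy of a loaded hive. This is also exactly
# what credential-theft tooling does to grab SAM and SYSTEM for offline hash
# extraction, so its appearance in process-creation logs is worth alerting on.
$out = 'C:\Temp\hives'   # assumption: any writable directory
New-Item -ItemType Directory -Path $out -Force | Out-Null
foreach ($h in 'SAM', 'SECURITY', 'SYSTEM') {
    reg.exe save "HKLM\$h" (Join-Path $out "$h.hiv") /y
}
Get-ChildItem $out
```

The exported .hiv files are in the same binary format as the files in config, so any offline hive parser that reads a slaved drive or image will read them too.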
More data is also held in the user profile under:

Win XP

C:\Documents and Settings\<username>\NTUSER.dat

Windows Vista, Windows 7 and Windows 8

C:\Users\<username>\NTUSER.dat

C:\Users\<username>\AppData\Local\Microsoft\Windows\USRCLASS.dat

From Windows Vista onward USRCLASS.dat becomes very useful for forensic investigations. It holds the per-user part of HKEY_CLASSES_ROOT, which grew in importance with User Account Control (UAC): registry virtualisation redirects writes that a non-elevated application attempts to make under HKLM\SOFTWARE\Classes into the user’s own classes hive, so per-user COM registrations and file associations created by applications the user ran end up here. From Windows 7 it also holds the ShellBags records of folders the user browsed in Explorer. When the user is logged on the hive is loaded as HKEY_USERS\<SID>_Classes and is displayed in the registry viewer under HKEY_CURRENT_USER\Software\Classes.
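The following PowerShell, added here as an example and not code from the original post, locates every profile’s NTUSER.DAT and UsrClass.dat from the ProfileList key, reports which of them are currently loaded under HKEY_USERS, reads the ShellBags root from the logged-on user’s classes hive, and then shows how a hive taken from an offline drive is mounted and unmounted. The offline path E:\Users\alice\NTUSER.DAT and the mount name HKU\ForensicUser are assumptions; substitute your own.

```powershell
# Added example (not code from the original post). Run elevated.

# Every local profile is listed under ProfileList by SID; ProfileImagePath
# gives the profile folder that contains NTUSER.DAT and UsrClass.dat.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem $profileList | ForEach-Object {
    $sid  = $_.PSChildName
    $path = (Get-ItemProperty $_.PSPath).ProfileImagePath
    [pscustomobject]@{
        SID           = $sid
        Profile       = $path
        NTUSER        = Join-Path $path 'NTUSER.DAT'
        UsrClass      = Join-Path $path 'AppData\Local\Microsoft\Windows\UsrClass.dat'
        # A logged-on user's hives appear as HKU\<SID> and HKU\<SID>_Classes;
        # HKCU\Software\Classes is a link to the latter.
        Loaded        = Test-Path "Registry::HKEY_USERS\$sid"
        ClassesLoaded = Test-Path "Registry::HKEY_USERS\${sid}_Classes"
    }
} | Format-Table -AutoSize

# ShellBags for the current user live in UsrClass.dat (Windows 7 and later),
# reachable through the HKCU\Software\Classes link.
$bagMru = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU'
if (Test-Path $bagMru) {
    'BagMRU subkeys for current user: {0}' -f (Get-ChildItem $bagMru -Recurse).Count
}

# Mounting a user hive from a slaved drive or mounted image. reg.exe load
# opens the file for writing and can modify it, so for evidence work load a
# copy, never the original.
$offlineHive = 'E:\Users\alice\NTUSER.DAT'   # assumption: slaved drive mounted as E:
$mount       = 'HKU\ForensicUser'            # assumption: arbitrary mount name
reg.exe load $mount $offlineHive
if ($LASTEXITCODE -eq 0) {
    # The hive is now browsable like any other key, e.g. paths the user typed
    # into the Explorer address bar.
    Get-ItemProperty "Registry::HKEY_USERS\ForensicUser\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" -ErrorAction SilentlyContinue
    # Release any provider handles before unloading, or unload reports the
    # key as in use.
    [GC]::Collect()
    reg.exe unload $mount
}
```

The same load/unload steps work for UsrClass.dat; mount it under a second name (for example HKU\ForensicUser_Classes) and the BagMRU path above is then under Local Settings\Software\Microsoft\Windows\Shell in that hive.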


This entry was posted in Windows Forensics.