Registry

Registry Examination

Online registry analysis

Registry data is stored in a tree-like structure. Each top-level tree is called a hive; the folders beneath it are called keys and subkeys, and each component's configuration settings are stored inside them as values.

| Root key | Abbreviation | Explanation |
|---|---|---|
| HKEY_CLASSES_ROOT | HKCR | HKLM\SOFTWARE\Classes and HKU\Classes |
| HKEY_CURRENT_USER | HKCU | Subkey of the currently logged-in user among the user profiles under HKU |
| HKEY_LOCAL_MACHINE | HKLM | Collection of hive files and memory hives existing on the system |
| HKEY_USERS | HKU | NTUSER.DAT file existing in the user root folder |
| HKEY_CURRENT_CONFIG | HKCC | Contents of HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current |
| HKEY_PERFORMANCE_DATA | HKPD | Performance counters (not accessible through the Registry Editor, only through the registry functions) |

Offline registry analysis

  • Registry analysis on inactive systems (forensic drive duplicates or images)

  • The registry hive files need to be collected

Registry extraction

  • Locate the registry hive files and export them

  • Use FTK Imager to export the folder Windows\System32\config

Regripper

  • Select the corresponding registry hive file and the report location

  • Continue to load the other remaining registry files (e.g. Security, Software, System, NTUSER.dat)

Registry Explorer

  • Open the Registry Explorer (Eric Zimmerman)

  • Select the Registry to view

System specific hive

Windows maintains five main registry hives in the path below:

%SYSTEMROOT%\system32\config

Hive file names: SYSTEM, SECURITY, SOFTWARE, SAM, DEFAULT.

User specific hive

| Version | Path |
|---|---|
| Windows XP and Server 2003 | \Documents and Settings\NTUSER.DAT |
| | \Documents and Settings\Local Settings\Application Data\Microsoft\Windows\USRCLASS.DAT |
| Windows Vista, 7, and Server 2008 | \Users\NTUSER.DAT |
| | \Users\AppData\Local\Microsoft\Windows\USRCLASS.DAT |

Mapping

| Root key | Files |
|---|---|
| HKLM\Software | SOFTWARE |
| HKLM\Security | SECURITY |
| HKLM\System | SYSTEM |
| HKLM\SAM | SAM |
| HKU\.DEFAULT | DEFAULT |
| HKU\{SID} | NTUSER.DAT |
| HKU\{SID}_Classes | USRCLASS.DAT |
| HKEY_CURRENT_CONFIG | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\XXXX (i.e. HKLM\SYSTEM\ControlSetXXX) |

System Configuration Registry Keys

| Key | Value | Description |
|---|---|---|
| HKLM\System\CurrentControlSet\Control\Computername | Computername, ActiveComputername | Computer name |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | CurrentVersion | Basic information about the Windows version |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | DefaultUserName | Last logged-in user (the DefaultUserName value holds the last user who logged in) |

MRUs

Recently opened files (Explorer)

HKU\{USER}\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

This key can contain quite a number of values, all of which are binary data types. We are interested in the values that have numbers as names, which contain the names of the files accessed (in Unicode), and the value named MRUListEx, which records the order in which the files were accessed (as DWORDs). Because adding a value and its data to the key, as well as modifying the MRUListEx value, counts as modifying the key, the LastWrite time of the RecentDocs key tells us when the most recently listed file was accessed.

  • Files such as recently opened documents, pictures, music, and videos

  • 2000/XP – My Recent Documents

  • Vista/7 – Recent Items

  • Check the order in which the files were opened through the MRUListEx value

HKU\{USER}\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.MOV

The RecentDocs key also has a number of subkeys, each one being the extension of a file that was opened (.doc, .txt, .html, etc.). The values within these subkeys are maintained in the same way as in the RecentDocs key: The value names are numbered, and their data contains the name of the file accessed as a binary data type (in Unicode). Another value called MRUListEx is also a binary data type and maintains the order in which the files were accessed, most recent first, as DWORDs.

Recently executed command (Explorer)

HKU\{USER}\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
  • List of commands executed through “Start -> Run” or “Ctrl + R”

  • The MRUList value gives the execution order: its letters are the value names, listed most recent first.

For example, an MRUList value beginning with "e" tells us that the most recent item typed into the Run box is item "e".

  • List of files opened in Paint

HKU\{USER}\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List

File{N}: the lower the number, the more recently the file was opened (the values are written when Paint exits)

Microsoft Office usage trace

  • Recently opened folders

    HKU\{USER}\SOFTWARE\Microsoft\Office\{VERSION}\{APP}\Place MRU

  • Recently used files

    HKU\{USER}\SOFTWARE\Microsoft\Office\{VERSION}\{APP}\File MRU

  • Separate traces are saved for each application and version

  • Includes information such as recently opened folders, recently used files, recently used pages, recently accessed URLs, etc.

Search term list (Explorer)

Windows 7

HKU\{USER}\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
  • List of search terms when using search in Windows 7 Explorer

  • Vista does not store the search term list in the registry.

  • Check the order of search word usage through the MRUListEx key value

  • Example MRUListEx order, most recent first: 10 -> 0F -> 0E -> 0D -> 0C -> 0B -> 0A -> 04 -> 09 -> 08 -> 07 -> 06 -> 05 -> 03 -> 02 -> 01 -> 00
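The MRUListEx (RecentDocs, WordWheelQuery) and MRUList (RunMRU) ordering described in the sections above, worked through as an added example that is not part of this page: the decoders take the raw value data as it would be read from an exported hive, and all sample values (file names, commands, the MRUListEx order quoted above) are constructed, not taken from a real system.

```python
import struct

def parse_mrulistex(data: bytes) -> list[int]:
    """MRUListEx: little-endian DWORD value-name indices, most recent first, ended by 0xFFFFFFFF."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data[: len(data) - len(data) % 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def parse_mrulist(data: str) -> list[str]:
    """MRUList (RunMRU style): a string of one-letter value names, most recent first."""
    return list(data.rstrip("\x00"))

def utf16_name(data: bytes) -> str:
    """Leading UTF-16LE string up to a double NUL; RecentDocs appends a shell item, ignored here."""
    end = 0
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[:end].decode("utf-16-le")

def mru_order(values: dict) -> list[tuple[str, str]]:
    """(value name, decoded data) most recent first, via MRUListEx (binary) or MRUList (string)."""
    if "MRUListEx" in values:
        names = [str(i) for i in parse_mrulistex(values["MRUListEx"])]
    else:
        names = parse_mrulist(values["MRUList"])
    out = []
    for n in names:
        if n not in values:  # dangling index: value deleted, MRU list not rewritten
            continue
        d = values[n]
        out.append((n, utf16_name(d) if isinstance(d, bytes) else d))
    return out

def _u16(s: str) -> bytes:
    return s.encode("utf-16-le") + b"\x00\x00"
# Constructed sample data (not from a real hive). RecentDocs: MRUListEx says value 2 was
# opened most recently, then 0, then 1; the trailing bytes stand in for the shell item.
RECENTDOCS = {
    "0": _u16("report.docx") + b"\x14\x00\x32\x00",
    "1": _u16("notes.txt") + b"\x14\x00\x32\x00",
    "2": _u16("budget.xlsx") + b"\x14\x00\x32\x00",
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}
# RunMRU stores each command with a trailing "\1"; MRUList "cba" means c is the most recent.
RUNMRU = {"a": "cmd\\1", "b": "notepad\\1", "c": "regedit\\1", "MRUList": "cba"}
# WordWheelQuery MRUListEx with the order quoted above (0x10 newest ... 0x00 oldest).
WORDWHEEL_MRULISTEX = struct.pack("<18I", 16, 15, 14, 13, 12, 11, 10, 4, 9, 8, 7, 6, 5, 3, 2, 1, 0, 0xFFFFFFFF)
```

Running `mru_order(RECENTDOCS)` yields budget.xlsx, report.docx, notes.txt in that order; the same function orders RunMRU entries by the MRUList letters.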

Typed Paths (Explorer)

HKU\{USER}\SOFTWARE\Microsoft\Internet Explorer\TypedURLs

The TypedURLs key maintains a list of the URLs the user types into the Address bar in Internet Explorer. Unlike the MRU keys above, the value names within the TypedURLs key are ordered with the most recently typed URL having the lowest number, so this key has no MRUList or MRUListEx value.

UserAssist

USB

USB storage medium identification procedure

  1. When a USB storage medium is connected, the bus driver notifies the PnP manager.

  2. The connection notification uses the device's unique identification (device descriptor).

  3. The device descriptor includes the manufacturer, serial number, driver information, etc.

  4. The PnP manager sets the device class ID based on the received information and searches for an appropriate driver.

  5. If no driver is present, the user-mode PnP manager obtains the driver from the device's firmware, loads it, and writes it to the registry.

HKLM\SYSTEM\ControlSet00X\Enum\USBSTOR\{DID, device class identifier}
HKLM\SYSTEM\ControlSet00X\Control\DeviceClasses\{GUID}
  1. The device driver installation process is recorded in a log file.

  2. As a result, traces of USB devices can be identified through log files (setupapi.log) and the registry.

Precautions when checking registry key last modification time information

  • Each registry key stores the last modification time of that key.

  • Various USB traces can be identified from the last modification time, but the times of the Enum\USB and Enum\USBSTOR subkeys should not be relied on.

  • Under the security policy of Windows Vista/7, the PnP manager frequently rewrites the security token on these subkeys.

    • Each RegSetKeySecurity API call updates the last modification time

USB Registry Keys

Serial number

HKLM\SYSTEM\ControlSet00X\Enum\USBSTOR\{Device Class ID}
  • Device Class ID format show manufacturer, product name, and version information

  • For Example Ven_<Manufacturer>&<Product Name>&Rev_<Version>

  • The serial number is a sub-key of the Device Class ID

  • If the USB devices have a unique serial from their respective manufacturers. &0 or &1 will be displayed at the end of the serial number.

  • If instead the second character is an & then the device does not have a unique serial number and Windows has issued one which is unique to the local system only.

Vendor ID, Product ID

HKLM\SYSTEM\ControlSet00X\Enum\USB
  • VID####&PID#### -> Vendor ID, Product ID

Connected volume name

HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices

Under Devices, look for a subkey whose name includes the product name or serial number.

FriendlyName (i.e. Volume Name)

In one example the FriendlyName (i.e. Volume Name) is KINGSTON; in another it is FOR408-USB.

If the second key does not contain a serial number, look in the following key for the bracketed value (i.e. {c0b076c....}):

SYSTEM\CurrentControlSet\Enum\USBSTOR\<Device>\<SerialNumber>\Device Parameters\Partmgr

That bracketed value can then be correlated with the entry under Windows Portable Devices.

Volume Serial Number

  • The VSN is assigned by Windows Vista and later operating systems each time the device is formatted.

SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt

The value stored here is the Volume Serial Number in decimal; the Volume Serial Number is normally shown in hexadecimal, so convert the decimal value to hex to obtain it.

You can verify it with the vol command while the device is connected.

Note: The Volume Serial Number changes if the device is formatted, because it is allocated after the format.

Note: Record both the Volume Serial Number and the Volume Name for use when analysing Link (.lnk) files.

Determine the Drive Letter

SYSTEM\MountedDevices
  • When a USB removable storage device is connected to a Windows system, it is assigned a drive letter; that drive letter shows up in the MountedDevices key.

  • If the device is assigned the drive letter F:\, the value in the MountedDevices key will appear as \DosDevices\F:.

  • We can map the entry from the USBSTOR key to the MountedDevices key using the ParentIdPrefix value found within the unique instance ID key for the device.
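Tying the USB sections above together as an added example (not code from this page): parsing a USBSTOR device class ID and judging whether its instance subkey is a manufacturer serial or a Windows-issued one, converting the decimal EMDMgmt value to the XXXX-XXXX form that `vol` prints, and mapping a \DosDevices\X: entry in MountedDevices to the USBSTOR device. The MountedDevices mapping assumes Vista-and-later data, where the value holds a UTF-16LE device path containing the USBSTOR instance ID (serial), rather than the XP-era ParentIdPrefix; all sample values are constructed, and the GUID is the standard disk device-interface class GUID.

```python
import re

DEVICE_ID_RE = re.compile(r"^(?P<cls>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$")
MOUNTED_RE = re.compile(r"USBSTOR#(?P<device>[^#]+)#(?P<instance>[^#]+)#")

def parse_usbstor_device_id(device_id: str) -> dict:
    """Split a USBSTOR device class ID, e.g. Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP."""
    m = DEVICE_ID_RE.match(device_id)
    if not m:
        raise ValueError(f"not a USBSTOR device class ID: {device_id}")
    return m.groupdict()

def serial_is_unique(instance_id: str) -> bool:
    """The instance subkey is the serial plus '&0'/'&1'. If its second character is '&',
    the device had no serial and Windows generated an ID unique only to this machine."""
    return len(instance_id) > 1 and instance_id[1] != "&"

def volume_serial_hex(decimal_vsn: int) -> str:
    """EMDMgmt holds the volume serial in decimal; 'vol' shows it as hex XXXX-XXXX."""
    h = f"{decimal_vsn & 0xFFFFFFFF:08X}"
    return f"{h[:4]}-{h[4:]}"

def mounted_usb_devices(values: dict) -> dict:
    """Map drive letters from SYSTEM\\MountedDevices (\\DosDevices\\X:) to the
    (device class ID, instance ID) of the USBSTOR device mounted there. Data is a
    UTF-16LE device path; fixed-disk entries hold a raw MBR signature and are skipped."""
    result = {}
    for name, data in values.items():
        if not name.startswith("\\DosDevices\\"):
            continue
        try:
            text = data.decode("utf-16-le")
        except UnicodeDecodeError:
            continue
        m = MOUNTED_RE.search(text)
        if m:
            result[name.split("\\")[-1]] = (m["device"], m["instance"])
    return result

# Constructed sample values (not from a real system). The GUID is the standard disk
# device-interface class GUID; the serial and volume serial are made up.
MOUNTED_DEVICES = {
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4" + "0010000000000000"),  # MBR signature + offset
    "\\DosDevices\\F:": (
        "_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP#"
        "0C9D92B1C5F3E4C1&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    ).encode("utf-16-le"),
}
EMDMGMT_VSN_DECIMAL = 439041101  # constructed; 'vol' would print it as 1A2B-3C4D
```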
