The Registry#
The Windows Registry is a hierarchical database that stores configuration settings for Microsoft Windows and its applications: system settings, user preferences, installed software, hardware and more. On disk it is split across hive files. The system hives (SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT) live in %SystemRoot%\System32\config; each user's hive is NTUSER.DAT in the profile root, with a second per-user hive, UsrClass.dat, under AppData\Local\Microsoft\Windows.
On a live system the registry can be browsed with regedit (Registry Editor) or queried with reg.exe and PowerShell. For offline analysis, hive files extracted from a disk image are parsed with tools such as RegRipper or Registry Explorer. The hives of a running system are locked, so a live machine needs a raw copy (for example from a volume shadow copy) before its hives can be parsed offline.
Structure#
The Registry is organized as a tree of keys and subkeys. At the top level sit a few predefined root keys whose names begin with HKEY (a handle to a key); each one represents a different area of the system.
Root keys (commonly called hives, although strictly a hive is the on-disk file behind a branch of the tree): logical groups of keys and values.
- HKLM (HKEY_LOCAL_MACHINE): machine-wide configuration, backed by the SYSTEM, SOFTWARE, SAM and SECURITY hive files
- HKCU (HKEY_CURRENT_USER): configuration of the logged-on user; a view of HKU\<SID> backed by that user's NTUSER.DAT
- HKCR (HKEY_CLASSES_ROOT): file associations and COM class registrations, merged from HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes
- HKU (HKEY_USERS): one subkey per loaded user profile, named by SID, plus .DEFAULT
Keys: containers that hold configuration data. Example: HKLM\Software (installed software information).
Subkeys: child keys beneath a parent key.
Values: name-value pairs holding the actual configuration details, each with a data type such as REG_SZ, REG_DWORD or REG_BINARY. Every key also carries a last-write timestamp, which is often the only time source a registry artifact has.
Registry Forensics#
The Windows Registry holds artifacts valuable in digital forensics: they reveal user activity, system information, device usage and attacker traces such as persistence entries and weakened security settings.
Below are common forensic registry keys:
User Activity#
Artifact | Registry Key | Description |
---|---|---|
RunMRU (Most Recently Used) | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU | Commands typed into the Run dialog (Win+R); the MRUList value gives their order. |
Typed Paths | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths | Paths typed into the File Explorer address bar. |
Recent File History | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU (OpenSaveMRU on XP) | Files recently opened or saved through the common Open/Save dialogs, grouped by extension. LastVisitedPidlMRU in the same key records which executable used the dialog and the last folder it was in. |
Program Usage (UserAssist) | NTUSER.DAT\...\Explorer\UserAssist\{GUID}\Count | GUI program executions per user. Value names are ROT13-encoded; the binary data holds the run count and the last-execution FILETIME. |
Last Key Viewed | NTUSER.DAT\...\Applets\Regedit\LastKey | Last key opened in Registry Editor. |
Recent Documents / LNK Files | HKCU\...\Explorer\RecentDocs | MRU of opened documents, by extension. The matching LNK shortcuts in %AppData%\Microsoft\Windows\Recent record the target's MAC times, original path and volume serial, and survive deletion of the target. |
Jump Lists | %AppData%\Microsoft\Windows\Recent\AutomaticDestinations and CustomDestinations (files, not registry keys) | Per-application lists of recently accessed files and tasks. Tools: jump_list_parser, jump_list_extractor. |
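The UserAssist row above notes that the value names are ROT13-encoded and the data is a binary record. The following Python decodes one Count entry; it is an example added here, not code from the original page. It handles both the 16-byte Windows XP record (session, count stored with a +5 bias, FILETIME) and the 72-byte Windows 7 and later record (run count at offset 4, focus count and focus time after it, last-run FILETIME at offset 60), and converts the FILETIME to UTC. Reading the value out of a hive (python-registry, RegRipper) or a live system (winreg) is assumed to happen elsewhere; the sample record is constructed, although the GUID is the real System32 known-folder GUID as it appears ROT13-encoded in a hive.

```python
r"""Decode UserAssist ...\Explorer\UserAssist\{GUID}\Count entries.

Added example; not taken from the original page. Record layouts:
  Windows XP (16 bytes): session (4) | run count + 5 (4) | FILETIME (8)
  Windows 7+ (72 bytes): session (4) | run count (4) | focus count (4) | focus ms (4) |
                         44 bytes of floats/unknowns | FILETIME (8) | 4 bytes unknown
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime; 0 means never."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, in integer arithmetic so large tick counts stay exact."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_userassist(value_name, data):
    """Return the decoded program name, run count, focus data and last run time of one entry."""
    name = codecs.decode(value_name, "rot_13")  # ROT13 leaves digits, braces and punctuation alone
    if len(data) == 16:  # Windows XP layout
        _session, count, ft = struct.unpack("<IIQ", data)
        run_count = max(count - 5, 0)  # XP stores the count biased by 5
        focus_count = focus_ms = None
    elif len(data) == 72:  # Windows 7 and later
        _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        (ft,) = struct.unpack_from("<Q", data, 60)
    else:
        raise ValueError(f"unexpected UserAssist record length {len(data)}")
    return {
        "name": name,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_ms": focus_ms,
        "last_run": filetime_to_datetime(ft),
    }


def build_win7_record(run_count, focus_count, focus_ms, last_run):
    """Build a 72-byte Windows 7+ record; used here only to construct sample data."""
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 44
            + struct.pack("<Q", datetime_to_filetime(last_run))
            + b"\x00" * 4)


# Constructed sample: the System32 known-folder GUID followed by cmd.exe, ROT13-encoded
# exactly as the value name would appear in the hive. Counts and time are made up.
SAMPLE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr"
SAMPLE_LAST_RUN = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_DATA = build_win7_record(12, 3, 45000, SAMPLE_LAST_RUN)

if __name__ == "__main__":
    entry = parse_userassist(SAMPLE_NAME, SAMPLE_DATA)
    print(f"{entry['name']}: run {entry['run_count']}x, last run {entry['last_run']}")
```

A run count of 0 with a zero FILETIME is normal for entries Windows pre-populates (pinned Start menu items), so the run count, not the mere presence of the value, is the evidence of execution.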
System Information#
Artifact | Registry Key | Description |
---|---|---|
Advanced Settings | HKCU\...\Explorer\Advanced | File Explorer customization settings. |
Computer Name | SYSTEM\ControlSet001\Control\ComputerName\ComputerName | System hostname. On a live system CurrentControlSet is an alias; offline, read SYSTEM\Select\Current to learn which ControlSet00N was in use. |
Windows Version Info | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | Windows version and build details. |
Installed Applications | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ | Executables registered so they can be launched by name; for the full list of installed programs use HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (also under WOW6432Node and HKCU). |
Services | SYSTEM\ControlSet001\Services\ | Installed services and drivers. |
UAC Status | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA=1 means UAC enabled, 0 means disabled. |
Last Logged-in User | HKLM\...\Authentication\LogonUI\LastLoggedOnUser | Tracks the last user to log in. |
Devices, Storage & Persistence#
Artifact | Registry Key | Description |
---|---|---|
Auto-Run Programs | HKLM\ and HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce | Programs launched at logon (HKLM for every user, HKCU for that user only). A classic persistence location; review with Sysinternals Autoruns. |
ShellBags | HKCU\SOFTWARE\Microsoft\Windows\Shell\BagMRU and \Bags (NTUSER.DAT); on Windows 7 and later most entries are in UsrClass.dat under Local Settings\Software\Microsoft\Windows\Shell | Folder view settings recorded when a folder is browsed in Explorer. Entries persist for deleted folders, removable media and network shares. Tool: ShellBags Explorer. |
Mounted Devices | HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR and HKLM\SYSTEM\MountedDevices | USBSTOR records vendor, product and serial for every USB mass-storage device ever connected; MountedDevices maps drive letters and volume GUIDs to those devices. |
SRUM Database | C:\Windows\System32\sru\SRUDB.dat (an ESE database, not a registry key; its extensions are registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions) | Per-application resource usage (CPU time, bytes sent and received) sampled hourly for roughly the last 30 days, retained after the executable is deleted. Tools: srum_dump, srum_extractor. |
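MountedDevices stores its data as REG_BINARY blobs whose layout depends on the volume type, and the USB entries embed the same device class and instance IDs that name the USBSTOR keys. The Python below is an example added here, not code from the page: it decodes the three common blob layouts (MBR signature plus partition offset, GPT partition GUID, and the UTF-16LE USBSTOR device path) and joins USB mounts to USBSTOR records. The hive contents are constructed dictionaries standing in for what python-registry or RegRipper would return, and the SanDisk device, its serial and the volume GUID are made up.

```python
r"""Decode HKLM\SYSTEM\MountedDevices blobs and join USB volumes to USBSTOR records.

Added example, not from the original page. Hive access is out of scope: SAMPLE_MOUNTED
and SAMPLE_USBSTOR are constructed dicts shaped like tool output. Known data layouts:
  12 bytes               MBR disk signature (LE DWORD) + partition byte offset (LE QWORD)
  "DMIO:ID:" + 16 bytes  GPT partition GUID
  UTF-16LE string        device path; for USB mass storage it reads
                         _??_USBSTOR#<class id>#<instance id>#{interface GUID}
"""
import struct
import uuid

USBSTOR_PREFIX = "_??_USBSTOR#"


def decode_mounted_device(data):
    """Return (kind, details) for one MountedDevices value."""
    if len(data) == 12:
        signature, offset = struct.unpack("<IQ", data)
        return "mbr", {"disk_signature": f"{signature:08X}", "partition_offset": offset}
    if data.startswith(b"DMIO:ID:") and len(data) == 24:
        return "gpt", {"partition_guid": str(uuid.UUID(bytes_le=data[8:]))}
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return "unknown", {"hex": data.hex()}
    if text.startswith(USBSTOR_PREFIX):
        _, class_id, instance_id, _interface = text.split("#", 3)
        return "usbstor", {
            "class_id": class_id,        # same string as the USBSTOR\<class id> key name
            "instance_id": instance_id,  # same string as the USBSTOR\<class id>\<instance> key name
            # A '&' as the second character means Windows generated the ID because the
            # device reported no serial, so it cannot pin down one physical stick.
            "has_real_serial": instance_id[1:2] != "&",
        }
    return "device_path", {"path": text}


def correlate_usb(mounted_devices, usbstor):
    """Join every USB mount (drive letter or volume GUID) to its USBSTOR record."""
    hits = []
    for mount_name, data in mounted_devices.items():
        kind, info = decode_mounted_device(data)
        if kind != "usbstor":
            continue
        device = usbstor.get(info["class_id"], {}).get(info["instance_id"], {})
        hits.append({
            "mount": mount_name,
            "serial": info["instance_id"].split("&")[0],  # drop the trailing '&<port>' suffix
            "has_real_serial": info["has_real_serial"],
            "class_id": info["class_id"],
            "friendly_name": device.get("FriendlyName"),
        })
    return hits


# Constructed sample data (device, serial and volume GUID are invented).
SAMPLE_USB_PATH = (USBSTOR_PREFIX
                   + "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00#4C530001234567890123&0"
                   + "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")  # GUID_DEVINTERFACE_DISK
SAMPLE_VOLUME_NAME = r"\??\Volume{3c1f0a2e-1111-4222-8333-444455556666}"
SAMPLE_GPT_GUID = "0f7a1c3e-5b2d-4e6f-9a8b-7c6d5e4f3a2b"
SAMPLE_MOUNTED = {
    r"\DosDevices\C:": b"DMIO:ID:" + uuid.UUID(SAMPLE_GPT_GUID).bytes_le,
    r"\DosDevices\D:": struct.pack("<IQ", 0xA1B2C3D4, 1048576),
    r"\DosDevices\E:": SAMPLE_USB_PATH.encode("utf-16-le"),
    SAMPLE_VOLUME_NAME: SAMPLE_USB_PATH.encode("utf-16-le"),
}
SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00": {
        "4C530001234567890123&0": {"FriendlyName": "SanDisk Cruzer USB Device"},
    },
}

if __name__ == "__main__":
    for hit in correlate_usb(SAMPLE_MOUNTED, SAMPLE_USBSTOR):
        print(f"{hit['mount']:50} serial={hit['serial']} ({hit['friendly_name']})")
```

The drive letter alone is not a stable identifier: the same stick shows up under \DosDevices\E: and under its \??\Volume{...} GUID, and the letter is reused by later devices, so the join key to use is the class and instance ID pair.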
Network & Security#
Artifact | Registry Key | Description |
---|---|---|
Firewall Status | HKLM\SYSTEM\...\FirewallPolicy | EnableFirewall=1 means enabled, 0 disabled, set separately per profile (DomainProfile, StandardProfile, PublicProfile). |
Remote Desktop | HKLM\SYSTEM\...\Control\Terminal Server | RDP settings; fDenyTSConnections=0 means RDP connections are allowed. |
Shared Folders | HKLM\SYSTEM\...\LanmanServer\Shares | Information about shared resources. |
Network Interfaces | HKLM\SYSTEM\...\Tcpip\Parameters\Interfaces | Per-adapter (interface GUID) IP, DHCP lease and gateway settings. |
Network List | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList | Profiles (network name, NameType, DateCreated, DateLastConnected) and Signatures (default gateway MAC, DNS suffix) of previously connected networks. |
User Accounts | HKLM\SAM\Domains\Account\Users\Names\ | All local accounts, including built-ins such as WDAGUtilityAccount; each name subkey's last-write time is the account creation time. The SAM hive is readable only as SYSTEM or offline. |
Timezone | SYSTEM\ControlSet001\Control\TimeZoneInformation | System timezone settings. |
Prefetch & Superfetch | HKLM\SYSTEM\...\PrefetchParameters | EnablePrefetcher and EnableSuperfetch control whether Prefetch runs (often 0 on servers and SSD systems). The execution history itself is the .pf files in C:\Windows\Prefetch. |
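The Network List and Timezone rows go together: DateCreated and DateLastConnected under NetworkList\Profiles\{GUID} are 16-byte REG_BINARY SYSTEMTIME structures (eight little-endian WORDs: year, month, day of week, day, hour, minute, second, milliseconds) in local time, so they have to be shifted by ActiveTimeBias from TimeZoneInformation before they can be compared with UTC timestamps from event logs. The Python below is an added example, not code from the page: it decodes those values, maps NameType to a medium (6 wired, 23 VPN, 71 wireless), pulls the gateway MAC from the matching Signatures entry and converts to UTC. The profile GUIDs, network names, signature key name and MAC address are constructed.

```python
r"""Decode NetworkList profile timestamps and join them to gateway signatures.

Added example, not from the original page. The dicts below stand in for values read from
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles and
...\NetworkList\Signatures\Unmanaged, plus ActiveTimeBias from TimeZoneInformation.
"""
import struct
from datetime import datetime, timedelta, timezone

# NameType values seen in Profiles\{GUID}
NAME_TYPES = {6: "wired", 23: "VPN", 71: "wireless"}


def parse_systemtime(data):
    """Decode a 16-byte SYSTEMTIME (eight little-endian WORDs) into a naive local datetime."""
    if len(data) != 16:
        raise ValueError(f"SYSTEMTIME must be 16 bytes, got {len(data)}")
    year, month, _day_of_week, day, hour, minute, second, ms = struct.unpack("<8H", data)
    return datetime(year, month, day, hour, minute, second, ms * 1000)


def local_to_utc(local_dt, active_time_bias_minutes):
    """ActiveTimeBias is the offset in minutes such that UTC = local time + bias."""
    return (local_dt + timedelta(minutes=active_time_bias_minutes)).replace(tzinfo=timezone.utc)


def parse_network_profiles(profiles, signatures, active_time_bias_minutes):
    """Return one record per profile, most recently connected first."""
    rows = []
    for guid, values in profiles.items():
        # Signatures\Unmanaged\<hash> carries ProfileGuid, DefaultGatewayMac and DnsSuffix
        sig = next((s for s in signatures.values() if s.get("ProfileGuid") == guid), {})
        mac = sig.get("DefaultGatewayMac")
        rows.append({
            "guid": guid,
            "name": values["ProfileName"],
            "type": NAME_TYPES.get(values["NameType"], f"unknown({values['NameType']})"),
            "created_utc": local_to_utc(parse_systemtime(values["DateCreated"]), active_time_bias_minutes),
            "last_connected_utc": local_to_utc(parse_systemtime(values["DateLastConnected"]), active_time_bias_minutes),
            "gateway_mac": ":".join(f"{b:02x}" for b in mac) if mac else None,
            "dns_suffix": sig.get("DnsSuffix"),
        })
    rows.sort(key=lambda r: r["last_connected_utc"], reverse=True)
    return rows


# Constructed sample hive contents. ActiveTimeBias 300 means UTC-5 (US Eastern, standard time).
SAMPLE_ACTIVE_TIME_BIAS = 300
SAMPLE_PROFILES = {
    "{6f1c2a4e-0000-4000-8000-000000000001}": {
        "ProfileName": "CoffeeShop-Guest",
        "NameType": 71,
        "DateCreated": struct.pack("<8H", 2024, 3, 2, 5, 9, 30, 15, 0),        # 2024-03-05 09:30:15 local
        "DateLastConnected": struct.pack("<8H", 2024, 3, 6, 9, 18, 45, 0, 0),  # 2024-03-09 18:45:00 local
    },
    "{6f1c2a4e-0000-4000-8000-000000000002}": {
        "ProfileName": "corp.example",
        "NameType": 6,
        "DateCreated": struct.pack("<8H", 2023, 11, 1, 20, 8, 0, 0, 0),         # 2023-11-20 08:00:00 local
        "DateLastConnected": struct.pack("<8H", 2024, 3, 1, 11, 7, 55, 10, 0),  # 2024-03-11 07:55:10 local
    },
}
SAMPLE_SIGNATURES = {
    "010103000F0000F0080000000F0000F0CONSTRUCTED": {
        "ProfileGuid": "{6f1c2a4e-0000-4000-8000-000000000001}",
        "DefaultGatewayMac": bytes.fromhex("00aabbccddee"),
        "DnsSuffix": "guest.coffeeshop.example",
        "Description": "CoffeeShop-Guest",
    },
}

if __name__ == "__main__":
    for row in parse_network_profiles(SAMPLE_PROFILES, SAMPLE_SIGNATURES, SAMPLE_ACTIVE_TIME_BIAS):
        print(f"{row['last_connected_utc']:%Y-%m-%d %H:%M:%S}Z {row['type']:8} {row['name']:18} gw={row['gateway_mac']}")
```

ActiveTimeBias reflects daylight saving at the moment the hive was written, so a connection made under a different DST state can be off by an hour; when that matters, use Bias and the DaylightBias rules from the same key rather than the single active value.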
Summary#
Registry forensics provides investigators with insights into user actions, system configurations, network history, device usage, and persistence mechanisms. Proper analysis can reveal attacker activity and digital evidence.