Microsoft Windows Registry
The Windows Registry is a database that contains system configuration information relating to the hardware, software and users, as well as activity, such as file, device and program usage. This information is retrieved and modified by applications via the registry API and is also viewable using a built-in utility called the 'Registry Editor', or 'regedit' for short.
The Registry is made up of keys and values. When viewing the registry via the Registry Editor, five root keys, listed below, are visible; these are commonly (if loosely) referred to as 'Hives', although strictly a hive is one of the on-disk files from which the registry is built. The root keys can be expanded in a similar fashion to File Explorer.
- HKEY_CLASSES_ROOT - A merged view of 'HKEY_LOCAL_MACHINE\Software\Classes' and 'HKEY_CURRENT_USER\Software\Classes', often abbreviated to 'HKCR'. The file type associations stored here ensure that the correct program opens when you open a file via File Explorer.
- HKEY_CURRENT_USER - Contains details of the user that is currently logged in to the computer. This is a link to the subkey of 'HKEY_USERS' named after that user's SID and is often abbreviated to 'HKCU'.
- HKEY_LOCAL_MACHINE - Includes information relating to the computer itself that applies to all users and is often abbreviated to 'HKLM'.
- HKEY_USERS - Stores information relating to all the user profiles on the computer in question and is often abbreviated to 'HKU'.
- HKEY_CURRENT_CONFIG - Details regarding the hardware profile used by the local computer at system startup are available here.
'HKEY_LOCAL_MACHINE' is itself subdivided into the following subkeys, each of which is a separate hive.
- HARDWARE
- SAM
- SECURITY
- SOFTWARE
- SYSTEM
If it is necessary to access these hives independently of the Registry Editor, the 'SAM', 'SECURITY', 'SOFTWARE' and 'SYSTEM' hive files can be found in 'C:\Windows\System32\config'. Note that 'HARDWARE' is volatile: it is rebuilt at every boot and has no file on disk, so it cannot be recovered from an image. Each hive file is accompanied by '.LOG1' and '.LOG2' transaction logs, which may hold changes not yet written to the main file and should be kept with it. The information for the 'HKEY_CURRENT_USER' hive is stored in two files within the user profile. The main file, 'NTUSER.DAT', is stored at the base of the user profile, 'C:\Users\<username>\'. There is also a 'UsrClass.dat' file that is mounted in the registry under 'HKEY_CURRENT_USER\Software\Classes' and can be found in 'C:\Users\<username>\AppData\Local\Microsoft\Windows'. Both are hidden system files, and all of these hives are locked while Windows is running, so on a live system they must be exported (for example with 'reg save') or copied with a tool that reads the raw volume.
There is one further hive file, 'Amcache.hve', which records details of programs that have been installed or executed and can be found in 'C:\Windows\appcompat\Programs'.
These files might need to be accessed directly if, for example, they were part of an image of a hard drive rather than a live system. Tools that can parse them include Registry Explorer (part of Eric Zimmerman's Tools) and RegRipper. It should be noted that such tools often present registry data in a more human-readable form than the Registry Editor does, for example by decoding binary values and timestamps.
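As an added illustration (not code from the original page or from any of the tools named above), the following Python script reads the 512-byte 'regf' base block that starts every hive file, which is the first check worth doing on a hive pulled from an image: it confirms the signature, compares the two sequence numbers (a mismatch means the hive is 'dirty' and the '.LOG1'/'.LOG2' transaction logs should be replayed before trusting its contents), reports the last-written time, and verifies the header checksum. The field offsets follow the documented hive file format; the sample header it builds when run without an argument is constructed test data, not a real hive.

```python
import struct
import sys
from datetime import datetime, timedelta, timezone

REGF_BASE_BLOCK_SIZE = 512   # the base block occupies the first 512 bytes of a hive file
HBIN_START = 4096            # cell offsets in the header are relative to the first hbin


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def regf_checksum(block):
    """XOR of the 127 DWORDs preceding the checksum field, with the two reserved results remapped."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if x == 0:
        return 1
    return x


def parse_regf_header(data):
    """Parse the base block of a hive file and report whether it is clean and internally consistent."""
    if len(data) < REGF_BASE_BLOCK_SIZE:
        raise ValueError("file too short to be a registry hive")
    block = data[:REGF_BASE_BLOCK_SIZE]
    if block[:4] != b"regf":
        raise ValueError("not a registry hive: bad signature %r" % block[:4])
    (primary_seq, secondary_seq, last_written, major, minor,
     file_type, file_format, root_cell, hbins_size, clustering) = struct.unpack_from("<IIQIIIIIII", block, 4)
    # Offset 48: UTF-16LE file name padded with nulls (real hives carry the tail of the hive path here).
    name = block[48:48 + 64].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored_checksum = struct.unpack_from("<I", block, 508)[0]
    return {
        "name": name,
        "version": f"{major}.{minor}",
        "file_type": file_type,                  # 0 = primary hive file
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        # A mismatch means a write was in progress: replay .LOG1/.LOG2 before parsing the hive.
        "dirty": primary_seq != secondary_seq,
        "last_written": filetime_to_datetime(last_written),
        "root_cell_offset": HBIN_START + root_cell,
        "hbins_size": hbins_size,
        "checksum_ok": stored_checksum == regf_checksum(block),
    }


def build_sample_header(primary_seq, secondary_seq, name="SYSTEM"):
    """Construct a synthetic base block for demonstration; this is made-up test data, not a real hive."""
    block = bytearray(REGF_BASE_BLOCK_SIZE)
    block[:4] = b"regf"
    last_written = 132_444_736_000_000_000        # FILETIME for 2020-09-13 12:26:40 UTC
    struct.pack_into("<IIQIIIIIII", block, 4, primary_seq, secondary_seq, last_written,
                     1, 5, 0, 1, 0x20, 0x100000, 1)
    block[48:48 + 64] = name.encode("utf-16-le")[:64].ljust(64, b"\x00")
    struct.pack_into("<I", block, 508, regf_checksum(block))
    return bytes(block)


if __name__ == "__main__":
    # Usage: python regf_header.py <hive file>; with no argument the synthetic block is parsed instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read(REGF_BASE_BLOCK_SIZE)
    else:
        data = build_sample_header(7, 7)
    for key, value in parse_regf_header(data).items():
        print(f"{key:>17}: {value}")
```

Run it against a copy of 'SYSTEM' taken from an image; if 'dirty' is True, the hive was mid-write when the image was taken and a parser that applies the transaction logs (Registry Explorer does this) should be used rather than the bare file.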
Some examples of useful information in the Registry
Operating system information:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Computer name:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Time zone information:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Network interfaces:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Past network information:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
Details of programs or commands that run when any user logs on (the same three key names also exist under 'HKEY_CURRENT_USER', where they apply to that user only):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Information regarding services:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Recent documents opened by the current user:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
This information is held in each user's 'NTUSER.DAT' file, so by loading that file for each profile it can be recovered for every user of the computer in question, not only the one currently logged on; the same is true of anything under 'HKEY_CURRENT_USER'. Within 'RecentDocs' there are further subkeys holding lists for individual file extensions, such as '.docx' for Microsoft Word documents, and each list has an 'MRUListEx' value recording the order in which its entries were used.
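To show how the order of entries is recovered, here is an added Python example (not code from the original page) that parses the 'MRUListEx' value and the numbered entry values of a RecentDocs key. The sample values are constructed to mirror the on-disk layout (the file name as a null-terminated UTF-16LE string followed by a shell item); the 'read_live_recentdocs' helper, which uses the standard 'winreg' module, only works on Windows and is not exercised by the sample.

```python
import struct


def parse_mrulistex(data):
    """Return the entry indices from a MRUListEx value, most recently used first.

    MRUListEx is a REG_BINARY list of little-endian DWORDs terminated by 0xFFFFFFFF;
    each DWORD is the name of a sibling value ("0", "1", ...) holding one entry.
    """
    order = []
    usable = len(data) - len(data) % 4
    for (index,) in struct.iter_unpack("<I", data[:usable]):
        if index == 0xFFFFFFFF:
            break
        order.append(index)
    return order


def recentdocs_name(data):
    """Extract the file name that starts a RecentDocs entry.

    The entry begins with the name as a null-terminated UTF-16LE string; a shell item
    (holding the short name and the .lnk name) follows it and is ignored here.
    """
    end = 0
    while end + 1 < len(data):
        if data[end] == 0 and data[end + 1] == 0:   # terminator on a UTF-16 code-unit boundary
            break
        end += 2
    return data[:end].decode("utf-16-le", errors="replace")


def ordered_recent_docs(values):
    """Given {value name: data} for one RecentDocs (sub)key, list file names most recent first."""
    names = []
    for index in parse_mrulistex(values.get("MRUListEx", b"")):
        data = values.get(str(index))
        if data is not None:                          # a dangling index means the entry was removed
            names.append(recentdocs_name(data))
    return names


def sample_recentdocs_values():
    """Constructed sample data in the on-disk layout (not captured from a real system)."""
    def entry(name):
        return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00SHELL-ITEM-PLACEHOLDER"
    return {
        "0": entry("budget.xlsx"),
        "1": entry("notes.txt"),
        "2": entry("report.docx"),
        "MRUListEx": struct.pack("<IIII", 2, 0, 1, 0xFFFFFFFF),
    }


def read_live_recentdocs(extension=None):
    """Read the same data from the live registry of the current user; Windows only (uses winreg)."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
    if extension:
        path += "\\" + extension
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        i = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = data
            i += 1
    return ordered_recent_docs(values)


if __name__ == "__main__":
    print(ordered_recent_docs(sample_recentdocs_values()))
```

The same MRUListEx convention is used by several other Explorer keys (for example 'OpenSavePidlMRU' and 'LastVisitedPidlMRU'), so 'parse_mrulistex' is reusable there, although the entry format that follows differs.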
Information on paths typed into the File Explorer address bar:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
Similarly, details regarding the searches made from the search box of File Explorer are also available:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
A history of programs launched by the current user through the Windows GUI (File Explorer, shortcuts, the Start menu):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
Here '{GUID}' identifies the type of entry rather than the user (one subkey holds executables, another shortcut files). The value names under 'Count' are ROT13-encoded program paths, and each value records a run count and a last-run timestamp.
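The following added Python example (not from the original page) decodes UserAssist entries: it reverses the ROT13 on the value names, expands the known-folder GUID that many names begin with, and unpacks the 72-byte 'Count' layout used since Windows 7 (run count at offset 4, focus count at 8, focus time in milliseconds at 12, last-run FILETIME at 60). The two subkey GUIDs and the two known-folder GUIDs in the tables are well-known Windows values; the sample value data is constructed, not captured from a real system, and the older 16-byte layout used by Windows XP is not handled.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Subkey GUIDs under UserAssist on Windows 7 and later; they name the entry type, not the user.
USERASSIST_SUBKEYS = {
    "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}": "executable files",
    "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}": "shortcut (.lnk) files",
}
# Known-folder GUIDs that decoded entry names frequently begin with.
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "%ProgramFiles%",
}


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def decode_name(value_name):
    """Undo the ROT13 applied to UserAssist value names and expand a leading known-folder GUID."""
    name = codecs.decode(value_name, "rot_13")
    for guid, folder in KNOWN_FOLDERS.items():
        if name.upper().startswith(guid):
            return folder + name[len(guid):]
    return name


def parse_count(data):
    """Parse the 72-byte Count value layout used by Windows 7 and later."""
    if len(data) != 72:
        raise ValueError(f"unexpected Count value length {len(data)} (only the 72-byte layout is handled)")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_run = struct.unpack_from("<Q", data, 60)[0]
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run) if last_run else None,   # 0 means never recorded
    }


def parse_userassist(subkey_guid, values):
    """values: {raw value name: Count data} for one ...\\UserAssist\\{GUID}\\Count key.

    Returns one row per program, most recently run first. Session counters (names that
    decode to 'UEME_...') are bookkeeping entries, not programs, and are skipped.
    """
    category = USERASSIST_SUBKEYS.get(subkey_guid.upper(), "unknown entry type")
    rows = []
    for raw_name, data in values.items():
        name = decode_name(raw_name)
        if name.startswith("UEME_"):
            continue
        row = {"name": name, "category": category}
        row.update(parse_count(data))
        rows.append(row)
    never = datetime.min.replace(tzinfo=timezone.utc)
    rows.sort(key=lambda r: r["last_run"] or never, reverse=True)
    return rows


def sample_userassist_values():
    """Constructed sample values (not from a real system), stored exactly as they would be on disk."""
    def count(run_count, focus_count, focus_ms, last_run_filetime):
        data = bytearray(72)
        struct.pack_into("<III", data, 4, run_count, focus_count, focus_ms)
        struct.pack_into("<Q", data, 60, last_run_filetime)
        return bytes(data)
    base = 132_444_736_000_000_000                   # FILETIME for 2020-09-13 12:26:40 UTC
    return {
        codecs.encode("{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\cmd.exe", "rot_13"): count(3, 2, 15000, base),
        codecs.encode("C:\\Users\\Public\\tool.exe", "rot_13"): count(1, 1, 800, base + 600 * 10_000_000),
        codecs.encode("UEME_CTLSESSION", "rot_13"): count(0, 0, 0, 0),
    }


if __name__ == "__main__":
    for row in parse_userassist("{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}", sample_userassist_values()):
        print(f"{row['last_run']}  runs={row['run_count']:<3} {row['name']}")
```

A program that appears here with a run count but no corresponding installation evidence, or one run from a writable location such as a user profile or a temp directory, is the kind of entry that deserves a closer look during triage.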
Details of USB storage devices that have been connected to the computer (one subkey per device model, each with a further subkey per device instance named after its serial number):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
Volume names of USB devices are also available, in the 'FriendlyName' value of each device subkey here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Portable Devices\Devices
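As an added example (not from the original page), the Python below ties the two USB keys together: it splits USBSTOR key names into vendor, product and revision, flags instance IDs whose second character is '&' (Windows generates such an ID when the device reports no serial number, so it cannot be used to track the device across machines), and looks the serial up in the 'Windows Portable Devices\Devices' key names to recover the volume name. The key names and 'FriendlyName' values in the sample are constructed to resemble real ones, and the exact WPD key name format is assumed to embed the USBSTOR instance ID, which is what the substring match relies on.

```python
import re

# Device keys under ...\Enum\USBSTOR look like: Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
DEVICE_KEY_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>.*)$",
    re.IGNORECASE,
)

# Constructed sample data (not captured from a real system).
SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00": ["4C530001230523108201&0"],
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": ["6&2b4e8f1a&0&000000"],
}
SAMPLE_WPD = {
    "SWD#WPDBUSENUM#_??_USBSTOR#DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00"
    "#4C530001230523108201&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}": "WORKFILES",
}


def parse_instance_id(instance_id):
    """Split a USBSTOR instance ID into the serial and the "&<n>" suffix Windows appends.

    If the device reported no serial number, Windows generates an ID whose second
    character is '&'; such IDs are specific to this machine and must not be treated
    as a device serial when correlating across systems.
    """
    serial, sep, suffix = instance_id.rpartition("&")
    if not sep:
        serial, suffix = instance_id, ""
    return {
        "serial": serial,
        "suffix": suffix,
        "windows_generated": len(instance_id) > 1 and instance_id[1] == "&",
    }


def parse_usbstor(usbstor):
    """usbstor: {device key name: [instance ID, ...]} as enumerated from the USBSTOR key."""
    devices = []
    for key_name, instances in usbstor.items():
        m = DEVICE_KEY_RE.match(key_name)
        if not m:
            continue                                  # not a device key in the expected form
        for instance_id in instances:
            row = {k: m.group(k) for k in ("type", "vendor", "product", "revision")}
            row.update(parse_instance_id(instance_id))
            devices.append(row)
    return devices


def attach_volume_names(devices, wpd_devices):
    """wpd_devices: {key name under ...\\Windows Portable Devices\\Devices: its FriendlyName value}.

    The WPD key names embed the USBSTOR instance ID, so a case-insensitive search for the
    serial recovers the volume label Windows recorded for the device.
    """
    for row in devices:
        row["volume_name"] = None
        needle = row["serial"].upper()
        for key_name, friendly in wpd_devices.items():
            if needle in key_name.upper():
                row["volume_name"] = friendly
                break
    return devices


if __name__ == "__main__":
    for d in attach_volume_names(parse_usbstor(SAMPLE_USBSTOR), SAMPLE_WPD):
        flag = " (Windows-generated ID)" if d["windows_generated"] else ""
        print(f"{d['vendor']} {d['product']} rev {d['revision']} serial {d['serial']}{flag} -> {d['volume_name']}")
```

On a live system the two dictionaries can be filled by enumerating the subkeys of each key with 'reg query' or 'winreg'; from an image, load the 'SYSTEM' and 'SOFTWARE' hives in Registry Explorer and export the key listings.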