- 1 Terminology
- 2 File Locations
- 3 Keys
- 4 Special cases
- 5 Bibliography
- 6 External Links
- 7 Tools
Terminology
According to 
A hive is a logical group of keys, subkeys, and values in the Windows Registry that has a set of supporting files containing backups of its data.
However, in common usage the term hive often does not imply the supporting files.
According to  the origin of the term is bee hives.
File Locations
The Windows Registry is stored in multiple files.
Windows NT 4
In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format.
The following Registry hives are stored in the corresponding files:
- HKEY_USERS\<user SID>: \Documents and Settings\<user profile>\NTUSER.DAT
- HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
- HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
- HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
- HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
- HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system
Windows 9x
In Windows 95, 98 and Me the Registry is stored in the Windows 9x Registry File (CREG) format, for example in:
- \Windows\profiles\<user profile>\user.dat
Special cases
The Windows Registry has several special-case scenarios, mainly concerning key and value names, that are easy to fail to account for:
- special characters in key and value names
- duplicate key and value names
- names stored in extended ASCII (ANSI strings) use a codepage that depends on the system settings
Special characters in key and value names
Both key and value names are case insensitive. The \ character is used as the key separator. Note that the \ character can also appear in value names. The / character can appear in both key and value names. Some examples:
- Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\ Value: Size/Small/Medium/Large
- Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\ Value: \Device\Video0
- Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\ Value: SchemaFile
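The pitfall behind these examples is treating "key path plus value name" as a single backslash-separated string. The following is an added example (not code from the original page or from any of the tools it lists): a small in-memory model in which key paths are split on the separator and compared case-insensitively, while value names are kept as opaque strings. The data stored under the three names is constructed for the example; the key and value names are the ones listed above.

```python
# Added example (not part of the original page): a minimal in-memory registry
# model showing why key paths and value names must be kept separate.
# Key paths split on "\" and compare case-insensitively; value names are
# opaque strings that may contain "\" or "/". All stored data is constructed.


def split_key_path(key_path):
    """Split a key path on the '\\' separator, dropping empty components
    left by a trailing separator (e.g. '...\\Parameters\\')."""
    return tuple(part.lower() for part in key_path.split("\\") if part)


class Hive:
    """Keys addressed by path, values by name; both lookups case-insensitive."""

    def __init__(self):
        # normalised key path -> {normalised value name: (original name, data)}
        self._keys = {}

    def set_value(self, key_path, value_name, data):
        values = self._keys.setdefault(split_key_path(key_path), {})
        # A second write under a differently-cased name replaces the first,
        # because the registry treats the two names as the same value.
        values[value_name.lower()] = (value_name, data)

    def get_value(self, key_path, value_name):
        entry = self._keys.get(split_key_path(key_path), {}).get(value_name.lower())
        return None if entry is None else entry[1]

    def value_names(self, key_path):
        return [orig for orig, _ in self._keys.get(split_key_path(key_path), {}).values()]


def naive_lookup(hive, full_path):
    """Broken approach: treat 'key\\value' as one string and split on the
    last backslash. Fails whenever the value name itself contains one."""
    key_path, _, value_name = full_path.rpartition("\\")
    return hive.get_value(key_path, value_name)


# Key paths from the page (trailing separator omitted).
NETBT = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters"
VIDEO = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc"
XMLPROV = (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters"
           r"\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1")


def build_sample_hive():
    """Populate a hive with the three key/value names from the page; the data
    stored under them is constructed for this example."""
    hive = Hive()
    hive.set_value(NETBT, "Size/Small/Medium/Large", 1)
    hive.set_value(VIDEO, r"\Device\Video0", "vga")
    hive.set_value(XMLPROV, "SchemaFile", "constructed.xml")
    return hive


if __name__ == "__main__":
    hive = build_sample_hive()
    print(hive.get_value(VIDEO.lower(), r"\device\video0"))      # 'vga'
    print(naive_lookup(hive, VIDEO + "\\" + r"\Device\Video0"))  # None
```

The naive lookup fails on the second example because the value name \Device\Video0 contains the separator; a parser that keeps the key path and the value name as separate fields, as `Hive` does, resolves it correctly even when the caller changes the case.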
Codepage-dependent ASCII strings
Value with the name "ëigenaardig" created on Windows XP with codepage 1252.
value key data:
00000000: 76 6b 0b 00 46 00 00 00 20 98 1a 00 01 00 00 00  vk..F... .......
00000010: 01 00 69 6e eb 69 67 65 6e 61 61 72 64 69 67 00  ..in.ige naardig.
00000020: 55 4e 49 43                                      UNIC

value key signature       : vk
value key value name size : 11
value key data size       : 0x00000046 (70)
value key data offset     : 0x001a9820
value key data type       : 1 (REG_SZ) String
value key flags           : 0x0001
    Value name is an ASCII string
value key unknown1        : 0x6e69 (28265)
value key value name      : ëigenaardig
value key value name hash : 0xb78835ee

value key padding:
00000000: 00 55 4e 49 43  .UNIC
As you can see, the name is stored in extended ASCII (ANSI) using codepage 1252.
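To make the codepage dependency concrete, here is an added example (not code from the original page) that parses the 36-byte vk cell transcribed from the dump above. The field layout it assumes is the REGF value key record: signature, name size, data size, data offset, data type, flags, spare, followed by the name bytes; flag bit 0 marks the name as an 8-bit ANSI string, otherwise the name is UTF-16LE. `make_vk_cell` and the hypothetical `cp1251` decode are constructed for comparison.

```python
import struct

# Added example (not from the original page): parse the vk (value key) cell
# shown in the hex dump above and decode its name according to the flags.
# Assumed layout of the REGF vk record: signature, name size, data size,
# data offset, data type, flags, spare, then the name bytes.

VK_HEADER = struct.Struct("<2sHIIIHH")   # 20 bytes, little-endian
VK_NAME_IS_ASCII = 0x0001                # flag bit: name is an 8-bit ANSI string
VK_DATA_IN_OFFSET = 0x80000000           # data size bit 31: data stored in the offset field

REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}

# The 36 bytes of the cell from the dump above (transcribed from the page).
VK_CELL = bytes.fromhex(
    "766b0b0046000000" "20981a0001000000"
    "0100696eeb696765" "6e61617264696700"
    "554e4943"
)


def decode_value_name(raw, flags, codepage):
    """ANSI names depend on the codepage of the system that wrote the hive;
    UTF-16LE names do not."""
    if flags & VK_NAME_IS_ASCII:
        return raw.decode(codepage)
    return raw.decode("utf-16-le")


def parse_vk(cell, codepage="cp1252"):
    """Parse one vk cell; codepage is the writer's ANSI codepage (an assumption
    the caller has to supply, since the hive does not record it)."""
    sig, name_size, data_size, data_offset, data_type, flags, spare = VK_HEADER.unpack_from(cell, 0)
    if sig != b"vk":
        raise ValueError("not a vk cell: %r" % sig)
    raw_name = cell[VK_HEADER.size:VK_HEADER.size + name_size]
    if len(raw_name) != name_size:
        raise ValueError("truncated value name")
    return {
        "name": decode_value_name(raw_name, flags, codepage),
        "name_size": name_size,
        "data_size": data_size & 0x7FFFFFFF,
        "data_in_offset": bool(data_size & VK_DATA_IN_OFFSET),
        "data_offset": data_offset,
        "data_type": REG_TYPES.get(data_type, "0x%08x" % data_type),
        "flags": flags,
        "spare": spare,
    }


def make_vk_cell(name, ansi=True, codepage="cp1252", data_type=1):
    """Build a constructed vk cell for a name, ANSI or UTF-16LE, so the two
    encodings can be compared (header fields other than the name are dummies)."""
    raw = name.encode(codepage) if ansi else name.encode("utf-16-le")
    flags = VK_NAME_IS_ASCII if ansi else 0
    header = VK_HEADER.pack(b"vk", len(raw), 0, 0, data_type, flags, 0)
    return header + raw


if __name__ == "__main__":
    for cp in ("cp1252", "cp1251"):
        print(cp, parse_vk(VK_CELL, codepage=cp)["name"])
```

Decoding the same bytes with cp1251 instead of cp1252 silently yields a different name (the 0xEB byte becomes a Cyrillic letter), so a parser that reads ANSI names should take the source system's codepage as an explicit input rather than assuming one; a name written as UTF-16LE (flag bit clear) decodes the same regardless of that setting.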
Bibliography
- Using ShellBag Information to Reconstruct User Activities, by Yuandong Zhu, Pavel Gladyshev, Joshua James, DFRWS 2009
- The Windows NT Registry File Format, by Timothy Morgan, June 9, 2009
- The Internal Structure of the Windows Registry, by Peter Norris, February 2009
- Recovering Deleted Data From the Windows Registry (paper and slides), by Timothy Morgan, DFRWS 2008
- Forensic Analysis of the Windows Registry in Memory (paper and slides), by Brendan Dolan-Gavitt, DFRWS 2008
- Forensic analysis of unallocated space in Windows Registry Hive files, by Jolanta Thomassen, March 11, 2008
- The Windows Registry as a forensic resource, Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205.
- A Windows Registry Quick Reference: For the Everyday Examiner, by Derrick Farmer, Burlington, VT.
- Forensic Analysis of the Windows Registry, by Lih Wern Wong, School of Computer and Information Science, Edith Cowan University
External Links
- Wikipedia: Windows Registry
- Windows Incident Response Articles on Registry
- Windows Registry Information
- Push the Red Button — Articles on Registry
- Security Accounts Manager
- Registry MRU Locations
Boot Configuration Data (BCD)
Windows 32-bit on Windows 64-bit (WoW64)
- Cached Credentials, by Juggernaut
- UserAssist, by Didier Stevens
- UserAssist V2.3.0, by Didier Stevens, Tuesday 17 July 2007
- More on (the) UserAssist keys, by Harlan Carvey, Monday, September 03, 2007
- Windows 7 Beta: ROT13 Replaced With Vigenère? Great Joke!, by Didier Stevens, January 18, 2009
- Prefetch and User Assist, by DC174, Thursday, 27 May 2010
- Forensic Artifact: UserAssist, July 2010
- SANS Forensic Artifact 6: UserAssist, by Sploited, Thursday, 27 December 2012
- UserAssist Forensics (timelines, interpretation, testing, & more), by Dan (@4n6k), Tuesday, May 14, 2013
- Daily Blog #45: Understanding the artifacts: User Assist, by David Cowen, Wednesday, August 7, 2013
Tools
- Forensic Registry EDitor (fred) - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by Daniel Gillen
- libregfi - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
- reglookup — "small command line utility for reading and querying Windows NT-based registries."
- regviewer — a tool for looking at the registry.
- RegRipper — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
- Parse::Win32Registry Perl module.
- python-registry Python module.
- Registry Decoder offline analysis component, by Andrew Case
- RegDecoderLive live hive acquisition component, by Andrew Case
- libregf - Library and tools to access the Windows NT Registry File (REGF) format
- Registryasxml - Tool to import/export registry sections as XML
- kregedit - a KDE utility for viewing and editing registry files.
- ntreg - a file system driver for Linux that understands the NT registry file format.
- Yet Another Registry Utility (yaru) - Free tool that can be run on Windows, Linux or Mac OS-X. If run in admin mode, it allows viewing of registry hives on a live system.
- Windows ShellBag Parser - Free tool that can be run on Windows, Linux or Mac OS-X.
- cafae - Computer Account Forensic Artifact Extractor. Free tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives.