Windows Registry

From ForensicsWiki
Jump to: navigation, search

Terminology

Hive

According to [1]

A hive is a logical group of keys, subkeys, and values in the Windows Registry that has a set of supporting files containing backups of its data.

However in common usage the term hive often does not imply the supporting files.

According to [2] the origin of the term is bee hives.

File Locations

The Windows Registry is stored in multiple files.

Windows NT 4

In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format.

Basically the following Registry hives are stored in the corresponding files:

  • HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
  • HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
  • HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
  • HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system

Windows 9x/ME

In Windows 95, 98, Me the Registry is stored in the Windows 9x Registry File (CREG) format.

  • \Windows\user.dat
  • \Windows\system.dat
  • \Windows\profiles\user profile\user.dat

Special cases

The Windows Registry has several special case scenarios, mainly concerning key and value name, that are easy to fail to account for:

  • special characters in key and value names
  • duplicate key and value names
  • the names when stored in extended ASCII (ANSI string) use a codepage that is dependent on the system settings
  • unreconciled data

Special characters in key and value names

Both key and values names are case insensitive. The \ character is used as the key separator. Note that the \ character can be used in value names. The / character is used in both key and value names. Some examples of which are:

Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\
Value: Size/Small/Medium/Large
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\
Value: \Device\Video0
Key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\
Value: SchemaFile

Also, null bytes may be present in key values in order to hide data [3].

Codepaged ASCII strings

Value with name "ëigenaardig" created on Windows XP codepage 1252.

value key data:
00000000: 76 6b 0b 00 46 00 00 00  20 98 1a 00 01 00 00 00   vk..F...  .......
00000010: 01 00 69 6e eb 69 67 65  6e 61 61 72 64 69 67 00   ..in.ige naardig.
00000020: 55 4e 49 43                                        UNIC

value key signature                     : vk
value key value name size               : 11
value key data size                     : 0x00000046 (70)
value key data offset                   : 0x001a9820
value key data type                     : 1 (REG_SZ) String
value key flags                         : 0x0001
        Value name is an ASCII string

value key unknown1                      : 0x6e69 (28265)
value key value name                    : ëigenaardig
value key value name hash               : 0xb78835ee
value key padding:
00000000: 00 55 4e 49 43                                     .UNIC

As you can see the name is stored in extended ASCII (ANSI) using codepage 1252.

Unreconciled data

Starting from Windows 8.1 and Windows Server 2012 R2, a new implementation of the hive flusher was introduced in kernel. This implementation attempts to radically reduce the number of disk writes on a mounted hive: in particular, a flush operation on a hive will store modified (dirty) data in a transaction log file, but hive bins in a primary file (also known as a normal or data file) will be intact. A kernel will sync a primary file after one of the following conditions has occurred:

  • an hour has elapsed since the latest write to a primary file;
  • a power management subsystem reports that all users (local and remote) are inactive;
  • the operating system is shutting down (hive is unloading).

In order to correctly handle unreconciled data (e.g. when dealing with an image taken from a live system), one needs to parse transaction log files along with primary files.

Persistence keys

The following lists are loosely based of:

Note that in the lists below HKEY_CURRENT_USER is a subset of HKEY_USERS

Command Processor (cmd.exe)

Description Command Processor Auto Run
Artifact name WindowsCommandProcessorAutoRun
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Command Processor
  • HKEY_USERS\%SID%\Software\Microsoft\Command Processor
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Command Processor
Value name(s) AutoRun
Additional information Command Processor\AutoRun

Debugging

Description Automatic debugging
Artifact name WindowsAutomaticDebugging
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
Value name(s) Debugger
Additional information Configuring Automatic Debugging

Internet Explorer

Description Browser Helper Objects
Artifact name InternetExplorerBrowserHelperObjects
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
Value name(s) *
Additional information

Local Security Authority (LSA)

Description Local Security Authority (LSA) Authentication Packages
Artifact name WindowsLSAAuthenticationPackages
Key path(s)
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
Value name(s) Authentication Packages
Additional information
Description Local Security Authority (LSA) Notification Packages
Artifact name WindowsLSANotificationPackages
Key path(s)
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
Value name(s) Notification Packages
Additional information
Description Local Security Authority (LSA) Security Packages
Artifact name WindowsLSASecurityPackages
Key path(s)
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
Value name(s) Security Packages
Additional information

Run keys

Description Run keys
Artifact name WindowsRunKeys
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*
Value name(s) *
Additional information
Description Run services keys
Artifact name WindowsRunServices
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\*
Value name(s) *
Additional information

Session Manager

Description Session Manager Execute
Artifact name
  • WindowsSessionManagerBootExecute
  • WindowsSessionManagerExecute
  • WindowsSessionManagerSetupExecute
Key path(s) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
Value name(s)
  • BootExecute
  • Execute
  • SetupExecute
Additional information
Description Windows Session Manager Windows-on-Windows (WOW) command line
Artifact name WindowsSessionManagerWOWCommandLine
Key path(s) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\WOW
Value name(s)
  • cmdline
  • wowcmdline
Additional information

Service Control Manager

Description Service Control Manager extension
Artifact name WindowsServiceControlManagerExtension
Key path(s) HKEY_CURRENT_MACHINE\System\CurrentControlSet\Control\ServiceControlManagerExtension
Value name(s)
Additional information

Windows shell (explorer.exe)

Description Shell Icon Overlay Identifiers
Artifact name WindowsShellIconOverlayIdentifiers
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
Value name(s) *
Additional information
Description Shell Extensions
Artifact name WindowsShellExtensions
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Value name(s) *
Additional information
Description Shell Execute Hooks
Artifact name WindowsShellExecuteHooks
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
Value name(s) *
Additional information
Description Shell Load and Run
Artifact name WindowsShellLoadAndRun
Key path(s)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
Value name(s)
  • Load
  • Run
Additional information
Description Shell Service Object Delay Load
Artifact name WindowsShellServiceObjects
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value name(s) *
Additional information TrojanClicker:Win32/Zirit.X

Winlogon and Credential Providers

Description Credential Provider Filters
Artifact name WindowsCredentialProviderFilters
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*
Value name(s) *
Additional information Capturing Windows 7 Credential at logon using custom credential provider
Description Credential Providers
Artifact name WindowsCredentialProviders
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*
Value name(s) *
Additional information Capturing Windows 7 Credential at logon using custom credential provider
Description Pre-Logon Access Provider (PLAP) Providers
Artifact name WindowsPLAPProviders
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*
Value name(s) *
Additional information
Description Winlogon Gina DLL
Artifact name WindowsWinlogonShell
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name(s) GinaDLL
Additional information
Description Winlogon Notify
Artifact name WindowsWinlogonNotify
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*
Value name(s) DLLName
Additional information
Description Winlogon Shell
Artifact name WindowsWinlogonShell
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name(s) Shell
Additional information
Description Winlogon System
Artifact name WindowsWinlogonSystem
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name(s) System
Additional information
Description Winlogon Taksman
Artifact name WindowsWinlogonTaksman
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name(s) Taksman
Additional information
Description Winlogon Userinit
Artifact name WindowsWinlogonUserinit
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name(s) Userinit
Additional information
Description Winlogon VMApplet
Artifact name WindowsWinlogonVMApplet
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name(s) VMApplet
Additional information

Policy

Description Windows System Policy replacement shell
Artifact name WindowsSystemPolicyShell
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System
Value name(s) Shell
Additional information

Unsorted

Description Active Setup - Installed Components
Artifact name WindowsStubPaths
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*
  • HKEY_USERS\%SID%\Software\Microsoft\Active Setup\Installed Components\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*
Value name(s) StubPath
Additional information
Description Application Initial (AppInit) DLLs persistence
Artifact name WindowsAppInitDLLs
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
Value name(s) AppInit_DLLs
Additional information
Description Security Providers
Artifact name WindowsSecurityProviders
Key path(s)
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\*
Value name(s) *
Additional information
Description Alternate shell
Artifact name WindowsAlternateShell
Key path(s)
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot
Value name(s) AlternateShell
Additional information
Description Boot verification program
Artifact name WindowsBootVerificationProgram
Key path(s)
  • HEKY_LOCAL_MACHINE\System\CurrentControlSet\Control\BootVerificationProgram
Value name(s) ImagePath
Additional information

Bibliography

Undated

External Links

Boot Configuration Data (BCD)

Windows 32-bit on Windows 64-bit (WoW64)

Cached Credentials

Persistence keys

User Assist

Tools

Open Source

  • Forensic Registry EDitor (fred) - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by Daniel Gillen
  • libregfi - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
  • reglookup — "small command line utility for reading and querying Windows NT-based registries."
  • regviewer — a tool for looking at the registry.
  • RegRipper — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
  • Parse::Win32Registry Perl module.
  • python-registry Python module.
  • Registry Decoder offline analysis component, by Andrew Case
  • RegDecoderLive live hive acquisition component, by Andrew Case
  • libregf - Library and tools to access the Windows NT Registry File (REGF) format
  • Registryasxml - Tool to import/export registry sections as XML
  • kregedit - a KDE utility for viewing and editing registry files.
  • ntreg a file system driver for linux, which understands the NT registry file format.
  • Registry Full featured, offline Registry hive parser written in C#. Supports deleted item recovery, full searching, and more by @EricZimmerman

Freeware

  • Registry Explorer Registry Explorer and RECmd allow unrivaled access to Registry hives by @EricZimmerman

Commercial