Difference between revisions of "Windows Registry"

From ForensicsWiki
Jump to: navigation, search
Line 127: Line 127:
=== Windows 32-bit on Windows 64-bit (WoW64) ===
=== Windows 32-bit on Windows 64-bit (WoW64) ===
* [http://msdn.microsoft.com/en-us/library/aa384253(v=vs.85).aspx Registry Keys Affected by WOW64], by [[Microsoft]]
* [https://msdn.microsoft.com/en-us/library/aa384253(v=vs.85).aspx Registry Keys Affected by WOW64], by [[Microsoft]]
* [http://msdn.microsoft.com/en-us/library/aa384232(VS.85).aspx Registry Redirector], by [[Microsoft]]
* [https://msdn.microsoft.com/en-us/library/aa384232(VS.85).aspx Registry Redirector], by [[Microsoft]]
* [https://msdn.microsoft.com/en-us/library/windows/desktop/aa384253(v=vs.85).aspx Registry Keys Affected by WOW64], by [[Microsoft]]
* [https://msdn.microsoft.com/en-us/library/windows/desktop/ms724072%28v=vs.85%29.aspx 32-bit and 64-bit Application Data in the Registry], by [[Microsoft]]
=== Cached Credentials ===
=== Cached Credentials ===
* [http://juggernaut.wikidot.com/cached-credentials Cached Credentials], by Juggernaut
* [http://juggernaut.wikidot.com/cached-credentials Cached Credentials], by Juggernaut
=== Persistence keys ===
* [https://digital-forensics.sans.org/blog/2010/10/20/digital-forensics-autorun-registry-keys Digital Forensics: Persistence Registry keys], Dave Hull, October 20, 2010
* [http://journeyintoir.blogspot.ch/2013_04_01_archive.html Plugins: soft_run user_run]], by Corey Harrell, April 17, 2013
* [https://code.google.com/p/regripper/wiki/ASEPs Auto-Start Extensibility Points (ASEPs)], by the [[Regripper|RegRipper project]], April 29, 2013
* [https://github.com/tomchop/volatility-autoruns/blob/master/README.md Volatility autoruns plugin], by the [[Volatility|Volatility project]], April 14, 2015
=== User Assist ===
=== User Assist ===

Revision as of 15:16, 31 October 2015



According to [1]

A hive is a logical group of keys, subkeys, and values in the Windows Registry that has a set of supporting files containing backups of its data.

However in common usage the term hive often does not imply the supporting files.

According to [2] the origin of the term is bee hives.

File Locations

The Windows Registry is stored in multiple files.

Windows NT 4

In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format.

Basically the following Registry hives are stored in the corresponding files:

  • HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
  • HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
  • HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
  • HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system

Windows 9x/ME

In Windows 95, 98, Me the Registry is stored in the Windows 9x Registry File (CREG) format.

  • \Windows\user.dat
  • \Windows\system.dat
  • \Windows\profiles\user profile\user.dat





Per user:


Special cases

The Windows Registry has several special case scenarios, mainly concerning key and value name, that are easy to fail to account for:

  • special characters key and value names
  • duplicate key and value names
  • the names when stored in extended ASCII (ANSI string) use a codepage that is dependent on the system settings

special characters key and value names

Both key and values names are case insensitive. The \ character is used as the key separator. Note that the \ character can be used in value names. The / character is used in both key and value names. Some examples of which are:

Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\
Value: Size/Small/Medium/Large
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\
Value: \Device\Video0
Value: SchemaFile

codepaged ASCII strings

Value with name "ëigenaardig" created on Windows XP codepage 1252.

value key data:
00000000: 76 6b 0b 00 46 00 00 00  20 98 1a 00 01 00 00 00   vk..F...  .......
00000010: 01 00 69 6e eb 69 67 65  6e 61 61 72 64 69 67 00   ..in.ige naardig.
00000020: 55 4e 49 43                                        UNIC

value key signature                     : vk
value key value name size               : 11
value key data size                     : 0x00000046 (70)
value key data offset                   : 0x001a9820
value key data type                     : 1 (REG_SZ) String
value key flags                         : 0x0001
        Value name is an ASCII string

value key unknown1                      : 0x6e69 (28265)
value key value name                    : ëigenaardig
value key value name hash               : 0xb78835ee
value key padding:
00000000: 00 55 4e 49 43                                     .UNIC

As you can see the name is stored in extended ASCII (ANSI) using codepage 1252.

Persistence keys



External Links

Boot Configuration Data (BCD)

Windows 32-bit on Windows 64-bit (WoW64)

Cached Credentials

Persistence keys

User Assist


Open Source

  • Forensic Registry EDitor (fred) - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by Daniel Gillen
  • libregfi - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
  • reglookup — "small command line utility for reading and querying Windows NT-based registries."
  • regviewer — a tool for looking at the registry.
  • RegRipper — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
  • Parse::Win32Registry Perl module.
  • python-registry Python module.
  • Registry Decoder offline analysis component, by Andrew Case
  • RegDecoderLive live hive acquisition component, by Andrew Case
  • libregf - Library and tools to access the Windows NT Registry File (REGF) format
  • Registryasxml - Tool to import/export registry sections as XML
  • kregedit - a KDE utility for viewing and editing registry files.
  • ntreg a file system driver for linux, which understands the NT registry file format.
  • Registry Full featured, offline Registry hive parser written in C#. Supports deleted item recovery, full searching, and more by @EricZimmerman


  • Registry Explorer Registry Explorer and RECmd allow unrivaled access to Registry hives by @EricZimmerman