Difference between revisions of "Windows Registry"

From ForensicsWiki

Revision as of 08:43, 1 November 2015

Terminology

Hive

According to [1]

A hive is a logical group of keys, subkeys, and values in the Windows Registry that has a set of supporting files containing backups of its data.

However, in common usage the term hive often does not include the supporting files.

According to [2] the origin of the term is bee hives.

File Locations

The Windows Registry is stored in multiple files.

Windows NT 4

In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format.

The following Registry hives are stored in the corresponding files:

  • HKEY_USERS: \Documents and Settings\User Profile\NTUSER.DAT
  • HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
  • HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
  • HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system

Windows 9x/ME

In Windows 95, 98 and Me the Registry is stored in the Windows 9x Registry File (CREG) format, in the following files:

  • \Windows\user.dat
  • \Windows\system.dat
  • \Windows\profiles\user profile\user.dat

Keys

Run/RunOnce

System-wide:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Per user:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Special cases

The Windows Registry has several special case scenarios, mainly concerning key and value names, that are easy to overlook:

  • special characters in key and value names
  • duplicate key and value names
  • names stored in extended ASCII (ANSI strings) use a codepage that depends on the system settings

special characters in key and value names

Both key and value names are case insensitive. The \ character is used as the key separator; note that \ can still appear in value names. The / character is used in both key and value names. Some examples:

Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\
Value: Size/Small/Medium/Large
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\
Value: \Device\Video0
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\
Value: SchemaFile

codepaged ASCII strings

A value named "ëigenaardig" created on Windows XP with codepage 1252:

value key data:
00000000: 76 6b 0b 00 46 00 00 00  20 98 1a 00 01 00 00 00   vk..F...  .......
00000010: 01 00 69 6e eb 69 67 65  6e 61 61 72 64 69 67 00   ..in.ige naardig.
00000020: 55 4e 49 43                                        UNIC

value key signature                     : vk
value key value name size               : 11
value key data size                     : 0x00000046 (70)
value key data offset                   : 0x001a9820
value key data type                     : 1 (REG_SZ) String
value key flags                         : 0x0001
        Value name is an ASCII string

value key unknown1                      : 0x6e69 (28265)
value key value name                    : ëigenaardig
value key value name hash               : 0xb78835ee
value key padding:
00000000: 00 55 4e 49 43                                     .UNIC

As the dump shows, the name is stored in extended ASCII (ANSI) using codepage 1252: the ë is the single byte 0xeb and the name occupies 11 bytes. Reading the same bytes under another system codepage yields a different name, so the codepage must be known (or assumed) when decoding such names.
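As an added example (not code from the ForensicsWiki page or from libregf), the following Python parses the vk cell shown in the dump above using the REGF vk cell layout and decodes the name according to its flags. The codepage is an assumption the analyst supplies, since the hive does not record which system codepage was active when the name was written.

```python
import struct

# Constructed from the hex dump above: the 36-byte vk cell of the value "ëigenaardig".
VK_CELL = bytes.fromhex(
    "766b0b004600000020981a0001000000"
    "0100696eeb6967656e61617264696700"
    "554e4943"
)

REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}

VK_NAME_IS_ASCII = 0x0001    # flag bit set: name is an ANSI string; clear: UTF-16LE
DATA_IN_OFFSET = 0x80000000  # data size bit set: data (<= 4 bytes) is stored in the offset field


def parse_vk(cell, codepage="cp1252"):
    """Parse one REGF value key (vk) cell.

    codepage is an assumption supplied by the caller; it only matters when the
    name flag says the name is an ANSI string.
    """
    if cell[:2] != b"vk":
        raise ValueError("not a vk cell")
    # Layout after the 2-byte signature: name size, data size, data offset,
    # data type, flags, unknown1 (all little-endian).
    name_size, data_size, data_offset, data_type, flags, unknown1 = struct.unpack_from("<HIIIHH", cell, 2)
    raw_name = cell[20:20 + name_size]
    if flags & VK_NAME_IS_ASCII:
        name = raw_name.decode(codepage)      # codepage-dependent
    else:
        name = raw_name.decode("utf-16-le")   # codepage-independent
    return {
        "name": name,
        "name_size": name_size,
        "data_size": data_size & 0x7FFFFFFF,
        "data_in_offset": bool(data_size & DATA_IN_OFFSET),
        "data_offset": data_offset,
        "data_type": REG_TYPES.get(data_type, "0x%08x" % data_type),
        "flags": flags,
        "unknown1": unknown1,
    }


def name_under_codepages(cell, codepages=("cp1252", "cp1251", "cp437")):
    """Show how the same ANSI name bytes read under different system codepages."""
    return {cp: parse_vk(cell, cp)["name"] for cp in codepages}


if __name__ == "__main__":
    print(parse_vk(VK_CELL))
    print(name_under_codepages(VK_CELL))
```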

Persistence keys

Note that in the lists below HKEY_CURRENT_USER is a subset of HKEY_USERS: it corresponds to HKEY_USERS\%SID% for the logged-on user.

Command Processor (cmd.exe)

Description Command Processor Auto Run
Artifact name WindowsCommandProcessorAutoRun
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Command Processor
  • HKEY_USERS\%SID%\Software\Microsoft\Command Processor
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Command Processor
Value name(s) AutoRun
Additional information Command Processor\AutoRun

Internet Explorer

Description Browser Helper Objects
Artifact name InternetExplorerBrowserHelperObjects
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
Value name(s) *
Additional information

Local Security Authority (LSA)

Description Local Security Authority (LSA) Authentication Packages
Artifact name WindowsLSAAuthenticationPackages
Key path(s)
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
Value name(s) Authentication Packages
Additional information
Description Local Security Authority (LSA) Notification Packages
Artifact name WindowsLSANotificationPackages
Key path(s)
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
Value name(s) Notification Packages
Additional information
Description Local Security Authority (LSA) Security Packages
Artifact name WindowsLSASecurityPackages
Key path(s)
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
Value name(s) Security Packages
Additional information

Run keys

Description Run keys
Artifact name WindowsRunKeys
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*
Value name(s) *
Additional information
Description Run services keys
Artifact name WindowsRunServices
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\*
Value name(s) *
Additional information

Windows shell (explorer.exe)

Description Shell Icon Overlay Identifiers
Artifact name WindowsShellIconOverlayIdentifiers
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
Value name(s) *
Additional information
Description Shell Extensions
Artifact name WindowsShellExtensions
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Value name(s) *
Additional information
Description Shell Execute Hooks
Artifact name WindowsShellExecuteHooks
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
Value name(s) *
Additional information
Description Shell Service Object Delay Load
Artifact name WindowsShellServiceObjects
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value name(s) *
Additional information TrojanClicker:Win32/Zirit.X (http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanClicker:Win32/Zirit.X#tab=2)

Unsorted

Description Active Setup - Installed Components
Artifact name WindowsStubPaths
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*
  • HKEY_USERS\%SID%\Software\Microsoft\Active Setup\Installed Components\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*
Value name(s) StubPath
Additional information
Description Application Initial (AppInit) DLLs persistence
Artifact name WindowsAppInit
Key path(s)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
Value name(s) AppInit_DLLs
Additional information
Description Credential Provider Filters
Artifact name
Key path(s)
Value name(s)
Additional information
Description Winlogon Notify
Artifact name
Key path(s)
Value name(s)
Additional information
Description Debugger (sub)keys
Artifact name
Key path(s)
Value name(s)
Additional information
Description Policies, Startup/Shutdown and Logon/Logoff scripts
Artifact name
Key path(s)
Value name(s)
Additional information


Description Protocol filters and handlers
Artifact name
Key path(s)
Value name(s)
Additional information
Description Context menu shell extensions
Artifact name
Key path(s)
Value name(s)
Additional information
Description Executable file type
Artifact name
Key path(s)
Value name(s)
Additional information
Description System/Group Policies
Artifact name
Key path(s)
Value name(s)
Additional information
Description Wallpaper and Screen Saver
Artifact name
Key path(s)
Value name(s)
Additional information

Bibliography

Undated

External Links

Boot Configuration Data (BCD)

Windows 32-bit on Windows 64-bit (WoW64)

Cached Credentials

Persistence keys

User Assist

Tools

Open Source

  • Forensic Registry EDitor (fred) - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by Daniel Gillen
  • libregfi - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
  • reglookup — "small command line utility for reading and querying Windows NT-based registries."
  • regviewer — a tool for looking at the registry.
  • RegRipper — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
  • Parse::Win32Registry Perl module.
  • python-registry Python module.
  • Registry Decoder offline analysis component, by Andrew Case
  • RegDecoderLive live hive acquisition component, by Andrew Case
  • libregf - Library and tools to access the Windows NT Registry File (REGF) format
  • Registryasxml - Tool to import/export registry sections as XML
  • kregedit - a KDE utility for viewing and editing registry files.
  • ntreg - a file system driver for Linux which understands the NT registry file format.
  • Registry - full-featured, offline Registry hive parser written in C#; supports deleted item recovery, full searching, and more, by @EricZimmerman

Freeware

  • Registry Explorer - Registry Explorer and RECmd allow unrivaled access to Registry hives, by @EricZimmerman

Commercial