Windows Registry

From ForensicsWiki

Revision as of 09:40, 1 November 2015

Terminology

Hive

According to [1]

A hive is a logical group of keys, subkeys, and values in the Windows Registry that has a set of supporting files containing backups of its data.

However in common usage the term hive often does not imply the supporting files.

According to [2] the origin of the term is bee hives.

File Locations

The Windows Registry is stored in multiple files.

Windows NT 4

In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format.

The following Registry hives are stored in the corresponding files (paths assume C:\Windows as the system root):

  • HKEY_USERS\%SID%: the NTUSER.DAT in the user's profile directory, e.g. \Documents and Settings\%USERNAME%\NTUSER.DAT on Windows XP and \Users\%USERNAME%\NTUSER.DAT on Windows Vista and later
  • HKEY_USERS\.DEFAULT: C:\Windows\system32\config\default
  • HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
  • HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system

Windows 9x/ME

In Windows 95, 98 and Me the Registry is stored in the Windows 9x Registry File (CREG) format, in the following files:

  • \Windows\user.dat
  • \Windows\system.dat
  • \Windows\profiles\user profile\user.dat

Special cases

The Windows Registry has several special cases, mainly concerning key and value names, that are easy to overlook:

  • special characters in key and value names
  • duplicate key and value names
  • key and value names stored as extended ASCII (ANSI) strings use a codepage that depends on the settings of the system that wrote the hive

Special characters in key and value names

Both key and value names are case-insensitive. The \ character is the key path separator, but it can also appear in value names, so a value name cannot be recovered from a joined "key\value" string. The / character is an ordinary character in both key and value names. Some examples:

Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\
Value: Size/Small/Medium/Large
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\
Value: \Device\Video0
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\
Value: SchemaFile
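As an added example (not part of the original page), the following Python code handles the three cases above: it splits key paths only on \, shows why joining a key path and a value name into one string and splitting it again is lossy (the \Device\Video0 value), and builds a case-insensitive index that keeps both entries when two names differ only in case or in a trailing separator instead of silently overwriting one. The data strings are constructed placeholders.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# The three key/value pairs from the examples above (trailing separators kept as on the page);
# the data strings are constructed placeholders.
EXAMPLES = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters" "\\",
     "Size/Small/Medium/Large", "1"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc" "\\",
     r"\Device\Video0", "vga"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User"
     r"\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1" "\\",
     "SchemaFile", "schema.xml"),
]


def split_key(path: str) -> List[str]:
    """Components of a key path. Only '\\' separates keys; '/' is an ordinary character, so the
    xmlprov key has one component containing 'http://...'. Empty components (trailing '\\') are dropped."""
    return [c for c in path.split("\\") if c]


def naive_join_split(key: str, name: str) -> Tuple[str, str]:
    """The lossy approach: join key path and value name with '\\' and split on the last '\\' again.
    For a value name such as '\\Device\\Video0' the key gains a bogus component and the name is truncated."""
    joined = key.rstrip("\\") + "\\" + name
    k, _, n = joined.rpartition("\\")
    return k, n


class RegistryIndex:
    """Case-insensitive (key path, value name) index that keeps duplicates instead of overwriting them."""

    def __init__(self) -> None:
        self._items: Dict[Tuple[str, str], List[Tuple[str, str, str]]] = defaultdict(list)

    @staticmethod
    def _norm(key: str, name: str) -> Tuple[str, str]:
        # Case-insensitive comparison; trailing or doubled separators in the key path are ignored,
        # while the value name is compared verbatim apart from case (its backslashes are significant).
        return ("\\".join(split_key(key)).casefold(), name.casefold())

    def add(self, key: str, name: str, data: str) -> None:
        self._items[self._norm(key, name)].append((key, name, data))

    def lookup(self, key: str, name: str) -> List[Tuple[str, str, str]]:
        return list(self._items.get(self._norm(key, name), []))

    def duplicates(self) -> Dict[Tuple[str, str], List[Tuple[str, str, str]]]:
        """Entries whose names collide case-insensitively; a parser that overwrote would have lost one."""
        return {k: v for k, v in self._items.items() if len(v) > 1}


if __name__ == "__main__":
    key, name, _ = EXAMPLES[1]
    print(naive_join_split(key, name))  # value name comes back as 'Video0'
    idx = RegistryIndex()
    for k, n, d in EXAMPLES:
        idx.add(k, n, d)
    print(idx.lookup(key.lower(), name.upper()))  # found despite the case difference
```

Keeping key path and value name as two separate fields, as the index does, is the only representation that survives value names containing \; any tool that serialises them into one string needs an escaping scheme (as .reg exports do) rather than a bare separator.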

Codepaged ASCII strings

The following value key (vk) record belongs to a value named "ëigenaardig" that was created on Windows XP with system codepage 1252:

value key data:
00000000: 76 6b 0b 00 46 00 00 00  20 98 1a 00 01 00 00 00   vk..F...  .......
00000010: 01 00 69 6e eb 69 67 65  6e 61 61 72 64 69 67 00   ..in.ige naardig.
00000020: 55 4e 49 43                                        UNIC

value key signature                     : vk
value key value name size               : 11
value key data size                     : 0x00000046 (70)
value key data offset                   : 0x001a9820
value key data type                     : 1 (REG_SZ) String
value key flags                         : 0x0001
        Value name is an ASCII string

value key unknown1                      : 0x6e69 (28265)
value key value name                    : ëigenaardig
value key value name hash               : 0xb78835ee
value key padding:
00000000: 00 55 4e 49 43                                     .UNIC

The name is stored as an extended ASCII (ANSI) string in codepage 1252: the byte 0xEB at offset 20 of the record is ë. The flag 0x0001 only records that the name is an 8-bit string rather than UTF-16LE; the hive does not record which codepage was in use, so a tool needs the codepage of the system that wrote the hive to decode the name correctly (the same byte decodes to a different character under another codepage).
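As an added example (not code from the original page or from libregf), a Python parser for the vk record above, built from the bytes of the hex dump: it reads the fields in the order the dump lists them, decodes the name with a caller-supplied codepage when flag 0x0001 is set, and shows that decoding the same bytes as cp1251 (picked here only for illustration) turns ë into л. The cell header handling, the inline-data bit and the 0x1000 offset base are standard REGF layout; the hive fragment the record is read from is constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Bytes of the vk record from the hex dump above (value "ëigenaardig", Windows XP, codepage 1252).
VK_RECORD = bytes.fromhex(
    "766b0b0046000000" "20981a0001000000"
    "0100696eeb696765" "6e61617264696700"
    "554e4943"
)

REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 5: "REG_DWORD_BIG_ENDIAN", 6: "REG_LINK",
             7: "REG_MULTI_SZ", 11: "REG_QWORD"}
VK_FLAG_COMP_NAME = 0x0001    # name is an 8-bit (codepage) string rather than UTF-16LE
DATA_INLINE_BIT = 0x80000000  # data of at most 4 bytes is stored in the offset field itself
HBIN_BASE = 0x1000            # cell offsets are relative to the first hbin, at file offset 4096


@dataclass
class ValueKey:
    name: str
    data_type: str
    data_size: int
    data_offset: Optional[int]    # absolute file offset of the data cell, None when inline
    inline_data: Optional[bytes]  # the data itself when stored inline


def parse_vk(record: bytes, codepage: str = "cp1252") -> ValueKey:
    """Parse a vk cell payload. `codepage` must be the ANSI codepage of the system that wrote the hive."""
    if record[:2] != b"vk":
        raise ValueError("not a vk record")
    # name size (u16), data size (u32), data offset (u32), data type (u32), flags (u16); 2 spare bytes follow
    name_size, data_size, data_offset, data_type, flags = struct.unpack_from("<HIIIH", record, 2)
    raw_name = record[20:20 + name_size]
    # The record only says *whether* the name is 8-bit; it does not say which codepage.
    name = raw_name.decode(codepage) if flags & VK_FLAG_COMP_NAME else raw_name.decode("utf-16-le")
    inline = bool(data_size & DATA_INLINE_BIT)
    size = data_size & 0x7FFFFFFF
    return ValueKey(
        name=name,
        data_type=REG_TYPES.get(data_type, f"0x{data_type:08x}"),
        data_size=size,
        data_offset=None if inline else HBIN_BASE + data_offset,
        inline_data=struct.pack("<I", data_offset)[:size] if inline else None,
    )


def read_cell(hive: bytes, cell_offset: int) -> bytes:
    """Return the payload of the cell at a REGF cell offset. A cell starts with a signed 32-bit
    size; negative means the cell is allocated (in use), positive means free space."""
    pos = HBIN_BASE + cell_offset
    (size,) = struct.unpack_from("<i", hive, pos)
    if size >= 0:
        raise ValueError("cell at offset 0x%x is not allocated" % cell_offset)
    return hive[pos + 4 : pos - size]


# Constructed hive fragment: 4 KiB of zeros standing in for the base block, then the vk record
# wrapped in an allocated 40-byte cell placed at cell offset 0x20 of the first hbin.
_CELL = struct.pack("<i", -(4 + len(VK_RECORD))) + VK_RECORD
HIVE_FRAGMENT = bytes(HBIN_BASE + 0x20) + _CELL

if __name__ == "__main__":
    vk = parse_vk(read_cell(HIVE_FRAGMENT, 0x20))
    print(vk)                                           # 'ëigenaardig', REG_SZ, 70 bytes at 0x1a9820 + 0x1000
    print(parse_vk(VK_RECORD, codepage="cp1251").name)  # same bytes read as Cyrillic: 'лigenaardig'
```

The data offset 0x001a9820 in the dump is a cell offset, so the 70-byte REG_SZ string lives at file offset 0x1aa820; read_cell would fetch it the same way once the whole hive is in memory.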

Persistence keys

The following lists are loosely based on:

Note that HKEY_CURRENT_USER is not listed separately below: it is a view of the logged-on user's HKEY_USERS\%SID% subtree, which the HKEY_USERS\%SID% paths cover.

Command Processor (cmd.exe)

Description: Command Processor Auto Run
Artifact name: WindowsCommandProcessorAutoRun
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Command Processor
  • HKEY_USERS\%SID%\Software\Microsoft\Command Processor
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Command Processor
Value name(s): AutoRun
Additional information: Command Processor\AutoRun

Internet Explorer

Description: Browser Helper Objects
Artifact name: InternetExplorerBrowserHelperObjects
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
Value name(s): *

Local Security Authority (LSA)

Description: Local Security Authority (LSA) Authentication Packages
Artifact name: WindowsLSAAuthenticationPackages
Key path(s):
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
Value name(s): Authentication Packages

Description: Local Security Authority (LSA) Notification Packages
Artifact name: WindowsLSANotificationPackages
Key path(s):
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
Value name(s): Notification Packages

Description: Local Security Authority (LSA) Security Packages
Artifact name: WindowsLSASecurityPackages
Key path(s):
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig
Value name(s): Security Packages

Run keys

Description: Run keys
Artifact name: WindowsRunKeys
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*
Value name(s): *

Description: Run services keys
Artifact name: WindowsRunServices
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\*
Value name(s): *

Windows shell (explorer.exe)

Description: Shell Icon Overlay Identifiers
Artifact name: WindowsShellIconOverlayIdentifiers
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
Value name(s): *

Description: Shell Extensions
Artifact name: WindowsShellExtensions
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Value name(s): *

Description: Shell Execute Hooks
Artifact name: WindowsShellExecuteHooks
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
Value name(s): *

Description: Shell Service Object Delay Load
Artifact name: WindowsShellServiceObjects
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value name(s): *
Additional information: TrojanClicker:Win32/Zirit.X

Session Manager

Description: Session Manager Execute
Artifact name(s):
  • WindowsSessionManagerBootExecute
  • WindowsSessionManagerExecute
  • WindowsSessionManagerSetupExecute
Key path(s): HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
Value name(s):
  • BootExecute
  • Execute
  • SetupExecute

Winlogon and Credential Providers

Description: Credential Provider Filters
Artifact name: WindowsCredentialProviderFilters
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*
Value name(s): *
Additional information: Capturing Windows 7 Credential at logon using custom credential provider

Description: Credential Providers
Artifact name: WindowsCredentialProviders
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*
Value name(s): *
Additional information: Capturing Windows 7 Credential at logon using custom credential provider

Description: Pre-Logon Access Provider (PLAP) Providers
Artifact name: WindowsPLAPProviders
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*
Value name(s): *

Description: Winlogon Notify
Artifact name: WindowsWinlogonNotify
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Value name(s): *

Description: Winlogon Shell
Artifact name: WindowsWinlogonShell
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name(s): Shell

Description: Winlogon System
Artifact name: WindowsWinlogonSystem
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name(s): System

Description: Winlogon Userinit
Artifact name: WindowsWinlogonUserinit
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name(s): Userinit

Unsorted

Description: Active Setup - Installed Components
Artifact name: WindowsStubPaths
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*
  • HKEY_USERS\%SID%\Software\Microsoft\Active Setup\Installed Components\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\*
Value name(s): StubPath

Description: Application Initialization (AppInit) DLLs persistence
Artifact name: WindowsAppInitDLLs
Key path(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
Value name(s): AppInit_DLLs

Not yet documented (no artifact name, key paths or value names recorded in this revision):
  • Debugger (sub)keys
  • Policies, Startup/Shutdown and Logon/Logoff scripts
  • Protocol filters and handlers
  • Context menu shell extensions
  • Executable file type
  • System/Group Policies
  • Wallpaper and Screen Saver
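As an added example (not from the original page, and not the output of any tool listed below), a Python triage pass over values exported from offline hives. It normalises key paths so that one rule covers HKEY_LOCAL_MACHINE and every HKEY_USERS\%SID%, the Wow6432Node mirror and any ControlSet00N of an offline SYSTEM hive, then compares the Winlogon, AppInit_DLLs, Command Processor, LSA and Session Manager values listed above against baselines and reports every Run-key entry for manual triage. The baselines, the convention of joining REG_MULTI_SZ elements with a newline and the sample values are assumptions of this example, not facts from the page.

```python
import re
from typing import Iterable, List, NamedTuple


class RegValue(NamedTuple):
    key: str    # full key path as an offline hive parser reports it
    name: str   # value name
    data: str   # string data; REG_MULTI_SZ elements joined with '\n' (assumption of this example)


class Finding(NamedTuple):
    rule: str
    key: str
    name: str
    data: str


# Baselines are assumptions for a stock Windows XP/7 installation under C:\Windows; tune per OS build.
EXPECTED_SHELL = {"EXPLORER.EXE"}
EXPECTED_USERINIT = {r"C:\WINDOWS\SYSTEM32\USERINIT.EXE"}
EXPECTED_AUTH_PACKAGES = {"MSV1_0"}
EXPECTED_NOTIFY_PACKAGES = {"SCECLI"}
EXPECTED_BOOTEXECUTE = "AUTOCHECK AUTOCHK *"

WINLOGON_RE = re.compile(r"\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON$")
APPINIT_RE = re.compile(r"\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS$")
CMDPROC_RE = re.compile(r"\\MICROSOFT\\COMMAND PROCESSOR$")
LSA_RE = re.compile(r"^HKLM\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\LSA(\\OSCONFIG)?$")
SESSMGR_RE = re.compile(r"^HKLM\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\SESSION MANAGER$")
RUN_RE = re.compile(
    r"\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\"
    r"(RUN|RUNONCE(\\SETUP)?|RUNONCEEX(\\[^\\]+)?|RUNSERVICES(ONCE)?|POLICIES\\EXPLORER\\RUN)$"
)


def normalize_key(key: str) -> str:
    """Upper-case canonical path: HKLM/HKU prefixes with the user SID removed, ControlSet00N folded
    to CurrentControlSet and the Wow6432Node mirror folded into the native path."""
    k = key.strip("\\")
    k = re.sub(r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\", k, flags=re.I)
    k = re.sub(r"^HKEY_USERS\\[^\\]+\\", r"HKU\\", k, flags=re.I)
    k = re.sub(r"\\CONTROLSET\d{3}\\", r"\\CURRENTCONTROLSET\\", k, flags=re.I)
    k = re.sub(r"\\WOW6432NODE(?=\\)", "", k, flags=re.I)
    return k.upper()


def _entries(data: str) -> List[str]:
    """Items of a comma-separated (Userinit) or multi-string (LSA packages) value, upper-cased."""
    return [e.strip().upper() for e in re.split(r"[,\n]+", data) if e.strip()]


def check_persistence(values: Iterable[RegValue]) -> List[Finding]:
    findings: List[Finding] = []
    for v in values:
        k, n, d = normalize_key(v.key), v.name.upper(), v.data.strip()
        rule = None
        if RUN_RE.search(k):
            rule = "run key entry (triage)"
        elif WINLOGON_RE.search(k):
            if n == "SHELL" and d.upper() not in EXPECTED_SHELL:
                rule = "Winlogon Shell replaced"
            elif n == "USERINIT" and not set(_entries(d)) <= EXPECTED_USERINIT:
                rule = "Winlogon Userinit chain modified"
            elif n == "SYSTEM" and d:
                rule = "Winlogon System set"
        elif APPINIT_RE.search(k) and n == "APPINIT_DLLS" and d:
            rule = "AppInit_DLLs set"
        elif CMDPROC_RE.search(k) and n == "AUTORUN" and d:
            rule = "cmd.exe AutoRun set"
        elif LSA_RE.search(k) and n == "AUTHENTICATION PACKAGES" and not set(_entries(d)) <= EXPECTED_AUTH_PACKAGES:
            rule = "extra LSA authentication package"
        elif LSA_RE.search(k) and n == "NOTIFICATION PACKAGES" and not set(_entries(d)) <= EXPECTED_NOTIFY_PACKAGES:
            rule = "extra LSA notification package"
        elif SESSMGR_RE.search(k) and n == "BOOTEXECUTE" and d.upper() != EXPECTED_BOOTEXECUTE:
            rule = "Session Manager BootExecute modified"
        if rule:
            findings.append(Finding(rule, v.key, v.name, v.data))
    return findings


# Constructed sample shaped like an offline hive parser's output; the key paths are the ones listed above.
SAMPLE = [
    RegValue(r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "explorer.exe"),
    RegValue(r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit", r"C:\Windows\system32\userinit.exe,"),
    RegValue(r"HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", r"explorer.exe,C:\Users\Public\update.exe"),
    RegValue(r"HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run", "Updater", r"C:\ProgramData\upd\svc.exe"),
    RegValue(r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows", "AppInit_DLLs", ""),
    RegValue(r"HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Lsa", "Authentication Packages", "msv1_0\ncustompkg"),
    RegValue(r"HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager", "BootExecute", "autocheck autochk *"),
]

if __name__ == "__main__":
    for f in check_persistence(SAMPLE):
        print(f"{f.rule}: {f.key} [{f.name}] = {f.data!r}")
```

Matching on the normalised suffix is what makes the per-user and Wow6432Node variants in the lists above collapse to one rule each; the original key path is kept in the finding so the analyst can still tell which hive and which user the value came from. Run-key entries are reported rather than judged because legitimate software uses them too.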

Bibliography

Undated

External Links

Boot Configuration Data (BCD)

Windows 32-bit on Windows 64-bit (WoW64)

Cached Credentials

Persistence keys

User Assist

Tools

Open Source

  • Forensic Registry EDitor (fred) - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by Daniel Gillen
  • libregfi - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
  • reglookup — "small command line utility for reading and querying Windows NT-based registries."
  • regviewer — a tool for looking at the registry.
  • RegRipper — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
  • Parse::Win32Registry Perl module.
  • python-registry Python module.
  • Registry Decoder offline analysis component, by Andrew Case
  • RegDecoderLive live hive acquisition component, by Andrew Case
  • libregf - Library and tools to access the Windows NT Registry File (REGF) format
  • Registryasxml - Tool to import/export registry sections as XML
  • kregedit - a KDE utility for viewing and editing registry files.
  • ntreg a file system driver for linux, which understands the NT registry file format.
  • Registry - full-featured, offline Registry hive parser written in C#; supports deleted item recovery, full searching, and more, by @EricZimmerman

Freeware

  • Registry Explorer - Registry Explorer and RECmd allow unrivaled access to Registry hives, by @EricZimmerman

Commercial