The project has been funded by the European Commission. The Education, Audiovisual and Culture Executive program (EACEA), TEMPUS IV. The content of this presentation reflects the opinion of the author.

Windows Artifacts. Registry

Digital Forensic

Developers:

C. Yesil

A.Snihurov

Registry Description

Registry is like the central nervous system of a human body

It stores information to be available when needed by Windows, during a system’s operation

According to Microsoft, Registry is a central hierarchical database of settings

What kind of information is actually stored there?

There… where?

And is it of forensic interest?

Registry Information

User Specific Information

System Specific Information

Application Specific Information

Registry’s Structure

• Regedit view of the registry tree: a key and its subkeys

Physically, Windows organizes the registry as hives stored in binary files. In addition, for each hive, the OS creates additional files that contain backup copies of the hive.

Physically, hives exist only in two root keys: HKLM and HKU. The rest are links to the sub keys of these two root keys.

The list of loaded hives is in the registry key HKLM\SYSTEM\CurrentControlSet\Control\hivelist.

You may notice that the values in this key have names of two forms: \REGISTRY\MACHINE\* and \REGISTRY\USER\*.

The first group refers to the HKLM hives, and the second to the HKU hives. The values of both groups are of string type and contain the path to the hive file in the form \Device\HarddiskVolumeN\*, where \Device\HarddiskVolumeN denotes the logical partition of the disk.

Registry root keys:

-HKEY_CLASSES_ROOT (HKCR) contains information about all file extensions registered in the system and about object classes. It is a combination of the HKLM\Software\Classes and HKCU\Software\Classes keys, with the latter taking priority (that is, if both keys define the same value, the value from HKCU\Software\Classes is the one seen under HKCR);

-HKEY_CURRENT_USER (HKCU) contains the parameters of printers, software, keyboard layouts and other settings for the logged-in user. It is a link to HKU\SID, where SID is that of the logged-in user;

-HKEY_LOCAL_MACHINE (HKLM) contains computer settings that are common to all users: hardware and software settings, security settings, system settings;

-HKEY_USERS (HKU) contains user settings. This key contains a minimum of 5 subkeys: the settings used before logging in under any account (.DEFAULT), the LocalSystem account (S-1-5-18), LocalService (S-1-5-19), NetworkService (S-1-5-20) and Administrator;

-HKEY_CURRENT_CONFIG (HKCC) is a reference to the key HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current. It contains the configuration data of the current hardware profile.

HKEY_LOCAL_MACHINE

SAM and SECURITY contain the local security database, the first key contains local users and groups, and the second contains other security settings.

SOFTWARE contains application settings (and some system settings). Most often the data is stored under keys of the form HKLM\SOFTWARE\VendorName\ProgramName\Version.

SYSTEM stores system settings; keys of the form HKLM\SYSTEM\ControlSetNNN store the settings of the various configurations. Most often a system has 2 configurations (current and last successful), but there can be up to four in total.

HKLM\SYSTEM\CurrentControlSet is a link to one of these configurations, and the content of the HKLM\SYSTEM\Select key indicates which of them is current.
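As an added example (not part of the original slides), the following Python resolves offline the two pieces of registry bookkeeping described above: it maps hivelist values of the \REGISTRY\MACHINE\* and \REGISTRY\USER\* forms to HKLM/HKU hive files, and it resolves which ControlSetNNN the CurrentControlSet link points at from the Select key. The hivelist and Select values are constructed samples; on a live system the same names come from HKLM\SYSTEM\CurrentControlSet\Control\hivelist and HKLM\SYSTEM\Select.

```python
import re

# Constructed sample values in the form the slides describe (not captured from a real host).
# HARDWARE is a volatile hive: it is listed in hivelist with an empty file path.
HIVELIST = {
    r"\REGISTRY\MACHINE\SYSTEM": r"\Device\HarddiskVolume2\Windows\System32\config\SYSTEM",
    r"\REGISTRY\MACHINE\SAM": r"\Device\HarddiskVolume2\Windows\System32\config\SAM",
    r"\REGISTRY\MACHINE\HARDWARE": "",
    r"\REGISTRY\USER\.DEFAULT": r"\Device\HarddiskVolume2\Windows\System32\config\DEFAULT",
    r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001": r"\Device\HarddiskVolume2\Users\alice\NTUSER.DAT",
}
# Constructed REG_DWORD values of the HKLM\SYSTEM\Select key on the same sample host.
SELECT = {"Current": 1, "Default": 1, "Failed": 0, "LastKnownGood": 2}

_HIVE_RE = re.compile(r"^\\REGISTRY\\(MACHINE|USER)\\(.+)$")
_FILE_RE = re.compile(r"^\\Device\\HarddiskVolume(\d+)(\\.*)$")


def classify_hives(hivelist):
    """Map each hivelist value to (root key, hive name, volume number, path on volume).

    Entries whose value is not a \\Device\\HarddiskVolumeN\\... path (volatile hives
    such as HARDWARE) are skipped: there is no file on disk to collect for them.
    """
    hives = []
    for name, path in hivelist.items():
        m = _HIVE_RE.match(name)
        f = _FILE_RE.match(path)
        if not m or not f:
            continue
        root = "HKLM" if m.group(1) == "MACHINE" else "HKU"
        hives.append((root, m.group(2), int(f.group(1)), f.group(2)))
    return hives


def control_set(select, role="Current"):
    """Return the ControlSetNNN key name that the given Select value refers to."""
    return "ControlSet{:03d}".format(select[role])


if __name__ == "__main__":
    print("CurrentControlSet ->", control_set(SELECT))
    print("LastKnownGood     ->", control_set(SELECT, "LastKnownGood"))
    for root, hive, vol, path in classify_hives(HIVELIST):
        print(f"{root}\\{hive:<40} HarddiskVolume{vol} {path}")
```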

HKEY_LOCAL_MACHINE (HKLM)

• Location on a running Windows 7 or 10 computer

HKEY_LOCAL_MACHINE (HKLM)

Examining a Non-Live Registry – Forensic Image of a Windows 7 or 10 computer