The Windows Registry

Please look at the article Inside the Registry by Russinovich.

From WFA, page 158:

"To most administrators and forensic analysts, the Registry probably looks like the entrance to a dark, forbidding cave on the landscape of the Windows operating system. Others might see the Registry as a dark door at the end of a long hallway, with the words "abandon hope, all ye who enter here" scrawled on it. The truth is that the Registry is a veritable gold mine of information for both the administrator and the forensics investigator."

Why? Well, one reason is that Windows is not tidy with respect to the Registry. Some information found in the Registry is old and even inconsistent, but that might sometimes provide us useful (if potentially confusing) historical information.

The Anatomy of the Window Registry

The Wikipedia article Windows Registry and WF on page 129 list these system registry files and associated hives::

The Anatomy of the Registry

On a per-user basis, you can find the user profile "NTUSER.DAT" file in different locations:


The Anatomy of the Registry

There are also "volatile" hives created on-the-fly, which you will only be to examine from a live machine or an image of a live machine:

Via powershell

Via powershell

The Guts of the Registry

Each registry entry is a key-value pair. The data types supported for values are

Registry via regedit example

Looking at the raw registry

WF goes into quite a bit of detail on pages 130-135 about how the registry is physically constructed. The important items to take away from this are:

Spotting changes

Sysinternals Regmon has been superseded by "Process Monitor". It might prove useful when watching a system, but the registry information is copious and not as easy to filter as one would like.

What all can we try to extract?

System information:

What all can we try to extract?

Timezone: It's critical to note that logs generally show local time, but system activities are generally done in UTC.

What all can we try to extract?


What all can we try to extract?

Audit policy: what do we expect to find in the logs?

What all can we try to extract?

Wireless SSIDs: yes, even wireless SSIDs can be stored in


What all can we try to extract?

Autostart locations: these are one of the favorite places for malware to obscure autostartup processes.

What all can we try to extract?

User Activity:

What all can we try to extract?

USB removable storage:

What all can we try to extract?

Mounted devices:

The registry and users

Recent Documents

Network Drives

You can also look at Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU and Software\Microsft\Windows\CurrentVersion\MountPoints2 to see what network drives have been mapped. You can alsofind IP addresses in Softare\Microsfot\Windows\CurrentVersion\Explorer\ComputerDescriptions.

P2P and IM

These are popular (and prominently used for malware propagation); it's certainly worth looking at the registry to see what you can see, but every program is going to use different keys and standards for values.

Restore Points

The most important keys to remembering about Windows restore points (1) they don't always get made, so not having current restore points is not necessarily due to malicious behavior (2) installation of software (even malware) can trigger the creation of a new restore point, a very handy feature for finding what might have been installed recently.