The Windows Registry

Please read pp. 126-189 of WF.

Also, look at the article Inside the Registry by Russinovich.

From WF, page 126:

"To most administrators and forensic analysts, the Registryprobably looks the entrance to a dark, forbidding cave on the landscape of the Windows operating system. Others might see the Registry as a dark door at the end of a long hallway, with the words "abandon hope, all ye who enter here" scrawled on it. The truth is that the Registry is a veritable gold mind of information for both the administrator and the forensics investigator.

Why? Well, one reason is that Windows is simply not tidy with respect to the Registry. Some information found in the Registry is old and even inconsistent, but that provides us sometimes useful historical information.

The Anatomy of the Window Registry

The Wikipedia article Windows Registry and WF on page 129 list the system registry files and associated hives in the NT world:

The Anatomy of the Registry

On a per-user basis, you can find the user profile "NTUSER.DAT" file in different locations:

The Anatomy of the Registry

There are also two "volatile" hives created on-the-fly, which you will only be to examine from a live machine or an image of a live machine:

The Guts of the Registry

Each registry entry is a key-value pair. The data types supported for values are

Looking at the raw registry

WF goes into quite a bit of detail on pages 130-135 about how the registry is physically constructed. The important items to take away from this are:

Spotting changes

WF lists the program InControl5 as a particularly powerful program for making snapshots.

Regmon has been superceded by "Process Monitor". It might prove useful when watching a system, but the registry information is copious and not as easy to filter as one would like.

What all can we try to extract?

System information:

What all can we try to extract?

Timezone: It's critical to note that logs generally show local time, but system activities are generally done in UTC.

What all can we try to extract?


What all can we try to extract?

Audit policy: what do we expect to find in the logs?

What all can we try to extract?

Wireless SSIDs: yes, even wireless SSIDs can be stored in


What all can we try to extract?

Autostart locations: these are one of the favorite places for malware to obscure autostartup processes.

What all can we try to extract?

User Activity:

What all can we try to extract?

USB removable storage:

What all can we try to extract?

Mounted devices:

The registry and users

Recent Documents

Network Drives

You can also look at Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU and Software\Microsft\Windows\CurrentVersion\MountPoints2 to see what network drives have been mapped. You can alsofind IP addresses in Softare\Microsfot\Windows\CurrentVersion\Explorer\ComputerDescriptions.

P2P and IM

These are popular (and prominently used for malware propagation); it's certainly worth looking at the registry to see what you can see, but every program is going to use different keys and standards for values.

Restore Points

The most important keys to remembering about Windows restore points (1) they don't always get made, so not having current restore points is not necessarily due to malicious behavior (2) installation of software (even malware) can trigger the creation of a new restore point, a very handy feature for finding what might have been installed recently.