killchain-compendium/Forensics/Windows Registration.md

# Windows Registry

* [Windows Forensics Cheat Sheet](https://user-images.githubusercontent.com/58165365/157232143-3c8785ec-164b-4843-bde8-9d9a22350159.png)

## Regedit Keys
* HKEY_CURRENT_USER (HKCU), inside HKU
* HKEY_USERS (HKU)
* HKEY_LOCAL_MACHINE (HKLM)
* HKEY_CLASSES_ROOT (HKCR), stored in HKLM and HKU
    * `HKEY_CURRENT_USER\Software\Classes` for settings of interactive user
    * `HKEY_LOCAL_MACHINE\Software\Classes` to change default settings
* HKEY_CURRENT_CONFIG

## Paths
* `C:\Windows\System32\Config`
    * Default -> `HKEY_USERS\DEFAULT`
    * SAM -> `HKEY_LOCAL_MACHINE\SAM`
    * SECURITY -> `HKEY_LOCAL_MACHINE\Security`
    * SOFTWARE -> `HKEY_LOCAL_MACHINE\Software`
    * SYSTEM -> `HKEY_LOCAL_MACHINE\System`

* `C:\Users\<username>\`
    * NTUSER.DAT -> `HKEY_CURRENT_USER` , hidden file
* `C:\Users\<username>\AppData\Local\Microsoft\Windows`
    * USRCLASS.DAT -> `HKEY_CURRENT_USER\Sofware\CLASSES`, hidden file

* `C:\Windows\AppCompat\Programs\Amcache.hve`

### Transaction Logs
* Transaction `<name of registry hive>.LOG` of the registry hive
* Saved inside the same directory which is `C:\Windows\System32\Config`, as the hive which was altered.

### Backups
* Saved every ten days
* Look out for recently deleted or modified keys
* `C:\Windows\System32\Config\RegBack`

## Data Acquisition
* Tools
    * [Autopsy](https://www.autopsy.com/)
    * [FTK Imager](https://www.exterro.com/ftk-imager), does not copy `Amcache.hve`
    * [KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape), preserves directory tree
    * `Registry Viewer`
    * `Zimmerman's Registry Explorer`, uses transaction logs as well
        * ` AppCompatCache Parser`
    * `RegRipper`, cli and gui

## System Information
* OS Version -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion`
* Computer Name -> `SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName`
* Time Zone `SYSTEM\CurrentControlSet\Control\TimeZoneInformation`
* Network Interfaces -> `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`
* Past connected networks -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged` and `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed`
* Services -> `SYSTEM\CurrentControlSet\Services`
    * Service will start at boot with `start` key value `0x02`
* Users, SAM -> `SAM\Domains\Account\Users`


### Control Sets
* `ControlSet001` -> last boot
* `ControlSet002` -> last known good
* `HKLM\SYSTEM\CurrentControlSet` -> live 

* Can be found under:
    * `SYSTEM\Select\Current` shows the used control set
    * `SYSTEM\Select\LastKnownGood`

## Autostart Programs
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\Run`

## Recent Files
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`, e.g. xml, pdf, jpg
* Office files -> `NTUSER.DAT\Software\Microsoft\Office\VERSION`, `NTUSER.DAT\Software\Microsoft\Office\15.0\Word`
* Office 365 -> `NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU`

## ShellBags
* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags`
* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags`

## Last Open/Saved/Visited Dialog MRUs
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU`

## Explorer Address/Search Bars
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery`

## User Assist
* GUI applications launched by the user
* `NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count`

## Shim Cache
* Application Compatibility, AppCompatCache
* `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache`
* Use `AppCompatCacheParser.exe --csv <path to save output> -f <path to SYSTEM hive for data parsing> -c <control set to parse>`

### AmCache
* Information about recently run applications on the system
* `C:\Windows\appcompat\Programs\Amcache.hve`
* Last executed app -> `Amcache.hve\Root\File\{Volume GUID}\`
* Saves SHA1 of the last executed app

## Background Activity Monitor/Desktop Activity Moderator BAM/DAM
* Saves full path of executed apps
* `SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}`
* `SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}`

## Devices
* Identification
    * USB -> `SYSTEM\CurrentControlSet\Enum\USBTOR`, `SYSTEM\CurrentControlSet\Enum\USB`
* Device name -> `SOFTWARE\Microsoft\Windows Portable Devices\Devices`
* First time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0064`
* Last time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0066`
* Last removal time -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0067`


## Tools

* [Eric Zimmermann's Registry Explorer](https://ericzimmerman.github.io/#!index.md)
* hivedump
* hivex