killchain-compendium/Forensics/Windows Registration.md

# Windows Registry
* [Windows Forensics Cheat Sheet](https://user-images.githubusercontent.com/58165365/157232143-3c8785ec-164b-4843-bde8-9d9a22350159.png)
## Regedit Keys
* HKEY_USERS (HKU), one subkey per loaded user profile, named by the user's SID
* HKEY_CURRENT_USER (HKCU), a link to the HKU subkey of the logged-on user
* HKEY_LOCAL_MACHINE (HKLM)
* HKEY_CLASSES_ROOT (HKCR), not stored on its own but a merged view of `HKLM\Software\Classes` and `HKCU\Software\Classes`
  * `HKEY_CURRENT_USER\Software\Classes` holds the per-user overrides of the interactive user
  * `HKEY_LOCAL_MACHINE\Software\Classes` holds the machine-wide defaults
* HKEY_CURRENT_CONFIG, a link to `HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current`
## Paths
The files backing these parts of the registry are called hives. The system hives are stored under `C:\Windows\System32\Config`.
* DEFAULT -> `HKEY_USERS\.DEFAULT`
* SAM -> `HKEY_LOCAL_MACHINE\SAM`, contains account names, status, group membership, password hashes and logon timestamps. The hashes are encrypted with a key derived from the boot key kept in the SYSTEM hive, so SAM is only useful together with SYSTEM
* SECURITY -> `HKEY_LOCAL_MACHINE\SECURITY`, LSA secrets and cached domain logons, likewise tied to the boot key
* SOFTWARE -> `HKEY_LOCAL_MACHINE\SOFTWARE`
* SYSTEM -> `HKEY_LOCAL_MACHINE\SYSTEM`

The per-user hives live in the profile directory and are hidden files.
* `C:\Users\<username>\NTUSER.DAT` -> `HKEY_CURRENT_USER`
* `C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat` -> `HKEY_CURRENT_USER\Software\Classes`

Related files outside `Config`:
* `C:\Windows\AppCompat\Programs\Amcache.hve`, a hive of its own (see AmCache below)
* `C:\Windows\security\database\secedit.sdb`, the local security policy / access control configuration
### Transaction Logs
* Every hive has transaction logs named `<name of registry hive>.LOG1` and `<name of registry hive>.LOG2` (older systems also carry a `<name of registry hive>.LOG`)
* They are saved next to the hive they belong to, i.e. in `C:\Windows\System32\Config` for the system hives and in the profile directory for `NTUSER.DAT` and `UsrClass.dat`
* Changes not yet flushed into the hive file exist only in these logs, so always acquire them together with the hive
### Backups
* `C:\Windows\System32\Config\RegBack`
* Written by the `RegIdleBackup` scheduled task every ten days
* Since Windows 10 1803 the task only writes the copies when `EnablePeriodicBackup` is set to `1` under `SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager`; otherwise the files in `RegBack` are 0 bytes
* Compare the backup against the live hives to spot recently deleted or modified keys
## Data Acquisition
Multiple tools with their own strengths and weaknesses should be combined to acquire the registry data, whether from a live system or from a disk image. Commonly used tools are the following.
* [Autopsy](https://www.autopsy.com/)
* [FTK Imager](https://www.exterro.com/ftk-imager), `Obtain Protected Files` copies the hives from `System32\Config` but not `Amcache.hve`; export that one (and the user hives) manually from the file tree of the mounted image
* [KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape), preserves the directory tree, which keeps every hive next to its transaction logs

Parsers worth noting:
* AccessData Registry Viewer
* Eric Zimmerman's Registry Explorer (part of EZTools), replays the transaction logs into the hive before showing it
* Eric Zimmerman's AppCompatCacheParser (part of EZTools)
* Harlan Carvey's RegRipper, cli (`rip`) and gui
## System Information
* OS version -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion`
* Computer name -> `SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName`
* Time zone -> `SYSTEM\CurrentControlSet\Control\TimeZoneInformation`, needed to interpret local timestamps found elsewhere
* Network interfaces -> `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`
* Past connected networks -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged` and `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed`
* Services -> `SYSTEM\CurrentControlSet\Services`
  * The `Start` value is the start type: `0` boot, `1` system, `2` automatic (started at boot by the service control manager), `3` manual, `4` disabled
  * `ImagePath` (and `ServiceDll` under `Parameters` for svchost-hosted services) shows what actually runs
* Users -> `SAM\Domains\Account\Users`
### Control Sets
* `SYSTEM\Select\Current` holds the number of the control set the system booted with, `SYSTEM\Select\LastKnownGood` the number of the last known good one
* `ControlSet001`, `ControlSet002`, ... are the stored copies; which of them is current or last known good follows from `Select`, not from the number (usually `ControlSet001` is current and `ControlSet002` last known good, but check)
* `HKLM\SYSTEM\CurrentControlSet` is a link to the current one that only exists on a live system; in an offline hive use the `ControlSetNNN` key named by `Select\Current`
## Autostart Programs
Run values start their program at every logon, RunOnce values once (the value is deleted after it ran). Keys in `NTUSER.DAT` apply to that user only, keys in the `SOFTWARE` hive to every user who logs on. On 64-bit systems the `SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run` variants exist as well.
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\Run`

The same keys as seen on a live system:

Run a program on logon of the current user
```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
```
Run a program on logon of any user
```
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
```
Run a program once on the next logon of the current user
```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
```
Run a program once on the next logon of any user
```
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
```
Policy-driven variant, processed at logon of any user
```
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
```
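The keys above are usually reviewed from a `reg export` (or the equivalent lines from an offline parser). The following added example is not code from the page or from the killchain-compendium project: it parses a constructed `.reg` export of the Run/RunOnce keys and flags entries a reviewer would look at first. The entry names, paths and command lines in `SAMPLE_REG` are made up, and the heuristics (user-writable locations, script hosts, encoded PowerShell, system binary names outside System32, script files) are the author's own triage rules, not a definitive list.

```python
"""Triage of Run/RunOnce entries from a `reg export` of the autostart keys.

Added example, not code from the page or the killchain-compendium project.
SAMPLE_REG is a constructed export; every name, path and command in it is
made up. The triage rules are assumptions about what deserves a second look.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"
"Loader"="powershell.exe -nop -w hidden -enc SQBFAFgA"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Windows\\Temp\\setup.bat"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "name"="data" lines; inside the quotes a backslash escapes the next character
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\users\\public\\', '\\programdata\\', '\\downloads\\')
SCRIPT_HOSTS = ('powershell', 'pwsh', 'cmd.exe', 'mshta', 'wscript', 'cscript',
                'rundll32', 'regsvr32', 'certutil', 'bitsadmin')
SYSTEM_NAMES = ('svchost.exe', 'lsass.exe', 'csrss.exe', 'explorer.exe', 'winlogon.exe')
SCRIPT_EXT = ('.bat', '.cmd', '.vbs', '.js', '.ps1', '.hta')


def unescape(s):
    """Undo the .reg escaping (a backslash escapes the following character)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Yield (key, value name, REG_SZ data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, unescape(m.group('name')), unescape(m.group('data'))


def image_path(command):
    """Executable part of a command line: the quoted token, or everything up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def triage(command):
    """Reasons an autostart entry deserves a look; an empty list means nothing odd was seen."""
    reasons = []
    # Assumption: %windir% / %SystemRoot% expand to C:\Windows on the examined system
    image = image_path(command).lower().replace('%windir%', 'c:\\windows').replace('%systemroot%', 'c:\\windows')
    basename = image.rsplit('\\', 1)[-1]
    if any(part in image for part in USER_WRITABLE):
        reasons.append('image in a user-writable location')
    if basename.startswith(SCRIPT_HOSTS):
        reasons.append('script host or LOLBin used as autostart')
    if '-enc' in command.lower():  # -enc / -EncodedCommand
        reasons.append('encoded PowerShell command line')
    if basename in SYSTEM_NAMES and not image.startswith('c:\\windows\\system32\\'):
        reasons.append('system binary name outside System32')
    if image.endswith(SCRIPT_EXT):
        reasons.append('script file instead of an executable')
    return reasons


def triage_export(text):
    """Map 'key\\value name' -> (command line, reasons) for every entry in the export."""
    return {f'{key}\\{name}': (command, triage(command))
            for key, name, command in parse_reg_export(text)}


if __name__ == '__main__':
    for entry, (command, reasons) in triage_export(SAMPLE_REG).items():
        flag = 'REVIEW' if reasons else 'ok    '
        print(f'{flag} {entry}\n       {command}')
        for reason in reasons:
            print(f'       - {reason}')
```

Legitimate software such as OneDrive also runs from `AppData`, so the location rule produces expected hits; the point of the script is to shorten the list for a human, not to decide. Keep a baseline export of a known-clean build of the same image and diff against it before reading the flags.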
## Recent Files
Recently opened documents of any type (e.g. xml, pdf, jpg) are listed per extension under the following key; the `MRUListEx` value gives the order of access.
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`
* Office files -> `NTUSER.DAT\Software\Microsoft\Office\VERSION\<Application>\File MRU`, e.g. `NTUSER.DAT\Software\Microsoft\Office\15.0\Word\File MRU`
* Office 365 -> `NTUSER.DAT\Software\Microsoft\Office\VERSION\<Application>\User MRU\LiveId_####\File MRU`
## ShellBags
Folder view settings that Explorer stores for every folder a user has browsed, which is why they record folders (including ones on removable media and network shares, and folders since deleted) the user opened. Use a dedicated parser such as Eric Zimmerman's ShellBags Explorer to display them.
* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags`
* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags`
## Last Open/Saved/Visited Dialog MRUs
The common open/save dialogs record the files picked and the folders last used, per application, in the following keys. The entries are stored as PIDLs, so use a parser rather than reading them raw.
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU`, files opened or saved, one subkey per extension
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU`, the executable that opened the dialog together with the folder it last used
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastSavedPidlMRU`
## Explorer Address/Search Bars
Paths typed into the Explorer address bar.
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths`
Search terms entered into the Explorer search box.
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery`
## User Assist
GUI applications launched by the user, with run count, focus time and last execution time, grouped by GUID under the following key. Value names are ROT13-encoded paths; the GUID `{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}` holds executables, `{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}` shortcuts. Programs started from a command line are not recorded here.
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count`
## Network
Known networks (profile name, first and last connected date, default gateway MAC) can be found under the following key.
* `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList`
## Domain Account Information
`NTDS.dit` is not a registry hive but the Active Directory database (an ESE database, by default at `C:\Windows\NTDS\NTDS.dit` on a domain controller). It stores the domain users: full name, username, security identifier (SID), domain and local group memberships, password hashes, logon timestamps, time of the last password set, expiration of the current password, security policies, OUs and trusts to other domains.
The password hashes in it are encrypted with a key derived from the boot key, so `NTDS.dit` has to be exported together with the SYSTEM hive of the same domain controller.
Use `ntdsutil` to create an IFM snapshot, which copies the database and the registry hives consistently.
```cmd
C:\Windows\system32\ntdsutil.exe "activate instance ntds" "ifm" "create full C:\Windows\Temp\NTDS" quit quit
```
The snapshot contains `Active Directory\ntds.dit` and `registry\SYSTEM`. Read the boot key from the exported SYSTEM hive and decrypt the accounts with the [DSInternals](https://github.com/MichaelGrafnetter/DSInternals) PowerShell module.
```powershell
Import-Module DSInternals
$BootKey = Get-BootKey -SystemHivePath 'C:\Windows\Temp\NTDS\registry\SYSTEM'
Get-ADDBAccount -All -DBPath 'C:\Windows\Temp\NTDS\Active Directory\ntds.dit' -BootKey $BootKey
```
## Shim Cache
Application Compatibility cache (AppCompatCache): paths of executables the loader looked at, together with each file's last modification time. The cache is written to the hive only at shutdown or reboot, so on a live system the most recent entries are still in memory.
* `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache`
* On Windows 8 and later an entry proves the file existed at that path, not that it was executed
* Use `AppCompatCacheParser.exe --csv <path to save output> -f <path to SYSTEM hive for data parsing> -c <control set to parse>`; `-c` is optional, by default the current control set is detected from `Select`
## AmCache
* Information about applications and drivers present or executed on the system, kept in its own hive outside `Config`
* `C:\Windows\appcompat\Programs\Amcache.hve`
* Executables -> `Amcache.hve\Root\File\{Volume GUID}\` on Windows 8 and early Windows 10, `Amcache.hve\Root\InventoryApplicationFile` on current Windows 10 and 11
* Stores the SHA1 of each file (`FileId` value, prefixed with four zeros); only the first 31,457,280 bytes are hashed, so for larger files the stored hash does not match a hash of the whole file
## Background Activity Monitor/Desktop Activity Moderator BAM/DAM
* Saves the full path of executed programs per user SID; the last execution time is a FILETIME in the first 8 bytes of each value
* `SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}` (Windows 10 up to 1803)
* `SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}` (Windows 10 1809 and later)
* `SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}`, same layout for DAM
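Both the UserAssist `Count` values above and the BAM/DAM values carry their timestamps as FILETIMEs inside raw binary data, so a parser is needed to read them. The following added example is not code from the page or from the killchain-compendium project: it decodes a UserAssist record (ROT13 name, Windows 7+ 72-byte layout with the run count at offset 4, focus count at 8, focus time in milliseconds at 12 and the last-run FILETIME at 60) and a BAM `UserSettings` key (FILETIME in the first 8 bytes of each 24-byte value). The records, program paths and timestamps are constructed for the demonstration; the known-folder GUID in the sample path is the real one for System32.

```python
"""Decode UserAssist Count records and BAM UserSettings values.

Added example, not code from the page or the killchain-compendium project.
The sample records below are constructed with the documented layouts; the
paths, timestamps and counters are made up.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed timestamps used for the sample records
SAMPLE_UA_LAST_RUN = datetime(2024, 3, 1, 14, 30, 5, tzinfo=timezone.utc)
SAMPLE_BAM_TIMES = {
    '\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe': datetime(2024, 3, 1, 14, 31, tzinfo=timezone.utc),
    '\\Device\\HarddiskVolume3\\Users\\alice\\AppData\\Roaming\\svchost.exe': datetime(2024, 3, 2, 9, 15, tzinfo=timezone.utc),
}


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, microsecond precision."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here only to build the sample records."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


# UserAssist Count record (Windows 7 and later): session, run count, focus count,
# focus time in ms, 10 floats, unknown DWORD, last run FILETIME, unknown DWORD
USERASSIST_RECORD = struct.Struct('<IIII40s4sQ4s')


def decode_userassist(value_name, data):
    """value_name is the ROT13-encoded program path, data the raw Count value."""
    if len(data) != USERASSIST_RECORD.size:
        raise ValueError(f'expected a {USERASSIST_RECORD.size}-byte record, got {len(data)} bytes')
    _session, run_count, focus_count, focus_ms, _floats, _unk1, last_run, _unk2 = USERASSIST_RECORD.unpack(data)
    return {
        'path': codecs.decode(value_name, 'rot_13'),
        'run_count': run_count,
        'focus_count': focus_count,
        'focus_time': timedelta(milliseconds=focus_ms),
        # a zero FILETIME means no run has been recorded for this entry
        'last_run': filetime_to_datetime(last_run) if last_run else None,
    }


def decode_bam(user_settings):
    """user_settings: {value name: raw bytes} of one BAM UserSettings\\{SID} key.

    Returns [(path, last run)] sorted by time. The Version and SequenceNumber
    REG_DWORD values that sit in the same key are skipped by the length check.
    """
    entries = []
    for name, data in user_settings.items():
        if len(data) != 24:
            continue
        ft = struct.unpack_from('<Q', data, 0)[0]
        entries.append((name, filetime_to_datetime(ft)))
    return sorted(entries, key=lambda entry: entry[1])


# --- constructed sample data -------------------------------------------------
SAMPLE_UA_PATH = '{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\cmd.exe'  # known-folder GUID of System32
SAMPLE_UA_NAME = codecs.encode(SAMPLE_UA_PATH, 'rot_13')
SAMPLE_UA_DATA = USERASSIST_RECORD.pack(
    0, 5, 7, 12500, b'\x00' * 40, b'\x00' * 4, datetime_to_filetime(SAMPLE_UA_LAST_RUN), b'\x00' * 4)

SAMPLE_BAM = {
    'Version': struct.pack('<I', 1),
    'SequenceNumber': struct.pack('<I', 7),
}
for _path, _when in SAMPLE_BAM_TIMES.items():
    SAMPLE_BAM[_path] = struct.pack('<Q', datetime_to_filetime(_when)) + b'\x00' * 16

if __name__ == '__main__':
    ua = decode_userassist(SAMPLE_UA_NAME, SAMPLE_UA_DATA)
    print(f"{ua['path']}: run {ua['run_count']}x, focus {ua['focus_time']}, last {ua['last_run']}")
    for path, when in decode_bam(SAMPLE_BAM):
        print(f'{when:%Y-%m-%d %H:%M:%S} UTC  {path}')
```

On a real hive the value names and bytes come from the keys listed above (via a hive parser such as Registry Explorer's export or a Python hive library); the decoding is the same. Timestamps are UTC, so apply the time zone from `TimeZoneInformation` when correlating with local-time artifacts.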
## Devices
* Identification
  * USB -> `SYSTEM\CurrentControlSet\Enum\USBSTOR` (mass storage devices, keyed by vendor, product and serial number) and `SYSTEM\CurrentControlSet\Enum\USB` (all USB devices, keyed by VID/PID)
  * Device name -> `SOFTWARE\Microsoft\Windows Portable Devices\Devices`
* Timestamps (FILETIMEs in the device property store)
  * First time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0064`
  * Last time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0066`
  * Last removal time -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0067`
## Tools
* [Eric Zimmerman's Registry Explorer](https://ericzimmerman.github.io/#!index.md)
* hivedump
* hivex
* [AutoRuns](https://github.com/p0w3rsh3ll/AutoRuns), PowerShell module to check the autorun locations for persistence and diff them against a baseline
```powershell
Get-Command -Module AutoRuns

CommandType Name                     Version Source
----------- ----                     ------- ------
Function    Compare-AutoRunsBaseLine 14.0    Aut...
Function    Get-PSAutorun            14.0    Aut...
Function    New-AutoRunsBaseLine     14.0    Aut...
```
## Clean a Dirty Hive
A hive that was not closed cleanly, i.e. changes are still pending in its transaction logs and the two sequence numbers in its header do not match, is called a dirty hive.
To clean it the transaction logs of that specific hive are needed. They are stored next to the hive, for the system hives in `C:\Windows\System32\config`, and are named after the hive they belong to (`SYSTEM.LOG1`, `SYSTEM.LOG2` and so on). They are not shown in Explorer even with hidden files visible, because they are also flagged as protected operating system files; list them with `dir /a`.
If a tool complains about a dirty hive when loading it, the transaction logs of that hive have to be loaded as well (Registry Explorer offers to replay them). Extract them with FTK Imager or KAPE alongside the hive itself and keep the directory layout, so the tool finds them next to the hive.
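Whether a hive is dirty can be checked before any tool is involved, from the first 4096 bytes of the file (the REGF base block): Windows increments the primary sequence number at offset 4 before it starts writing and the secondary one at offset 8 once the write has completed, so a mismatch means the transaction logs described in the Transaction Logs section and here are required. The following added example is not code from the page or from the killchain-compendium project; it parses the base block, verifies its XOR-32 checksum and reports the state. The hive headers it runs on are constructed (the embedded file name and timestamps are made up, the version is assumed to be 1.5); `check_hive_file` does the same for a hive on disk.

```python
"""Tell a clean hive from a dirty one by reading its REGF base block.

Added example, not code from the page or the killchain-compendium project.
The base blocks below are constructed; the offsets are those of the REGF
header (signature at 0, sequence numbers at 4 and 8, last-written FILETIME at
12, embedded file name at 48, checksum of the first 508 bytes at 508).
"""
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 4096
CHECKSUM_OFFSET = 508
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# signature, seq1, seq2, last written, major, minor, file type, file format,
# root cell offset, hbins data size, clustering factor, file name (UTF-16LE, 64 bytes)
BASE_BLOCK = struct.Struct('<4sIIQIIIIIII64s')


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def regf_checksum(block):
    """XOR of the 127 DWORDs before the checksum field; 0 and 0xFFFFFFFF are reserved and remapped."""
    checksum = 0
    for (dword,) in struct.iter_unpack('<I', bytes(block[:CHECKSUM_OFFSET])):
        checksum ^= dword
    if checksum == 0:
        return 1
    if checksum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return checksum


def parse_base_block(block):
    """Parse the first 4096 bytes of a hive file and report its dirty/checksum state."""
    if len(block) < BASE_BLOCK_SIZE:
        raise ValueError('need the full 4096-byte base block')
    (sig, seq1, seq2, written, major, minor, _ftype, _fmt,
     _root, hbins_size, _cluster, name) = BASE_BLOCK.unpack_from(block, 0)
    if sig != b'regf':
        raise ValueError('not a registry hive: bad signature')
    stored = struct.unpack_from('<I', block, CHECKSUM_OFFSET)[0]
    return {
        'primary_sequence': seq1,
        'secondary_sequence': seq2,
        'dirty': seq1 != seq2,
        'checksum_ok': stored == regf_checksum(block),
        'last_written': filetime_to_datetime(written),
        'version': f'{major}.{minor}',
        'hbins_size': hbins_size,
        'file_name': name.decode('utf-16-le').rstrip('\x00'),
    }


def hive_status(block):
    """One-line verdict, the way a triage script would report it."""
    info = parse_base_block(block)
    if not info['checksum_ok']:
        return 'corrupt base block (checksum mismatch)'
    if info['dirty']:
        return 'dirty: load the .LOG1/.LOG2 transaction logs with it'
    return 'clean'


def check_hive_file(path):
    """Same verdict for a hive file on disk."""
    with open(path, 'rb') as fh:
        return hive_status(fh.read(BASE_BLOCK_SIZE))


# --- constructed sample base blocks ------------------------------------------
def build_base_block(seq1, seq2, last_written, file_name):
    """Assemble a base block like the one at the start of a hive file (version 1.5 assumed)."""
    block = bytearray(BASE_BLOCK_SIZE)
    BASE_BLOCK.pack_into(block, 0, b'regf', seq1, seq2,
                         (last_written - FILETIME_EPOCH) // timedelta(microseconds=1) * 10,
                         1, 5, 0, 1, 0x20, 0x1000, 1, file_name.encode('utf-16-le'))
    struct.pack_into('<I', block, CHECKSUM_OFFSET, regf_checksum(block))
    return bytes(block)


SAMPLE_WRITTEN = datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc)
CLEAN_HIVE = build_base_block(42, 42, SAMPLE_WRITTEN, 'emRoot\\System32\\Config\\SYSTEM')
DIRTY_HIVE = build_base_block(43, 42, SAMPLE_WRITTEN, 'emRoot\\System32\\Config\\SYSTEM')
CORRUPT_HIVE = CLEAN_HIVE[:40] + b'\xff' + CLEAN_HIVE[41:]  # one byte changed after the checksum was computed

if __name__ == '__main__':
    for label, hive in (('clean', CLEAN_HIVE), ('dirty', DIRTY_HIVE), ('corrupt', CORRUPT_HIVE)):
        print(f'{label:8} {hive_status(hive)}')
```

Run `check_hive_file` over every hive pulled from an image before parsing: a dirty result tells you up front that the `.LOG1`/`.LOG2` files have to be acquired as well, and a checksum mismatch that the copy itself is damaged and should be re-acquired rather than repaired.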