# Windows Registry
* [Windows Forensics Cheat Sheet](https://user-images.githubusercontent.com/58165365/157232143-3c8785ec-164b-4843-bde8-9d9a22350159.png)
## Regedit Keys
* HKEY_CURRENT_USER (HKCU), inside HKU
* HKEY_USERS (HKU)
* HKEY_LOCAL_MACHINE (HKLM)
* HKEY_CLASSES_ROOT (HKCR), stored in HKLM and HKU
* `HKEY_CURRENT_USER\Software\Classes` for settings of the interactive user
* `HKEY_LOCAL_MACHINE\Software\Classes` to change default settings
* HKEY_CURRENT_CONFIG
## Paths
* `C:\Windows\System32\Config`
* Default -> `HKEY_USERS\DEFAULT`
* SAM -> `HKEY_LOCAL_MACHINE\SAM`
* SECURITY -> `HKEY_LOCAL_MACHINE\Security`
* SOFTWARE -> `HKEY_LOCAL_MACHINE\Software`
* SYSTEM -> `HKEY_LOCAL_MACHINE\System`
* `C:\Users\<username>\`
* NTUSER.DAT -> `HKEY_CURRENT_USER`, hidden file
* `C:\Users\<username>\AppData\Local\Microsoft\Windows`
* USRCLASS.DAT -> `HKEY_CURRENT_USER\Software\Classes`, hidden file
* `C:\Windows\AppCompat\Programs\Amcache.hve`
### Transaction Logs
* Each registry hive has a transaction log named `<name of registry hive>.LOG`
* Saved in the same directory as the hive that was altered, i.e. `C:\Windows\System32\Config`
### Backups
* Saved every ten days
* Look out for recently deleted or modified keys
* `C:\Windows\System32\Config\RegBack`
## Data Acquisition
* Tools
* [Autopsy](https://www.autopsy.com/)
* [FTK Imager](https://www.exterro.com/ftk-imager), does not copy `Amcache.hve`
* [KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape), preserves directory tree
* `Registry Viewer`
* `Zimmerman's Registry Explorer`, uses transaction logs as well
* `AppCompatCacheParser`
* `RegRipper`, CLI and GUI
## System Information
* OS Version -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion`
* Computer Name -> `SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName`
* Time Zone -> `SYSTEM\CurrentControlSet\Control\TimeZoneInformation`
* Network Interfaces -> `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`
* Past connected networks -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged` and `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed`
* Services -> `SYSTEM\CurrentControlSet\Services`
* A service starts automatically at boot when its `Start` value is `0x02`
* Users, SAM -> `SAM\Domains\Account\Users`
### Control Sets
* `ControlSet001` -> last boot
* `ControlSet002` -> last known good
* `HKLM\SYSTEM\CurrentControlSet` -> live
* Which control set is in use is recorded under:
* `SYSTEM\Select\Current` shows the used control set
* `SYSTEM\Select\LastKnownGood`
## Autostart Programs
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
Run program on login for the current user
```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
```
Run program on login for any user
```
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
```
Run program on login once for the current user
```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
```
Run program on login once for any user
```
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
```
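Added example (not part of the compendium): enumerate the Run/RunOnce keys listed above on a live system and flag entries whose executable is missing or lives outside the usual program directories. The trusted-root list and the `Suspicious` heuristic are assumptions for triage, not a verdict.

```powershell
# Autostart keys from the section above (HKCU = current user, HKLM = any user)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Assumption: legitimate autostart binaries normally live under these roots
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }

# Metadata properties that Get-ItemProperty adds to every result
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutostartEntries {
    param([string[]]$Keys = $runKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            # Take the executable: quoted path, or first token of an unquoted command line
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $expanded = [Environment]::ExpandEnvironmentVariables($exe)
            $exists = ($expanded -ne '') -and (Test-Path -LiteralPath $expanded)
            $inTrusted = $false
            foreach ($root in $trustedRoots) {
                if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
            }
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                Executable = $expanded
                Exists     = $exists
                Suspicious = (-not $inTrusted) -or (-not $exists)   # prompt to look closer, not a verdict
            }
        }
    }
}

Get-AutostartEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Compare the output against a baseline from a known-good machine; a missing executable often means a leftover from removed software rather than an active threat.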
## Recent Files
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`, e.g. xml, pdf, jpg
* Office files -> `NTUSER.DAT\Software\Microsoft\Office\VERSION`, e.g. `NTUSER.DAT\Software\Microsoft\Office\15.0\Word`
* Office 365 -> `NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU`
## ShellBags
* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags`
* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags`
## Last Open/Saved/Visited Dialog MRUs
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU`
## Explorer Address/Search Bars
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery`
## User Assist
* GUI applications launched by the user
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count`
## Shim Cache
* Application Compatibility, AppCompatCache
* `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache`
* Use `AppCompatCacheParser.exe --csv <path to save output> -f <path to SYSTEM hive for data parsing> -c <control set to parse>`
### AmCache
* Information about recently run applications on the system
* `C:\Windows\appcompat\Programs\Amcache.hve`
* Last executed app -> `Amcache.hve\Root\File\{Volume GUID}\`
* Saves SHA1 of the last executed app
## Background Activity Monitor/Desktop Activity Moderator BAM/DAM
* Saves full path of executed apps
* `SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}`
* `SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}`
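Added example (not part of the compendium): decode BAM/DAM entries from the keys above. It assumes the commonly documented layout, where each value under `UserSettings\{SID}` is named with the full path of an executed program and its data begins with an 8-byte little-endian FILETIME of the last execution; it also checks the `State\UserSettings` location used by newer Windows 10 builds (an assumption, verify against Registry Explorer on your own image).

```powershell
function ConvertFrom-BamEntry {
    param([string]$Name, [byte[]]$Data)
    # Version and SequenceNumber are DWORDs and never reach here; short binaries are skipped
    if ($Data.Length -lt 8) { return $null }
    $ft = [BitConverter]::ToInt64($Data, 0)          # first 8 bytes: FILETIME (assumed layout)
    try { $when = [DateTime]::FromFileTimeUtc($ft) } catch { return $null }
    [pscustomobject]@{ Path = $Name; LastRunUtc = $when }
}

function Get-BamEntries {
    # Older Win10 builds: Services\bam\UserSettings (as listed above); 1809+: Services\bam\State\UserSettings
    $roots = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings',
        'HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings',
        'HKLM:\SYSTEM\CurrentControlSet\Services\dam\State\UserSettings',
        'HKLM:\SYSTEM\CurrentControlSet\Services\dam\UserSettings'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($sidKey in Get-ChildItem $root) {
            $sid = $sidKey.PSChildName
            foreach ($valueName in $sidKey.GetValueNames()) {
                $data = $sidKey.GetValue($valueName)
                if ($data -isnot [byte[]]) { continue }
                $entry = ConvertFrom-BamEntry -Name $valueName -Data $data
                if ($entry) { $entry | Add-Member -NotePropertyName SID -NotePropertyValue $sid -PassThru }
            }
        }
    }
}

# Constructed sample so the decoder can be exercised offline: 2023-10-10 16:35:57 UTC
$sampleTime = [DateTime]::new(2023, 10, 10, 16, 35, 57, [DateTimeKind]::Utc)
$sampleData = [BitConverter]::GetBytes($sampleTime.ToFileTimeUtc()) + (New-Object byte[] 16)
ConvertFrom-BamEntry -Name '\Device\HarddiskVolume3\Windows\System32\notepad.exe' -Data $sampleData

# Live system: run from an elevated prompt if the SID subkeys come back empty
Get-BamEntries | Sort-Object LastRunUtc -Descending | Format-Table -AutoSize
```

Paths are recorded in `\Device\HarddiskVolumeN\...` form, so map the volume number to a drive letter before comparing with other artifacts.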
## Devices
* Identification
* USB -> `SYSTEM\CurrentControlSet\Enum\USBSTOR`, `SYSTEM\CurrentControlSet\Enum\USB`
* Device name -> `SOFTWARE\Microsoft\Windows Portable Devices\Devices`
* First time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0064`
* Last time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0066`
* Last removal time -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0067`
## Tools
* [Eric Zimmermann's Registry Explorer](https://ericzimmerman.github.io/#!index.md)
* hivedump
* hivex
* [AutoRuns](https://github.com/p0w3rsh3ll/AutoRuns) to check autorun paths for persistence
```powershell
Get-Command -Module AutoRuns
CommandType Name Version Source
----------- ---- ------- ------
Function Compare-AutoRunsBaseLine 14.0 Aut...
Function Get-PSAutorun 14.0 Aut...
Function New-AutoRunsBaseLine 14.0 Aut...
```