diff --git a/Forensics/Windows Registration.md b/Forensics/Windows Registration.md index 7e861b2..bf8a12c 100644 --- a/Forensics/Windows Registration.md +++ b/Forensics/Windows Registration.md @@ -14,6 +14,9 @@ ## Paths +These parts of the registries are called hives. They can be found under the +following path. + * `C:\Windows\System32\Config` * Default -> `HKEY_USERS\DEFAULT` * SAM -> `HKEY_LOCAL_MACHINE\SAM` @@ -22,7 +25,7 @@ * SYSTEM -> `HKEY_LOCAL_MACHINE\System` * `C:\Users\\` - * NTUSER.DAT -> `HKEY_CURRENT_USER` , hidden file + * NTUSER.DAT -> `HKEY_CURRENT_USER`, hidden file * `C:\Users\\AppData\Local\Microsoft\Windows` * USRCLASS.DAT -> `HKEY_CURRENT_USER\Sofware\CLASSES`, hidden file @@ -112,32 +115,48 @@ Run program for on login once for any user HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce ``` - ## Recent Files -* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`, e.g. xml, pdf, jpg + +Recently accessed documents can be found under the following path, e.g. xml, +pdf, jpg. + +* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs` + * Office files -> `NTUSER.DAT\Software\Microsoft\Office\VERSION`, `NTUSER.DAT\Software\Microsoft\Office\15.0\Word` * Office 365 -> `NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU` ## ShellBags + * `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags` * `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU` * `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU` * `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags` ## Last Open/Saved/Visited Dialog MRUs + * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU` * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU` ## Explorer Address/Search Bars + +Registry folder which includes paths typed by the user. + * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths` + +Registry folder which includes search queries from file explorer. + * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery` ## User Assist -* GUI applications launched by the user + +GUI applications launched by the user + * `NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count` ## Shim Cache -* Application Compatibility, AppCompatCache + +Application Compatibility, AppCompatCache + * `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache` * Use `AppCompatCacheParser.exe --csv -f -c ` @@ -160,7 +179,6 @@ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce * Last time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0066` * Last removal time -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0067` - ## Tools * [Eric Zimmermann's Registry Explorer](https://ericzimmerman.github.io/#!index.md) @@ -184,7 +202,13 @@ Function Get-PSAutorun 14.0 Au Function New-AutoRunsBaseLine 14.0 Aut... ``` -### Clean a Dirty Hive +## Clean a Dirty Hive + +A hive which is not closed correctly is called dirty hive. +To clean a dirty hive the transaction logfile for the specific hive is needed. +The path these logs are stored in is `C:\Windows\System32\config`, they are +named after the hive they contain the logs for. These are not listed in the +file explorer, even if you have hidden files visible. List them via `dir /a`. If a hive is loaded by a tool and the tool complains about a dirty hive, the transaction log of said hive has to be loaded as well. Extract it via FTK or