whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added information about paths

This commit is contained in:
Stefan Friese 2024-04-10 10:22:07 +00:00
parent 8270936b02
commit ad3a545eee
1 changed files with 31 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
Forensics/Windows Registration.md
View File

@ -14,6 +14,9 @@
## Paths ## Paths
These parts of the registries are called hives. They can be found under the
following path.
* `C:\Windows\System32\Config` * `C:\Windows\System32\Config`
* Default -> `HKEY_USERS\DEFAULT` * Default -> `HKEY_USERS\DEFAULT`
* SAM -> `HKEY_LOCAL_MACHINE\SAM` * SAM -> `HKEY_LOCAL_MACHINE\SAM`
@ -112,32 +115,48 @@ Run program for on login once for any user
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
``` ```
## Recent Files ## Recent Files
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`, e.g. xml, pdf, jpg
Recently accessed documents can be found under the following path, e.g. xml,
pdf, jpg.
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`
* Office files -> `NTUSER.DAT\Software\Microsoft\Office\VERSION`, `NTUSER.DAT\Software\Microsoft\Office\15.0\Word` * Office files -> `NTUSER.DAT\Software\Microsoft\Office\VERSION`, `NTUSER.DAT\Software\Microsoft\Office\15.0\Word`
* Office 365 -> `NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU` * Office 365 -> `NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU`
## ShellBags ## ShellBags
* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags` * `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags`
* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU` * `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU` * `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags` * `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags`
## Last Open/Saved/Visited Dialog MRUs ## Last Open/Saved/Visited Dialog MRUs
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU` * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU` * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU`
## Explorer Address/Search Bars ## Explorer Address/Search Bars
Registry folder which includes paths typed by the user.
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths` * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths`
Registry folder which includes search queries from file explorer.
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery` * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery`
## User Assist ## User Assist
* GUI applications launched by the user
GUI applications launched by the user
* `NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count` * `NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count`
## Shim Cache ## Shim Cache
* Application Compatibility, AppCompatCache
Application Compatibility, AppCompatCache
* `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache` * `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache`
* Use `AppCompatCacheParser.exe --csv <path to save output> -f <path to SYSTEM hive for data parsing> -c <control set to parse>` * Use `AppCompatCacheParser.exe --csv <path to save output> -f <path to SYSTEM hive for data parsing> -c <control set to parse>`
@ -160,7 +179,6 @@ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
* Last time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0066` * Last time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0066`
* Last removal time -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0067` * Last removal time -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0067`
## Tools ## Tools
* [Eric Zimmermann's Registry Explorer](https://ericzimmerman.github.io/#!index.md) * [Eric Zimmermann's Registry Explorer](https://ericzimmerman.github.io/#!index.md)
@ -184,7 +202,13 @@ Function Get-PSAutorun 14.0 Au
Function New-AutoRunsBaseLine 14.0 Aut... Function New-AutoRunsBaseLine 14.0 Aut...
``` ```
### Clean a Dirty Hive ## Clean a Dirty Hive
A hive which is not closed correctly is called dirty hive.
To clean a dirty hive the transaction logfile for the specific hive is needed.
The path these logs are stored in is `C:\Windows\System32\config`, they are
named after the hive they contain the logs for. These are not listed in the
file explorer, even if you have hidden files visible. List them via `dir /a`.
If a hive is loaded by a tool and the tool complains about a dirty hive, the If a hive is loaded by a tool and the tool complains about a dirty hive, the
transaction log of said hive has to be loaded as well. Extract it via FTK or transaction log of said hive has to be loaded as well. Extract it via FTK or