# Windows Registry * [Windows Forensics Cheat Sheet](https://user-images.githubusercontent.com/58165365/157232143-3c8785ec-164b-4843-bde8-9d9a22350159.png) ## Regedit Keys * HKEY_CURRENT_USER (HKCU), inside HKU * HKEY_USERS (HKU) * HKEY_LOCAL_MACHINE (HKLM) * HKEY_CLASSES_ROOT (HKCR), stored in HKLM and HKU * `HKEY_CURRENT_USER\Software\Classes` for settings of interactive user * `HKEY_LOCAL_MACHINE\Software\Classes` to change default settings * HKEY_CURRENT_CONFIG ## Paths These parts of the registries are called hives. They can be found under `C:\Windows\System32\Config`. * Default -> `HKEY_USERS\DEFAULT` * SAM contains account names/status/groups, hashed password, login timestamps -> `HKEY_LOCAL_MACHINE\SAM` * SECURITY -> `HKEY_LOCAL_MACHINE\Security` * SOFTWARE -> `HKEY_LOCAL_MACHINE\Software` * SYSTEM -> `HKEY_LOCAL_MACHINE\System` * `C:\Users\\` * NTUSER.DAT -> `HKEY_CURRENT_USER`, hidden file * `C:\Users\\AppData\Local\Microsoft\Windows` * USRCLASS.DAT -> `HKEY_CURRENT_USER\Sofware\CLASSES`, hidden file * `C:\Windows\AppCompat\Programs\Amcache.hve` * `C:\Windows\security\database\` * `secedit.sdb`, access control configuration ### Transaction Logs * Transaction `.LOG` of the registry hive Saved inside the same directory which is `C:\Windows\System32\Config`, as the hive which was altered. ### Backups * Saved every ten days * Look out for recently deleted or modified keys * `C:\Windows\System32\Config\RegBack` ## Data Acquisition Multiple tools with their own strengths and weaknesses should be chosen to acquire the registry data, no matter if it is a live or a copied acquisition. Commonly used tools are the following ones. * [Autopsy](https://www.autopsy.com/) * [FTK Imager](https://www.exterro.com/ftk-imager), does not copy `Amcache.hve` when `Obtain Protected Files` has been chosen, copy them manually as an export from the file tree of the chosen image [KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape), preserves directory tree. Following parts of EZTools should be taken note of. * Registry Viewer * Zimmerman's Registry Explorer, uses transaction logs as well * AppCompatCache Parser * RegRipper, cli and gui ## System Information * OS Version -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion` * Computer Name -> `SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName` * Time Zone `SYSTEM\CurrentControlSet\Control\TimeZoneInformation` * Network Interfaces -> `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces` * Past connected networks -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged` and `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed` * Services -> `SYSTEM\CurrentControlSet\Services` * Service will start at boot with `start` key value `0x02` * Users, SAM -> `SAM\Domains\Account\Users` ### Control Sets * `ControlSet001` -> last boot * `ControlSet002` -> last known good * `HKLM\SYSTEM\CurrentControlSet` -> live * Can be found under: * `SYSTEM\Select\Current` shows the used control set * `SYSTEM\Select\LastKnownGood` ## Autostart Programs * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run` * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce` * `SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce` * `SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run` * `SOFTWARE\Microsoft\Windows\CurrentVersion\Run` Run program on login for the current user ``` HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ``` Run program on login for any user ``` HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ``` Run program on login once for the current user ``` HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ``` Run program for on login once for any user ``` HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce ``` ## Recent Files Recently accessed documents can be found under the following path, e.g. xml, pdf, jpg. * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs` * Office files -> `NTUSER.DAT\Software\Microsoft\Office\VERSION`, `NTUSER.DAT\Software\Microsoft\Office\15.0\Word` * Office 365 -> `NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU` ## ShellBags Use something like shellbag explorer as a tool to display information from shellbags. * `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags` * `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU` * `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU` * `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags` ## Last Open/Saved/Visited Dialog MRUs Content of dialog windows is stored in the following folders and last visited/saved paths. * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU` * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU` * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastSavedPidlMRU` ## Explorer Address/Search Bars Registry folder which includes paths typed by the user. * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths` Registry folder which includes search queries from file explorer. * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery` ## User Assist GUI applications launched by the user (and the number of usage) listed by GUIDs can be found in the following folder. * `NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count` ## Network Network configuration can be found in the following path. * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\NetworkList` ## Domain Account Information The NT Directory Services `NTDS.dit` hive is an active directory database which contains information about the domain users. Information stored about the domain users are for example, their full name, the username the Security identifier (SID),(domain & local) group memberships, hashed passwords for user accounts, login timestamps, last set password, expiration time of the current password, security policies, OUs and connections to other domains. To get information out of the `NTDS.dit` hive, it has to be exported along with the SYSTEM hive to get the boot key of the system for decryption. Use `ntdsutil` tool to export a snapshot of the information. ```sh C:\Windows\system32\ntdsutil.exe "activate instance ntds" "ifm" "create full C:\Windows\Temp\NTDS" quit quit ``` Export the boot key of the system and use it for decryption. ```sh $BootKey = Get-BootKey -SystemHivePath 'C:\Windows\Temp\NTDS\registry\SYSTEM' Get-ADDBAccount -All -DBPath 'C:\Windows\Temp\NTDS\NTDS.dit' -BootKey $BootKey ``` ## Shim Cache Application Compatibility, AppCompatCache * `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache` * Use `AppCompatCacheParser.exe --csv -f -c ` ## AmCache * Information about recently run applications on the system * `C:\Windows\appcompat\Programs\Amcache.hve` * Last executed app -> `Amcache.hve\Root\File\{Volume GUID}\` * Saves SHA1 of the last executed app ## Background Activity Monitor/Desktop Activity Moderator BAM/DAM * Saves full path of executed apps * `SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}` * `SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}` ## Devices * Identification * USB -> `SYSTEM\CurrentControlSet\Enum\USBTOR`, `SYSTEM\CurrentControlSet\Enum\USB` * Device name -> `SOFTWARE\Microsoft\Windows Portable Devices\Devices` * First time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0064` * Last time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0066` * Last removal time -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0067` ## Tools * [Eric Zimmermann's Registry Explorer](https://ericzimmerman.github.io/#!index.md) * hivedump * hivex * [AutoRuns](https://github.com/p0w3rsh3ll/AutoRuns) to check autorun paths for persistence ```sh Get-Command -Module AutoRuns CommandType Name Version Source ----------- ---- ------- ------ Function Compare-AutoRunsBaseLine 14.0 Aut... Function Get-PSAutorun 14.0 Aut... Function New-AutoRunsBaseLine 14.0 Aut... ``` ## Clean a Dirty Hive A hive which is not closed correctly is called dirty hive. To clean a dirty hive the transaction logfile for the specific hive is needed. The path these logs are stored in is `C:\Windows\System32\config`, they are named after the hive they contain the logs for. These are not listed in the file explorer, even if you have hidden files visible. List them via `dir /a`. If a hive is loaded by a tool and the tool complains about a dirty hive, the transaction log of said hive has to be loaded as well. Extract it via FTK or KAPE alongside the hive itself.