# Windows Registry

* [Windows Forensics Cheat Sheet](https://user-images.githubusercontent.com/58165365/157232143-3c8785ec-164b-4843-bde8-9d9a22350159.png)

## Regedit Keys

* HKEY_CURRENT_USER (HKCU), inside HKU
* HKEY_USERS (HKU)
* HKEY_LOCAL_MACHINE (HKLM)
* HKEY_CLASSES_ROOT (HKCR), stored in HKLM and HKU
    * `HKEY_CURRENT_USER\Software\Classes` for settings of the interactive user
    * `HKEY_LOCAL_MACHINE\Software\Classes` to change the default settings
* HKEY_CURRENT_CONFIG

## Paths

These parts of the registry are called hives. They can be found under the following paths.

* `C:\Windows\System32\Config`
    * Default -> `HKEY_USERS\DEFAULT`
    * SAM -> `HKEY_LOCAL_MACHINE\SAM`
    * SECURITY -> `HKEY_LOCAL_MACHINE\Security`
    * SOFTWARE -> `HKEY_LOCAL_MACHINE\Software`
    * SYSTEM -> `HKEY_LOCAL_MACHINE\System`
* `C:\Users\<username>\`
    * NTUSER.DAT -> `HKEY_CURRENT_USER`, hidden file
* `C:\Users\<username>\AppData\Local\Microsoft\Windows`
    * USRCLASS.DAT -> `HKEY_CURRENT_USER\Software\Classes`, hidden file
* `C:\Windows\AppCompat\Programs\Amcache.hve`

### Transaction Logs

* The transaction `.LOG` files of a registry hive are saved in the same directory as the hive which was altered, which is `C:\Windows\System32\Config`.

### Backups

* Saved every ten days
* Look out for recently deleted or modified keys
* `C:\Windows\System32\Config\RegBack`

## Data Acquisition

Multiple tools with their own strengths and weaknesses should be chosen to acquire the registry data, no matter if it is a live or a copied acquisition. Commonly used tools are the following ones.

* [Autopsy](https://www.autopsy.com/)
* [FTK Imager](https://www.exterro.com/ftk-imager), does not copy `Amcache.hve` when `Obtain Protected Files` has been chosen; copy it manually as an export from the file tree of the chosen image
* [KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape), preserves the directory tree

The following parts of EZTools should be taken note of.

* Registry Viewer
* Zimmerman's Registry Explorer, uses transaction logs as well
* AppCompatCache Parser
* RegRipper, CLI and GUI

## System Information

* OS Version -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion`
* Computer Name -> `SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName`
* Time Zone -> `SYSTEM\CurrentControlSet\Control\TimeZoneInformation`
* Network Interfaces -> `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`
* Past connected networks -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged` and `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed`
* Services -> `SYSTEM\CurrentControlSet\Services`
    * A service will start at boot when its `Start` value is `0x02`
* Users, SAM -> `SAM\Domains\Account\Users`

### Control Sets

* `ControlSet001` -> last boot
* `ControlSet002` -> last known good
* `HKLM\SYSTEM\CurrentControlSet` -> live
* Which control set is in use can be found under:
    * `SYSTEM\Select\Current` shows the used control set
    * `SYSTEM\Select\LastKnownGood`

## Autostart Programs

* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\Run`

Run program on login for the current user

```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
```

Run program on login for any user

```
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
```

Run program on login once for the current user

```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
```

Run program on login once for any user

```
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
```

## Recent Files

Recently accessed documents (e.g. xml, pdf, jpg) can be found under the following paths.
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`
* Office files -> `NTUSER.DAT\Software\Microsoft\Office\VERSION`, e.g. `NTUSER.DAT\Software\Microsoft\Office\15.0\Word`
* Office 365 -> `NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU`

## ShellBags

* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags`
* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags`

## Last Open/Saved/Visited Dialog MRUs

* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU`

## Explorer Address/Search Bars

Registry key which includes the paths typed by the user into the address bar.

* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths`

Registry key which includes the search queries entered in File Explorer.

* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery`

## User Assist

GUI applications launched by the user

* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count`

## Shim Cache

Application Compatibility, AppCompatCache

* `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache`
* Use `AppCompatCacheParser.exe --csv <output directory> -f <SYSTEM hive> -c <ControlSet number>`

### AmCache

* Information about recently run applications on the system
* `C:\Windows\appcompat\Programs\Amcache.hve`
* Last executed app -> `Amcache.hve\Root\File\{Volume GUID}\`
* Saves the SHA1 of the last executed app

## Background Activity Monitor/Desktop Activity Moderator

BAM/DAM

* Saves the full path of executed apps
* `SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}`
* `SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}`

## Devices

* Identification
    * USB -> `SYSTEM\CurrentControlSet\Enum\USBSTOR`, `SYSTEM\CurrentControlSet\Enum\USB`
    * Device name -> `SOFTWARE\Microsoft\Windows Portable Devices\Devices`
* First time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0064`
* Last time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0066`
* Last removal time -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0067`

## Tools

* [Eric Zimmerman's Registry Explorer](https://ericzimmerman.github.io/#!index.md)
* hivedump
* hivex
* [AutoRuns](https://github.com/p0w3rsh3ll/AutoRuns) to check autorun paths for persistence

```powershell
Get-Command -Module AutoRuns

CommandType     Name                          Version    Source
-----------     ----                          -------    ------
Function        Compare-AutoRunsBaseLine      14.0       Aut...
Function        Get-PSAutorun                 14.0       Aut...
Function        New-AutoRunsBaseLine          14.0       Aut...
```

## Clean a Dirty Hive

A hive which was not closed correctly is called a dirty hive. To clean a dirty hive, the transaction log file for that specific hive is needed. These logs are stored in `C:\Windows\System32\config` and are named after the hive they contain the logs for. They are not listed in the file explorer, even if hidden files are visible; list them via `dir /a`. If a hive is loaded by a tool and the tool complains about a dirty hive, the transaction log of said hive has to be loaded as well. Extract it via FTK or KAPE alongside the hive itself.
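The User Assist and BAM/DAM sections above give only the key paths; what a tool such as Registry Explorer or RegRipper shows is the decoded content of the values under those keys. The following Python is an added example (not code from the cheat sheet or from any of the tools it lists) that decodes both value formats once the raw names and data have been read with any hive parser. It relies on two documented layouts: UserAssist value names are ROT13-encoded program paths and, on Windows 7 and later, their data is a 72-byte record with the run count at offset 4, the focus count at offset 8, the focus time in milliseconds at offset 12 and the last-run FILETIME at offset 60; BAM values are named with the device path of the executable and carry a 24-byte record whose first 8 bytes are the last-execution FILETIME. The value names and blobs below are constructed sample data, not captured from a real system.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def decode_userassist_entry(value_name: str, data: bytes) -> dict:
    r"""Decode one value under ...\Explorer\UserAssist\{GUID}\Count.

    The value name is the program path ROT13-encoded; the data is the 72-byte
    Windows 7+ record: session id, run count, focus count and focus time (ms)
    as DWORDs at offsets 0-15, and the last-run FILETIME at offset 60.
    """
    if len(data) != 72:
        raise ValueError("unexpected UserAssist record size %d" % len(data))
    session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    last_run_ft = struct.unpack_from("<Q", data, 60)[0]
    return {
        "program": codecs.decode(value_name, "rot_13"),
        "session": session,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def decode_bam_entries(values: dict) -> list:
    r"""Decode the values of one ...\Services\bam\UserSettings\{SID} key.

    Each execution record is a 24-byte value named with the device path of the
    executable; the first 8 bytes are the last-execution FILETIME. Metadata
    values such as Version and SequenceNumber are DWORDs and are skipped.
    """
    entries = []
    for name, data in values.items():
        if len(data) != 24:
            continue
        ft = struct.unpack_from("<Q", data, 0)[0]
        entries.append({"path": name, "last_run": filetime_to_datetime(ft)})
    return sorted(entries, key=lambda e: e["last_run"])


# ---- constructed sample data (not captured from a real system) ----
FT_NOON = 132912144000000000        # 2022-03-08T12:00:00Z as FILETIME
FT_ONE_PM = FT_NOON + 3600 * 10**7  # one hour later


def build_userassist_record(run_count, focus_count, focus_ms, last_run_ft) -> bytes:
    """Build a 72-byte UserAssist record with the fields the decoder reads."""
    blob = bytearray(72)
    struct.pack_into("<IIII", blob, 0, 0, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", blob, 60, last_run_ft)
    return bytes(blob)


def build_bam_record(last_run_ft) -> bytes:
    """Build a 24-byte BAM record: FILETIME followed by 16 unused bytes."""
    return struct.pack("<Q", last_run_ft) + bytes(16)


SAMPLE_USERASSIST_NAME = codecs.encode(
    r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe", "rot_13")
SAMPLE_USERASSIST_DATA = build_userassist_record(3, 2, 90_000, FT_NOON)

SAMPLE_BAM_VALUES = {
    "Version": (2).to_bytes(4, "little"),
    "SequenceNumber": (5).to_bytes(4, "little"),
    r"\Device\HarddiskVolume3\Users\alice\Downloads\tool.exe": build_bam_record(FT_ONE_PM),
    r"\Device\HarddiskVolume3\Windows\System32\notepad.exe": build_bam_record(FT_NOON),
}

if __name__ == "__main__":
    print(decode_userassist_entry(SAMPLE_USERASSIST_NAME, SAMPLE_USERASSIST_DATA))
    for entry in decode_bam_entries(SAMPLE_BAM_VALUES):
        print(entry["last_run"].isoformat(), entry["path"])
```

The same `filetime_to_datetime` conversion applies to the USB `0064`/`0066`/`0067` property values listed under Devices, which are plain 8-byte FILETIMEs. A zero FILETIME in a UserAssist record is reported as `None` rather than as a date in 1601, which is the usual sign that the entry was never launched from the GUI on this system.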
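Whether a hive is dirty can be checked before loading it into a tool, which is useful when deciding which `.LOG` files to export alongside it. The Python below is an added example (not code from the cheat sheet) that reads the 4096-byte REGF base block at the start of every hive file. It relies on the documented base block layout: the `regf` signature at offset 0, the primary and secondary sequence numbers at offsets 4 and 8, the last-written FILETIME at offset 12 and the XOR-32 checksum of the first 508 bytes at offset 508. Windows increments the primary sequence number before a flush and the secondary one after it completes, so a hive whose two numbers differ still has changes sitting only in its transaction logs, which is exactly the "dirty hive" a tool complains about. The sample headers are constructed in code; `inspect_hive` runs the same check on an exported hive file.

```python
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 4096  # the REGF base block is always one 4 KiB page
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample timestamp, not from a real hive: 2022-03-08T12:00:00Z as FILETIME
SAMPLE_LAST_WRITTEN_FT = 132912144000000000


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def regf_checksum(header: bytes) -> int:
    """XOR of the first 127 DWORDs (offsets 0..507) of the base block; the two
    reserved results 0xFFFFFFFF and 0 are remapped to 0xFFFFFFFE and 1."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        xor ^= dword
    if xor == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if xor == 0:
        return 1
    return xor


def parse_base_block(header: bytes) -> dict:
    """Read the base block fields that decide whether a hive is clean or dirty."""
    if len(header) < BASE_BLOCK_SIZE or header[:4] != b"regf":
        raise ValueError("not a REGF base block")
    primary_seq, secondary_seq, last_written = struct.unpack_from("<IIQ", header, 4)
    stored_checksum = struct.unpack_from("<I", header, 508)[0]
    return {
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        "last_written": filetime_to_datetime(last_written),
        "checksum_ok": stored_checksum == regf_checksum(header),
        # Unequal sequence numbers: a flush never completed, so the .LOG files
        # still hold changes that were not written back into the hive.
        "dirty": primary_seq != secondary_seq,
    }


def inspect_hive(path: str) -> dict:
    """Run the check against an exported hive such as SYSTEM or NTUSER.DAT."""
    with open(path, "rb") as fh:
        return parse_base_block(fh.read(BASE_BLOCK_SIZE))


def build_sample_header(primary_seq: int, secondary_seq: int, last_written_ft: int) -> bytes:
    """Constructed sample base block for offline testing: only the fields the
    parser reads are populated, and the checksum is recomputed to match."""
    header = bytearray(BASE_BLOCK_SIZE)
    header[:4] = b"regf"
    struct.pack_into("<IIQ", header, 4, primary_seq, secondary_seq, last_written_ft)
    struct.pack_into("<I", header, 508, regf_checksum(bytes(header)))
    return bytes(header)


if __name__ == "__main__":
    for label, hdr in (("clean", build_sample_header(7, 7, SAMPLE_LAST_WRITTEN_FT)),
                       ("dirty", build_sample_header(8, 7, SAMPLE_LAST_WRITTEN_FT))):
        print(label, parse_base_block(hdr))
```

A failing checksum points at a truncated or corrupted export rather than at a dirty hive; in that case re-acquire the file instead of trying to replay logs into it. The `last_written` timestamp is the last time the hive itself was flushed, which is worth recording next to the acquisition time to show how fresh the copy is.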