killchain-compendium/Forensics/Windows Registration.md

Windows Registry

Regedit Keys

  • HKEY_CURRENT_USER (HKCU), inside HKU
  • HKEY_USERS (HKU)
  • HKEY_LOCAL_MACHINE (HKLM)
  • HKEY_CLASSES_ROOT (HKCR), a merged view of class data stored in HKLM and HKU
    • HKEY_CURRENT_USER\Software\Classes for the settings of the interactive user
    • HKEY_LOCAL_MACHINE\Software\Classes for the machine-wide default settings
  • HKEY_CURRENT_CONFIG

Paths

  • C:\Windows\System32\Config

    • Default -> HKEY_USERS\DEFAULT
    • SAM -> HKEY_LOCAL_MACHINE\SAM
    • SECURITY -> HKEY_LOCAL_MACHINE\Security
    • SOFTWARE -> HKEY_LOCAL_MACHINE\Software
    • SYSTEM -> HKEY_LOCAL_MACHINE\System
  • C:\Users\<username>\

    • NTUSER.DAT -> HKEY_CURRENT_USER, hidden file
  • C:\Users\<username>\AppData\Local\Microsoft\Windows

    • USRCLASS.DAT -> HKEY_CURRENT_USER\Software\Classes, hidden file
  • C:\Windows\AppCompat\Programs\Amcache.hve

Transaction Logs

  • Each hive has transaction log files named <name of registry hive>.LOG (.LOG1 and .LOG2 on current Windows versions)
  • Saved in the same directory as the hive that was altered, i.e. C:\Windows\System32\Config for the system hives
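Why the transaction logs matter when acquiring hives: a hive whose base block carries mismatched primary and secondary sequence numbers was not cleanly written, and the most recent changes only exist in its .LOG files until they are replayed. The check below is an added example, not code from the compendium; it parses the 512-byte "regf" base block (sequence numbers at offsets 4 and 8, last-written FILETIME at offset 12, embedded file name at offset 0x30, XOR checksum at offset 508) and builds a constructed header for offline testing.

```python
import struct
from datetime import datetime, timedelta, timezone

REGF_HEADER_SIZE = 512  # size of the hive base block


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def regf_checksum(header: bytes) -> int:
    """XOR of the first 508 header bytes as little-endian DWORDs, with the documented edge cases."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        xor ^= dword
    if xor == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if xor == 0:
        return 1
    return xor


def parse_base_block(header: bytes) -> dict:
    """Decode the fields an examiner needs to decide whether the .LOG files must be replayed."""
    if len(header) < REGF_HEADER_SIZE or header[:4] != b"regf":
        raise ValueError("not a registry hive base block")
    primary_seq, secondary_seq, last_written = struct.unpack_from("<IIQ", header, 4)
    stored_checksum = struct.unpack_from("<I", header, 508)[0]
    # The embedded name is a UTF-16LE string in a 64-byte field (the tail of the hive path).
    name = header[0x30:0x30 + 64].decode("utf-16-le").split("\x00", 1)[0]
    return {
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        # Mismatched sequence numbers mean the hive is "dirty": replay the transaction logs.
        "dirty": primary_seq != secondary_seq,
        "last_written": filetime_to_datetime(last_written),
        "checksum_ok": regf_checksum(header) == stored_checksum,
        "file_name": name,
    }


def inspect_hive(path: str) -> dict:
    """Read only the base block of a hive file on disk (e.g. an acquired SYSTEM hive)."""
    with open(path, "rb") as fh:
        return parse_base_block(fh.read(REGF_HEADER_SIZE))


def build_sample_header(primary_seq: int, secondary_seq: int, last_written_ft: int, name: str) -> bytes:
    """Construct a synthetic base block for testing; this is not a real hive."""
    header = bytearray(REGF_HEADER_SIZE)
    header[:4] = b"regf"
    struct.pack_into("<IIQ", header, 4, primary_seq, secondary_seq, last_written_ft)
    struct.pack_into("<IIII", header, 0x14, 1, 5, 0, 1)  # major, minor, file type, file format
    encoded = name.encode("utf-16-le")
    header[0x30:0x30 + len(encoded)] = encoded
    struct.pack_into("<I", header, 508, regf_checksum(bytes(header)))
    return bytes(header)


if __name__ == "__main__":
    # Constructed sample: a SYSTEM hive whose last transaction was not flushed.
    info = parse_base_block(build_sample_header(7, 6, 116444736000000000, "SYSTEM"))
    print(info)
```

On a live system the hives under C:\Windows\System32\Config are almost always dirty, so a tool that ignores the logs (see the Data Acquisition list) can miss the most recent key changes.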

Backups

  • Saved every ten days
  • Look out for recently deleted or modified keys
  • C:\Windows\System32\Config\RegBack

Data Acquisition

  • Tools
    • Autopsy
    • FTK Imager, does not copy Amcache.hve
    • KAPE, preserves directory tree
    • Registry Viewer
    • Zimmerman's Registry Explorer, uses transaction logs as well
      • AppCompatCache Parser
    • RegRipper, CLI and GUI

System Information

  • OS Version -> SOFTWARE\Microsoft\Windows NT\CurrentVersion
  • Computer Name -> SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
  • Time Zone -> SYSTEM\CurrentControlSet\Control\TimeZoneInformation
  • Network Interfaces -> SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
  • Past connected networks -> SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged and SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
  • Services -> SYSTEM\CurrentControlSet\Services
    • A service with a Start value of 0x02 (Automatic) starts at boot
  • Users, SAM -> SAM\Domains\Account\Users

Control Sets

  • ControlSet001 -> last boot
  • ControlSet002 -> last known good
  • HKLM\SYSTEM\CurrentControlSet -> live
  • Which one is in use can be found under:
    • SYSTEM\Select\Current shows the control set currently used
    • SYSTEM\Select\LastKnownGood

Autostart Programs

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Run program on login

  • For the current user -> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • For any user -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • Once, for the current user -> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • Once, for any user -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Recent Files

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs, with one subkey per extension, e.g. .xml, .pdf, .jpg
  • Office files -> NTUSER.DAT\Software\Microsoft\Office\VERSION, e.g. NTUSER.DAT\Software\Microsoft\Office\15.0\Word
  • Office 365 -> NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU

ShellBags

  • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
  • USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  • NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
  • NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

Last Open/Saved/Visited Dialog MRUs

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU
  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

Explorer Address/Search Bars

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

User Assist

  • GUI applications launched by the user
  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
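The value names under the Count subkeys are ROT13-encoded and, from Windows 7 onwards, each value is a 72-byte record (run count at offset 4, focus count at offset 8, focus time in milliseconds at offset 12, FILETIME of the last execution at offset 60). The parser below is an added example, not part of the compendium; the sample record it builds is constructed, and it assumes the Windows 7+ layout (the 16-byte XP format is skipped rather than decoded).

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

ENTRY_SIZE = 72  # Windows 7+ UserAssist Count record
EPOCH_FT = 116444736000000000  # FILETIME of 1970-01-01 UTC, used only to build sample timestamps


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def decode_userassist_name(value_name: str) -> str:
    """Value names under UserAssist\\{GUID}\\Count are ROT13-encoded program paths."""
    return codecs.decode(value_name, "rot_13")


def parse_userassist_entry(value_name: str, data: bytes) -> dict:
    """Decode one Count value into the fields an examiner reports."""
    if len(data) != ENTRY_SIZE:
        raise ValueError("unexpected UserAssist record size: %d" % len(data))
    _session_id, run_count, focus_count, focus_time_ms = struct.unpack_from("<IIII", data, 0)
    last_run_ft = struct.unpack_from("<Q", data, 60)[0]
    return {
        "program": decode_userassist_name(value_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_time_ms),
        # A zero FILETIME means the entry was never executed (e.g. only counted).
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def parse_count_key(values: dict) -> list:
    """values maps raw value name -> data for one Count subkey; returns entries, most recent first.

    Records of other sizes (the UEME_CTLSESSION bookkeeping value, XP-format entries) are skipped.
    """
    entries = [parse_userassist_entry(name, data) for name, data in values.items() if len(data) == ENTRY_SIZE]
    never = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return sorted(entries, key=lambda e: e["last_run"] or never, reverse=True)


def build_sample_entry(run_count: int, focus_count: int, focus_time_ms: int, last_run_ft: int) -> bytes:
    """Construct a synthetic 72-byte record for testing (not data from a real hive)."""
    data = bytearray(ENTRY_SIZE)
    struct.pack_into("<IIII", data, 0, 0, run_count, focus_count, focus_time_ms)
    struct.pack_into("<Q", data, 60, last_run_ft)
    return bytes(data)


if __name__ == "__main__":
    # Constructed Count subkey: one ROT13 name for C:\Windows\System32\calc.exe, run 5 times.
    sample = {"P:\\Jvaqbjf\\Flfgrz32\\pnyp.rkr": build_sample_entry(5, 2, 90000, EPOCH_FT + 864000000000)}
    for entry in parse_count_key(sample):
        print(entry)
```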

Shim Cache

  • Application Compatibility cache (AppCompatCache)
  • SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
  • Use AppCompatCacheParser.exe --csv <directory to save output> -f <path to the SYSTEM hive to parse> -c <control set to parse>

AmCache

  • Information about recently run applications on the system
  • C:\Windows\appcompat\Programs\Amcache.hve
  • Last executed app -> Amcache.hve\Root\File\{Volume GUID}\
  • Saves the SHA1 hash of the last executed app

Background Activity Monitor/Desktop Activity Moderator BAM/DAM

  • Saves full path of executed apps
  • SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
  • SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}

Devices

  • Identification
    • USB -> SYSTEM\CurrentControlSet\Enum\USBSTOR, SYSTEM\CurrentControlSet\Enum\USB
  • Device name -> SOFTWARE\Microsoft\Windows Portable Devices\Devices
  • First time connected -> SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0064
  • Last time connected -> SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0066
  • Last removal time -> SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0067
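Both the BAM/DAM section and the device properties above come down to FILETIME values stored under predictable key paths: a BAM/DAM UserSettings\{SID} value is named after the executed program's full path and holds a 24-byte blob whose first 8 bytes are the last-execution FILETIME, and the 0064/0066/0067 properties are 8-byte FILETIMEs. The script below is an added example, not code from the compendium; it merges both artifacts into one sorted timeline from constructed records shaped like a SYSTEM hive export (key path, value name, raw data). It also accepts the newer bam\State\UserSettings path layout; the SID, serial and volume names are made up.

```python
import struct
from collections import namedtuple
from datetime import datetime, timedelta, timezone

DEVICE_PROPERTY_KEY = "{83da6326-97a6-4088-9453-a19231573b29}"
USB_TIMESTAMP_PROPERTIES = {"0064": "first connected", "0066": "last connected", "0067": "last removed"}
EPOCH_FT = 116444736000000000  # FILETIME of 1970-01-01 UTC, used only to build sample data
DAY_FT = 864_000_000_000        # one day in 100 ns ticks

Event = namedtuple("Event", "when artifact subject detail")


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_bam_value(data: bytes) -> datetime:
    """A BAM/DAM program value is 24 bytes; the FILETIME of the last execution is at offset 0."""
    if len(data) != 24:
        raise ValueError("unexpected BAM value size: %d" % len(data))
    return filetime_to_datetime(struct.unpack_from("<Q", data, 0)[0])


def bam_service(parts: list):
    """Return 'bam' or 'dam' if the key is a UserSettings\\{SID} key of either service, else None."""
    if len(parts) < 3 or parts[-2] != "UserSettings":
        return None
    svc = parts[-4] if parts[-3] == "State" and len(parts) >= 4 else parts[-3]
    return svc.lower() if svc.lower() in ("bam", "dam") else None


def build_timeline(records) -> list:
    """records: iterable of (key_path, value_name, raw_bytes). Returns Events sorted by time."""
    events = []
    for key_path, value_name, data in records:
        parts = key_path.split("\\")
        svc = bam_service(parts)
        if svc:
            if "\\" not in value_name:  # Version, SequenceNumber etc. are bookkeeping, not programs
                continue
            events.append(Event(parse_bam_value(data), svc.upper() + " last run", "user " + parts[-1], value_name))
        elif len(parts) >= 5 and parts[-2] == DEVICE_PROPERTY_KEY and parts[-1] in USB_TIMESTAMP_PROPERTIES:
            # ...\USBSTOR\<device id>\<serial>\Properties\{GUID}\00xx, default value holds the FILETIME
            when = filetime_to_datetime(struct.unpack("<Q", data)[0])
            events.append(Event(when, "USB " + USB_TIMESTAMP_PROPERTIES[parts[-1]], parts[-5], "serial " + parts[-4]))
    return sorted(events)


# Constructed sample records (not from a real system).
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
BAM_KEY = "SYSTEM\\CurrentControlSet\\Services\\bam\\UserSettings\\" + SID
USB_KEY = ("SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_Example&Prod_Flash&Rev_1.00\\"
           "EXAMPLESERIAL0001&0\\Properties\\" + DEVICE_PROPERTY_KEY)
SAMPLE_RECORDS = [
    (BAM_KEY, "Version", struct.pack("<I", 1)),
    (BAM_KEY, "\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe", struct.pack("<Q", EPOCH_FT + 2 * DAY_FT) + bytes(16)),
    (USB_KEY + "\\0064", "", struct.pack("<Q", EPOCH_FT + 1 * DAY_FT)),
    (USB_KEY + "\\0066", "", struct.pack("<Q", EPOCH_FT + 3 * DAY_FT)),
    (USB_KEY + "\\0067", "", struct.pack("<Q", EPOCH_FT + 3 * DAY_FT + 36_000_000_000)),
]

if __name__ == "__main__":
    for event in build_timeline(SAMPLE_RECORDS):
        print(event.when.isoformat(), event.artifact, event.subject, event.detail)
```

Correlating the two artifacts this way shows whether a program run recorded by BAM falls inside the window between a device's last-connected and last-removed timestamps.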

Tools

    PS> Get-Command -Module AutoRuns

    CommandType     Name                                               Version    Source
    -----------     ----                                               -------    ------
    Function        Compare-AutoRunsBaseLine                           14.0       Aut...
    Function        Get-PSAutorun                                      14.0       Aut...
    Function        New-AutoRunsBaseLine                               14.0       Aut...