Registry Artifact Locations - Foren-Ken/tech-journal GitHub Wiki
All Discoverable Using Registry Explorer v2.0.0.0
SAM
| Name | Location | Purpose |
|---|---|---|
| Users | SAM\Domains\Account\Users | Contains all the user accounts, last login, user ID (RID), Total Login Counts, Last Login, Last Incorrect Login, and much more account details. |
| Aliases | SAM\Domains\Builtin\Aliases | Contains all groups, a comment for the group (if there is one), and every user who falls in each group. A single user can be within multiple groups. |
SYSTEM
| Name | Location | Purpose |
|---|---|---|
| Interfaces | ControlSet001\services\Tcpip\Parameters\Interfaces | Provides information on the IP, DHCP, and DHCP lease. |
| ComputerName | ControlSet001\Control\ComputerName\ComputerName | Provides information on host name of the device. |
| DeviceClasses | ControlSet001\Control\DeviceClasses | Contains information on volumes, storage devices, and serial numbers on those items. |
| DomainProfile | ControlSet001\Services\ SharedAccess\Parameters\FirewallPolicy\DomainProfile | Shows if the firewall is active for domain joined devices. |
| StandardProfile | ControlSet001\Services\ SharedAccess\Parameters\FirewallPolicy\StandardProfile | Shows if the firewall is active for non-domain joined devices. |
| Memory Management | ControlSet001\Control\Session Manager\Memory | Contains information about how the memory is managed on a device. "ClearPageFileAtShutdown" is located here and may provide forensic value by showing if PageFiles should be looked for (since it can confirm if its not cleared at shutdown). |
| Windows | ControlSet001\Control\Windows | Contains a great deal of information related to Windows running and common running statistics. |
SECURITY
| Name | Location | Purpose |
|---|---|---|
SOFTWARE
| Name | Location | Purpose |
|---|---|---|
| CurrentVersion | Microsoft\Windows NT\CurrentVersion | Offers information on CurrentVersion, CurrentBuild, SoftwareType, RegisteredOrganization, RegisteredOwner, and other Windows information which software may need to know to work. |
| VolumeInfoCache | Microsoft\Windows Search\VolumeInfoCache | Contains information on mounted devices. Displays device name and which drive which the volume was mounted on. |
| NetworkList | Microsoft\Windows NT\CurrentVersion\NetworkList | Contains information on the network which the device was connected to. |
NTUSER.DAT (Per Account)
| Name | Location | Purpose |
|---|---|---|
| Count | Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count | Contains information on the programs ran by the user of the specific account which the NTUSER.DAT file exists within. This includes run count, focus count, focus time, and last executed along with the name of the program. |
| Count | Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count | Contains evidence of LNK files for certain files existing. The different items within the {} may help prove knowledge or understanding of certain applications. |