Window Registry Basics - Foren-Ken/tech-journal GitHub Wiki
Why Windows Registry?
This is the treasure trove. The Windows Registry contains configuration information for most programs installed on the Windows machine, so a large majority of forensic artifacts can be discovered within it. The only issue is the sheer amount of information, but tools exist to help with this. Beyond normal software configuration, the Windows Registry also contains information about the user's preferences and most commonly opened files and programs, and it aids in making the Windows operating system easier to use.
The Windows Registry is made of keys, values, and hives. A hive is a combination of keys, subkeys, and values. Keys are like the folders of the registry and can contain further keys within them. Values are the stored variables within the registry, many of them holding configuration information for both software and the Windows OS itself.
Hive files on disk: C:\Windows\System32\Config
Hive | Usage |
---|---|
HKEY_USERS | This hive contains information about users that have logged into the Windows machine. Whenever a new user logs into the computer, a new profile hive within HKEY_USERS will be created. If a user's account has been made, but has not been logged into, there will be no profile in HKEY_USERS. |
HKEY_CURRENT_USER | Like the name suggests, this hive stores information about the currently logged-in user. The \Users\%USERNAME%\NTUSER.DAT file is stored in this hive. |
HKEY_LOCAL_MACHINE | Bulk storage for information within the Registry. SAM, SECURITY, SOFTWARE, and the SYSTEM hive are all stored within here. |
HKEY_CURRENT_CONFIG | This hive is responsible for hardware profile information related to the computer's startup. The following is contained within this hive: System, System.alt, and System.log. |
HKEY_CLASSES_ROOT | This is found as a subkey of HKEY_LOCAL_MACHINE\SOFTWARE. This HKEY contains information about programs to ensure the correct program opens from Windows Explorer. This HKEY information is overridden by any preferences in HKCU. |
For the basics, the scope is limited to the following hives:
HKEY_LOCAL_MACHINE\SAM
or \system32\config\Sam
HKEY_LOCAL_MACHINE\SECURITY
or \system32\config\Security
Security Accounts Manager (SAM) Artifacts:
Artifacts | Uses |
---|---|
SAM\Domains\Accounts\Users | This artifact provides multiple uses. The RID of the user, Last Login, Last Password Change, Account Comments, and Password hints can all be found through this artifact. |
SAM\Domains\Accounts\Users\Names[Hexadecimal Representation of RID] | This artifact shows certain elements of the account. Here, the user's profile tile can be discovered, which will link to a file in the filesystem. |
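The two SAM artifacts above point at the same per-user data: each account has a subkey named with its RID in hexadecimal, and that subkey's binary "F" value holds the RID and the Last Login / Last Password Change timestamps as Windows FILETIMEs. The following is an added example, not code from the wiki, that decodes those pieces. The field offsets inside F are the ones commonly used by SAM parsers and are treated here as an assumption; verify them against your own hive. The sample F value is constructed in the block, not taken from a real system.

```python
# Added example: decode a SAM per-user key name and its binary "F" value.
# Offsets inside F are assumed (commonly documented by SAM parsers), not from the wiki.
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumed little-endian layout of the F value
F_OFF_LAST_LOGON = 0x08     # FILETIME
F_OFF_PW_CHANGE = 0x18      # FILETIME
F_OFF_ACCT_EXPIRES = 0x20   # FILETIME
F_OFF_LAST_FAILED = 0x28    # FILETIME
F_OFF_RID = 0x30            # uint32
F_OFF_FLAGS = 0x38          # uint16 account-control flags


def rid_to_key_name(rid: int) -> str:
    """Per-user subkey name under ...\\Users: the RID as 8 upper-case hex digits."""
    return f"{rid:08X}"


def key_name_to_rid(name: str) -> int:
    """Reverse of rid_to_key_name."""
    return int(name, 16)


def filetime_to_datetime(ft: int):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC. 0 and the max value mean 'never'."""
    if ft == 0 or ft == 0x7FFFFFFFFFFFFFFF:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_f_value(f: bytes) -> dict:
    """Pull the RID, timestamps and two common flags out of a raw F value."""
    if len(f) < F_OFF_FLAGS + 2:
        raise ValueError("F value too short")

    def ft(off: int) -> int:
        return struct.unpack_from("<Q", f, off)[0]

    rid = struct.unpack_from("<I", f, F_OFF_RID)[0]
    flags = struct.unpack_from("<H", f, F_OFF_FLAGS)[0]
    return {
        "rid": rid,
        "key_name": rid_to_key_name(rid),
        "last_logon": filetime_to_datetime(ft(F_OFF_LAST_LOGON)),
        "last_password_change": filetime_to_datetime(ft(F_OFF_PW_CHANGE)),
        "account_expires": filetime_to_datetime(ft(F_OFF_ACCT_EXPIRES)),
        "last_failed_logon": filetime_to_datetime(ft(F_OFF_LAST_FAILED)),
        "disabled": bool(flags & 0x0001),
        "password_never_expires": bool(flags & 0x0200),
    }


def build_sample_f(rid: int, last_logon: datetime, pw_change: datetime, flags: int) -> bytes:
    """Constructed sample F value for demonstration (not a real hive dump)."""
    buf = bytearray(0x50)
    struct.pack_into("<Q", buf, F_OFF_LAST_LOGON, datetime_to_filetime(last_logon))
    struct.pack_into("<Q", buf, F_OFF_PW_CHANGE, datetime_to_filetime(pw_change))
    struct.pack_into("<I", buf, F_OFF_RID, rid)
    struct.pack_into("<H", buf, F_OFF_FLAGS, flags)
    return bytes(buf)


# Constructed sample: RID 1000, normal account with "password never expires" set (0x0210)
SAMPLE_F = build_sample_f(
    1000,
    datetime(2020, 1, 1, tzinfo=timezone.utc),
    datetime(2019, 6, 15, 12, 30, tzinfo=timezone.utc),
    0x0210,
)

if __name__ == "__main__":
    print(parse_f_value(SAMPLE_F))
```

A timestamp of zero is reported as None rather than as 1601-01-01, which is the usual sign that the account has never logged on or had its password changed.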
SECURITY Artifacts:
Artifacts | Uses |
---|---|
SECURITY\Policy\PolAcDmN | This key contains the hostname of the machine, also known as the machine name. |
SECURITY\Policy\PolAcDmS | This artifact contains the SID for the system. The SID gathering method is listed at the end of the document. |
SECURITY\Policy\PolDnDDN | This artifact contains the domain name which the system is within. |
SECURITY\Policy\PolPrDmS | This artifact contains the SID for the domain. The SID gathering method is listed at the end of the document. |
SID Gathering Method:
Take the hexadecimal value found in either "PolAcDmS" or "PolPrDmS" and apply the following method:
XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX
Transform Into:
XX- (Read as is)
XX-XX-XX- (Ignore)
XX-XX-XX-XX- (Read right to left)
XX-XX-XX-XX- (Read left to right)
XX-XX-XX-XX- (Read right to left)
XX-XX-XX-XX- (Read right to left)
XX-XX-XX-XX (Read right to left)
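The hand method above is the binary SID layout that Windows documents: one revision byte, one byte giving the number of sub-authorities, a 6-byte big-endian identifier authority (the "5" in S-1-5-...), then one 4-byte little-endian sub-authority per count. The following is an added example, not code from the wiki, that turns the PolAcDmS / PolPrDmS bytes into the familiar S-1-5-21-... string. It goes slightly beyond the 24-byte shape shown above: because it honours the count byte (the first of the bytes the manual method ignores), it handles SIDs with any number of sub-authorities. Note that every sub-authority, including the first one, is little-endian, so each 4-byte group is read right to left in the hex dump. The sample dump is constructed, not taken from a real machine.

```python
# Added example: decode a binary SID as stored in SECURITY\Policy\PolAcDmS or PolPrDmS.
# Follows the documented SID layout; the sample bytes are constructed for illustration.
import struct


def parse_binary_sid(data: bytes) -> str:
    """Return the S-R-A-S1-S2-... string form of a raw binary SID."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision = data[0]          # byte 0: read as is
    count = data[1]             # byte 1: number of 4-byte sub-authorities that follow
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(data) < 8 + 4 * count:
        raise ValueError("SID truncated: fewer sub-authorities than the count byte claims")
    # bytes 2-7: identifier authority, 48-bit big-endian (read left to right)
    authority = int.from_bytes(data[2:8], "big")
    # bytes 8..: sub-authorities, 32-bit little-endian (read right to left in a dump)
    subs = struct.unpack_from(f"<{count}I", data, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_from_hex_dump(text: str) -> str:
    """Accept a dash-, comma- or space-separated hex dump as a registry viewer shows it."""
    tokens = text.replace("-", " ").replace(",", " ").split()
    return parse_binary_sid(bytes(int(t, 16) for t in tokens))


def domain_sid_of(sid: str) -> str:
    """Strip the last sub-authority (the RID) to get the issuing machine/domain SID."""
    return sid.rsplit("-", 1)[0]


# Constructed sample: a machine SID with four sub-authorities (24 bytes, matching the
# XX-XX-... pattern above). Not a real value.
SAMPLE_DUMP = "01 04 00 00 00 00 00 05 15 00 00 00 78 56 34 12 F0 DE BC 9A 00 04 00 00"

if __name__ == "__main__":
    print(sid_from_hex_dump(SAMPLE_DUMP))
```

Comparing the string from PolAcDmS with the one from PolPrDmS tells you whether the system SID and the domain SID differ, which they will on a domain-joined machine.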