Registry Hives - nurit-cyber/OperatingSystemForensics GitHub Wiki

HKLM

SAM

Local user accounts live under SAM\Domains\Account\Users. Each account key holds two binary values:

F value (local accounts): fixed-size account metadata, chiefly the timestamps (last logon, last password change, account expiry, last failed logon) plus the logon count and account flags.

F value (Microsoft accounts): the logon timestamps are not cached locally, so those fields are not a reliable record of use for an online account.

V value: everything else about the user (username, full name, comment, home directory and profile paths, and the password hash data).

Users are stored in subkeys named by their relative ID (RID) written as eight hex digits, e.g. 000003E8 for RID 1000; the Names subkey maps usernames back to RIDs.

- Microsoft accounts are not stored permanently on the local device; the account itself lives in Microsoft's online databases.

Domain log-ons are cached on the machine (SECURITY\Cache, values NL$1..NL$n). Depending on how the network and domain are set up, users can log on from that cached logon information when no domain controller is reachable; this is also the basis for pass-through authentication and single sign-on (SSO).

SECURITY

Machine Name/SID: the local machine's account domain name and SID (SECURITY\Policy\PolAcDmN and PolAcDmS); every local account SID is this SID followed by the account's RID.

Domain Name/SID: the network (primary) domain's name and SID (SECURITY\Policy\PolPrDmN and PolPrDmS). Left empty on a machine that is not joined to a domain.

SYSTEM

CurrentControlSet: a volatile, virtual key that is a link to one of the numbered control sets (ControlSet001, ControlSet002, ...). It does not exist in an offline hive; read the REG_DWORD at HKEY_LOCAL_MACHINE\SYSTEM\Select > Current to learn which ControlSet00N is the active one (Select also records Default, Failed and LastKnownGood).

OS details

Service Packs

Edition, build and service pack level are in the SOFTWARE hive rather than SYSTEM: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion (ProductName, CurrentBuild, CSDVersion for the service pack, InstallDate as a Unix epoch DWORD).

Computer Name

HKLM\SYSTEM\CurrentControlSet[#]\Control\ComputerName\ComputerName > ComputerName

Last Shut Down Time

XP & 7 (the value is still written by later versions)

HKLM\SYSTEM\CurrentControlSet[#]\Control\Windows > ShutdownTime (REG_BINARY holding a 64-bit FILETIME)

If the installation date appears to be after the last shutdown time, it is because the InstallDate value is reset by upgrades and so records the most recent upgrade rather than the original installation; on Windows 8+ this can produce an install date that is later than the last time Windows was shut down.

How to find the actual install time: SAM\Domains\Account > F value, bytes at offset 0x08 to 0x0F. Highlight those eight bytes in the hex viewer and use its date interpreter set to a 64-bit Windows FILETIME rather than a 32-bit Unix time. This is the creation time of the SAM account domain, which is written at installation and survives upgrades.
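The two lookups above (pick the live control set from Select > Current, then decode the 64-bit FILETIME stamps in ShutdownTime and in the SAM F value) as a worked example. This is an added example, not code from the wiki; it runs against a constructed in-memory stand-in for the hives (a dict of key path to value data) so it works offline. With a real image you would read the same paths with a hive parser such as python-registry and pass in the raw REG_BINARY/REG_DWORD data; the sample dates are invented.

```python
"""Resolve the active control set and decode FILETIME stamps from SYSTEM and SAM."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Union

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC, 8 bytes little-endian.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

Hive = Dict[str, Union[int, bytes]]   # constructed stand-in: "HIVE\\Key\\Value" -> data


def filetime_to_datetime(raw: bytes) -> Optional[datetime]:
    """Decode an 8-byte little-endian FILETIME; an all-zero value means 'never set'."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME must be 8 bytes, got {len(raw)}")
    ticks = struct.unpack("<Q", raw)[0]
    if ticks == 0:
        return None
    # Integer arithmetic throughout: microseconds since 1601 exceed float precision.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    """Inverse of filetime_to_datetime; used here only to build the sample data."""
    delta = dt - FILETIME_EPOCH
    micro = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return struct.pack("<Q", micro * 10)


def active_control_set(hive: Hive) -> str:
    """Map the volatile CurrentControlSet link to its on-disk ControlSet00N key."""
    current = hive["SYSTEM\\Select\\Current"]          # REG_DWORD, e.g. 1
    return f"SYSTEM\\ControlSet{current:03d}"


def last_shutdown_time(hive: Hive) -> Optional[datetime]:
    """Control\\Windows > ShutdownTime under the active control set."""
    key = active_control_set(hive) + "\\Control\\Windows\\ShutdownTime"
    return filetime_to_datetime(hive[key])


def sam_install_time(hive: Hive) -> Optional[datetime]:
    """Domain creation time: bytes 0x08..0x0F of SAM\\Domains\\Account\\F."""
    f_value = hive["SAM\\Domains\\Account\\F"]
    return filetime_to_datetime(f_value[0x08:0x10])


def iso(dt: Optional[datetime]) -> Optional[str]:
    return None if dt is None else dt.isoformat()


# Constructed sample hive data: values chosen by hand, not captured from any system.
SAMPLE_HIVE: Hive = {
    "SYSTEM\\Select\\Current": 1,
    "SYSTEM\\ControlSet001\\Control\\Windows\\ShutdownTime":
        datetime_to_filetime(datetime(2023, 5, 2, 17, 40, 13, tzinfo=timezone.utc)),
    # Only offset 0x08..0x0F of the F value matters here; the rest is zero padding.
    "SAM\\Domains\\Account\\F":
        b"\x00" * 8
        + datetime_to_filetime(datetime(2019, 11, 15, 9, 3, 27, tzinfo=timezone.utc))
        + b"\x00" * 48,
}

if __name__ == "__main__":
    print("active control set:", active_control_set(SAMPLE_HIVE))
    print("last shutdown     :", iso(last_shutdown_time(SAMPLE_HIVE)))
    print("install time (SAM):", iso(sam_install_time(SAMPLE_HIVE)))
```

The same filetime_to_datetime routine applies to every other FILETIME on this page (TypedURLsTime entries, the other timestamps in the account F value); the one thing to get right is the 64-bit little-endian read, which is exactly the 32-vs-64-bit choice the hex viewer's date interpreter asks for.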

Time Zone Information

HKLM\SYSTEM\CurrentControlSet[#]\Control\TimeZoneInformation

- TimeZoneKeyName
- DaylightBias
- Bias
- ActiveTimeBias

All biases are REG_DWORD minutes and follow the Windows convention UTC = local time + Bias, so a positive Bias or ActiveTimeBias means the zone is behind UTC (UTC-) and a negative one means it is ahead (UTC+). They are stored as unsigned DWORDs, so a negative bias such as -60 shows as 0xFFFFFFC4 (4294967236) in a viewer that does not treat them as signed.

Bias is the standard-time offset; ActiveTimeBias is the offset that was in force when the hive was last written. If Bias and ActiveTimeBias match, daylight saving time was not in effect. If ActiveTimeBias equals Bias + DaylightBias (DaylightBias is normally -60), daylight saving time was in effect:

BIAS == ACTIVETIMEBIAS == NO DAYLIGHT SAVINGS
BIAS + DAYLIGHTBIAS == ACTIVETIMEBIAS == DAYLIGHT SAVINGS
300 + -60 = 240, ACTIVETIMEBIAS 300 == NO DAYLIGHT SAVINGS (UTC-5)
300 + -60 = 240, ACTIVETIMEBIAS 240 == DAYLIGHT SAVINGS (UTC-4)

UTC Conversion

LOCAL = UTC - ACTIVETIMEBIAS minutes, i.e. the UTC offset in hours is -(ACTIVETIMEBIAS / 60)
ACTIVETIMEBIAS 240 -> UTC-4
ACTIVETIMEBIAS -60 -> UTC+1
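The bias arithmetic above, carried out in code. This is an added example, not part of the wiki: it takes the four TimeZoneInformation values as a dict of raw REG_DWORDs, re-interprets them as signed minutes, decides whether daylight saving time was in effect, and converts a UTC timestamp to the machine's local time. The two sample dictionaries are constructed (US Eastern, hive written in winter vs. summer), not captured from a system.

```python
"""Interpret Control\\TimeZoneInformation and convert UTC timestamps to local time."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Union

TZInfo = Dict[str, Union[int, str]]   # raw REG_DWORD values plus TimeZoneKeyName


def dword_to_int(value: int) -> int:
    """REG_DWORD is unsigned, but the biases are signed 32-bit: 0xFFFFFFC4 -> -60."""
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


def dst_in_effect(tzi: TZInfo) -> bool:
    """True if ActiveTimeBias == Bias + DaylightBias, False if ActiveTimeBias == Bias."""
    bias = dword_to_int(tzi["Bias"])
    daylight = dword_to_int(tzi["DaylightBias"])
    active = dword_to_int(tzi["ActiveTimeBias"])
    if active == bias:
        return False          # standard time when the hive was last written
    if active == bias + daylight:
        return True           # daylight time when the hive was last written
    raise ValueError(f"ActiveTimeBias {active} matches neither Bias {bias} "
                     f"nor Bias+DaylightBias {bias + daylight}")


def utc_offset_label(active_time_bias: int) -> str:
    """Human-readable offset: ActiveTimeBias 240 -> 'UTC-04:00', -60 -> 'UTC+01:00'."""
    minutes = -dword_to_int(active_time_bias)      # local = UTC - bias
    sign = "+" if minutes >= 0 else "-"
    hours, mins = divmod(abs(minutes), 60)
    return f"UTC{sign}{hours:02d}:{mins:02d}"


def utc_to_local(utc_dt: datetime, tzi: TZInfo) -> datetime:
    """Apply LOCAL = UTC - ActiveTimeBias; the tz name is informational only."""
    active = dword_to_int(tzi["ActiveTimeBias"])
    local_tz = timezone(timedelta(minutes=-active), name=str(tzi.get("TimeZoneKeyName", "")))
    return utc_dt.astimezone(local_tz)


def local_iso(utc_iso: str, tzi: TZInfo) -> str:
    """Convenience wrapper taking and returning ISO 8601 strings."""
    return utc_to_local(datetime.fromisoformat(utc_iso), tzi).isoformat()


# Constructed samples: same zone (Bias 300, DaylightBias -60 stored as 0xFFFFFFC4),
# one hive last written during standard time and one during daylight time.
EASTERN_STANDARD: TZInfo = {"TimeZoneKeyName": "Eastern Standard Time",
                            "Bias": 300, "DaylightBias": 0xFFFFFFC4, "ActiveTimeBias": 300}
EASTERN_DAYLIGHT: TZInfo = {"TimeZoneKeyName": "Eastern Standard Time",
                            "Bias": 300, "DaylightBias": 0xFFFFFFC4, "ActiveTimeBias": 240}

if __name__ == "__main__":
    for label, tzi in (("winter", EASTERN_STANDARD), ("summer", EASTERN_DAYLIGHT)):
        print(label, "DST:", dst_in_effect(tzi), utc_offset_label(tzi["ActiveTimeBias"]),
              local_iso("2023-07-04T12:00:00+00:00", tzi))
```

Note that ActiveTimeBias only tells you the offset at the moment the hive was last written; to place an event from months earlier you still need the zone's DST rules (TimeZoneKeyName identifies the zone), which is why the conversion here is parameterised on the bias rather than hard-coded.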

Services

HKLM\SYSTEM\CurrentControlSet[#]\services

Startup Type Codes (Start DWORD)
00 - Boot (loaded by the boot loader; kernel drivers)
01 - System (started during kernel initialisation)
02 - Automatic (with DelayedAutoStart = 1 this is Automatic (Delayed Start))
03 - Manual
04 - Disabled

Each service key's ImagePath names the binary that is actually run; for svchost-hosted services the real code is the ServiceDll value under the Parameters subkey.

Mounted Devices

HKLM\SYSTEM\MountedDevices
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

MountedDevices maps each drive letter (\DosDevices\E:) and volume GUID (\??\Volume{...}) to the device the volume lives on. For removable media the value data is a UTF-16LE device path such as \??\USBSTOR#Disk&Ven_...&Prod_...&Rev_...#<serial>&0#{...}, which tells you which USB device was attached as which letter; for fixed MBR disks it is the disk signature plus the partition offset. MountPoints2 in each user's NTUSER.DAT lists the volume GUIDs that user actually accessed, so the two together give device, drive letter and user.

Network Shared Drives and Printers

HKCU\Software\Microsoft\Windows
HKCU\Printers\Settings
HKLM\SYSTEM

MountPoints2: stores per-user settings, including the Autorun handling, for volumes that user has mounted
MountPoints2\CPC\Volume: stores the disks and volumes detected for that user

System-wide installed printers are stored in HKLM\SYSTEM (CurrentControlSet\Control\Print\Printers), but per-user installed printers are located in HKCU\Software\Microsoft\Windows and HKCU\Printers\Settings in that user's NTUSER.DAT.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

This is per user: check the user account to see whether that specific user mapped the share. Because it lives in the user's own hive, you have to open each user's NTUSER.DAT to see who has what mapped where.

Last Accessed Time

VISTA & 7: off by default (value set to 1)

HKLM\SYSTEM\CurrentControlSet[#]\Control\FileSystem > NtfsDisableLastAccessUpdate

0 = last-access updates enabled, 1 = disabled (the default since Vista). Newer Windows 10 builds add system-managed modes; on a live system "fsutil behavior query disablelastaccess" reports the effective setting. When updates are disabled, an NTFS last-accessed timestamp cannot be relied on to show when a file was last read.

SOFTWARE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

The HKLM keys run for every user at logon; the HKCU keys live in each user's NTUSER.DAT and run only for that user. RunOnce entries are deleted after they execute, so an entry still present there has not yet run. To see all of the programs that start at boot and logon on a live system (these keys plus the many other autostart locations): Sysinternals Autoruns (autoruns.exe, or autorunsc.exe for a text dump).
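A first-pass triage of the Run/RunOnce entries above, as an added example (not from the wiki and not Autoruns' own logic). It takes a dict of value name to command line, as exported from the four keys, pulls out the executable, and flags the things a responder looks for first: a binary in a user-writable location, a command that goes through a script host or LOLBin, and an unquoted path containing spaces. The entries and the environment map are constructed; the location and script-host lists are my own assumptions and a starting point, not a verdict (legitimate software such as OneDrive also runs from AppData).

```python
"""Flag suspicious Run/RunOnce autostart entries."""
import re
from typing import Dict, List

# Assumed heuristics: locations a normal user can write to, and hosts that run
# arbitrary scripts or DLLs. Tune these for the environment under investigation.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe", "msiexec.exe"}


def executable_of(command: str) -> str:
    """Executable from a command line: the quoted path, else everything up to '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% using a supplied map (on an image, derive it from the profile paths)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def triage_autoruns(entries: Dict[str, str], env: Dict[str, str]) -> List[dict]:
    results = []
    for name, command in entries.items():
        exe = expand_env(executable_of(command), env)
        low = exe.lower()
        flags = []
        if any(marker in low for marker in USER_WRITABLE):
            flags.append("user-writable-path")
        if low.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
            flags.append("script-host")
        if " " in exe and not command.strip().startswith('"'):
            flags.append("unquoted-path-with-spaces")   # hijackable search order
        if not flags and not low.startswith(("c:\\windows\\", "c:\\program files")):
            flags.append("outside-standard-dirs")
        results.append({"name": name, "command": command, "executable": exe, "flags": flags})
    return results


# Constructed sample export of a Run key (value name -> REG_SZ data); not from a real system.
SAMPLE_RUN = {
    "SecurityHealth": "%windir%\\system32\\SecurityHealthSystray.exe",
    "OneDrive": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "Updater": "C:\\Users\\alice\\AppData\\Roaming\\svc\\update.exe -q",
    "Helper": "powershell.exe -w hidden -enc SQBFAFgA",
    "Legacy App": "C:\\Program Files\\Legacy App\\start.exe",
}
SAMPLE_ENV = {"WINDIR": "C:\\Windows", "SYSTEMROOT": "C:\\Windows"}

if __name__ == "__main__":
    for row in triage_autoruns(SAMPLE_RUN, SAMPLE_ENV):
        print(f"{row['name']:<15} {','.join(row['flags']) or '-':<28} {row['executable']}")
```

Run the same function over the HKLM and each user's HKCU export; an entry that is clean here can still be malicious, so treat the flags as a sort order for what to look at first.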

USB

HKLM\SYSTEM\CurrentControlSet[#]\Enum\USBSTOR

Stores every USB mass-storage device that has been connected.

Subkey: Disk&Ven_###&Prod_###&Rev_### (vendor, product and revision strings reported by the device)

Beneath that, one subkey per device instance named by the device serial number. If the device reports no serial, Windows generates an ID; a generated ID has & as its second character (for example 7&1a2b3c4d&0), and the same device will get a different ID on another machine.
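Decoding MountedDevices value data and correlating it with the USBSTOR key, covering both the Mounted Devices and the USB sections. This is an added example, not code from the wiki. It handles the three data layouts that occur: 12-byte MBR entries (4-byte disk signature plus 8-byte partition byte offset, both little-endian), "DMIO:ID:" plus a 16-byte GUID for GPT/dynamic volumes, and UTF-16LE device-interface paths for removable media, from which it extracts the USBSTOR subkey, the instance ID and whether Windows generated the serial. The MountedDevices entries, the USBSTOR listing, the GUIDs and the serial numbers are all constructed.

```python
"""Decode HKLM\\SYSTEM\\MountedDevices and tie USB volumes back to Enum\\USBSTOR."""
import re
import struct
import uuid
from typing import Dict, List

USBSTOR_PATH = re.compile(r"\\\?\?\\USBSTOR#([^#]+)#([^#]+)#")   # \??\USBSTOR#<device>#<instance>#{guid}


def decode_mounted_device(data: bytes) -> dict:
    """Interpret one MountedDevices value's REG_BINARY data."""
    if len(data) == 12:                                   # MBR: signature + partition offset
        signature, offset = struct.unpack("<IQ", data)
        return {"type": "mbr", "disk_signature": f"{signature:08X}", "partition_offset": offset}
    if data.startswith(b"DMIO:ID:") and len(data) == 24:  # GPT / dynamic: partition GUID
        return {"type": "gpt", "partition_guid": str(uuid.UUID(bytes_le=data[8:]))}
    text = data.decode("utf-16-le").rstrip("\x00")        # removable media: device path
    entry = {"type": "device_path", "path": text}
    m = USBSTOR_PATH.match(text)
    if m:
        instance = m.group(2)
        entry["usbstor_subkey"] = m.group(1)             # Disk&Ven_...&Prod_...&Rev_...
        entry["instance_id"] = instance                  # <serial>&<port instance>
        entry["serial"] = instance.rsplit("&", 1)[0]
        entry["serial_generated_by_windows"] = len(instance) > 1 and instance[1] == "&"
    return entry


def map_drive_letters(mounted_devices: Dict[str, bytes]) -> List[dict]:
    """One row per \\DosDevices\\X: entry, plus the volume GUID names sharing its data."""
    rows = []
    for name, data in mounted_devices.items():
        if not name.startswith("\\DosDevices\\"):
            continue
        row = {"drive": name[len("\\DosDevices\\"):], **decode_mounted_device(data)}
        row["volume_guids"] = [n for n, d in mounted_devices.items()
                               if n.startswith("\\??\\Volume{") and d == data]
        rows.append(row)
    return rows


def correlate_usbstor(rows: List[dict], usbstor: Dict[str, List[str]]) -> List[dict]:
    """Keep the drive-letter rows whose device and instance also appear under Enum\\USBSTOR."""
    hits = []
    for row in rows:
        sub = row.get("usbstor_subkey")
        if sub in usbstor and row.get("instance_id") in usbstor[sub]:
            hits.append({"drive": row["drive"], "device": sub, "serial": row["serial"],
                         "generated": row["serial_generated_by_windows"],
                         "volume_guids": row["volume_guids"]})
    return hits


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


DISK_IFACE = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"   # GUID_DEVINTERFACE_DISK

# Constructed sample MountedDevices key (value name -> data); not from a real image.
SAMPLE_MOUNTED = {
    "\\DosDevices\\C:": struct.pack("<IQ", 0xA1B2C3D4, 1048576),
    "\\??\\Volume{0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d}": struct.pack("<IQ", 0xA1B2C3D4, 1048576),
    "\\DosDevices\\E:": _u16("\\??\\USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00"
                             "#4C530001234567890123&0#" + DISK_IFACE),
    "\\DosDevices\\F:": _u16("\\??\\USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07"
                             "#7&1a2b3c4d&0#" + DISK_IFACE),
    "\\DosDevices\\D:": b"DMIO:ID:" + uuid.UUID("0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0").bytes_le,
}
# Constructed Enum\USBSTOR listing: device subkey -> its instance subkeys.
SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00": ["4C530001234567890123&0"],
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": ["7&1a2b3c4d&0"],
}

if __name__ == "__main__":
    for row in map_drive_letters(SAMPLE_MOUNTED):
        print(row)
    print(correlate_usbstor(map_drive_letters(SAMPLE_MOUNTED), SAMPLE_USBSTOR))
```

The volume_guids list is what you carry over to each user's MountPoints2, whose subkeys are named by those same {GUID}s: a GUID present there shows that user touched the volume, which closes the loop from device serial to drive letter to user.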

MRU Lists

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

The Windows + R (Run dialog) history is stored here, per user; there is no HKLM copy. It records the exact text typed (regedit, mspaint, cmd /c ..., etc.) as values a, b, c, ... with the MRUList value giving the order, most recent first. Running an existing entry again does not create a new value; its letter is moved to the front of MRUList, so the list is ordered by most recent use, not by name or alphabetically.

HKCU\Software\Microsoft\Internet Explorer\TypedURLs
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

TypedURLs holds URLs typed into the Internet Explorer address bar (IE 10 and later also keep a matching TypedURLsTime key with a FILETIME per entry); TypedPaths holds paths typed into the Explorer address bar. Both are per user, in NTUSER.DAT, with url1 the most recent entry.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Common dialogs: files opened or saved through the standard Open/Save dialog by any application, grouped into a subkey per file extension plus a * subkey for everything. XP uses OpenSaveMRU (paths as REG_SZ, ordered by MRUList); Vista and later use OpenSavePidlMRU (paths as binary PIDLs, ordered by MRUListEx) alongside LastVisitedPidlMRU, which records which executable last used the dialog and in which folder.

Whatever is chosen in those dialog boxes ends up in these MRU lists, regardless of which application opened the dialog.
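The ordering rules for the three MRU encodings on this page (RunMRU's MRUList letters, the MRUListEx DWORD array used by OpenSavePidlMRU and LastVisitedPidlMRU, and the numbered url1..urlN values of TypedURLs and TypedPaths), as an added example that is not part of the wiki. Each function takes a dict of value name to value data as a hive parser would return it; the key contents are constructed, and in the OpenSavePidlMRU sample plain file names stand in for the real PIDL blobs, since decoding PIDLs is outside this example.

```python
"""Recover most-recent-first order from RunMRU, MRUListEx and url1..urlN style keys."""
import re
import struct
from typing import Any, Dict, List

Key = Dict[str, Any]   # value name -> REG_SZ str or REG_BINARY bytes


def order_mrulist(key: Key) -> List[str]:
    """RunMRU-style: MRUList 'cab' -> [key['c'], key['a'], key['b']], newest first.

    RunMRU entries carry a trailing '\\1' (a dialog flag, not part of what was typed),
    which is stripped. A letter with no matching value (deleted entry) is skipped.
    """
    out = []
    for letter in str(key.get("MRUList", "")):
        entry = key.get(letter)
        if entry is None:
            continue
        out.append(entry[:-2] if entry.endswith("\\1") else entry)
    return out


def order_mrulistex(key: Key) -> List[Any]:
    """Vista+ style: MRUListEx is little-endian DWORDs, newest first, ending in 0xFFFFFFFF."""
    raw = key.get("MRUListEx", b"")
    out = []
    for (idx,) in struct.iter_unpack("<I", raw[: len(raw) - len(raw) % 4]):
        if idx == 0xFFFFFFFF:
            break
        entry = key.get(str(idx))
        if entry is not None:
            out.append(entry)
    return out


def order_numbered(key: Key, prefix: str = "url") -> List[str]:
    """TypedURLs/TypedPaths style: url1 is newest; sort numerically, not lexically (url10 > url2)."""
    pattern = re.compile(rf"^{re.escape(prefix)}(\d+)$")
    numbered = [(int(m.group(1)), key[name]) for name in key if (m := pattern.match(name))]
    return [value for _, value in sorted(numbered)]


# Constructed sample keys; not exported from a real NTUSER.DAT.
SAMPLE_RUNMRU = {"a": "regedit\\1", "b": "mspaint\\1", "c": "cmd /c whoami\\1", "MRUList": "cab"}
SAMPLE_OPENSAVE_DOCX = {            # stand-in strings where the real key holds PIDL blobs
    "0": "report.docx", "1": "invoice.docx", "2": "notes.docx",
    "MRUListEx": struct.pack("<IIII", 1, 2, 0, 0xFFFFFFFF),
}
SAMPLE_TYPEDURLS = {"url1": "http://intranet/", "url2": "http://example.com/",
                    "url10": "http://example.org/old"}

if __name__ == "__main__":
    print("RunMRU        :", order_mrulist(SAMPLE_RUNMRU))
    print("OpenSave .docx:", order_mrulistex(SAMPLE_OPENSAVE_DOCX))
    print("TypedURLs     :", order_numbered(SAMPLE_TYPEDURLS))
```

Note that none of these lists carries a timestamp per entry: only the key's own last-write time is available, which dates the most recent entry and nothing else (TypedURLsTime on IE 10+ is the exception).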