Windows Registry Basics - nurit-cyber/OperatingSystemForensics GitHub Wiki
TABLE OF CONTENTS
Introduction to Windows Registry
Registry Hives
Registry Hive Locations
Registry Hive Hex View
Different Registry Hives
Introduction to Windows Registry
Windows Registry: a central repository/database for system and program settings. Every action is stored in the registry.
Stored information:
- User details: name, password hash, SID, Groups, etc.
- Machine details: name, domain/workgroup, SID, etc.
- Hardware information: devices plugged into the system, driver information, settings
- Software information (most of it): OS, configurations, settings, COM classes, Most Recently Used (MRU) lists, mapped drive configurations, security settings (local/group policies), startup programs, service information
Registry Hives
Hive: a group of keys, subkeys, and values (roughly analogous to a directory, its subdirectories, and files, respectively). Values have a type, just as a file has a type (REG_SZ, REG_EXPAND_SZ, etc.), and everything is named.
Regedit shows the currently loaded hives:
In the Registry Editor screenshot, the right pane lists the values with their names, types, and the data held in each value. The left pane shows the keys and subkeys (which themselves stand in for files on the local machine).
HKEY_CLASSES_ROOT:
HKEY_CURRENT_USER: keys for the user who is currently logged in; it does not include the keys of other users on the same machine. Exists only at run time.
HKEY_LOCAL_MACHINE:
- BCD: boot configurations
- HARDWARE: the currently running hardware, including serial numbers; exists only at run time
- SAM: Security Account Manager; user logins, usernames/passwords, user and group info, plus password hints; potentially also synchronizes files across devices
- SECURITY: security policies, password policies
- SOFTWARE: everything related to software; overlaps with SYSTEM; keeps 32-bit and 64-bit applications separate
- SYSTEM: system programs; overlaps with SOFTWARE
HKEY_USERS: DEFAULT (the user template) and per-user information (the current user is also mapped at HKEY_CURRENT_USER); each user has their own NTUSER.dat
Registry Hive Locations
All hives except HKEY_CURRENT_USER are stored in %SystemRoot%\System32\Config; HKEY_CURRENT_USER is stored in the user's profile folder. The currently loaded hives are listed at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist (the SYSTEM hive also contains the control sets; which one was active, e.g. '001', is important).
HKEY_CURRENT_USER has two file locations: C:\Users\[username]\NTUSER.dat and C:\Users\[username]\AppData\Local\Microsoft\Windows\UsrClass.dat.
- SID association with the Profile is found in the Key
On Windows 98, the hives are User.dat and System.dat.
On Windows ME, the hives are User.dat, System.dat, and Classes.dat.
Registry Hive Hex View
A key only records the time when something inside it was modified, not what was modified or which value was updated (these times are not shown by regedit).
CMD commands
Information about users
net user [username]
Find user SID and usernames
whoami
whoami /user
Dump registry hives (run CMD as admin; reg save takes the hive key first, then the output file)
reg save [hive key, e.g. HKLM\SAM] [output path]\[file name]
Calculation
ELAM (Early Launch Anti-Malware): a tool that prevents malware from loading.
FTK --> File > Protected Files > Password Recovery
- gets all of the users
- you have to recover UsrClass.dat manually
Binary SID
S - 1 byte - 1 byte - BIG DWORD - BIG DWORD - LIT DWORD
S - Revision - Authority - SubAuthority - SubAuthority - SubAuthority
S - 1 - 5(from 0) - 21 - 385255830 - 3372572413
Errors
Dirty Hive Detected: answer No if there were no recent actions; answering Yes loads the transactions
Reg Ripper
rip -r system-hve -p timezone
USB
HKLM\SYSTEM\CurrentControlSet[#]\Enum\USBSTOR stores every USB storage device that has been inserted
Subkey: Disk&Ven_###&Prod_###&Rev_###
The device ID/serial number is found here; if the device has no serial, Windows assigns an ID