CSC414 Computer System Fundamentals
The Windows Registry

Digital Forensics Center
Department of Computer Science and Statistics
University of Rhode Island (URI)
THINK BIG WE DO

http://www.forensics.cs.uri.edu

Windows Registry

- Hardware & software information
  - Current and previously attached hardware
  - User preferences and configuration
  - Program usage and timestamps
- Logical view
  - Hierarchy of folders (keys)
  - Five top-level categories (root keys, usually called hives)
  - Viewed using regedit.exe, regedt32.exe or specialized programs such as AccessData Registry Viewer
- Physical view
  - Actual files containing the registry data (SYSTEM, SOFTWARE, SAM, SECURITY, NTUSER.DAT)
  - Transaction log of changes (the .LOG file kept next to each hive file)

Registry Hives

Top-level logical grouping of keys

- HKEY_LOCAL_MACHINE (HKLM): local system hardware, device drivers, services, and machine-specific application data
- HKEY_USERS (HKU): the pre-logon default profile (.DEFAULT) plus the loaded profile of every user on the system, one subkey per SID
- HKEY_CURRENT_USER (HKCU): profile of the currently logged-on user; a link to that user's key in HKU
- HKEY_CLASSES_ROOT (HKCR): link to the subkey in HKLM (merged with the per-user classes) that holds the configuration and file associations for installed software
- HKEY_CURRENT_CONFIG (HKCC): link to the subkey in HKLM that contains the current hardware configuration and some per-computer application settings

Registry Keys

Attributes
- Reference path name
  - Uses the \ character to separate levels
  - A key is not a file; its path is not a file-system path
- Permissions
  - Can be set for a user or a group
- Last write time
  - Timestamp of the last change to the key; regedit does not display it, so a third-party Registry editor or forensic tool is needed to view it
- Size of data

Values
- Name
  - (Default) is the default value for the key
- Type
  - Used to interpret the data bytes
- Data
  - The actual data for the value
- Example: HKEY_CURRENT_USER\\Cursors

Registry Keys

Value types
- REG_NONE (No type): just raw bytes
- REG_BINARY (Binary): binary data value
- REG_DWORD (Double word): four-byte value
- REG_SZ (String): single-line string terminated by a null character
- REG_EXPAND_SZ (Expandable string): string holding environment variable references (e.g. %SystemRoot%) that are expanded when the value is read; commonly used for environment variables
- REG_MULTI_SZ (Multi-line string): each line is terminated by a null character, and the list ends with an additional null
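The value type decides how the raw data bytes of a value are interpreted, and a forensic tool that reads hive files offline has to do that interpretation itself. The decoder below is an added example, not code from the slides: it turns raw value data into Python objects for each type listed above, tolerating the unterminated or odd-length strings that real hives contain, and treats the empty string as the REG_MULTI_SZ list terminator. The numeric REG_* codes are the documented Windows constants; the expand_env helper and the sample values are constructed for this example.

```python
"""Decode raw registry value data according to its REG_* type.

Added example, not from the CSC414 slides. The layouts follow the
documented Windows conventions: strings are UTF-16LE with a NUL
terminator, REG_MULTI_SZ ends with an extra NUL, REG_DWORD is four
little-endian bytes. All inputs in the demo are constructed inline.
"""
import re
import struct

# Numeric type codes as stored in a value cell (the REG_* constants).
REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY = 0, 1, 2, 3
REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_MULTI_SZ, REG_QWORD = 4, 5, 7, 11

_ENV_REF = re.compile(r"%([^%]+)%")


def expand_env(text: str, env: dict) -> str:
    """Expand %NAME% references case-insensitively; unknown names stay as-is."""
    lookup = {k.upper(): v for k, v in env.items()}
    return _ENV_REF.sub(lambda m: lookup.get(m.group(1).upper(), m.group(0)), text)


def _utf16z(data: bytes) -> str:
    """Decode UTF-16LE up to the first NUL.

    Programs sometimes write strings without the terminator, or with an
    odd trailing byte; both are tolerated instead of raising.
    """
    text = data[: len(data) & ~1].decode("utf-16-le", errors="replace")
    nul = text.find("\x00")
    return text if nul < 0 else text[:nul]


def _require_len(data: bytes, n: int) -> None:
    if len(data) != n:
        raise ValueError("expected %d data bytes, got %d" % (n, len(data)))


def decode_value(vtype: int, data: bytes, env: dict = None):
    """Return the Python representation of a value's raw data bytes."""
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        text = _utf16z(data)
        # REG_EXPAND_SZ is stored unexpanded; expansion happens on read.
        if vtype == REG_EXPAND_SZ and env is not None:
            text = expand_env(text, env)
        return text
    if vtype == REG_MULTI_SZ:
        text = data[: len(data) & ~1].decode("utf-16-le", errors="replace")
        items = []
        for item in text.split("\x00"):
            if item == "":  # the empty string is the list terminator
                break
            items.append(item)
        return items
    if vtype == REG_DWORD:
        _require_len(data, 4)
        return struct.unpack("<I", data)[0]
    if vtype == REG_DWORD_BIG_ENDIAN:
        _require_len(data, 4)
        return struct.unpack(">I", data)[0]
    if vtype == REG_QWORD:
        _require_len(data, 8)
        return struct.unpack("<Q", data)[0]
    # REG_BINARY, REG_NONE and unknown types: hand back the raw bytes.
    return bytes(data)


if __name__ == "__main__":
    # Constructed sample values, as they might appear under a Run key.
    samples = [
        ("Updater", REG_EXPAND_SZ,
         "%SystemRoot%\\System32\\upd.exe\x00".encode("utf-16-le")),
        ("Paths", REG_MULTI_SZ, "C:\\a\x00C:\\b\x00\x00".encode("utf-16-le")),
        ("Enabled", REG_DWORD, b"\x01\x00\x00\x00"),
        ("Blob", REG_BINARY, b"\xde\xad\xbe\xef"),
    ]
    for name, vtype, raw in samples:
        print(name, "=", decode_value(vtype, raw, {"SystemRoot": "C:\\Windows"}))
```

When examining a REG_EXPAND_SZ value from another machine's hive, expand it with that machine's environment (its SystemRoot and ProgramFiles taken from the SOFTWARE hive), not the examiner's own; the env parameter exists for that reason.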

HKEY_LOCAL_MACHINE (HKLM)
- SYSTEM
  - Current system set-up
  - ControlSets of hardware & device drivers
    - Alternative system configurations
  - Enum lists attached devices
    - Including USB sticks and drives
  - Mounted file systems (MountedDevices)
  - Virtual memory page file location
    - HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  - C:\Windows\System32\config\SYSTEM
  - C:\Windows\System32\config\SYSTEM.LOG

Local Machine Hive

HKEY_LOCAL_MACHINE (HKLM)
- SOFTWARE
  - Configuration settings & preferences for programs
  - Registration information for programs
  - HKLM\SOFTWARE\\Windows\CurrentVersion
    - Run
      - Software that runs when the system starts up
  - Winlogon (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon)
    - Login window configuration information
  - Random Number Generator (RNG) seed value
  - C:\Windows\System32\config\SOFTWARE
  - C:\Windows\System32\config\SOFTWARE.LOG
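Each hive file listed above (SYSTEM, SOFTWARE and the others) begins with a 4096-byte base block that records when the hive was last written and whether that write completed; the transaction log beside the file holds changes that were not yet committed. The parser below is an added example, not code from the slides: it reads the "regf" base block, verifies its checksum, decodes the last-written FILETIME and flags a hive whose primary and secondary sequence numbers disagree, which is the signal that the .LOG must be replayed before the hive is trusted. The field offsets are those of the documented base block; build_base_block, the SOFTWARE sample header and SAMPLE_FILETIME are constructed for this example.

```python
"""Parse the base block of a registry hive file (SYSTEM, SOFTWARE,
NTUSER.DAT, ...) and tell whether its transaction log must be replayed.

Added example, not from the CSC414 slides. Field offsets are those of
the "regf" base block; the sample hive header is constructed inline.
"""
import struct
from datetime import datetime, timedelta, timezone

REGF_SIG = b"regf"
BASE_BLOCK_SIZE = 4096
CHECKSUM_OFFSET = 0x1FC
# Layout at offset 4: primary seq, secondary seq, last-written FILETIME,
# major, minor, file type, file format, root cell offset, hbins size,
# clustering factor.
_HDR = "<IIQIIIIIII"
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def regf_checksum(block: bytes) -> int:
    """XOR of the 127 DWORDs that precede the checksum field."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:CHECKSUM_OFFSET]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if x == 0:
        return 1
    return x


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME: 100 ns intervals since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_base_block(block: bytes) -> dict:
    """Decode the first 4096 bytes of a hive file."""
    if len(block) < BASE_BLOCK_SIZE or block[:4] != REGF_SIG:
        raise ValueError("not a regf hive (bad size or signature)")
    (seq1, seq2, ft, major, minor, ftype, fmt,
     root, hbins_size, cluster) = struct.unpack_from(_HDR, block, 4)
    name = block[0x30:0x70].decode("utf-16-le", errors="replace").split("\x00")[0]
    stored = struct.unpack_from("<I", block, CHECKSUM_OFFSET)[0]
    return {
        "file_name": name,
        "version": "%d.%d" % (major, minor),
        "file_type": {0: "primary", 1: "log"}.get(ftype, "unknown(%d)" % ftype),
        "last_written": filetime_to_datetime(ft),
        "primary_seq": seq1,
        "secondary_seq": seq2,
        "root_cell_offset": root,
        "hbins_size": hbins_size,
        "checksum_ok": stored == regf_checksum(block),
        # A write bumps the primary sequence first and the secondary only
        # after the data is flushed; a mismatch means the last transaction
        # was not fully committed and the .LOG still holds the changes.
        "dirty": seq1 != seq2,
    }


def build_base_block(seq1: int, seq2: int, name: str, filetime: int) -> bytes:
    """Construct a minimal, checksum-valid base block for testing."""
    hdr = bytearray(BASE_BLOCK_SIZE)
    hdr[:4] = REGF_SIG
    struct.pack_into(_HDR, hdr, 4, seq1, seq2, filetime, 1, 5, 0, 1, 0x20, 0x1000, 1)
    encoded = name.encode("utf-16-le")[:64]
    hdr[0x30:0x30 + len(encoded)] = encoded
    struct.pack_into("<I", hdr, CHECKSUM_OFFSET, regf_checksum(hdr))
    return bytes(hdr)


# Constructed sample: 2023-11-14 22:13:20 UTC expressed as a FILETIME.
SAMPLE_FILETIME = 116444736000000000 + 1_700_000_000 * 10_000_000

if __name__ == "__main__":
    clean = build_base_block(12, 12, "SOFTWARE", SAMPLE_FILETIME)
    dirty = build_base_block(13, 12, "SOFTWARE", SAMPLE_FILETIME)
    for blk in (clean, dirty):
        info = parse_base_block(blk)
        print(info["file_name"], info["last_written"].isoformat(),
              "dirty" if info["dirty"] else "clean")
```

The hive files under C:\Windows\System32\config are locked while Windows is running, so they are normally read from a disk image or a volume shadow copy; on Windows 8.1 and later the transaction log is split into .LOG1 and .LOG2 rather than a single .LOG, and a dirty hive copied without its logs will show the state before the last uncommitted transaction.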

Local Machine Hive

HKEY_LOCAL_MACHINE (HKLM)
- SAM
  - Security Account Manager: local account information
  - Permissions prevent viewing (by default only the SYSTEM account has read access; an administrator must change the permissions first)
  - C:\Windows\System32\config\SAM
  - C:\Windows\System32\config\SAM.LOG
- SECURITY
  - Permissions prevent normal viewing (same default ACL as SAM)
  - Account information for domains accessed with this system
  - C:\Windows\System32\config\SECURITY
  - C:\Windows\System32\config\SECURITY.LOG
- HARDWARE
  - Hardware that Windows detects during start-up
  - Not stored in a file; created dynamically at start-up
- BCD00000000
  - Boot Configuration Data for Vista and Windows 7
  - For XP and earlier, this data was stored in C:\boot.ini
  - C:\Boot\BCD, or on the EFI System Partition for UEFI systems

Users Hive

HKEY_USERS (HKU)
- Subkeys contain user-specific preferences, configuration and activity information
  - {SID}: the profile of one user
  - {SID}_Classes: per-user class registration and file associations
- System accounts
  - S-1-5-18: Local System, an account with high privileges
  - S-1-5-19: Local Service, for running local services that do not need Local System privileges
  - S-1-5-20: Network Service, for running network services that do not need Local System privileges
- .DEFAULT
  - Default (pre-logon) user information
- User hive files
  - C:\Users\%userprofile%\NTUSER.DAT
  - C:\Users\%userprofile%\NTUSER.DAT.LOG
  - C:\Documents and Settings\%userprofile%\NTUSER.DAT (XP and earlier)
  - C:\Documents and Settings\%userprofile%\NTUSER.DAT.LOG (XP and earlier)
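Because HKU is keyed by SID, an examiner has to recognise which subkey belongs to a system account, to a built-in account such as Administrator, or to a user created on the machine, and which subkeys are the per-user {SID}_Classes hives. The helpers below are an added example, not code from the slides: they convert between the binary SID layout (revision, sub-authority count, 48-bit identifier authority, little-endian sub-authorities) and the S-1-... string, reject truncated or malformed SIDs, and classify HKU subkey names including .DEFAULT. The well-known SIDs and RIDs are the documented Windows ones; the sample subkey names are constructed.

```python
"""Parse and classify the security identifiers (SIDs) that name the
subkeys of HKEY_USERS.

Added example, not from the CSC414 slides. Binary SID layout: revision
(1 byte), sub-authority count (1), identifier authority (6 bytes,
big-endian), then count little-endian 32-bit sub-authorities. The
well-known SIDs and RIDs are the documented Windows ones; the sample
subkey names are constructed.
"""
import re
import struct

WELL_KNOWN = {
    "S-1-5-18": "Local System (high-privilege service account)",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
}
BUILTIN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}
_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)*)$")


def sid_to_string(raw: bytes) -> str:
    """Convert a binary SID (as found in SAM and security descriptors) to S-1-... form."""
    if len(raw) < 8 or raw[0] != 1:
        raise ValueError("not a revision-1 SID")
    count = raw[1]
    if len(raw) < 8 + 4 * count:
        raise ValueError("truncated SID: %d sub-authorities promised" % count)
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "-".join(["S-1-%d" % authority] + [str(s) for s in subs])


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string; rejects malformed strings."""
    m = _SID_RE.match(text)
    if not m:
        raise ValueError("malformed SID string: %r" % text)
    authority = int(m.group(1))
    subs = [int(s) for s in m.group(2).split("-")[1:]]
    if len(subs) > 15 or authority >= 1 << 48:
        raise ValueError("SID field out of range")
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def describe_hku_subkey(name: str) -> dict:
    """Explain what an HKU subkey name such as 'S-1-5-21-...-1001_Classes' is."""
    if name == ".DEFAULT":
        return {"sid": None, "classes": False, "kind": "default (pre-logon) profile"}
    classes = name.endswith("_Classes")
    sid = name[:-len("_Classes")] if classes else name
    string_to_sid(sid)  # validate the syntax before classifying
    if sid in WELL_KNOWN:
        kind = WELL_KNOWN[sid]
    elif sid.startswith("S-1-5-21-") and sid.count("-") == 7:
        # S-1-5-21-<machine or domain id>-<RID>: the RID tells the account apart.
        rid = int(sid.rsplit("-", 1)[1])
        if rid in BUILTIN_RIDS:
            kind = BUILTIN_RIDS[rid]
        elif rid >= 1000:
            kind = "user or group created on this machine/domain (RID %d)" % rid
        else:
            kind = "other built-in account (RID %d)" % rid
    elif sid.startswith("S-1-5-80-"):
        kind = "service virtual account (NT SERVICE\\...)"
    else:
        kind = "other well-known or foreign SID"
    return {"sid": sid, "classes": classes, "kind": kind}


if __name__ == "__main__":
    # Constructed HKU subkey names as seen on a running system.
    for key in (".DEFAULT", "S-1-5-18", "S-1-5-19", "S-1-5-20",
                "S-1-5-21-1004336348-1177238915-682003330-1001",
                "S-1-5-21-1004336348-1177238915-682003330-1001_Classes"):
        print(key, "->", describe_hku_subkey(key)["kind"])
```

The machine-specific part of an S-1-5-21 SID is the same for every local account on one computer, so two HKU subkeys that differ only in the RID are accounts from the same SAM; a subkey with a different middle part belongs to a domain account or to a profile copied from another machine.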

HKEY_USERS (HKU)
- Important keys for forensics
  - Network: mapping of networked drives
  - Environment: default location of temporary user files
  - Volatile Environment: login and account information for the current user
  - Software: contains configuration and usage information for programs
    - HKU\{SID}\Software\Microsoft\Windows\CurrentVersion
    - HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run

Current Hives

HKEY_CURRENT_USER (HKCU)
- Links to the currently active user account and class information in the HKU hive

HKEY_CLASSES_ROOT (HKCR)
- HKCR is a merged view of the defaults in HKLM\Software\Classes and the per-user entries in HKCU\Software\Classes

HKEY_CURRENT_CONFIG (HKCC)
- Links to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current
