The Windows Registry


CSC414 Computer System Fundamentals
Digital Forensics Center, Department of Computer Science and Statistics, University of Rhode Island
http://www.forensics.cs.uri.edu

Windows Registry

- Hardware & software information
  - Current and previously attached hardware
  - User preferences and configuration settings
  - Program usage and timestamps
- Logical view
  - Hierarchy of folders (keys)
  - Five top-level categories (hives)
  - Viewed using regedit.exe, regedt32.exe or specialized programs such as AccessData Registry Viewer
- Physical view
  - Actual files containing registry data
  - Transaction log of changes (the .LOG files next to each hive file)

Registry Hives

Top-level logical grouping of keys.

Hive name            Abbreviation  Description
HKEY_LOCAL_MACHINE   HKLM          Local system hardware, device drivers, services, and machine-specific application data
HKEY_USERS           HKU           Pre-logon default user profile information and the profile of every loaded user on the system
HKEY_CURRENT_USER    HKCU          Currently logged-on user's profile information; a link to that user's key in HKU
HKEY_CLASSES_ROOT    HKCR          Link to the subkey in HKLM that holds configuration and file associations for installed software
HKEY_CURRENT_CONFIG  HKCC          Link to the subkey in HKLM that contains the current hardware configuration and some per-computer application settings

Registry Keys

- Reference path name
  - Uses the \ character to separate levels, e.g. HKEY_CURRENT_USER\Control Panel\Cursors
  - Not the file name of a key
- Permissions
  - Can be set for a user or group (an ACL, like a file)
- Last write time
  - Every key carries a last-write timestamp; regedit does not display it, so a third-party or forensic registry viewer is needed to see it

Registry Values

- Name
  - (Default) is the default value for the key
- Type
  - Used to interpret the data bytes
- Size of data
- Data
  - Actual data for the value

Type           Name               Meaning
REG_NONE       No type            Just raw bytes
REG_BINARY     Binary             Binary data value
REG_DWORD      Double word        Four-byte value
REG_SZ         String             Single-line string terminated by a null character
REG_EXPAND_SZ  Expandable string  String containing environment variables (e.g. %SystemRoot%) that are expanded when read
REG_MULTI_SZ   Multi-line string  Each line is terminated by a null character; an extra null ends the list

Local Machine Hive: HKEY_LOCAL_MACHINE (HKLM)

- SYSTEM
  - Current system setup
  - ControlSets of hardware & device drivers
  - Alternative system configurations (ControlSet001, ControlSet002, ...; Select says which is CurrentControlSet)
  - Enum lists attached devices, including USB sticks and drives
  - Mounted file systems (MountedDevices)
  - Virtual memory page file location: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  - Files: C:\Windows\System32\config\SYSTEM and C:\Windows\System32\config\SYSTEM.LOG
- SOFTWARE
  - Configuration settings & preferences for programs
  - Registration information for programs
  - Random Number Generator (RNG) seed value (HKLM\SOFTWARE\Microsoft\Cryptography\RNG)
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
    - Run: software that runs when the system starts up; a common persistence location, so it is checked first in triage
    - Winlogon: login window configuration information
  - Files: C:\Windows\System32\config\SOFTWARE and C:\Windows\System32\config\SOFTWARE.LOG
- SAM
  - Security Account Manager
  - Local user and group accounts and their password hashes
  - Permissions prevent viewing, even by administrators, unless the ACL is changed or the key is read as SYSTEM
  - Files: C:\Windows\System32\config\SAM and C:\Windows\System32\config\SAM.LOG
- SECURITY
  - Local security policy, LSA secrets and cached domain logon information
  - Permissions prevent normal viewing
  - Files: C:\Windows\System32\config\SECURITY and C:\Windows\System32\config\SECURITY.LOG
- HARDWARE
  - Hardware that Windows detects during startup
  - Not stored in a file; created dynamically at startup
- BCD00000000
  - Boot Configuration Data for Vista, Windows 7 and later
  - For XP and earlier, boot data was stored in C:\boot.ini
  - File: \Boot\BCD on the system partition (BIOS boot) or on the EFI System Partition (UEFI boot)

Users Hive: HKEY_USERS (HKU)

- Subkeys contain user-specific preferences, configuration and activity information
- Each subkey is named by the SID (security identifier) of a user
- {SID}_Classes contains that user's class registration and file associations
- System accounts
  - S-1-5-18: Local System, an account with high privileges
  - S-1-5-19: Local Service, for running local services that do not need Local System privileges
  - S-1-5-20: Network Service, for running network services that do not require Local System privileges
- .DEFAULT: default account user information (the profile used before anyone logs on)
- Files (Vista and later): C:\Users\<username>\NTUSER.DAT and C:\Users\<username>\NTUSER.DAT.LOG
- Files (XP and earlier): C:\Documents and Settings\<username>\NTUSER.DAT and C:\Documents and Settings\<username>\NTUSER.DAT.LOG

Important keys for forensics under HKU\{SID}:

- Network: mapping of networked drives
- Environment: default location of temporary user files
- Volatile Environment: login and account information for the current user (built at logon, not persisted in NTUSER.DAT)
- Software: configuration and usage information for programs
  - HKU\{SID}\Software\Microsoft\Windows\CurrentVersion
  - HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run (per-user autostart)

Current Hives

- HKEY_CURRENT_USER (HKCU): links to the currently active user's account and class information in the HKU hive
- HKEY_CLASSES_ROOT (HKCR): a merged view of the machine defaults in HKLM\Software\Classes and the per-user classes from HKU\{SID}_Classes
- HKEY_CURRENT_CONFIG (HKCC): links to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current
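The slides list three attributes of a value (name, type, data) and say a key's last-write time needs a third-party viewer. The following PowerShell is an added example, not part of the URI slides, that reads all of these from a live system: it enumerates a key's values with their REG_* type, returns REG_EXPAND_SZ in stored (unexpanded) form beside its expanded form, splits REG_MULTI_SZ on its null terminators, and reads the key timestamp through the Win32 RegQueryInfoKey call. It assumes Windows PowerShell 5.1 or later on Windows; the P/Invoke wrapper RegNative, the function names and the default key (the slide's HKEY_CURRENT_USER\Control Panel\Cursors example) are choices made for this example.

```powershell
# Added example; not from the URI slides. Assumes Windows PowerShell 5.1+ on Windows.
# Only a read-only handle is ever opened: a triage script must not take a writable
# handle on evidence.

if (-not ('RegNative' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class RegNative {
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern int RegQueryInfoKey(
        IntPtr hKey, StringBuilder lpClass, ref uint lpcchClass, IntPtr lpReserved,
        out uint lpcSubKeys, out uint lpcbMaxSubKeyLen, out uint lpcbMaxClassLen,
        out uint lpcValues, out uint lpcbMaxValueNameLen, out uint lpcbMaxValueLen,
        out uint lpcbSecurityDescriptor, out long lpftLastWriteTime);
}
"@
}

# .NET RegistryValueKind names mapped to the REG_* names used on the slide.
$KindNames = @{
    None = 'REG_NONE'; String = 'REG_SZ'; ExpandString = 'REG_EXPAND_SZ'
    Binary = 'REG_BINARY'; DWord = 'REG_DWORD'; MultiString = 'REG_MULTI_SZ'
    QWord = 'REG_QWORD'; Unknown = 'REG_UNKNOWN'
}

function Get-RegistryKeyLastWrite {
    # The timestamp regedit hides: RegQueryInfoKey returns it as a FILETIME (64-bit).
    param([Microsoft.Win32.RegistryKey]$Key)
    $cls = New-Object System.Text.StringBuilder 256
    $clsLen = [uint32]$cls.Capacity
    $n1 = $n2 = $n3 = $n4 = $n5 = $n6 = $n7 = [uint32]0
    $ft = [long]0
    $rc = [RegNative]::RegQueryInfoKey($Key.Handle.DangerousGetHandle(), $cls, [ref]$clsLen,
        [IntPtr]::Zero, [ref]$n1, [ref]$n2, [ref]$n3, [ref]$n4, [ref]$n5, [ref]$n6, [ref]$n7, [ref]$ft)
    if ($rc -ne 0) { throw "RegQueryInfoKey failed with Win32 error $rc" }
    [DateTime]::FromFileTimeUtc($ft)
}

function Get-RegistryValueDetail {
    param(
        [ValidateSet('HKLM','HKCU','HKU','HKCR','HKCC')][string]$Hive = 'HKCU',
        [string]$SubKey = 'Control Panel\Cursors'   # the example path on the slide
    )
    $root = switch ($Hive) {
        'HKLM' { [Microsoft.Win32.Registry]::LocalMachine }
        'HKCU' { [Microsoft.Win32.Registry]::CurrentUser }
        'HKU'  { [Microsoft.Win32.Registry]::Users }
        'HKCR' { [Microsoft.Win32.Registry]::ClassesRoot }
        'HKCC' { [Microsoft.Win32.Registry]::CurrentConfig }
    }
    $key = $root.OpenSubKey($SubKey, $false)   # $false = read-only
    if (-not $key) { throw "$Hive\$SubKey not found or access denied" }
    try {
        $lastWrite = Get-RegistryKeyLastWrite -Key $key
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)
            # Stored form: REG_EXPAND_SZ comes back unexpanded, so the record shows what
            # the key contains rather than what it resolves to on this particular host.
            $raw = $key.GetValue($name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $data = switch ($kind) {
                'ExpandString' { '{0}  ->  {1}' -f $raw, $key.GetValue($name) }
                'MultiString'  { $raw -join ' | ' }          # one element per null-terminated line
                { $_ -in 'Binary','None' } { [BitConverter]::ToString([byte[]]$raw) }
                'DWord'        { '0x{0:X8}' -f ([int64]$raw -band 0xFFFFFFFF) }   # show the four bytes unsigned
                default        { "$raw" }
            }
            [pscustomobject]@{
                Key       = "$Hive\$SubKey"
                LastWrite = $lastWrite
                Name      = if ($name -eq '') { '(Default)' } else { $name }
                Type      = $KindNames[[string]$kind]
                Data      = $data
            }
        }
    }
    finally { $key.Close() }
}

Get-RegistryValueDetail | Format-Table -AutoSize
Get-RegistryValueDetail -Hive HKLM -SubKey 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run' | Format-Table -AutoSize
```

Run the second call elevated if HKLM values are missing from the output; the Run key is world-readable, but other HKLM subkeys (SAM, SECURITY) deny even administrators unless read as SYSTEM. Keeping REG_EXPAND_SZ unexpanded matters for evidence: an autostart entry of %TEMP%\x.exe expands differently on the examiner's machine than on the suspect's.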
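The HKLM and HKU slides name the keys an examiner looks at first: the Run keys in HKLM\SOFTWARE and in every HKU\{SID}, the Enum subtree that records attached USB devices, MountedDevices, and the NTUSER.DAT file that backs each user's HKU subkey. The following PowerShell is an added example, not part of the URI slides, that walks those keys on a live system and can also mount an NTUSER.DAT copied out of an image under a temporary HKU name with the stock reg.exe tool. It assumes Windows PowerShell 5.1 or later, run elevated (HKU\{SID} subkeys other than the current user's, and reg.exe load, need it); RunOnce, Enum\USBSTOR and the binary layouts decoded from MountedDevices are facts about Windows not stated on the slides, and the function names and the mount name ForensicTemp are choices made for this example.

```powershell
# Added example; not from the URI slides. Assumes Windows PowerShell 5.1+, elevated.
# Every read uses the stored (unexpanded) form of the data.

if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$RunSubKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
              'Software\Microsoft\Windows\CurrentVersion\RunOnce'

function Get-AutostartEntries {
    # HKLM\SOFTWARE\...\Run fires for every logon; HKU\{SID}\Software\...\Run for one user.
    # Every loaded user hive is walked (.DEFAULT, the service SIDs, real users, and any hive
    # mounted by Invoke-WithOfflineUserHive); the {SID}_Classes hives carry no Run keys.
    $roots = @('HKLM:') + @(Get-ChildItem HKU: -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object { "HKU:\$($_.PSChildName)" })
    foreach ($root in $roots) {
        foreach ($sub in $RunSubKeys) {
            $path = "$root\$sub"
            if (-not (Test-Path $path)) { continue }
            $item = Get-Item $path
            foreach ($name in $item.GetValueNames()) {
                [pscustomobject]@{
                    Scope   = if ($root -eq 'HKLM:') { 'Machine' } else { $root.Split('\')[-1] }
                    Key     = $sub.Split('\')[-1]
                    Name    = $name
                    Command = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                }
            }
        }
    }
}

function Get-UsbDeviceHistory {
    # HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR has one key per device model and, beneath it,
    # one key per instance (the device serial followed by &0, or a Windows-generated id when the
    # device reports no serial). Devices that are long gone still appear here.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $base)) { return }
    foreach ($model in Get-ChildItem $base) {
        foreach ($instance in Get-ChildItem $model.PSPath) {
            [pscustomobject]@{
                Model        = $model.PSChildName
                Instance     = $instance.PSChildName
                FriendlyName = $instance.GetValue('FriendlyName')
            }
        }
    }
}

function Get-MountedDevices {
    # HKLM\SYSTEM\MountedDevices maps \DosDevices\X: and \??\Volume{GUID} names to a binary id:
    # 12 bytes (MBR disk signature + partition byte offset), 24 bytes starting "DMIO:ID:" (GPT
    # partition GUID), or a UTF-16LE device path naming the USBSTOR instance for USB volumes.
    $item = Get-Item 'HKLM:\SYSTEM\MountedDevices'
    foreach ($name in $item.GetValueNames()) {
        $bytes = [byte[]]$item.GetValue($name)
        $decoded =
            if ($bytes.Length -eq 12) {
                'MBR signature {0}, offset 0x{1:X}' -f @([BitConverter]::ToString($bytes, 0, 4), [BitConverter]::ToUInt64($bytes, 4))
            } elseif ($bytes.Length -eq 24 -and [Text.Encoding]::ASCII.GetString($bytes, 0, 8) -eq 'DMIO:ID:') {
                'GPT partition ' + (New-Object Guid -ArgumentList (,[byte[]]$bytes[8..23]))
            } else {
                [Text.Encoding]::Unicode.GetString($bytes)   # e.g. _??_USBSTOR#Disk&Ven_...#<serial>&0#{GUID}
            }
        [pscustomobject]@{ Name = $name; Identifier = $decoded }
    }
}

function Invoke-WithOfflineUserHive {
    param(
        [Parameter(Mandatory)][string]$NtUserDatPath,   # a copy exported from the image, never a live file
        [string]$MountName = 'ForensicTemp',
        [Parameter(Mandatory)][scriptblock]$Action        # receives the mounted root, e.g. HKU:\ForensicTemp
    )
    # reg.exe load opens the file exclusively and may write to it (dirty-flag and log recovery),
    # so hash the original first and load a duplicate.
    & reg.exe load "HKU\$MountName" $NtUserDatPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed ($LASTEXITCODE) for $NtUserDatPath" }
    try { & $Action "HKU:\$MountName" }
    finally {
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()   # drop cached handles or unload fails with access denied
        & reg.exe unload "HKU\$MountName" | Out-Null
    }
}

Get-AutostartEntries | Format-Table -AutoSize
Get-UsbDeviceHistory | Format-Table -AutoSize
Get-MountedDevices   | Format-Table -AutoSize
# Offline NTUSER.DAT from an image (path is a placeholder): the mounted hive shows up in
# Get-AutostartEntries under Scope = ForensicTemp.
# Invoke-WithOfflineUserHive -NtUserDatPath 'D:\evidence\NTUSER.DAT' -Action {
#     param($root) Get-AutostartEntries | Where-Object Scope -eq 'ForensicTemp' }
```

Two caveats a practitioner should keep in mind. The live walk only sees HKU subkeys for users whose hives are currently loaded; a user who is logged off exists only as the NTUSER.DAT file on disk, which is why the offline loader is there. And Volatile Environment, listed on the slide, is built at logon and never written to NTUSER.DAT, so it is absent from a mounted offline hive.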