The Windows Registry

CSC414 Computer System Fundamentals
Digital Forensics Center, Department of Computer Science and Statistics, University of Rhode Island
THINK BIG WE DO - URI
http://www.forensics.cs.uri.edu

Windows Registry
- Hardware and software information
  - Current and previously attached hardware
  - User preferences and configuration settings
  - Program usage and timestamps
- Logical view
  - Hierarchy of folders (keys)
  - Five top-level categories (hives)
  - Viewed using regedit.exe, regedt32.exe or specialized programs such as AccessData Registry Viewer
- Physical view
  - Actual files containing the registry data
  - Transaction log (.LOG) of changes to each file

Registry Hives
Top-level logical grouping of keys

Hive Name            Abbreviation  Description
HKEY_LOCAL_MACHINE   HKLM          Local system hardware, device drivers, services and machine-specific application data
HKEY_USERS           HKU           Pre-logon default user profile and the profiles of all users on the system
HKEY_CURRENT_USER    HKCU          Currently logged-on user profile; a link to that user's key in HKU
HKEY_CLASSES_ROOT    HKCR          Link to subkeys in HKLM (and HKCU) holding configuration and file associations for installed software
HKEY_CURRENT_CONFIG  HKCC          Link to the subkey in HKLM holding the current hardware configuration and some per-computer application settings

Registry Keys
- Referenced by path name
  - Uses the \ character to separate levels
  - The path is not the file name of a key; keys are stored inside hive files
  - Example: HKEY_CURRENT_USER\Control Panel\Cursors
- Attributes
  - Name
  - Type
  - Permissions (can be set per user or group)
  - Last write time (the key's timestamp; regedit does not display it, so a third-party registry editor or forensic viewer is needed to see it)

Registry Values
- Name ((Default) is the default value of the key)
- Type (used to interpret the data bytes)
- Size of data
- Data (the actual data for the value)

Type           Name               Meaning
REG_NONE       No Type            Just raw bytes
REG_BINARY     Binary             Binary data value
REG_DWORD      Double Word        Four-byte value
REG_SZ         String             Single-line string terminated by a null character
REG_EXPAND_SZ  Expandable String  String holding environment variables to expand, commonly used for paths
REG_MULTI_SZ   Multi-line String  Each line is terminated by a null character, and the list by an extra null
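The value table above says what each type means; a forensic tool still has to turn the raw bytes into those meanings, and real hives contain strings without terminators, odd-length data and %VAR% references that must be expanded against the right user's environment. The decoder below is an added example written for this page (it is not the course's or any tool's code); the value names, bytes and the environment dictionary are constructed samples, and the type codes are the documented Win32 REG_* constants.

```python
import os
import re
import struct

# Value type codes as stored in hive value cells and returned by the Win32 registry API
REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 0, 1, 2, 3, 4, 7


def decode_sz(raw: bytes) -> str:
    """REG_SZ: UTF-16LE text ended by a null character.
    A missing terminator or an odd trailing byte both occur in real hives, so neither is fatal."""
    if len(raw) % 2:
        raw = raw[:-1]
    text = raw.decode("utf-16-le", errors="replace")
    end = text.find("\x00")
    return text if end < 0 else text[:end]


def decode_multi_sz(raw: bytes) -> list:
    """REG_MULTI_SZ: every string ends with a null and the whole list ends with one more null."""
    if len(raw) % 2:
        raw = raw[:-1]
    parts = raw.decode("utf-16-le", errors="replace").split("\x00")
    while parts and parts[-1] == "":  # drop the empties produced by the closing double null
        parts.pop()
    return parts


def decode_dword(raw: bytes) -> int:
    """REG_DWORD: four-byte little-endian unsigned integer."""
    if len(raw) != 4:
        raise ValueError(f"REG_DWORD data must be 4 bytes, got {len(raw)}")
    return struct.unpack("<I", raw)[0]


def expand_env(text: str, env=None) -> str:
    """Expand %VAR% references case-insensitively; unknown names stay as written, like Windows does."""
    table = {k.upper(): v for k, v in (os.environ if env is None else env).items()}
    return re.sub(r"%([^%]+)%", lambda m: table.get(m.group(1).upper(), m.group(0)), text)


def decode_value(vtype: int, raw: bytes, env=None):
    """Interpret raw value bytes according to the type code from the table above."""
    if vtype == REG_SZ:
        return decode_sz(raw)
    if vtype == REG_EXPAND_SZ:
        return expand_env(decode_sz(raw), env)
    if vtype == REG_MULTI_SZ:
        return decode_multi_sz(raw)
    if vtype == REG_DWORD:
        return decode_dword(raw)
    # REG_BINARY, REG_NONE and anything unrecognised: keep the raw bytes, shown as hex
    return raw.hex()


def utf16z(text: str) -> bytes:
    """Encode text the way the registry stores strings: UTF-16LE plus a null terminator."""
    return text.encode("utf-16-le") + b"\x00\x00"


# Constructed sample values (not read from any real system), keyed by value name
SAMPLES = {
    "Updater": (REG_SZ, utf16z("C:\\Tools\\updater.exe /quiet")),
    "TEMP": (REG_EXPAND_SZ, utf16z("%USERPROFILE%\\AppData\\Local\\Temp")),
    "Shell": (REG_SZ, "explorer.exe".encode("utf-16-le")),      # terminator missing on purpose
    "DllPaths": (REG_MULTI_SZ, utf16z("C:\\App\\bin\x00C:\\App\\plugins\x00")),
    "ClearPageFileAtShutdown": (REG_DWORD, b"\x01\x00\x00\x00"),
    "Seed": (REG_BINARY, bytes(range(8))),
}


def decode_samples(env=None) -> dict:
    """Decode every sample with the given environment (defaults to the current process environment)."""
    return {name: decode_value(vtype, raw, env) for name, (vtype, raw) in SAMPLES.items()}


if __name__ == "__main__":
    for name, value in decode_samples({"USERPROFILE": "C:\\Users\\alice"}).items():
        print(f"{name:24} {value!r}")
```

Passing an explicit environment to decode_samples matters in forensics: an REG_EXPAND_SZ value taken from another user's NTUSER.DAT must be expanded with that user's variables, not the examiner's, or the recovered path will point at the wrong profile.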
Local Machine Hive HKEY_LOCAL_MACHINE (HKLM)
- SYSTEM
  - Current system setup
  - ControlSets of hardware and device drivers
    - Alternative system configurations; CurrentControlSet points at the one in use
    - Enum lists attached devices, including USB sticks and drives
    - Mounted file systems (MountedDevices)
  - Virtual memory page file location: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  - Files: C:\Windows\System32\config\SYSTEM and C:\Windows\System32\config\SYSTEM.LOG
- SOFTWARE
  - Configuration settings and preferences for programs
  - Registration information for programs
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
    - Run: software that runs when the system starts up
    - Winlogon: login window configuration information
  - Random Number Generator (RNG) seed value
  - Files: C:\Windows\System32\config\SOFTWARE and C:\Windows\System32\config\SOFTWARE.LOG
- SAM
  - Security Account Manager: local account information
  - Permissions prevent normal viewing
  - Files: C:\Windows\System32\config\SAM and C:\Windows\System32\config\SAM.LOG
- SECURITY
  - Local security policy and account information for domains accessed with this system
  - Permissions prevent normal viewing
  - Files: C:\Windows\System32\config\SECURITY and C:\Windows\System32\config\SECURITY.LOG
- HARDWARE
  - Hardware that Windows detects during start-up
  - Not stored in a file; created dynamically at start-up
- BCD00000000
  - Boot Configuration Data for Vista and Windows 7 (for XP and earlier, boot data was stored in C:\boot.ini)
  - File: C:\Boot\BCD, or on the EFI System Partition on UEFI systems

Users Hive HKEY_USERS (HKU)
- Subkeys contain user-specific preferences, configuration and activity information
  - Each subkey is named by the user's SID (security identifier)
  - {SID}_Classes contains per-user class registration and file associations
- System accounts
  - S-1-5-18: Local System, an account with high privileges
  - S-1-5-19: Local Service, for running local services that do not need Local System privileges
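Each hive file listed above (SYSTEM, SOFTWARE, SAM, SECURITY, NTUSER.DAT) starts with a 512-byte base block, and the paired .LOG file is its transaction log. Before trusting a hive pulled from a disk image an examiner checks that block: the "regf" signature, the checksum, and whether the primary and secondary sequence numbers agree (Windows bumps the primary before a write and the secondary after it, so a mismatch means the last write never completed and the log has to be replayed). The parser below is an added example written for this page, not the course's or any forensic tool's code; the field offsets follow the publicly documented hive format, and the block it parses is built in memory rather than read from a real machine.

```python
import struct
from datetime import datetime, timedelta, timezone

REGF_SIZE = 512  # the base block is the first 512 bytes; hive bins start at file offset 4096
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def regf_checksum(block: bytes) -> int:
    """XOR of the 127 little-endian DWORDs before the checksum field, with the two reserved results remapped."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if x == 0:
        return 1
    return x


def parse_base_block(block: bytes) -> dict:
    """Decode the fields an examiner needs from a hive's base block and flag inconsistencies."""
    if len(block) < REGF_SIZE or block[:4] != b"regf":
        raise ValueError("not a registry hive: missing 'regf' signature")
    (primary_seq, secondary_seq, last_written, major, minor, file_type, file_format,
     root_cell, bins_size, clustering) = struct.unpack_from("<IIQIIIIIII", block, 4)
    # 64-byte UTF-16LE file name field at offset 48 (Windows stores the tail of the path)
    name = block[48:112].decode("utf-16-le", errors="replace").split("\x00")[0]
    stored_sum = struct.unpack_from("<I", block, 508)[0]
    return {
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        "last_written": filetime_to_datetime(last_written),
        "version": (major, minor),
        "file_type": file_type,          # 0 = primary hive file, 1 = transaction log
        "root_cell_offset": root_cell,   # relative to the start of the hive bins (file offset 4096)
        "hive_bins_size": bins_size,
        "file_name": name,
        "checksum_ok": stored_sum == regf_checksum(block),
        # unequal sequence numbers: the last write was interrupted, replay the .LOG before parsing
        "dirty": primary_seq != secondary_seq,
    }


def build_sample_block(primary=7, secondary=7, name="System32\\Config\\SYSTEM") -> bytes:
    """Construct a synthetic base block (not captured from any real system) so the parser runs offline."""
    assert len(name) <= 32, "file name field holds at most 32 UTF-16 characters"
    block = bytearray(REGF_SIZE)
    block[:4] = b"regf"
    # constructed last-write time: 2021-01-01 00:00:00 UTC as FILETIME
    ft = int((datetime(2021, 1, 1, tzinfo=timezone.utc) - FILETIME_EPOCH).total_seconds()) * 10_000_000
    struct.pack_into("<IIQIIIIIII", block, 4, primary, secondary, ft, 1, 5, 0, 1, 0x20, 0x1000, 1)
    block[48:48 + 2 * len(name)] = name.encode("utf-16-le")
    struct.pack_into("<I", block, 508, regf_checksum(bytes(block)))
    return bytes(block)


def triage_hive(block: bytes) -> str:
    """One-line verdict of the kind a collection script would log per hive file."""
    info = parse_base_block(block)
    status = "OK"
    if not info["checksum_ok"]:
        status = "CORRUPT (checksum mismatch)"
    elif info["dirty"]:
        status = "DIRTY (seq %d != %d, apply transaction log)" % (info["primary_seq"], info["secondary_seq"])
    return "%s v%d.%d last written %s: %s" % (info["file_name"], *info["version"],
                                            info["last_written"].date(), status)


if __name__ == "__main__":
    print(triage_hive(build_sample_block()))
    print(triage_hive(build_sample_block(primary=8, secondary=7)))
```

When running this against real files, read only the first 512 bytes of the hive (open the copy from the image, never the live C:\Windows\System32\config files, which are locked) and treat a dirty hive as incomplete evidence until its .LOG has been replayed by a tool that understands the log format.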
  - S-1-5-20: Network Service, for running network services that do not require Local System privileges
  - .DEFAULT: default (pre-logon) user information
- Files (Vista and later): C:\Users\<username>\NTUSER.DAT and C:\Users\<username>\NTUSER.DAT.LOG
- Files (XP and earlier): C:\Documents and Settings\<username>\NTUSER.DAT and C:\Documents and Settings\<username>\NTUSER.DAT.LOG
- Important keys for forensics
  - Network: mapping of networked drives
  - Environment: default location of temporary user files
  - Volatile Environment: login and account information for the current user
  - Software: configuration and usage information for programs
    - HKU\{SID}\Software\Microsoft\Windows\CurrentVersion
    - HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run

Current Hives
- HKEY_CURRENT_USER (HKCU): links to the currently active user account and its class information in the HKU hive
- HKEY_CLASSES_ROOT (HKCR): a merge of the defaults in HKLM\Software\Classes with the per-user HKCU\Software\Classes
- HKEY_CURRENT_CONFIG (HKCC): links to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current
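The HKU subkey names above are SIDs in string form, but the same identifiers appear in binary inside the SAM, SECURITY and key security descriptors, so an examiner needs to convert both ways and then say whose profile a subkey is. The code below is an added example written for this page, not the course's or any tool's code: it decodes the documented binary SID layout (revision, sub-authority count, 48-bit big-endian identifier authority, little-endian sub-authorities), names the three system accounts from the slide, and, going one step beyond the page, applies the standard RID conventions for S-1-5-21 domain SIDs (500 Administrator, 501 Guest, 1000 and up for ordinary accounts). The HKU listing it triages is constructed, not taken from a real machine.

```python
import struct

# The system-account SIDs from the page
WELL_KNOWN = {
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
}


def parse_binary_sid(raw: bytes) -> str:
    """Decode a SID as stored in hives and security descriptors into S-R-I-S... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack_from(f"<{count}I", raw, 8)       # 32-bit, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_to_binary(sid: str) -> bytes:
    """Inverse of parse_binary_sid, useful for searching a hive for a known account."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)


def describe_sid(sid: str) -> str:
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    parts = sid.split("-")
    if sid.startswith("S-1-5-21-") and len(parts) == 8:   # machine/domain SID plus a RID
        rid = int(parts[-1])
        if rid == 500:
            return "built-in Administrator account (RID 500)"
        if rid == 501:
            return "built-in Guest account (RID 501)"
        if rid >= 1000:
            return "local or domain user account (RID %d)" % rid
        return "domain-relative well-known account (RID %d)" % rid
    return "other SID"


def classify_hku_subkey(name: str) -> dict:
    """Map an HKU subkey name to the profile it belongs to."""
    if name == ".DEFAULT":
        return {"kind": "default", "sid": None, "description": "default (pre-logon) user profile"}
    if name.endswith("_Classes"):
        base = name[: -len("_Classes")]
        return {"kind": "classes", "sid": base, "description": describe_sid(base)}
    return {"kind": "profile", "sid": name, "description": describe_sid(name)}


# Constructed HKU listing (not from a real system); the S-1-5-21 domain part is made up
SAMPLE_HKU = [
    ".DEFAULT",
    "S-1-5-18",
    "S-1-5-19",
    "S-1-5-20",
    "S-1-5-21-1004336348-1177238915-682003330-500",
    "S-1-5-21-1004336348-1177238915-682003330-1001",
    "S-1-5-21-1004336348-1177238915-682003330-1001_Classes",
]


def triage_hku(names=SAMPLE_HKU) -> list:
    return [dict(name=n, **classify_hku_subkey(n)) for n in names]


if __name__ == "__main__":
    for entry in triage_hku():
        print(f"{entry['name']:56} {entry['kind']:8} {entry['description']}")
    print(parse_binary_sid(bytes.fromhex("010100000000000512000000")))  # binary form of S-1-5-18
```

Only user profiles that were actually logged on appear under HKU; for an offline image the examiner loads each user's NTUSER.DAT and UsrClass.dat separately and uses the ProfileList key under HKLM\SOFTWARE to tie a SID back to a profile path and account name.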
