Registry Hives

What’s more fitting than to start this series by talking about hives?

What is a registry hive? 

A registry hive is a database in the Windows operating system that stores system- and user-generated information for configuration purposes. Because this information accumulates as the system is used, reviewing it lets an investigator track activities performed on the computer.

Structure

Registry hives are structured as a ‘tree’, where each branch of the tree is a ‘key’. Each branch in turn holds leaves, which are referred to as ‘subkeys’ or ‘values’ depending on the data type.

The following is a representation of the Registry Hive structure:

There are primarily five registry hives: 

Hive                 Description
HKEY_CLASSES_ROOT    Application configuration files.
HKEY_CURRENT_USER    Logged on user profile.
HKEY_LOCAL_MACHINE   Software and hardware configuration settings.
HKEY_USERS           Loaded user profiles on the system.
HKEY_CURRENT_CONFIG  Hardware information.

Registry Editor View:

Each hive is also backed by a set of supporting files on disk. Below are the primary files [1]:

Hive                         Supporting files
HKEY_CURRENT_CONFIG          System, System.alt, System.log, System.sav
HKEY_CURRENT_USER            Ntuser.dat, Ntuser.dat.log
HKEY_LOCAL_MACHINE\SAM       Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\Security  Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE\Software  Software, Software.log, Software.sav
HKEY_LOCAL_MACHINE\System    System, System.alt, System.log, System.sav
HKEY_USERS\.DEFAULT          Default, Default.log, Default.sav

Registry Review:

The following steps show how to capture and review a registry hive using the proprietary Windows format.

Capture:

  1. On a running Windows system, open Registry Editor.
  2. File -> Export -> Save as a Registration File (.reg).

Review:

  1. Open Registry Editor.
  2. File -> Load Hive.
  3. Point to the .reg file.

Location from a Windows Forensic Image:

C:\Windows\system32\config\

Digital Forensics Focus: 

The following are helpful locations that have assisted in Digital Forensics investigations: 

Data type                           Registry path
Computer name                       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Time zone                           HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
USB connections                     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR (or \Enum\USB)
Mounted devices                     HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
Running software                    HKEY_CURRENT_USER\Software\
Recent docs                         HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Recent applications                 HKEY_CURRENT_USER\SOFTWARE\Microsoft\CurrentVersion\Search\RecentApps
Network connections                 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList
Shell bags (user’s viewed folders)  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell
Uninstall of programs               HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL
IP addresses                        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
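As an added example (not from the article, and not a Microsoft tool), the following PowerShell script walks the locations listed above and writes their values to a CSV for later review; the parameter names, the hypothetical HKLM\OfflineSYSTEM mount point and the output file name are assumptions. It also covers the case the table does not spell out: a SYSTEM hive copied from a forensic image has no CurrentControlSet link, so the active control set must be read from the Select key before the paths above resolve.

```powershell
# Added example, not from the article: collect the forensic registry locations listed
# above into one CSV. Run elevated. $OfflineSystemHive is a hypothetical path to a
# SYSTEM hive copied from a forensic image (leave empty to query the live machine).
param(
    [string]$OfflineSystemHive = '',
    [string]$Report = '.\registry-triage.csv'
)
$rows = New-Object 'System.Collections.Generic.List[object]'
function Add-Row($Artifact, $Key, $Name, $Value) {
    $rows.Add([pscustomobject]@{ Artifact = $Artifact; Key = $Key; Name = $Name; Value = $Value })
}

# Record every value under $Key (and, with -Recurse, under all of its subkeys).
function Collect($Artifact, $Key, [switch]$Recurse) {
    if (-not (Test-Path $Key)) { Add-Row $Artifact $Key '<missing>' ''; return }
    $keys = @(Get-Item $Key)
    if ($Recurse) { $keys += @(Get-ChildItem $Key -Recurse -ErrorAction SilentlyContinue) }
    foreach ($k in $keys) {
        foreach ($n in $k.GetValueNames()) {
            # REG_BINARY and REG_MULTI_SZ come back as arrays; flatten them for the CSV.
            Add-Row $Artifact $k.Name $n (@($k.GetValue($n)) -join ';')
        }
    }
}

$root = 'HKLM:\SYSTEM'
$ccs  = "$root\CurrentControlSet"   # live only: a kernel-maintained link to ControlSet00N
if ($OfflineSystemHive) {
    # An offline hive has no CurrentControlSet; Select\Current names the set that was booted.
    reg.exe load 'HKLM\OfflineSYSTEM' $OfflineSystemHive | Out-Null
    $root = 'HKLM:\OfflineSYSTEM'
    $ccs  = '{0}\ControlSet{1:D3}' -f $root, (Get-ItemProperty "$root\Select").Current
}
Collect 'Computer name'     "$ccs\Control\ComputerName\ComputerName"
Collect 'Time zone'         "$ccs\Control\TimeZoneInformation"
Collect 'USB storage'       "$ccs\Enum\USBSTOR" -Recurse
Collect 'TCP/IP interfaces' "$ccs\Services\Tcpip\Parameters\Interfaces" -Recurse
Collect 'Mounted devices'   "$root\MountedDevices"
if (-not $OfflineSystemHive) {   # SOFTWARE and NTUSER.DAT locations, live system only
    Collect 'Network list'       'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList' -Recurse
    Collect 'Installed programs' 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' -Recurse
    Collect 'Recent docs'        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs' -Recurse
}
$rows | Export-Csv -Path $Report -NoTypeInformation
if ($OfflineSystemHive) {
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()   # release key handles so unload succeeds
    reg.exe unload 'HKLM\OfflineSYSTEM' | Out-Null
}
Write-Host "Wrote $($rows.Count) rows to $Report"
```

On a live system the HKCU section only reflects the account running the script; other users' NTUSER.DAT hives would need to be loaded the same way as the offline SYSTEM hive.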

Conclusion

The Windows Registry Hive provides a valuable log of user generated information that can assist in an investigation. Depending on the type of investigation, you may find different parts of the registry hive to be beneficial. Therefore, if you are analyzing a Windows machine, take the time to review these hives – it may provide you with guidance and assistance in retracing user actions.

Reference Guide

If you would like a summary of this article, please check our reference guide for your review – Windows Registry Hive – Reference Guide

Reference

  1. Msdn.microsoft.com. (2019). Registry Hives (Windows). [online] Available at: https://msdn.microsoft.com/en-us/library/windows/desktop/ms724877(v=vs.85).aspx [Accessed 24 March 2023].