What’s more fitting than to start this series with talking about hives?
What is a registry hive?
A registry hive is a database in the Windows Operating System that collects system- and user-generated information for configuration purposes. Because this information is recorded as the system is used, reviewing it lets an examiner track activities performed on the computer.
Structure
Registry hives are structured as a ‘tree’: each branch of the tree is a ‘key’, and each branch carries leaves, which are referred to as ‘subkeys’ or ‘values’ depending on the data type.
The following is a representation of the Registry Hive structure:
There are primarily five registry hives:
Hive | Description |
HKEY_CLASSES_ROOT | Application configuration files. |
HKEY_CURRENT_USER | Logged-on user profile. |
HKEY_LOCAL_MACHINE | Software and hardware configuration settings. |
HKEY_USERS | Loaded user profiles on the system. |
HKEY_CURRENT_CONFIG | Hardware information. |
Registry Editor View:
Each hive also has supporting files, which correspond to the branches of the tree. Below are the primary files [1]:
Hive | Supporting files |
HKEY_CURRENT_CONFIG | System, System.alt, System.log, System.sav |
HKEY_CURRENT_USER | Ntuser.dat, Ntuser.dat.log |
HKEY_LOCAL_MACHINE\SAM | Sam, Sam.log, Sam.sav |
HKEY_LOCAL_MACHINE\Security | Security, Security.log, Security.sav |
HKEY_LOCAL_MACHINE\Software | Software, Software.log, Software.sav |
HKEY_LOCAL_MACHINE\System | System, System.alt, System.log, System.sav |
HKEY_USERS\.DEFAULT | Default, Default.log, Default.sav |
Registry Review:
The following steps capture and review a registry hive using the proprietary Windows format.
Capture:
- On a running Windows System open Registry Editor
- File -> Export -> Save as a Registration File (.reg).
Review:
- Open Registry editor.
- File -> Load Hive
- Point to .reg file.
Location from a Windows Forensic Image:
C:\Windows\system32\config\
Digital Forensics Focus:
The following are helpful locations that have assisted in Digital Forensics investigations:
Data Type | Registry Path |
Computer Name | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName |
Time zone | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation |
USB connections | HKEY_LOCAL_MACHINE\SYSTEM\controlset001\Enum\USBSTOR or USB |
Mounted Devices | HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices |
Running software | HKEY_CURRENT_USER\Software\ |
Recent docs | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs |
Recent applications | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Currentversion\Search\RecentApps |
Network Connections | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList |
Shell bags (user’s viewed folders) | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell |
Uninstall of programs | HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL |
IP addresses | HKEY_LOCAL_MACHINE\System\Services\CurrentControlSet\services\Tcpip\Parameters\Interfaces |
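The capture step above produces a Registration File (.reg), and the table lists where the interesting artefacts live. The script below ties the two together: it parses the .reg export format (the `[key]` sections, `"name"=value` lines, `dword:` and `hex(T):` encodings, and the backslash-continued hex lines regedit writes) and then pulls the computer name, time zone, USB storage history and installed programs out of the parsed keys. This is an added example written for this article, not code from the original post or from Microsoft; the `SAMPLE_REG` export is constructed, and the serial number, device names and install data in it are made up.

```python
"""Parse a Registry Editor export (.reg) and pull out the forensic artefacts listed above."""
import re
from typing import Any, Dict

# Constructed .reg export covering four paths from the table above (not from a real system).
# The trailing backslash on the HardwareID line is how regedit wraps long hex values.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName]
"ComputerName"="LAB-WS01"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation]
"TimeZoneKeyName"="Pacific Standard Time"
"Bias"=dword:000001e0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\0011223344556677&0]
"FriendlyName"="Kingston DataTraveler USB Device"
"HardwareID"=hex(7):55,00,53,00,42,00,53,00,54,00,4f,00,52,00,5c,00,\
  44,00,69,00,73,00,6b,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SampleTool]
"DisplayName"="Sample Tool 1.0"
"InstallDate"="20230301"
"InstallLocation"="C:\\Tools\\Sample"
"""

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
_HEX_RE = re.compile(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$")


def _join_continuations(text: str):
    """Yield logical lines: a trailing backslash continues the value on the next line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def _unescape(s: str) -> str:
    """Undo the .reg escaping of quotes and backslashes inside string literals."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode_value(raw: str) -> Any:
    """Decode one value literal: "string", dword:XXXXXXXX, hex:.. or hex(T):.. (T is the type id in hex)."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = _HEX_RE.match(raw)
    if not m:
        return raw
    kind = int(m.group(1) or "3", 16)  # bare hex: is REG_BINARY (type 3)
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind in (1, 2):  # REG_SZ / REG_EXPAND_SZ: UTF-16LE, NUL-terminated
        return data.decode("utf-16-le").rstrip("\x00")
    if kind == 7:  # REG_MULTI_SZ: NUL-separated UTF-16LE strings, double NUL at the end
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    if kind in (4, 11):  # REG_DWORD / REG_QWORD written out as little-endian bytes
        return int.from_bytes(data, "little")
    return data


def parse_reg(text: str) -> Dict[str, Dict[str, Any]]:
    """Return {key path: {value name: decoded value}} for a .reg export.
    When reading from disk, open the file with encoding="utf-16" (regedit's default)."""
    keys: Dict[str, Dict[str, Any]] = {}
    current = None
    for line in _join_continuations(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = None if name.startswith("-") else keys.setdefault(name, {})  # [-key] means "delete key"
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        vname = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        current[vname] = _decode_value(m.group(2))
    return keys


# Paths from the table above; registry paths are case-insensitive, so compare lower-cased.
COMPUTER_NAME_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName"
TIME_ZONE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
USBSTOR_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR"
UNINSTALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"


def summarize(keys: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Pull the artefacts an examiner looks for first out of a parsed export."""
    lower = {k.lower(): v for k, v in keys.items()}
    tz = lower.get(TIME_ZONE_KEY.lower(), {})
    usb_prefix, uninst_prefix = USBSTOR_KEY.lower() + "\\", UNINSTALL_KEY.lower() + "\\"
    return {
        "computer_name": lower.get(COMPUTER_NAME_KEY.lower(), {}).get("ComputerName"),
        "time_zone": tz.get("TimeZoneKeyName"),
        "utc_offset_hours": -tz["Bias"] / 60 if "Bias" in tz else None,  # Bias is minutes west of UTC
        # USBSTOR\<device id>\<serial>: the instance key's last component is the device serial
        "usb_devices": [
            {"serial": k.rsplit("\\", 1)[1], "name": v.get("FriendlyName"), "hardware_ids": v.get("HardwareID", [])}
            for k, v in keys.items() if k.lower().startswith(usb_prefix) and "FriendlyName" in v
        ],
        "installed": [
            (v.get("DisplayName"), v.get("InstallDate"), v.get("InstallLocation"))
            for k, v in keys.items() if k.lower().startswith(uninst_prefix)
        ],
    }


if __name__ == "__main__":
    for field, value in summarize(parse_reg(SAMPLE_REG)).items():
        print(f"{field}: {value}")
```

To run it against a real export, replace `SAMPLE_REG` with `open(path, encoding="utf-16").read()`; regedit writes .reg files as UTF-16LE with a byte-order mark, which the `utf-16` codec strips. The time-zone `Bias` value is stored as minutes west of UTC, so a value of 480 means UTC-8; getting the sign right matters when lining registry timestamps up with other evidence.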
Conclusion
The Windows Registry Hive provides a valuable log of user-generated information that can assist in an investigation. Depending on the type of investigation, you may find different parts of the registry hive to be beneficial. Therefore, if you are analyzing a Windows machine, take the time to review these hives – they may provide you with guidance and assistance in retracing user actions.
Reference Guide
If you would like a summary of this article, please see our reference guide: Windows Registry Hive – Reference Guide.
Reference
- Msdn.microsoft.com. (2019). Registry Hives (Windows). [online] Available at: https://msdn.microsoft.com/en-us/library/windows/desktop/ms724877(v=vs.85).aspx [Accessed 24 March 2023].