Windows Registry Forensics

Core Windows Registry Hives and Their Forensic Value

NTUSER.DAT

Value

Location

Loaded under

Forensic value

Tracks user-specific settings and activity.

Contains

UserAssist: Tracks program execution for apps with GUI components or app/LNK files launched via the Windows UI.
RunMRU: Tracks program execution for commands run via Windows run dialog.
OpenSaveMRU: Tracks files opened/saved via Windows Open/Save dialog.
OfficeMRU: Tracks most recently used files for each Office app. Ex: Word, Excel, PowerPoint.
LastVistedMRU: Tracks applications that have used the Windows Open/Save dialog, along with last location opened for each app.
RecentDocs: Tracks recently accessed files and folders opened. Used to populate various “recent” tables in Windows.
WordWheelQuery: Tracks an ordered list of search strings put into Windows File Explorer search box.
TypedPaths: Tracks paths typed into File Explorer path bar directly by a user
ShellBags: Includes UNC path based data. Can show evidence of users opening folders.
MountPoints2: Tracks mounted USB and network shares.
User-specific installed apps: Tracks what apps have been installed for the user instead of system-wide.
User-specific Autorun entries: User-specific persistence in the Registry. Ex: Run/RunOnce keys.

UsrClass.dat

Value

Location

Loaded under

Forensic value

Mainly stores user-specific shell settings and mappings.

Contains

ShellBag: Tracks existence of folders and archive files. Includes UNC path-based data. Can show evidence of users opening folders.
MUICache: Tracks program execution for apps with a GUI component.

SAM

Value

Location

Loaded under

Forensic value

Contains details about local user accounts and groups.

Contains

Local user account information: Ex: username, SID, creation date, last logon date, etc.
Local groups and their members: Ex: Figure out who is a local admin.
Local account password hashes: Used for offline password cracking.

SYSTEM

Value

Location

Loaded under

Forensic value

Tracks system config and USB/device usage.

Contains

ShimCache: Used to track app compatibility info. Can prove file existence and sometimes file execution

Activity Moderator (BAM/DAM): Used to track apps that run in the background or are used during various low-power usage scenarios.
Windows Services: Contains info on all installed Windows services, including system drivers.
MountedDevices: Used to map drive letters to attached devices.
Enum USB\USBSTOR: Used to get a list of attached USB device history: Vendor ID, product ID, serial#, first and last attached times.
TCP/IP Interfaces: Lists out network interface details. Ex. Assigned IP, DNS address, default gateway, and DHCP lease time.
System configuration details: Time zone, computer name, last shutdown time, network interfaces, and network history.

SOFTWARE

Value

Location

Loaded under

Forensic value

Lists installed software, system settings, and global auto-run entries.

Contains

System-wide installed applications: Contains info about currently installed apps installed system-wide.
NetworkList: Lists connected network names along with first and last connection times.
Scheduled Tasks: Tracks Window Task definitions commonly used for persistence and privilege escalation.
Profilelist: Provides a mapping of user SIDs to profile directory location.
OS Information: OS version, build numbers, product name, and install date.
System-wide Autorun entries: Persistence in the registry. Ex: Run/RunOnce keys.

SECURITY

Value

Location

Loaded under

Forensic value

Contains security policies and auditing settings. Mainly used to understand what artifacts may not be available due to poor audit policies.

Contains

Local audit policy config: Details the current audit settings of the system to help better understand what data may be found in the event log.
LSA secrets: Contains sensitive data such as cached domain credentials and service account passwords.

Amcache.hve

Value

Location

Loaded under

Not part of the Windows Registry.

Forensic value

Tracks executable metadata and run history, even for deleted files.

Contains

Prove files existed on disk even after file deletion.
Provides insight into installed applications, along with how the app was installed.
SHA1 hash for PE files and drivers even after file deletion.
Stores comprehensive metadata for PE files and DLLs like file size, SHA1, and PE header info like CompanyName, FileVersion, etc.

Previous70 Vital Windows Commands NextGuide to Installing Kali Linux, DVWA, and bWAPP

Last updated 11 days ago

Was this helpful?

Windows Registry Forensics

Core Windows Registry Hives and Their Forensic Value

NTUSER.DAT

Value

Location

C:\Users\<username>\NTUSER.DAT

Loaded under

HKEY_USERS\<SID>

Forensic value

Tracks user-specific settings and activity.

Contains

UserAssist: Tracks program execution for apps with GUI components or app/LNK files launched via the Windows UI.
RunMRU: Tracks program execution for commands run via Windows run dialog.
OpenSaveMRU: Tracks files opened/saved via Windows Open/Save dialog.
OfficeMRU: Tracks most recently used files for each Office app. Ex: Word, Excel, PowerPoint.
LastVistedMRU: Tracks applications that have used the Windows Open/Save dialog, along with last location opened for each app.
RecentDocs: Tracks recently accessed files and folders opened. Used to populate various “recent” tables in Windows.
WordWheelQuery: Tracks an ordered list of search strings put into Windows File Explorer search box.
TypedPaths: Tracks paths typed into File Explorer path bar directly by a user
ShellBags: Includes UNC path based data. Can show evidence of users opening folders.
MountPoints2: Tracks mounted USB and network shares.
User-specific installed apps: Tracks what apps have been installed for the user instead of system-wide.
User-specific Autorun entries: User-specific persistence in the Registry. Ex: Run/RunOnce keys.

UsrClass.dat

Value

Location

C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat

Loaded under

HKEY_USERS\<SID>_Classes

Forensic value

Mainly stores user-specific shell settings and mappings.

Contains

ShellBag: Tracks existence of folders and archive files. Includes UNC path-based data. Can show evidence of users opening folders.
MUICache: Tracks program execution for apps with a GUI component.

SAM

Value

Location

C:\Windows\System32\Config\SAM

Loaded under

HKEY_LOCAL_MACHINE\SAM

Forensic value

Contains details about local user accounts and groups.

Contains

Local user account information: Ex: username, SID, creation date, last logon date, etc.
Local groups and their members: Ex: Figure out who is a local admin.
Local account password hashes: Used for offline password cracking.

SYSTEM

Value

Location

C:\Windows\System32\Config\SYSTEM

Loaded under

HKEY_LOCAL_MACHINE\SYSTEM

Forensic value

Tracks system config and USB/device usage.

Contains

ShimCache: Used to track app compatibility info. Can prove file existence and sometimes file execution

Activity Moderator (BAM/DAM): Used to track apps that run in the background or are used during various low-power usage scenarios.
Windows Services: Contains info on all installed Windows services, including system drivers.
MountedDevices: Used to map drive letters to attached devices.
Enum USB\USBSTOR: Used to get a list of attached USB device history: Vendor ID, product ID, serial#, first and last attached times.
TCP/IP Interfaces: Lists out network interface details. Ex. Assigned IP, DNS address, default gateway, and DHCP lease time.
System configuration details: Time zone, computer name, last shutdown time, network interfaces, and network history.

SOFTWARE

Value

Location

C:\Windows\System32\Config\SOFTWARE

Loaded under

HKEY_LOCAL_MACHINE\SOFTWARE

Forensic value

Lists installed software, system settings, and global auto-run entries.

Contains

System-wide installed applications: Contains info about currently installed apps installed system-wide.
NetworkList: Lists connected network names along with first and last connection times.
Scheduled Tasks: Tracks Window Task definitions commonly used for persistence and privilege escalation.
Profilelist: Provides a mapping of user SIDs to profile directory location.
OS Information: OS version, build numbers, product name, and install date.
System-wide Autorun entries: Persistence in the registry. Ex: Run/RunOnce keys.

SECURITY

Value

Location

C:\Windows\System32\Config\SECURITY

Loaded under

HKEY_LOCAL_MACHINE\SECURITY

Forensic value

Contains security policies and auditing settings. Mainly used to understand what artifacts may not be available due to poor audit policies.

Contains

Local audit policy config: Details the current audit settings of the system to help better understand what data may be found in the event log.
LSA secrets: Contains sensitive data such as cached domain credentials and service account passwords.

Amcache.hve

Value

Location

C:\Windows\AppCompat\Programs\Amcache.hve

Loaded under

Not part of the Windows Registry.

Forensic value

Tracks executable metadata and run history, even for deleted files.

Contains

Prove files existed on disk even after file deletion.
Provides insight into installed applications, along with how the app was installed.
SHA1 hash for PE files and drivers even after file deletion.
Stores comprehensive metadata for PE files and DLLs like file size, SHA1, and PE header info like CompanyName, FileVersion, etc.

Previous70 Vital Windows Commands NextGuide to Installing Kali Linux, DVWA, and bWAPP

Last updated 11 days ago

Was this helpful?