Windows Registry Forensics

Core Windows Registry Hives and Their Forensic Value

NTUSER.DAT

Location: C:\Users\<username>\NTUSER.DAT

Loaded under: HKEY_USERS\<SID>

Forensic value: Tracks user-specific settings and activity.

Contains:

  • UserAssist: Tracks program execution for apps with GUI components, or apps/LNK files launched via the Windows UI.

  • RunMRU: Tracks commands run via the Windows Run dialog.

  • OpenSaveMRU: Tracks files opened/saved via the Windows Open/Save dialog.

  • OfficeMRU: Tracks the most recently used files for each Office app. Ex: Word, Excel, PowerPoint.

  • LastVisitedMRU: Tracks applications that have used the Windows Open/Save dialog, along with the last location opened for each app.

  • RecentDocs: Tracks recently accessed files and folders. Used to populate the various "recent items" lists in Windows.

  • WordWheelQuery: Tracks an ordered list of search strings typed into the Windows File Explorer search box.

  • TypedPaths: Tracks paths typed directly into the File Explorer address bar by the user.

  • ShellBags: Tracks folder views, including UNC path-based data. Can show evidence of users opening folders.

  • MountPoints2: Tracks mounted USB devices and network shares.

  • User-specific installed apps: Tracks apps installed for this user rather than system-wide.

  • User-specific Autorun entries: User-specific persistence in the Registry. Ex: Run/RunOnce keys.
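As an added example (not from the original page), the following decodes a UserAssist entry of the kind listed above: the value name is ROT13-encoded, and the binary value carries the run count, focus statistics and last-run FILETIME. The 72-byte Windows 7+ value layout used here and the sample entry are assumptions constructed for the example, not data from a real hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Assumed layout of a Windows 7+ UserAssist value (72 bytes): run count at
# offset 4, focus count at 8, focus time in ms at 12, last-run FILETIME at 60.
USERASSIST_SIZE = 72
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def decode_userassist(value_name, data):
    """Decode one UserAssist entry: ROT13 value name plus the binary run stats."""
    if len(data) != USERASSIST_SIZE:
        raise ValueError(f"unexpected UserAssist value size: {len(data)}")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_s": focus_ms / 1000,
        # A zero FILETIME means no time was recorded, not 1601-01-01.
        "last_run_utc": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def build_sample_value(run_count, focus_count, focus_ms, last_run):
    """Construct a synthetic 72-byte UserAssist value (test data, not from a real hive)."""
    ticks = int((last_run - FILETIME_EPOCH).total_seconds()) * 10_000_000 if last_run else 0
    buf = bytearray(USERASSIST_SIZE)
    struct.pack_into("<III", buf, 4, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", buf, 60, ticks)
    return bytes(buf)


# Constructed sample: the ROT13 name decodes to the System32 known-folder GUID
# followed by notepad.exe, the form such names take in NTUSER.DAT.
SAMPLE_NAME = "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\abgrcnq.rkr"
SAMPLE_LAST_RUN = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_DATA = build_sample_value(3, 5, 42_000, SAMPLE_LAST_RUN)

if __name__ == "__main__":
    for key, val in decode_userassist(SAMPLE_NAME, SAMPLE_DATA).items():
        print(f"{key}: {val}")
```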

UsrClass.dat

Location: C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat

Loaded under: HKEY_USERS\<SID>_Classes

Forensic value: Mainly stores user-specific shell settings and mappings.

Contains:

  • ShellBags: Tracks the existence of folders and archive files, including UNC path-based data. Can show evidence of users opening folders.

  • MUICache: Tracks program execution for apps with a GUI component.

SAM

Location: C:\Windows\System32\Config\SAM

Loaded under: HKEY_LOCAL_MACHINE\SAM

Forensic value: Contains details about local user accounts and groups.

Contains:

  • Local user account information. Ex: username, SID, creation date, last logon date, etc.

  • Local groups and their members. Ex: determine who is a local admin.

  • Local account password hashes: Used for offline password cracking.

SYSTEM

Location: C:\Windows\System32\Config\SYSTEM

Loaded under: HKEY_LOCAL_MACHINE\SYSTEM

Forensic value: Tracks system configuration and USB/device usage.

Contains:

  • ShimCache: Used to track application compatibility info. Can prove file existence and sometimes file execution.

  • Background/Desktop Activity Moderator (BAM/DAM): Used to track apps that run in the background or during various low-power scenarios.

  • Windows Services: Contains info on all installed Windows services, including system drivers.

  • MountedDevices: Used to map drive letters to attached devices.

  • Enum\USB and Enum\USBSTOR: Used to build a history of attached USB devices: vendor ID, product ID, serial number, and first and last attached times.

  • TCP/IP Interfaces: Lists network interface details. Ex: assigned IP, DNS address, default gateway, and DHCP lease time.

  • System configuration details: Time zone, computer name, last shutdown time, network interfaces, and network history.

SOFTWARE

Location: C:\Windows\System32\Config\SOFTWARE

Loaded under: HKEY_LOCAL_MACHINE\SOFTWARE

Forensic value: Lists installed software, system settings, and global auto-run entries.

Contains:

  • System-wide installed applications: Contains info about apps currently installed system-wide.

  • NetworkList: Lists connected network names along with first and last connection times.

  • Scheduled Tasks: Tracks Windows Task Scheduler task definitions, commonly used for persistence and privilege escalation.

  • ProfileList: Provides a mapping of user SIDs to profile directory locations.

  • OS Information: OS version, build number, product name, and install date.

  • System-wide Autorun entries: Persistence in the Registry. Ex: Run/RunOnce keys.

SECURITY

Location: C:\Windows\System32\Config\SECURITY

Loaded under: HKEY_LOCAL_MACHINE\SECURITY

Forensic value: Contains security policies and auditing settings. Mainly used to understand what artifacts may not be available due to poor audit policies.

Contains:

  • Local audit policy config: Details the current audit settings of the system, to help understand what data may be found in the event log.

  • LSA secrets: Contains sensitive data such as cached domain credentials and service account passwords.

Amcache.hve

Location: C:\Windows\AppCompat\Programs\Amcache.hve

Loaded under: Not loaded into the live Registry; a standalone file in Registry hive format.

Forensic value: Tracks executable metadata and run history, even for deleted files.

Contains:

  • Evidence that files existed on disk, retained even after file deletion.

  • Insight into installed applications, along with how each app was installed.

  • SHA1 hashes of PE files and drivers, retained even after file deletion.

  • Comprehensive metadata for PE files and DLLs, such as file size, SHA1, and PE header info like CompanyName, FileVersion, etc.
