Windows registry

Terminology

Hive

According to [1]:

A hive is a logical group of keys, subkeys, and values in the Windows Registry that has a set of supporting files containing backups of its data.

In common usage, however, the term hive usually means the logical group of keys (or the single file that holds it) and does not imply the supporting files.

According to [2] the term comes from bee hives.

File Locations

The Windows Registry is stored in multiple files.

Windows NT 4

In Windows NT 4 and later the Registry is stored in the Windows NT Registry File (regf) format.

The main Registry hives map to the following files:

  • HKEY_USERS\<SID>: NTUSER.DAT in the user's profile directory (C:\Documents and Settings\<user> on Windows 2000/XP/2003, C:\Users\<user> on Windows Vista and later)
  • HKEY_USERS\<SID>_Classes: UsrClass.dat in the user's profile (Local Settings\Application Data\Microsoft\Windows\ on XP, AppData\Local\Microsoft\Windows\ on Vista and later)
  • HKEY_USERS\.DEFAULT: C:\Windows\system32\config\default
  • HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
  • HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system

Each primary file has transaction log files next to it (<name>.LOG on XP/2003, <name>.LOG1 and <name>.LOG2 on Vista and later); these matter when the primary file is unreconciled (see below).

Windows 9x/ME

In Windows 95, 98 and Me the Registry is stored in the Windows 9x Registry File (creg) format, in the following files:

  • \Windows\user.dat
  • \Windows\system.dat
  • \Windows\profiles\user profile\user.dat

Special cases

The Windows Registry has several special cases, mainly concerning key and value names, that are easy to overlook:

  • special characters in key and value names
  • duplicate key and value names
  • key and value names stored as extended ASCII (ANSI) strings use the ANSI codepage of the system that wrote the hive, which the hive itself does not record
  • unreconciled data (a primary file whose latest changes exist only in its transaction logs)

Special characters in key and value names

Both key and value names are case insensitive. The \ character is the key separator, but it can also appear in value names, so a string of the form key\value cannot be split unambiguously: a key path and a value name have to be carried as separate fields. The / character can appear in both key and value names. The default value of a key has an empty name. Some examples:

Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\
Value: Size/Small/Medium/Large

Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\
Value: \Device\Video0

Key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\
Value: SchemaFile

Also, null characters (0x00) can be embedded in key and value names in order to hide data [3]: the native API (NtCreateKey, NtSetValueKey) takes counted UNICODE_STRING names, whereas the Win32 registry API treats the first null as the end of the name, so such keys and values are invisible to regedit and to most Win32-based tools.

Codepaged ASCII strings

Value with the name "ëigenaardig", created on a Windows XP system with ANSI codepage 1252:

value key data:
00000000: 76 6b 0b 00 46 00 00 00  20 98 1a 00 01 00 00 00   vk..F...  .......
00000010: 01 00 69 6e eb 69 67 65  6e 61 61 72 64 69 67 00   ..in.ige naardig.
00000020: 55 4e 49 43                                        UNIC

value key signature                     : vk
value key value name size               : 11
value key data size                     : 0x00000046 (70)
value key data offset                   : 0x001a9820
value key data type                     : 1 (REG_SZ) String
value key flags                         : 0x0001
        Value name is an ASCII string

value key unknown1                      : 0x6e69 (28265)
value key value name                    : ëigenaardig
value key value name hash               : 0xb78835ee
value key padding:
00000000: 00 55 4e 49 43                                     .UNIC

As you can see the name is stored as an extended ASCII (ANSI) string in codepage 1252: the single byte 0xEB is ë. Nothing in the hive records which codepage was used, so a parser has to be told the ANSI codepage of the originating system; decoding the name with another codepage (or as UTF-8) yields the wrong characters or an error.
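As an added example (not part of the original page, and not libregf's code), the following Python parses the vk cell bytes from the dump above and decodes the value name according to the COMP_NAME flag, taking the codepage as a parameter. It shows the same 11 bytes reading as "ëigenaardig" under cp1252, "δigenaardig" under cp437 and "лigenaardig" under cp1251, and failing outright as UTF-8. The REG_TYPES table and the ValueKey field names are this example's own naming, not fields from a tool.

```python
import struct
from dataclasses import dataclass

# Constructed input: the bytes of the "vk" cell from the hex dump above.
# The dump starts at the "vk" signature, so the cell's leading 4-byte size
# field is not part of it.
VK_CELL = bytes.fromhex(
    "766b0b0046000000" "20981a0001000000"
    "0100696eeb696765" "6e61617264696700"
    "554e4943"
)

VK_FLAG_COMP_NAME = 0x0001   # name is an 8-bit (ANSI) string, not UTF-16LE
VK_DATA_INLINE = 0x80000000  # high bit of data size: data lives in the offset field

REG_TYPES = {
    0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
    4: "REG_DWORD", 5: "REG_DWORD_BIG_ENDIAN", 6: "REG_LINK",
    7: "REG_MULTI_SZ", 11: "REG_QWORD",
}


@dataclass
class ValueKey:
    name: str
    data_size: int
    data_offset: int   # relative to the start of the hive bins (file offset 4096)
    data_type: int
    data_inline: bool
    flags: int

    @property
    def type_name(self) -> str:
        return REG_TYPES.get(self.data_type, "0x%08x" % self.data_type)


def parse_vk(cell: bytes, codepage: str = "cp1252") -> ValueKey:
    """Parse a regf value key cell body.

    `codepage` is the ANSI codepage of the machine that wrote the hive; it is
    only consulted when the COMP_NAME flag is set. The hive does not record
    it, so the caller has to know (or guess) it.
    """
    sig, name_len, data_size, data_offset, data_type, flags, _spare = \
        struct.unpack_from("<2sHIIIHH", cell, 0)
    if sig != b"vk":
        raise ValueError("not a vk cell: signature %r" % sig)
    raw_name = cell[20:20 + name_len]
    if len(raw_name) != name_len:
        raise ValueError("truncated value name")
    if flags & VK_FLAG_COMP_NAME:
        # Strict decoding: a wrong codepage either raises or silently yields
        # the wrong characters, which is exactly the failure mode to watch for.
        name = raw_name.decode(codepage)
    else:
        name = raw_name.decode("utf-16-le")
    return ValueKey(
        name=name,
        data_size=data_size & 0x7FFFFFFF,
        data_offset=data_offset,
        data_type=data_type,
        data_inline=bool(data_size & VK_DATA_INLINE),
        flags=flags,
    )


def name_under_codepages(cell: bytes, codepages=("cp1252", "cp437", "cp1251")) -> dict:
    """Show how the same on-disk name bytes read under different codepages."""
    out = {}
    for cp in codepages:
        try:
            out[cp] = parse_vk(cell, cp).name
        except UnicodeDecodeError as exc:
            out[cp] = "<undecodable: %s>" % exc.reason
    return out


if __name__ == "__main__":
    vk = parse_vk(VK_CELL)
    print(vk.name, vk.type_name, vk.data_size, hex(vk.data_offset))
    print(name_under_codepages(VK_CELL + b"", ("cp1252", "cp437", "cp1251", "utf-8")))
```

The spare field at offset 18 (0x6e69 here, the "unknown1" of the dump) is whatever was in memory when the cell was written and carries no meaning; the data offset is relative to the start of the hive bins, i.e. file offset 4096 + 0x1a9820 in this hive.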

Unreconciled data

Starting from Windows 8.1 and Windows Server 2012 R2 a new implementation of the hive flusher was introduced in the kernel. This implementation attempts to radically reduce the number of disk writes on a mounted hive: a flush operation on a hive stores the modified (dirty) data in a transaction log file, while the hive bins in the primary file (also known as the normal or data file) are left intact. The kernel syncs the primary file only after one of the following conditions has occurred:

  • an hour has elapsed since the latest write to a primary file;
  • a power management subsystem reports that all users (local and remote) are inactive;
  • the operating system is shutting down (hive is unloading).

In order to correctly handle unreconciled data (e.g. when dealing with an image taken from a live system), one needs to parse the transaction log files (<hive>.LOG1 and <hive>.LOG2, stored next to the primary file) along with the primary files; a primary file whose base block carries different primary and secondary sequence numbers is dirty, and its hive bins are stale until the log entries have been applied.
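The check a practitioner wants before trusting a primary file pulled from a live image, as an added example (not the page's or any tool's code): parse the 512-byte base block, validate its checksum and compare the primary and secondary sequence numbers; a mismatch means the hive bins are stale and the .LOG1/.LOG2 entries have to be replayed first. The build_header helper constructs a minimal base block as test input; its timestamp, version and size fields are placeholders, not values from a real hive.

```python
import struct

REGF_HEADER_SIZE = 512       # the base block; hive bins start at file offset 4096
REGF_CHECKSUM_OFFSET = 508


def regf_checksum(header: bytes) -> int:
    """XOR of the 127 little-endian DWORDs preceding the checksum field.
    The kernel maps a result of 0 to 1 and 0xFFFFFFFF to 0xFFFFFFFE."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", header[:REGF_CHECKSUM_OFFSET]):
        x ^= dword
    if x == 0:
        return 1
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x


def parse_regf_header(header: bytes) -> dict:
    if len(header) < REGF_HEADER_SIZE or header[:4] != b"regf":
        raise ValueError("not a regf base block")
    seq1, seq2 = struct.unpack_from("<II", header, 4)
    (timestamp, major, minor, file_type, file_format,
     root_cell, hbins_size, cluster) = struct.unpack_from("<QIIIIIII", header, 12)
    # file name: 64 bytes of UTF-16LE, the last part of the hive's path
    file_name = header[48:112].decode("utf-16-le").split("\x00", 1)[0]
    (stored,) = struct.unpack_from("<I", header, REGF_CHECKSUM_OFFSET)
    return {
        "primary_seq": seq1, "secondary_seq": seq2, "timestamp": timestamp,
        "version": (major, minor), "file_type": file_type, "file_format": file_format,
        "root_cell": root_cell, "hbins_size": hbins_size, "cluster": cluster,
        "file_name": file_name, "checksum_stored": stored,
        "checksum_computed": regf_checksum(header),
    }


def assess_primary_file(header: bytes) -> list:
    """Return the reasons a primary file cannot be parsed as-is. An empty list
    means the base block is intact and the hive bins are up to date."""
    h = parse_regf_header(header)
    issues = []
    if h["checksum_stored"] != h["checksum_computed"]:
        issues.append("base block checksum mismatch (header damaged or partially written)")
    if h["file_type"] != 0:
        issues.append("file type %d is not a primary file" % h["file_type"])
    if h["primary_seq"] != h["secondary_seq"]:
        issues.append("dirty hive: sequence numbers %d != %d, replay the transaction logs"
                      % (h["primary_seq"], h["secondary_seq"]))
    return issues


def build_header(primary_seq, secondary_seq, file_name="SYSTEM", valid_checksum=True) -> bytes:
    """Constructed test input: a minimal base block with the given sequence numbers."""
    buf = bytearray(REGF_HEADER_SIZE)
    buf[0:4] = b"regf"
    struct.pack_into("<II", buf, 4, primary_seq, secondary_seq)
    # timestamp, major, minor, file type (0 = primary), file format, root cell,
    # hive bins size, clustering factor: placeholder values, not from a real hive
    struct.pack_into("<QIIIIIII", buf, 12, 0x01D9A1B2C3D4E5F6, 1, 5, 0, 1, 0x20, 0x1000, 1)
    encoded = file_name.encode("utf-16-le")
    buf[48:48 + len(encoded)] = encoded
    checksum = regf_checksum(buf)
    if not valid_checksum:
        checksum ^= 1   # guaranteed to disagree with the recomputed value
    struct.pack_into("<I", buf, REGF_CHECKSUM_OFFSET, checksum)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(assess_primary_file(f.read(REGF_HEADER_SIZE)) or ["clean"])
```

Run it against a copied SYSTEM or NTUSER.DAT file; if it reports a dirty hive, feed the primary file and its .LOG1/.LOG2 to a parser that applies log entries (libregf and Eric Zimmerman's Registry parser do) rather than reading the primary file alone.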

Persistence keys

The following lists are loosely based on:

Note that in the lists below %SID% stands for the SID subkey of a user under HKEY_USERS (that user's NTUSER.DAT hive), and that HKEY_CURRENT_USER is a view of HKEY_USERS\<SID> for the logged-on user, so a key listed under HKEY_CURRENT_USER should be checked under every HKEY_USERS\%SID% when working from hive files.

Command Processor (cmd.exe)

Description

Command Processor Auto Run

Artifact name

WindowsCommandProcessorAutoRun

Key path(s)

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Command Processor
  • HKEY_USERS\%SID%\Software\Microsoft\Command Processor
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Command Processor

Value name(s)

AutoRun

Additional information

Command Processor\AutoRun: https://technet.microsoft.com/en-us/library/cc779439(v=ws.10).aspx

Debugging

Description

Automatic debugging

Artifact name

WindowsAutomaticDebugging

Key path(s)

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug

Value name(s)

Debugger

Additional information

Configuring Automatic Debugging: https://msdn.microsoft.com/en-us/library/windows/desktop/bb204634(v=vs.85).aspx

Internet Explorer

Description

Browser Helper Objects

Artifact name

InternetExplorerBrowserHelperObjects

Key path(s)

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*

Value name(s)

*

Additional information

Local Security Authority (LSA)

Description

Local Security Authority (LSA) Authentication Packages

Artifact name

WindowsLSAAuthenticationPackages

Key path(s)

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig

Value name(s)

Authentication Packages

Additional information

Description

Local Security Authority (LSA) Notification Packages

Artifact name

WindowsLSANotificationPackages

Key path(s)

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig

Value name(s)

Notification Packages

Additional information

Description

Local Security Authority (LSA) Security Packages

Artifact name

WindowsLSASecurityPackages

Key path(s)

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig

Value name(s)

Security Packages

Additional information

Run keys

Description

Run keys

Artifact name

WindowsRunKeys

Key path(s)

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\*

Value name(s)

*

Additional information

Description

Run services keys

Artifact name

WindowsRunServices

Key path(s)

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\*
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\*

Value name(s)

*

Additional information

Session Manager

Description

Session Manager Execute

Artifact name

  • WindowsSessionManagerBootExecute
  • WindowsSessionManagerExecute
  • WindowsSessionManagerSetupExecute

Key path(s)

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager

Value name(s)

  • BootExecute
  • Execute
  • SetupExecute

Additional information

Description

Windows Session Manager Windows-on-Windows (WOW) command line

Artifact name

WindowsSessionManagerWOWCommandLine

Key path(s)

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\WOW

Value name(s)

  • cmdline
  • wowcmdline

Additional information

Service Control Manager

Description

Service Control Manager extension

Artifact name

WindowsServiceControlManagerExtension

Key path(s)

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control

Value name(s)

ServiceControlManagerExtension

Additional information

Windows shell (explorer.exe)

Description

Shell Icon Overlay Identifiers

Artifact name

WindowsShellIconOverlayIdentifiers

Key path(s)

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*

Value name(s)

*

Additional information

Description

Shell Extensions

Artifact name

WindowsShellExtensions

Key path(s)

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  • HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

Value name(s)

*

Additional information

Description

Shell Execute Hooks

Artifact name

WindowsShellExecuteHooks

Key path(s)

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*

Value name(s)

*

Additional information

Description

Shell Load and Run

Artifact name

WindowsShellLoadAndRun

Key path(s)

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows

Value name(s)

  • Load
  • Run

Additional information

Description

Shell Service Object Delay Load

Artifact name

WindowsShellServiceObjects

Key path(s)

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Value name(s)

*

Additional information

TrojanClicker:Win32/Zirit.X

Winlogon and Credential Providers

Description

Credential Provider Filters

Artifact name

WindowsCredentialProviderFilters

Key path(s)

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\*

Value name(s)

*

Additional information

Capturing Windows 7 Credential at logon using custom credential provider

Description

Credential Providers

Artifact name

WindowsCredentialProviders

Key path(s)

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\*

Value name(s)

*

Additional information

Capturing Windows 7 Credential at logon using custom credential provider

Description

Pre-Logon Access Provider (PLAP) Providers

Artifact name

WindowsPLAPProviders

Key path(s)

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\*

Value name(s)

*

Additional information

Description

Winlogon Gina DLL

Artifact name

WindowsWinlogonShell

Key path(s)

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Value name(s)

GinaDLL

Additional information

GINA DLLs are loaded by Winlogon on Windows NT 4 through Windows Server 2003 only; Windows Vista replaced GINA with credential providers, so this value is ignored on Vista and later.

Description

Winlogon Notify

Artifact name

WindowsWinlogonNotify

Key path(s)

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*

Value name(s)

DLLName

Additional information

Description

Winlogon Shell

Artifact name

WindowsWinlogonShell

Key path(s)

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Value name(s)

Shell

Additional information

Description

Winlogon System

Artifact name

WindowsWinlogonSystem

Key path(s)

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Value name(s)

System

Additional information

Description

Winlogon Taskman

Artifact name

WindowsWinlogonTaskman

Key path(s)

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Value name(s)

Taskman

Additional information

Description

Winlogon Userinit

Artifact name

WindowsWinlogonUserinit

Key path(s)

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Value name(s)

Userinit

Additional information

Description

Winlogon VMApplet

Artifact name

WindowsWinlogonVMApplet

Key path(s)

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Value name(s)

VMApplet

Additional information

Policy

Description

Windows System Policy replacement shell

Artifact name

WindowsSystemPolicyShell

Key path(s)

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System

Value name(s)

Shell

Additional information

Unsorted

Description

Active Setup - Installed Components

Artifact name

WindowsStubPaths

Key path(s)

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components
  • HKEY_USERS\%SID%\Software\Microsoft\Active Setup\Installed Components
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Active Setup\Installed Components

Value name(s)

StubPath

Additional information

Description

Application Initialization (AppInit) DLLs persistence

Artifact name

WindowsAppInitDLLs

Key path(s)

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_USERS\%SID%\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows

Value name(s)

AppInit_DLLs

Additional information

AppInit_DLLs are loaded into every process that loads user32.dll, but only when the LoadAppInit_DLLs value in the same key is set to 1; RequireSignedAppInit_DLLs restricts loading to signed DLLs, and on Windows 8 and later with Secure Boot enabled AppInit_DLLs are not loaded at all.

Description

Security Providers

Artifact name

WindowsSecurityProviders

Key path(s)

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\*

Value name(s)

*

Additional information

Description

Alternate shell

Artifact name

WindowsAlternateShell

Key path(s)

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot

Value name(s)

AlternateShell

Additional information

Description

Boot verification program

Artifact name

WindowsBootVerificationProgram

Key path(s)

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BootVerificationProgram

Value name(s)

ImagePath

Additional information
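The lists above are only useful once turned into a check. As an added example that is not part of the original page or of any artifact repository, the following Python encodes a handful of the entries above (Run keys, Winlogon Shell and Userinit, AppInit_DLLs) and matches extracted registry values against them, honouring the special cases described earlier on this page: key and value names are compared case-insensitively, the key path and the value name are kept as separate fields because value names can contain backslashes, %SID% is matched as a user SID, and a trailing \* covers subkeys. Values that still carry the stock Windows data (explorer.exe for Shell, C:\Windows\system32\userinit.exe, for Userinit, an empty AppInit_DLLs) are dropped. The SAMPLE rows, the SID and the file names in them are constructed for the example; the KNOWN_DEFAULTS are those of a default install with %SystemRoot% = C:\Windows.

```python
import fnmatch
import re
from dataclasses import dataclass

# A subset of the artifact definitions listed on this page. Key paths use
# %SID% for the per-user hive (HKEY_USERS\<SID>, i.e. NTUSER.DAT) and a
# trailing \* for "this key and everything below it".
ARTIFACTS = {
    "WindowsRunKeys": (
        [r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*",
         r"HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*",
         r"HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Run\*"],
        ["*"]),
    "WindowsWinlogonShell": (
        [r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
         r"HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"],
        ["Shell"]),
    "WindowsWinlogonUserinit": (
        [r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
         r"HKEY_USERS\%SID%\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"],
        ["Userinit"]),
    "WindowsAppInitDLLs": (
        [r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows",
         r"HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"],
        ["AppInit_DLLs"]),
}

# Stock data for values that have one expected setting on a default install
# (%SystemRoot% = C:\Windows). Run keys have no default: every entry is reviewed.
KNOWN_DEFAULTS = {
    ("WindowsWinlogonShell", "shell"): "explorer.exe",
    ("WindowsWinlogonUserinit", "userinit"): r"C:\Windows\system32\userinit.exe,",
    ("WindowsAppInitDLLs", "appinit_dlls"): "",
}


@dataclass(frozen=True)
class RegValue:
    key: str    # full key path, kept separate from the value name on purpose:
    name: str   # value names may themselves contain backslashes
    data: str


@dataclass(frozen=True)
class Finding:
    artifact: str
    key: str
    name: str
    data: str
    reason: str


def _key_pattern(path: str):
    """Artifact key path -> case-insensitive regex (key names are case-insensitive).
    %SID% matches a user SID; a trailing \* matches the key itself or any subkey."""
    subtree = path.endswith(r"\*")
    if subtree:
        path = path[:-2]
    parts = [r"S-1-5-21-\d+-\d+-\d+-\d+" if p == "%SID%" else re.escape(p)
             for p in path.split("\\")]
    regex = r"\\".join(parts)
    if subtree:
        regex += r"(?:\\.*)?"
    return re.compile("^" + regex + "$", re.IGNORECASE)


_COMPILED = [(artifact, [_key_pattern(p) for p in paths], names)
             for artifact, (paths, names) in ARTIFACTS.items()]


def scan(values, defaults=KNOWN_DEFAULTS):
    """Match extracted registry values against the artifact definitions and
    drop the ones that still carry the stock Windows data."""
    findings = []
    for v in values:
        for artifact, key_patterns, name_globs in _COMPILED:
            if not any(p.match(v.key) for p in key_patterns):
                continue
            if not any(fnmatch.fnmatchcase(v.name.lower(), g.lower()) for g in name_globs):
                continue
            expected = defaults.get((artifact, v.name.lower()))
            if expected is not None and v.data.strip().lower() == expected.lower():
                continue
            reason = ("review: no default for this value" if expected is None
                      else "deviates from default %r" % expected)
            findings.append(Finding(artifact, v.key, v.name, v.data, reason))
    return findings


# Constructed sample: the kind of rows a hive parser would hand back.
SAMPLE = [
    RegValue(r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
             "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    RegValue(r"HKEY_USERS\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run",
             "Updater", r"C:\Users\Public\svchost.exe"),
    RegValue(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
             "Userinit", r"C:\Windows\system32\userinit.exe,C:\ProgramData\wupd.exe"),
    RegValue(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
             "Shell", "explorer.exe"),
    RegValue(r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows",
             "AppInit_DLLs", ""),
    # Value name containing backslashes (from the special-cases section):
    # not a persistence location, and must not confuse the key matcher.
    RegValue(r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc",
             r"\Device\Video0", "1"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f.artifact, f.key, f.name, repr(f.data), f.reason, sep=" | ")
```

Feeding it real data means exporting (key, value name, data) triples from the SOFTWARE and NTUSER.DAT hives with a parser from the tools list, after reconciling the transaction logs; extending ARTIFACTS with the remaining entries above is mechanical, while KNOWN_DEFAULTS has to be built per Windows version from a clean reference system.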

Bibliography

Undated

Also see

Windows 32-bit on Windows 64-bit (WoW64)

Cached Credentials

Mounted Devices

Persistence keys

User Assist

Tools

Open Source

  • Forensic Registry EDitor (fred) - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by Daniel Gillen
  • libregfi - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
  • reglookup — "small command line utility for reading and querying Windows NT-based registries."
  • regviewer — a tool for looking at the registry.
  • RegRipper — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
  • Parse::Win32Registry Perl module.
  • python-registry Python module.
  • Registry Decoder offline analysis component, by Andrew Case
  • RegDecoderLive live hive acquisition component, by Andrew Case
  • libregf - Library and tools to access the Windows NT Registry File (REGF) format
  • Registryasxml - Tool to import/export registry sections as XML
  • kregedit - a KDE utility for viewing and editing registry files.
  • ntreg a file system driver for linux, which understands the NT registry file format.
  • Registry Full featured, offline Registry hive parser written in C#. Supports deleted item recovery, full searching, and more by @EricZimmerman

Freeware

  • Registry Explorer Registry Explorer and RECmd allow unrivaled access to Registry hives and contain bookmarks for common registry keys by @EricZimmerman

Commercial