The Windows registry is a hierarchical database that stores configuration data for Microsoft operating systems, including Windows Mobile. This page collects the registry files, backups, transaction logs and entries that are of interest from a digital forensics point of view. A number of registry tools assist with editing, monitoring and viewing the registry; see Utilities below.

Registry locations

Windows NT, 2000, XP, and Server 2003

The following Registry files are stored in %SystemRoot%\System32\Config\:

  • Sam - HKEY_LOCAL_MACHINE\SAM
  • Security - HKEY_LOCAL_MACHINE\SECURITY
  • Software - HKEY_LOCAL_MACHINE\SOFTWARE
  • System - HKEY_LOCAL_MACHINE\SYSTEM
  • Default - HKEY_USERS\.DEFAULT
  • Userdiff

The following file is stored in each user's profile folder:

  • NTUSER.DAT

Windows 95, 98, and Me

The registry files are named User.dat and System.dat and are stored in the C:\WINDOWS\ directory. In Windows Me Classes.dat was added.

Windows 3.11

The registry file is called Reg.dat and is stored in the C:\WINDOWS\ directory.

Backup Registry locations

Windows NT, 2000, XP, and Server 2003

The Registry is backed up on a successful install. The following backup Registry files are stored in %SystemRoot%\System32\Config\:

  • Sam.sav
  • Security.sav
  • Software.sav
  • System.sav
  • Default.sav

The Registry is also backed up as Restore Points. The following backup Registry files are stored in directories similar to the following:

C:\System Volume Information\_restore{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\RPXXX\Snapshot

You may get an "access denied" message when trying to look in the System Volume Information directory: by default its ACL grants access only to the SYSTEM account. To browse it on a live system, add your account to the folder's permissions (for example through the folder's Security tab or with cacls) or run your tool as SYSTEM; on an image the files can simply be read from the volume with a forensic tool, which ignores the ACL.

The files saved in this directory are:

  • _REGISTRY_USER_.DEFAULT
  • _REGISTRY_MACHINE_SECURITY
  • _REGISTRY_MACHINE_SOFTWARE
  • _REGISTRY_MACHINE_SYSTEM
  • _REGISTRY_MACHINE_SAM

There are also two files for each user profile on the machine, named after the account's Security Identifier (SID). The S-1-5-19 in the example names below is the well-known SID of the LOCAL SERVICE account; an ordinary user's files carry that user's S-1-5-21-... SID instead:

  • _REGISTRY_USER_NTUSER_S-1-5-19
  • _REGISTRY_USER_USRCLASS_S-1-5-19


Transaction Logs

Windows NT, 2000, XP, and Server 2003

The transaction log files record changes made to the Registry since the hive was last flushed to disk. A change is written to the hive's log file first and then to the hive itself; the log is reset once the hive has been written. If the system fails before the change reaches the hive, the log is applied to the hive at the next boot. This matters for forensics: a hive file copied from a live system, or from a snapshot taken while a write was in flight, can lack the most recent changes until its log is applied, and the two sequence numbers in the hive's header disagree for as long as that is the case. Windows Vista and later keep two log files per hive (<hive>.LOG1 and <hive>.LOG2) instead of the single .log files listed here.

The following Transaction Log files are stored in %SystemRoot%\System32\Config\:

  • Sam.log
  • Security.log
  • Software.log
  • System.log
  • Default.log
  • Userdiff.log
  • TempKey.log

The following file is stored in each user's profile folder:

  • NTUSER.DAT.log
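To tell whether a hive copied from a system still needs its transaction log applied, inspect the hive's base block rather than trusting the copy. The following is an added example written for this page (it is not code from the wiki or from any of the tools listed below); it assumes the standard "regf" header layout, with the primary and secondary sequence numbers at offsets 4 and 8, the last-written FILETIME at offset 12, the version fields at 20 and 24, the embedded file name at 48 and the XOR checksum in the last dword of the 512-byte block. The sample headers are constructed inside the script, not taken from a real machine.

```python
"""Inspect the base block (first 512 bytes) of a Windows registry hive file.

Added example for this page, not code from the wiki or any tool it lists.
The field layout below is the standard 'regf' base block; the sample
headers at the bottom are constructed here for demonstration only.
"""
import struct
from datetime import datetime, timedelta, timezone

REGF_MAGIC = b"regf"
BASE_BLOCK_SIZE = 512
CHECKSUM_OFFSET = 508          # the last dword of the base block holds the checksum
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def regf_checksum(header: bytes) -> int:
    """XOR of the 127 little-endian dwords that precede the checksum field.

    The kernel remaps the two reserved results: 0xFFFFFFFF -> 0xFFFFFFFE, 0 -> 1.
    """
    result = 0
    for (dword,) in struct.iter_unpack("<I", header[:CHECKSUM_OFFSET]):
        result ^= dword
    if result == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if result == 0:
        return 1
    return result


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_base_block(data: bytes) -> dict:
    """Decode the hive header and report whether the hive needs its log applied."""
    header = data[:BASE_BLOCK_SIZE]
    if len(header) < BASE_BLOCK_SIZE or header[:4] != REGF_MAGIC:
        raise ValueError("not a registry hive: missing 'regf' signature")
    (primary_seq, secondary_seq, last_written,
     major, minor, file_type) = struct.unpack_from("<IIQIII", header, 4)
    stored_checksum = struct.unpack_from("<I", header, CHECKSUM_OFFSET)[0]
    # Embedded file name: 64 bytes of UTF-16LE at offset 48, NUL padded.
    name = header[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "name": name,
        "version": f"{major}.{minor}",
        "file_type": file_type,            # 0 = primary hive file, 1 = transaction log
        "last_written": filetime_to_datetime(last_written),
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        # The primary number is bumped before a write and the secondary after it,
        # so a mismatch means the hive on disk is stale until the log is applied.
        "dirty": primary_seq != secondary_seq,
        "checksum_ok": stored_checksum == regf_checksum(header),
    }


def build_base_block(primary_seq, secondary_seq, last_written, name, version=(1, 3)):
    """Construct a synthetic base block (test data only, not a real hive)."""
    header = bytearray(BASE_BLOCK_SIZE)
    header[0:4] = REGF_MAGIC
    struct.pack_into("<IIQIII", header, 4, primary_seq, secondary_seq,
                     datetime_to_filetime(last_written), version[0], version[1], 0)
    struct.pack_into("<III", header, 32, 1, 0x20, 0x1000)   # format, root cell, hbins size
    struct.pack_into("<I", header, 44, 1)                   # clustering factor
    header[48:112] = name.encode("utf-16-le")[:64].ljust(64, b"\x00")
    struct.pack_into("<I", header, CHECKSUM_OFFSET, regf_checksum(bytes(header)))
    return bytes(header)


# Constructed samples: a cleanly flushed hive, one caught mid-write, one with a damaged header.
WRITTEN = datetime(2004, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
CLEAN_HIVE = build_base_block(7, 7, WRITTEN, "SYSTEM")
DIRTY_HIVE = build_base_block(8, 7, WRITTEN, "SYSTEM")          # primary bumped, write not finished
CORRUPT_HIVE = CLEAN_HIVE[:100] + b"\xff" + CLEAN_HIVE[101:]   # one flipped byte in the header


if __name__ == "__main__":
    for label, hive in (("clean", CLEAN_HIVE), ("dirty", DIRTY_HIVE), ("corrupt", CORRUPT_HIVE)):
        info = parse_base_block(hive)
        print(label, info["name"], info["version"], info["last_written"].isoformat(),
              "needs log replay" if info["dirty"] else "clean",
              "checksum ok" if info["checksum_ok"] else "CHECKSUM MISMATCH")
```

On a real hive, call parse_base_block(open(path, "rb").read(512)). Differing sequence numbers mean the copy on disk is behind the log and should not be treated as the final state; a checksum mismatch means the header itself is damaged, which is worth noting before any further parsing of a hive recovered from a restore point or a carved file.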

Viewing registry entries

From the command line on a live system (this reads the running machine's own registry; an offline hive file can be mounted under a temporary key with reg.exe LOAD, queried the same way, and detached with reg.exe UNLOAD):

reg.exe QUERY HKLM\System\CurrentControlSet\Control\FileSystem

Useful entries

  • HKLM\System\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate: a REG_DWORD. When it is 1, NTFS stops updating file last-access timestamps, so those timestamps cannot be used to show when a file was last read. Windows XP and Server 2003 leave updates enabled unless the value is set; Windows Vista and later set it to 1 by default, so check this value before drawing any conclusion from last-access times.
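Triage scripts often have to work from the text that reg.exe QUERY prints rather than from the live registry. The following is an added example written for this page, not code from the wiki or from any listed tool: it parses that output into typed Python values and then reads NtfsDisableLastAccessUpdate to decide whether last-access timestamps on the source system can be trusted. The SAMPLE_OUTPUT string is a constructed capture in the format reg.exe uses on XP and later (a key line followed by indented name, type, data columns); the HKLM\SOFTWARE\Example key in it is invented to exercise the other value types. The handling of the high "system managed" bit is an assumption noted in the code.

```python
"""Parse 'reg.exe QUERY' text output and interpret NtfsDisableLastAccessUpdate.

Added example for this page, not code from the wiki.  SAMPLE_OUTPUT is a
constructed capture; the HKLM\\SOFTWARE\\Example key is invented.
"""
import re
from typing import Dict, Optional

# Indented value line: name, REG_* type, then the printed data (may be empty).
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")
# Key lines start in column 0 with a root key name.
KEY_LINE = re.compile(r"^HKEY_[A-Z_]+(\\.*)?$")


def decode_data(reg_type: str, raw: str):
    """Convert reg.exe's printed representation into a Python value."""
    if reg_type in ("REG_DWORD", "REG_QWORD"):
        return int(raw, 16)                        # printed as 0x1, 0x80000001, ...
    if reg_type == "REG_MULTI_SZ":
        return [s for s in raw.split("\\0") if s]  # reg.exe joins the strings with \0
    if reg_type == "REG_BINARY":
        return bytes.fromhex(raw)                  # printed as a bare hex string
    return raw                                     # REG_SZ, REG_EXPAND_SZ and anything else


def parse_reg_query(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key_path: {value_name: decoded_data}} for every key in the output."""
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if KEY_LINE.match(line):
            current = line.strip()
            keys.setdefault(current, {})
            continue
        match = VALUE_LINE.match(line)
        if match and current is not None:
            keys[current][match.group("name")] = decode_data(
                match.group("type"), match.group("data").strip())
        # Banner and "End of search" lines match neither pattern and are skipped.
    return keys


def last_access_updates(values: Dict[str, object]) -> Optional[bool]:
    """True if NTFS maintains last-access times, False if not, None if undetermined.

    Assumption: only the low bit decides.  Newer Windows 10 builds also set a
    high 'system managed' flag bit in this value, which masking keeps harmless.
    When the value is absent the default depends on the OS version (updates on
    for XP/2003, off from Vista onward), so None is returned and the caller must
    decide from the version rather than from this function.
    """
    value = values.get("NtfsDisableLastAccessUpdate")
    if not isinstance(value, int):
        return None
    return (value & 1) == 0


FILESYSTEM_KEY = "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\FileSystem"

# Constructed sample output; not captured from a real machine.
SAMPLE_OUTPUT = """
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\FileSystem
    Win31FileSystem    REG_DWORD    0x0
    NtfsDisable8dot3NameCreation    REG_DWORD    0x0
    NtfsDisableLastAccessUpdate    REG_DWORD    0x1
    NtfsMftZoneReservation    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\\SOFTWARE\\Example
    (Default)    REG_SZ
    Paths    REG_MULTI_SZ    first\\0second
    Blob    REG_BINARY    0102DEADBEEF
    Install Dir    REG_EXPAND_SZ    %ProgramFiles%\\Example

End of search: 8 match(es) found.
"""


if __name__ == "__main__":
    parsed = parse_reg_query(SAMPLE_OUTPUT)
    verdict = last_access_updates(parsed[FILESYSTEM_KEY])
    print("NTFS last-access timestamps maintained:", verdict)
```

Feed it the saved output of reg.exe QUERY <key> /s from the machine under examination; XP's tab-separated output and the space-aligned output of later versions are both accepted because the pattern only requires whitespace between the columns.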

Utilities

  • Registry tools useful in digital forensics
    • Regmon; part of the Sysinternals tools — A tool for detailed monitoring of applications that are accessing registry items (superseded by Process Monitor)
    • Process Monitor; part of the Sysinternals tools — Combines RegMon and FileMon and is the only Sysinternals tool for monitoring the registry on Windows Vista
    • jv16 PowerTools — A utility suite containing a registry cleaner, a registry monitor and a registry compactor
    • Chntpw — An open-source offline Windows registry/SAM editor that runs under Linux
    • ERD Commander — A bootable CD which includes an offline registry editor for repairing Windows installations
    • Win32Registry - A Perl module for reading registry hive files, allowing access from non-Windows operating systems


This page uses content from the English-language version of Wikipedia. The original article was at Windows registry. The list of authors can be seen in the page history. As with this Forensics Wiki, the text of Wikipedia is available under the GNU Free Documentation License.
