Windows registry entries

The Windows registry is a hierarchical database that stores configuration settings for Microsoft operating systems, including Windows Mobile. This page is intended to capture registry entries and files that are of interest from a digital forensics point of view. There are a number of registry tools that assist with editing, monitoring and viewing the registry.

Registry files

Windows NT, 2000, XP, and Server 2003
The following Registry files are stored in %SystemRoot%\System32\Config\ (file name, followed by the key the hive is loaded under on a running system):
 * Sam - HKEY_LOCAL_MACHINE\SAM
 * Security - HKEY_LOCAL_MACHINE\SECURITY
 * Software - HKEY_LOCAL_MACHINE\SOFTWARE
 * System - HKEY_LOCAL_MACHINE\SYSTEM
 * Default - HKEY_USERS\.DEFAULT
 * Userdiff

The following file is stored in each user's profile folder:
 * NTUSER.DAT

Windows 95, 98, and Me
The registry files are named User.dat and System.dat and are stored in the C:\WINDOWS\ directory. Windows Me added Classes.dat.

Windows 3.11
The registry file is called Reg.dat and is stored in the C:\WINDOWS\ directory.

Backup registry files

Windows NT, 2000, XP, and Server 2003
The Registry is backed up at the end of a successful install. The following backup Registry files are stored in %SystemRoot%\System32\Config\:
 * Sam.sav
 * Security.sav
 * Software.sav
 * System.sav
 * Default.sav

On Windows XP, System Restore also saves copies of the Registry hives in each Restore Point. These backup Registry files are stored in directories similar to the following (one _restore{...} directory per volume, one RPXXX directory per restore point):

C:\System Volume Information\_restore{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\RPXXX\Snapshot

You may get an "access denied" message when trying to look in the System Volume Information directory: its ACL grants access only to the SYSTEM account by default, so you must first grant your account access (or take ownership of the directory) before you can read the files.

The files saved in this directory are:
 * _REGISTRY_USER_.DEFAULT
 * _REGISTRY_MACHINE_SECURITY
 * _REGISTRY_MACHINE_SOFTWARE
 * _REGISTRY_MACHINE_SYSTEM
 * _REGISTRY_MACHINE_SAM

There are also per-account files, named after the account's Security Identifier (SID). Note that S-1-5-19 in the example below is the well-known SID of the LOCAL SERVICE account; interactive users appear with SIDs of the form S-1-5-21-<domain or machine>-<RID>, and their NTUSER and USRCLASS hives are saved in the same way:
 * _REGISTRY_USER_NTUSER_S-1-5-19
 * _REGISTRY_USER_USRCLASS_S-1-5-19

Transaction log files

Windows NT, 2000, XP, and Server 2003
The transaction log files record changes to a hive that have not yet been completely written to the hive file itself. Modified data is written to the log first and then to the hive; once the hive write completes, the log is reset. If a system failure occurs between the two writes, the log is applied to the hive on the next boot. A hive file copied off a system that did not shut down cleanly can therefore differ from what a running system would show, so the matching .log file should be collected together with the hive.

The following Transaction Log files are stored in %SystemRoot%\System32\Config\:
 * Sam.log
 * Security.log
 * Software.log
 * System.log
 * Default.log
 * Userdiff.log
 * TempKey.log

The following file is stored in each user's profile folder:
 * NTUSER.DAT.log
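The following is an added example, not part of the original page: a PowerShell script that inspects the 512-byte base block at the start of a hive file and reports whether the hive was written cleanly or whether its .log still holds changes the kernel would replay on the next boot. The offsets used are those of the "regf" base block (primary and secondary sequence numbers at 0x04 and 0x08, last-written FILETIME at 0x0C, version at 0x14/0x18, file type at 0x1C, hive name at 0x30, and an XOR checksum of the first 508 bytes at 0x1FC). The evidence path in the last comment is an assumption, and the sample base block is constructed inline so the script runs without a real hive.

```powershell
# Added example, not from the original page. Inspect a hive's base block to
# tell whether the hive is "dirty" (transaction log not yet applied).

function Get-HiveBaseBlockChecksum {
    param([byte[]]$Bytes)
    # The stored checksum is the XOR of the first 508 bytes taken as
    # 127 little-endian DWORDs.
    $xor = [uint32]0
    for ($i = 0; $i -lt 508; $i += 4) {
        $xor = [uint32]($xor -bxor [BitConverter]::ToUInt32($Bytes, $i))
    }
    return $xor
}

function Get-HiveHeader {
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt 512) { throw 'file is shorter than a hive base block (512 bytes)' }
    $sig = [System.Text.Encoding]::ASCII.GetString($Bytes, 0, 4)
    if ($sig -ne 'regf') { throw "not a registry hive: signature '$sig'" }

    $primary   = [BitConverter]::ToUInt32($Bytes, 4)    # bumped before a write begins
    $secondary = [BitConverter]::ToUInt32($Bytes, 8)    # bumped after the write completes
    $major     = [BitConverter]::ToUInt32($Bytes, 20)
    $minor     = [BitConverter]::ToUInt32($Bytes, 24)
    $fileType  = if ([BitConverter]::ToUInt32($Bytes, 28) -eq 0) { 'primary' } else { 'log' }
    $stored    = [BitConverter]::ToUInt32($Bytes, 508)

    [pscustomobject]@{
        HiveName      = [System.Text.Encoding]::Unicode.GetString($Bytes, 48, 64).TrimEnd([char]0)
        Version       = '{0}.{1}' -f $major, $minor
        FileType      = $fileType
        LastWritten   = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($Bytes, 12))
        PrimarySeq    = $primary
        SecondarySeq  = $secondary
        ChecksumOk    = ((Get-HiveBaseBlockChecksum $Bytes) -eq $stored)
        # Unequal sequence numbers mean a write was interrupted: the .log
        # still holds changes that were never committed to this file.
        NeedsRecovery = ($primary -ne $secondary)
    }
}

function New-SampleBaseBlock {
    # Constructed sample (not a real hive): a SYSTEM base block whose primary
    # sequence number is one ahead of the secondary, i.e. a write was interrupted.
    $b = New-Object byte[] 512
    [System.Text.Encoding]::ASCII.GetBytes('regf').CopyTo($b, 0)
    [BitConverter]::GetBytes([uint32]27).CopyTo($b, 4)      # primary sequence number
    [BitConverter]::GetBytes([uint32]26).CopyTo($b, 8)      # secondary sequence number
    $ts = [DateTime]::new(2004, 3, 1, 12, 0, 0, [DateTimeKind]::Utc).ToFileTimeUtc()
    [BitConverter]::GetBytes($ts).CopyTo($b, 12)            # last written (FILETIME)
    [BitConverter]::GetBytes([uint32]1).CopyTo($b, 20)      # major version
    [BitConverter]::GetBytes([uint32]3).CopyTo($b, 24)      # minor version (1.3 format, as on XP)
    [BitConverter]::GetBytes([uint32]0).CopyTo($b, 28)      # file type 0 = primary hive
    [System.Text.Encoding]::Unicode.GetBytes('SYSTEM').CopyTo($b, 48)
    [BitConverter]::GetBytes((Get-HiveBaseBlockChecksum $b)).CopyTo($b, 508)
    return ,$b
}

# Run against the constructed sample: NeedsRecovery is True, ChecksumOk is True.
Get-HiveHeader (New-SampleBaseBlock) | Format-List

# On real evidence, point it at a copy of the hive (path is an assumption):
# Get-HiveHeader ([System.IO.File]::ReadAllBytes('D:\evidence\SYSTEM')) | Format-List
```

A mismatch between the two sequence numbers, or a bad checksum, is the signal to collect the matching .log file alongside the hive and to treat the hive's contents as possibly stale until the log has been examined; a hive whose numbers agree and whose checksum verifies was written out completely.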

Viewing registry entries
From the command line:

reg.exe QUERY HKLM\System\CurrentControlSet\Control\FileSystem

Useful entries

 * HKLM\System\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate — when set to 1, NTFS stops updating the last-access timestamp of files and directories, so last-access times on the volume only reflect activity from before the setting took effect. The default is 0 (updates enabled) on XP and Server 2003 and 1 from Windows Vista onwards.
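The following is an added example, not from the original page, that ties the two sections above together: it loads an offline copy of a SYSTEM hive under HKLM with reg.exe, resolves which ControlSet00N was in use (CurrentControlSet is a symbolic link that the kernel maintains only on a running system, so it does not exist inside a loaded hive; Select\Current names the active control set), and then reads and interprets NtfsDisableLastAccessUpdate. The hive path D:\evidence\SYSTEM and the mount name Evidence_SYSTEM are assumptions; the script must run elevated and should only ever be pointed at a copy of the hive.

```powershell
# Added example, not from the original page. Query NtfsDisableLastAccessUpdate
# from an offline copy of a SYSTEM hive. $HivePath and $MountName are assumptions.
# Run elevated, against a copy of the hive, never the evidence file itself.
param(
    [string]$HivePath  = 'D:\evidence\SYSTEM',
    [string]$MountName = 'Evidence_SYSTEM'
)

& reg.exe load "HKLM\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed with exit code $LASTEXITCODE" }

try {
    # CurrentControlSet does not exist in a loaded hive; Select\Current holds
    # the number of the control set that was active on the evidence system.
    $current = (Get-ItemProperty -Path "HKLM:\$MountName\Select" -Name Current).Current
    $csKey   = 'ControlSet{0:D3}' -f $current
    "Active control set: $csKey (Select\Current = $current)"

    $fsKey = "HKLM:\$MountName\$csKey\Control\FileSystem"
    $value = (Get-ItemProperty -Path $fsKey).NtfsDisableLastAccessUpdate

    if ($null -eq $value) {
        # Value absent: XP and 2003 then use the default of 0.
        'NtfsDisableLastAccessUpdate not set; default 0, last-access timestamps maintained'
    }
    elseif ($value -band 1) {
        # Bit 0 set: NTFS no longer updates last-access times, so those
        # timestamps only reflect activity from before the setting took effect.
        "NtfsDisableLastAccessUpdate = $value : last-access timestamps NOT maintained"
    }
    else {
        "NtfsDisableLastAccessUpdate = $value : last-access timestamps maintained"
    }
}
finally {
    # Drop PowerShell's handles to the key so the hive can be unloaded again.
    [gc]::Collect()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

While the hive is loaded, the reg.exe form from the section above works the same way against it, e.g. reg.exe QUERY HKLM\Evidence_SYSTEM\ControlSet001\Control\FileSystem /v NtfsDisableLastAccessUpdate, with ControlSet001 replaced by whatever Select\Current resolves to. Testing bit 0 rather than comparing against 1 keeps the check correct on later Windows versions, where the value can also carry a "system managed" flag in its upper bits.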

Utilities

 * Registry tools useful in digital forensics
 * Regmon; part of the Sysinternals tools — A tool for detailed monitoring of applications that are accessing registry items
 * Process Monitor; part of the Sysinternals tools — Combines RegMon and FileMon and is the only Sysinternals tool for monitoring the registry in Windows Vista
 * jv16 PowerTools — A utility suite containing a registry cleaner, a registry monitor and a registry compactor.
 * Chntpw — An open-source offline Windows Registry/SAM editor that runs under Linux
 * ERD Commander — A bootable CD which includes an off-line registry editor for repairing Windows installations.
 * Win32Registry - Perl registry module allowing access from non-Windows Operating Systems