The Windows registry is a database that stores configuration entries for recent Microsoft Operating Systems including Windows Mobile. This page is intended to capture registry entries that are of interest from a digital forensics point of view. There are a number of registry tools that assist with editing, monitoring and viewing the registry.
Registry locations
Windows NT, 2000, XP, and Server 2003
The following Registry files are stored in %SystemRoot%\System32\Config\:
- Sam - HKEY_LOCAL_MACHINE\SAM
- Security - HKEY_LOCAL_MACHINE\SECURITY
- Software - HKEY_LOCAL_MACHINE\SOFTWARE
- System - HKEY_LOCAL_MACHINE\SYSTEM
- Default - HKEY_USERS\.DEFAULT
- Userdiff
The following file is stored in each user's profile folder:
- NTUSER.DAT
Windows 95, 98, and Me
The registry files are named User.dat and System.dat and are stored in the C:\WINDOWS\ directory. In Windows Me, Classes.dat was added.
Windows 3.11
The registry file is called Reg.dat and is stored in the C:\WINDOWS\ directory.
Backup Registry locations
Windows NT, 2000, XP, and Server 2003
The Registry is backed up on a successful install. The following backup Registry files are stored in %SystemRoot%\System32\Config\:
- Sam.sav
- Security.sav
- Software.sav
- System.sav
- Default.sav
The Registry is also backed up as Restore Points. The following backup Registry files are stored in directories similar to the following:
C:\System Volume Information\_restore{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\RPXXX\Snapshot
You may get an "access denied" message when trying to look in the System Volume Information directory. Instructions are available on getting the required access.
The files saved in this directory are:
- _REGISTRY_USER_.DEFAULT
- _REGISTRY_MACHINE_SECURITY
- _REGISTRY_MACHINE_SOFTWARE
- _REGISTRY_MACHINE_SYSTEM
- _REGISTRY_MACHINE_SAM
There are also files for each of the users on the machine based on their Security Identifier (SID):
- _REGISTRY_USER_NTUSER_S-1-5-19
- _REGISTRY_USER_USRCLASS_S-1-5-19
Windows 95, 98, and Me
Windows 3.11
Transaction Logs
Windows NT, 2000, XP, and Server 2003
The transaction log files record the changes made to the Registry since the system was last started. Changes are written to the log files first, and a log file is reset once its changes have been committed to the Registry. If a system failure occurs before the logged information has been written to the Registry, the log is applied to the Registry on the next boot.
The following Transaction Log files are stored in %SystemRoot%\System32\Config\:
- Sam.log
- Security.log
- Software.log
- System.log
- Default.log
- Userdiff.log
- TempKey.log
The following file is stored in each user's profile folder:
- NTUSER.DAT.log
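An added triage helper (not part of the original wiki page) that encodes the hive, backup, transaction-log and Restore Point locations from the three sections above and reports which of them are present on an offline volume such as a read-only mounted image. The function names, the `WINDOWS` and `Documents and Settings` folder names and the constructed sample tree are this example's own assumptions, not values taken from the page.

```python
"""Inventory the hive, .sav backup, transaction-log, NTUSER.DAT and Restore Point files listed above."""
import glob
import os
import tempfile

CONFIG_HIVES = ["Sam", "Security", "Software", "System", "Default", "Userdiff"]
BACKED_UP = CONFIG_HIVES[:5]                  # the page lists no Userdiff.sav
EXTRA_LOGS = ["TempKey.log"]
USER_FILES = ["NTUSER.DAT", "NTUSER.DAT.log"]
SNAPSHOT_GLOB = os.path.join("System Volume Information", "_restore*", "RP*",
                             "Snapshot", "_REGISTRY_*")

def inventory_hives(volume_root, system_root="WINDOWS", profiles="Documents and Settings"):
    """Return {category: [(relative_path, size_or_None)]}; expected files that are
    absent are kept with size None so gaps (a deleted .sav, say) stand out in triage."""
    config = os.path.join(volume_root, system_root, "System32", "Config")

    def probe(path):  # record the file if present, mark it missing otherwise
        size = os.path.getsize(path) if os.path.isfile(path) else None
        return (os.path.relpath(path, volume_root), size)

    result = {"hive": [], "backup": [], "log": [], "user": [], "snapshot": []}
    for name in CONFIG_HIVES:
        result["hive"].append(probe(os.path.join(config, name)))
        result["log"].append(probe(os.path.join(config, name + ".log")))
    result["backup"] = [probe(os.path.join(config, n + ".sav")) for n in BACKED_UP]
    result["log"] += [probe(os.path.join(config, n)) for n in EXTRA_LOGS]
    prof_root = os.path.join(volume_root, profiles)
    for prof in (sorted(os.listdir(prof_root)) if os.path.isdir(prof_root) else []):
        result["user"] += [probe(os.path.join(prof_root, prof, n)) for n in USER_FILES]
    # Snapshot copies are discovered rather than expected: list only what exists.
    result["snapshot"] = [probe(p) for p in sorted(glob.glob(os.path.join(volume_root, SNAPSHOT_GLOB)))]
    return result

def build_sample_volume():
    """Constructed stand-in for a mounted image (placeholder bytes, not real hives)."""
    root = tempfile.mkdtemp(prefix="vol_")
    config = os.path.join(root, "WINDOWS", "System32", "Config")
    snap = os.path.join(root, "System Volume Information",
                        "_restore{00000000-0000-0000-0000-000000000000}", "RP12", "Snapshot")
    user = os.path.join(root, "Documents and Settings", "analyst")
    files = [(config, n) for n in ("Sam", "Security", "Software", "System", "Default",
                                   "Sam.sav", "System.log")]
    files += [(snap, "_REGISTRY_MACHINE_SYSTEM"), (snap, "_REGISTRY_USER_NTUSER_S-1-5-19"),
              (user, "NTUSER.DAT")]
    for folder, name in files:
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, name), "wb") as f:
            f.write(b"regf" + b"\0" * 60)        # 64 placeholder bytes per file
    return root
```

Against real evidence, call `inventory_hives` with the mount point of the volume; `build_sample_volume` exists only to make the example self-contained, and an entry with size None marks an expected file that was not found.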
Viewing registry entries
From the command line:
reg.exe QUERY HKLM\System\CurrentControlSet\Control\FileSystem
Useful entries
- HKLM\System\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate
Utilities
- Registry tools useful in digital forensics
- Regmon; part of the Sysinternals tools — A tool for detailed monitoring of applications that are accessing registry items
- Process Monitor; part of the Sysinternals tools — Combines RegMon and FileMon and is the only Sysinternals tool for monitoring the registry in Windows Vista
- jv16 PowerTools — A utility suite containing a registry cleaner, a registry monitor and a registry compactor.
- Chntpw — An open-source offline Windows Registry/SAM editor that runs under Linux
- ERD Commander — A bootable CD which includes an off-line registry editor for repairing Windows installations.
- Win32Registry - Perl registry module allowing access from non-Windows Operating Systems
This page uses content from the English-language version of Wikipedia. The original article was at Windows registry. The list of authors can be seen in the page history. As with this Forensics Wiki, the text of Wikipedia is available under the GNU Free Documentation License.