Registry Basics

The Windows registry is a hierarchical database of configuration values stored in a proprietary file format. Each file on disk holds a hive, and the hives are the building blocks of the registry. Under each hive is a tree of keys. Every key has a name and may contain multiple name/value pairs as well as subkeys. All keys sit beneath one of five root keys (commonly also called root hives):

  • HKEY_CLASSES_ROOT. Stores file associations (which application opens which file extension) and Microsoft Component Object Model (COM) registration information. This key is actually a view of HKEY_LOCAL_MACHINE\SOFTWARE\Classes. Since Windows 2000 (so on XP and 2003 as well), it also merges in HKEY_CURRENT_USER\SOFTWARE\Classes, with the per-user entries taking precedence.

  • HKEY_CURRENT_USER. Stores user-specific information, including profile details, application usage information, and an individual's Internet activity details. This key and the HKEY_LOCAL_MACHINE key below are the two most important in an investigation. This key is actually a pointer to HKEY_USERS\SID, where SID is the security identifier of the currently logged-in user.

  • HKEY_LOCAL_MACHINE. Stores the hardware and software settings as well as the security settings for the system. This is one of the two most critical keys in a computer investigation.

  • HKEY_USERS. Stores all of the configuration information for all system users. The current user, pointed to by HKEY_CURRENT_USER, is generally (but not always) the most important in an investigation.

  • HKEY_CURRENT_CONFIG. Stores information on the current hardware configuration. It is not frequently used in an investigation. The key is actually a pointer to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\xxxx, where xxxx is the number of whichever listed hardware profile is currently in use.

Note 

A sixth root key, HKEY_DYN_DATA, is generated automatically on Windows 9x (the name is defined on NT-based systems but is not implemented there). It holds dynamic data such as performance counters and is not generally analyzed as part of a computer investigation.

The registry is primarily accessed through the Windows Registry Editor program. You can access it by typing regedit from the command line. The Registry Editor provides several functions of interest in an investigation. Primarily, it enables the investigator to both browse and search the registry for information. Secondarily, the Registry Editor gives the investigator the ability to export registry information for external analysis. The Registry Editor is shown in Figure 6-1.

Figure 6-1: Windows Registry Editor

A better choice for viewing the Windows XP/Server 2003 registry is the Registry Viewer from the 2003 resource kit, available for download from the Microsoft website. For Windows 2000, the Regedt32 program (an alternative Registry Editor) has a read-only mode as well.

For command prompt-based analysis, a second Windows NT tool is also useful: the Microsoft Console Registry Tool, accessible with the reg command. It gives the investigator the ability to query and export registry key information using reg query and reg export, respectively. Note that reg reads the live registry of the machine it runs on; to examine a hive file taken from an image, first mount it with reg load (for example, reg load HKLM\Evidence D:\case\SOFTWARE) and query it under that temporary key. An example of using the tool to query the Run key (used to run programs automatically at logon) and all of its subkeys and name/value pairs (the /s switch does this recursively) is as follows:

 C:\>reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /s

 ! REG.EXE VERSION 3.0

 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
     ccApp               REG_SZ  "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
     vptray              REG_SZ  C:\PROGRA~1\SYMANT~1\VPTray.exe
     epgcfsiscpe         REG_SZ  D:\WINDOWS\System32\jslfde.exe
     Win Server Updt     REG_SZ  D:\WINDOWS\wupdt.exe
     NeroFilterCheck     REG_SZ  D:\WINDOWS\system32\NeroCheck.exe

 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
     Installed    REG_SZ  1

 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
     Installed    REG_SZ  1
     NoChange     REG_SZ  1

 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
     Installed    REG_SZ  1
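The /s output above is easy to read by eye but awkward to triage across many hosts. The following Python is an added example, not code from the book: it parses reg query /s text (the sample here is constructed after the listing above) into per-key records, keeps only the values directly under the Run key (the OptionalComponents subkeys that recursion pulls in are not launched at logon), and flags commands whose executable lives under the Windows directory. That filter is a triage heuristic, not a verdict: legitimate software also drops helpers there, so flagged entries go on a list for manual review rather than being treated as findings.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: "reg query HKLM\...\Run /s" output modelled on the listing in
# the chapter. reg.exe separates the columns with whitespace; the parser accepts
# tabs or runs of spaces.
SAMPLE_REG_QUERY = r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ccApp    REG_SZ    "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    vptray    REG_SZ    C:\PROGRA~1\SYMANT~1\VPTray.exe
    epgcfsiscpe    REG_SZ    D:\WINDOWS\System32\jslfde.exe
    Win Server Updt    REG_SZ    D:\WINDOWS\wupdt.exe
    NeroFilterCheck    REG_SZ    D:\WINDOWS\system32\NeroCheck.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
    Installed    REG_SZ    1
    NoChange    REG_SZ    1
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# A value line: indentation, value name (may contain spaces), REG_* type, data.
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")

Entry = Tuple[str, str, str]  # (value name, value type, data)


def parse_reg_query(text: str) -> Dict[str, List[Entry]]:
    """Turn `reg query ... /s` output into {key path: [(name, type, data), ...]}."""
    entries: Dict[str, List[Entry]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue                      # blank lines and the version banner
        if line.startswith("HKEY_"):
            current = line.strip()        # a key header opens a new section
            entries.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current].append((m.group("name"), m.group("type"), m.group("data").strip()))
    return entries


def image_path(command: str) -> str:
    """Extract the executable path from a Run value's command line (heuristic)."""
    command = command.strip()
    if command.startswith('"'):           # quoted path: everything up to the closing quote
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    cut = command.lower().find(".exe")    # unquoted: keep up to the first .exe
    return command[:cut + 4] if cut >= 0 else command.split()[0]


def triage_run_values(entries: Dict[str, List[Entry]], run_key: str = RUN_KEY) -> List[Tuple[str, str, str]]:
    """Return (name, path, reason) for autostart values that merit manual review.

    Only values directly under run_key are autostarts; values inside its subkeys
    (e.g. OptionalComponents) are never launched, so the /s output is filtered
    back down to the key itself.
    """
    flagged = []
    for name, _vtype, data in entries.get(run_key, []):
        path = image_path(data)
        low = path.lower().replace("/", "\\")
        # Installers normally register binaries under Program Files; a loader
        # sitting directly in %SystemRoot% or System32 is worth a closer look.
        if "\\windows\\" in low or "\\winnt\\" in low:
            flagged.append((name, path, "starts from the Windows directory"))
    return flagged


if __name__ == "__main__":
    parsed = parse_reg_query(SAMPLE_REG_QUERY)
    for name, path, reason in triage_run_values(parsed):
        print(f"{name!r:20} {path:45} {reason}")
```

Run against the sample, three of the five Run values are reported; the two Symantec entries under Program Files are not. Feeding the script the saved output of reg query from several machines and diffing the flagged lists is a quick way to spot an autostart that exists on only one host.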

Another useful tool for analyzing how a specific program behaves is Regmon, a real-time registry access monitor available from Sysinternals. Regmon shows which keys a process reads from or writes to. It is exceptionally useful for identifying the registry keys in which an individual application stores information such as recently used files, usage statistics, or installation times. It is also used in malicious code analysis to see where a virus or worm registers itself to start automatically. Figure 6-2 shows a screenshot of an active Regmon session.

Figure 6-2: Registry activity viewed with Regmon

On the NT side, Microsoft protects registry keys with permissions, because they can contain personal user information as well as critical Windows security details (and settings that can drastically alter Windows behavior). A user's hive under HKEY_USERS is protected so that other ordinary users cannot read it. Likewise, certain subkeys are hidden even from administrators by default: the SAM and SECURITY subkeys under HKEY_LOCAL_MACHINE are accessible only to the SYSTEM account, so an administrator opening them in Registry Editor sees empty keys unless the permissions are changed or the tool is run as SYSTEM. In a locked-down environment, permissions can be set on individual keys.

WINDOWS REGISTRY FILE LOCATIONS

The standard registry file locations vary by operating system. Additional copies of the registry, which may hold information from before a user wiped or cleaned it, can also be present in several locations. The default registry files are located as follows:

Windows NT/2000/XP/2003

  • HKEY_CURRENT_USER: Located under the user's profile directory (Documents and Settings\Profilename\NTUser.dat on 2000/XP/2003, or %SYSTEMROOT%\Profiles\Profilename\NTUser.dat on NT). On 2000/XP/2003 the user's HKEY_CURRENT_USER\Software\Classes subtree lives in a separate file, Documents and Settings\Profilename\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.

  • HKEY_CURRENT_CONFIG: Taken from the HKEY_LOCAL_MACHINE\SYSTEM file

  • HKEY_CLASSES_ROOT: Taken from the HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE\SOFTWARE files

  • HKEY_LOCAL_MACHINE\

    • HARDWARE: A dynamic key built by Windows at startup

    • SAM: %SYSTEMROOT%\System32\Config\SAM

    • SECURITY: %SYSTEMROOT%\System32\Config\SECURITY

    • SOFTWARE: %SYSTEMROOT%\System32\Config\SOFTWARE

    • SYSTEM: %SYSTEMROOT%\System32\Config\SYSTEM

  • HKEY_USERS: Built from the individual user profile NTUser.dat files, plus %SYSTEMROOT%\System32\Config\DEFAULT, which is loaded as HKEY_USERS\.DEFAULT

Windows 9x

  • HKEY_CURRENT_USER: %SYSTEMROOT%\Profiles\Profilename\User.dat

  • HKEY_CURRENT_CONFIG: Taken from System.dat

  • HKEY_CLASSES_ROOT: Taken from System.dat

  • HKEY_LOCAL_MACHINE: %SYSTEMROOT%\System.dat

  • HKEY_USERS: Built from the individual user profile User.dat files

  • HKEY_DYN_DATA: Generated dynamically at system startup

Beyond the default locations, copies of the hive files or their contents may exist elsewhere on the system. Besides searching an image for hive files themselves, check the following likely spots for the same information:

  • System.alt. On Windows NT and 2000 systems, System.alt is a backup copy of the SYSTEM hive file. It is located in the same directory as the standard files.

  • *.sav. At the end of the initial system build, a copy of each raw registry file is saved with a .sav extension. While it will not contain anything added to the system after installation, it can provide other guidance (such as the version of the software installed and the install date/time). The .sav files are located in the same directory as the standard files.

  • %SYSTEMROOT%\Sysbckup\. Windows 9x systems store backups of the registry files in CAB archives named rb00n.cab, where n is the number of the backup. These can be unpacked with the command extract /e rb00n.cab to view a copy of the registry as it stood at that point in time.

  • %SYSTEMROOT%\Repair\. On NT-based systems, copies of the initial registry files are placed in this directory when the system is first installed.

  • %SYSTEMROOT%\Repair\Regback\. When an Emergency Repair Disk is created on NT-based systems, copies of the current registry files are put in this directory, because they are too large to fit on the floppy disk itself.

  • C:\System Volume Information\_restore{GUID}\RPnn\snapshot\. Under Windows XP, System Restore points carry copies of the registry. The System Volume Information folder is accessible only to the SYSTEM account on a live machine, so work from a forensic image or take ownership of the folder first. Search under the various _restore directories and their RPnn restore-point directories (the copies sit in the snapshot subdirectory) for files labeled:

    • _REGISTRY_USER_.DEFAULT

    • _REGISTRY_MACHINE_SECURITY

    • _REGISTRY_MACHINE_SOFTWARE

    • _REGISTRY_MACHINE_SYSTEM

    • _REGISTRY_MACHINE_SAM

Each of these files can be restored to the respective registry file by renaming the file to correspond with the original name (for example, _REGISTRY_MACHINE_SYSTEM becomes SYSTEM).
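When hive files turn up in the locations above (Repair, Regback, .sav copies, restore points), an investigator wants to know which files really are hives, when each copy was last written, and whether a copy was caught mid-update. The following Python is an added example, not from the book: it decodes the 512-byte base block that every NT-format hive starts with (the regf signature, the two sequence numbers, the last-written FILETIME, the version number and the header checksum), reports a mismatch between the sequence numbers as a dirty hive, and walks a directory tree reporting every file that carries a valid base block. The sample header is constructed inside the code rather than taken from a real system; the field layout follows the public regf format, and the contents of the embedded name field vary by Windows version.

```python
import os
import struct
from datetime import datetime, timedelta, timezone

REGF_HEADER_LEN = 512        # size of the base block at the start of every hive file


def filetime_to_datetime(filetime: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def regf_checksum(header: bytes) -> int:
    """XOR of the 127 little-endian dwords in bytes 0..507; 0 and 0xFFFFFFFF are reserved."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return 1 if x == 0 else x


def parse_regf_header(data: bytes) -> dict:
    """Decode the regf base block and report whether the hive looks intact."""
    if len(data) < REGF_HEADER_LEN:
        raise ValueError("too short to be a hive")
    (sig, seq1, seq2, ftime, major, minor, ftype, _fmt,
     root_off, hbins_size, _cluster) = struct.unpack_from("<4sIIQIIIIIII", data, 0)
    if sig != b"regf":
        raise ValueError("missing 'regf' signature")
    # Offset 48: up to 64 bytes of UTF-16LE file name (Windows stores a tail of the hive path).
    name = data[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", data, 508)[0]
    return {
        "name": name,
        "version": f"{major}.{minor}",        # 1.3 on NT/2000/XP/2003, 1.5 on Vista and later
        "file_type": ftype,                    # 0 = primary hive file, 1 = transaction log
        "last_written": filetime_to_datetime(ftime),
        "primary_seq": seq1,
        "secondary_seq": seq2,
        # The kernel bumps seq1 before a write and seq2 after it; a mismatch means the
        # copy was taken mid-update (or the machine crashed) and the .LOG may be needed.
        "dirty": seq1 != seq2,
        "root_cell_offset": root_off,
        "hbins_size": hbins_size,
        "checksum_ok": stored == regf_checksum(data),
    }


def scan_for_hives(root_dir: str):
    """Walk root_dir and return (path, header) for every file that starts with a regf base block."""
    found = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    found.append((path, parse_regf_header(fh.read(REGF_HEADER_LEN))))
            except (OSError, ValueError):
                continue                      # unreadable, or not a hive
    return found


# --- constructed sample (a synthetic header, not a real hive) -------------------------
FT_2006_01_01 = 127805472000000000            # FILETIME for 2006-01-01 00:00:00 UTC


def build_sample_header(seq1: int, seq2: int, name: str, filetime: int = FT_2006_01_01) -> bytes:
    """Assemble a 512-byte regf base block with a valid checksum for testing."""
    hdr = bytearray(REGF_HEADER_LEN)
    struct.pack_into("<4sIIQIIIIIII", hdr, 0, b"regf", seq1, seq2, filetime,
                     1, 3, 0, 1, 0x20, 0x1000, 1)   # v1.3, primary file, root cell at 0x20
    encoded = name.encode("utf-16-le")[:64]
    hdr[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", hdr, 508, regf_checksum(hdr))
    return bytes(hdr)


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_header(7, 7, "SYSTEM")),
                        ("dirty", build_sample_header(8, 7, "SOFTWARE"))):
        print(label, parse_regf_header(blob))
```

Pointing scan_for_hives at a mounted image's System Volume Information or Repair directory lists every registry copy with its last-written time, which is what you need to order the _REGISTRY_MACHINE_* files from different restore points. A copy reported as dirty should be paired with its .LOG file before anything is concluded from its contents, and a bad checksum means the header itself has been altered or truncated.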

Windows Forensics: The Field Guide for Corporate Computer Investigations
Author: Chad Steel
Year: 2006
ISBN: 0470038624
