The Windows Registry plays a critical role in a forensic investigation. It is a central repository for system settings, user preferences, and other critical information related to the Windows OS. 

The Windows Registry stores information that can be used in an investigation. It stores information about installed software, user accounts, network configurations, file associations, and system settings. You can also locate recently accessed files by users, application usage history, and user login and logout data. Plus, the registry also contains information about hardware! 

The Windows Registry is a hierarchical database that stores configuration settings and options for the Windows OS. The information is organized by keys, subkeys, and values, resembling a tree-link structure. Each key can contain subkeys, which may contain even more subkeys or a value. Each value entry holds data related to the system configuration, software settings, user preferences, or hardware information. 

Also, the Windows Registry is divided into five hives. A hive is a logical grouping or a container of keys, subkeys, and values that refers to a specific part of the Windows Registry.  A brief explanation of each hive is below. Also, take note of the abbreviation as this is how hives are commonly referenced.

1. HKEY_CLASSES_ROOT (HKCR): This folder contains file extension associations and other information related to file types and the execution of applications/programs.

2. HKEY_CURRENT_USER (HKCU): This key stores settings and configurations specific to the currently logged-in user, such as desktop settings, application preferences, and environment variables.

3. HKEY_LOCAL_MACHINE (HKLM): Holds configuration data that applies to all users on the computer, including hardware settings, software settings, and system-wide preferences.

4. HKEY_USERS (HKU): This key contains subkeys corresponding to user profiles on the system, each storing settings and configurations for individual users.

5. HKEY_CURRENT_CONFIG (HKCC): This provides a view of the system's current hardware profile. It is also a shortcut to the HKLM hive.

In the Windows Registry, keys and subkeys appear as folders. A value can be one of the following:

• Reg_Dword (Numbers)

  • Hexadecimal (decimal)

  • 0x0000001 (1)

  • True =1 False =0

• Reg_SZ (String)

  • Stores strings (paths to files, etc.)

  • Can be encrypted

There are several ways to do a registry analysis.  One of the methods is to use regedit.exe or reg.exe. These are both native tools, but also need to be used with caution. Another method is to use the Windows PowerShell.  

A method to better understand what happens in the Windows Registry when changes are made to the Windows OS is to observe changes to the registry while you are interacting with the system. You can do this by creating a registry dump, making a change, creating a new registry dump, and then comparing the two. This will help you learn more about the registry and how simple changes have a big impact. 

There are also other tools that you can use that can help you gain more insight:

• Process Monitor: This is a tool provided by Microsoft that provides real-time registry activity.

• RegistryChangeView: A tool for Windows that allows you to take a snapshot of the registry and compare it to another snapshot.

• Recall that some commercial software will contain registry analysis tools

When analyzing the Windows Registry, it does contain a last modified time-stamp. This is stored as a FILETIME structure and can be viewed using specialized utilities like RegScanner by NirSoft.

This depends on the installed software, but below are some items you might encounter while looking in a registry. Depending on the version of Windows, this can change.

• Windows Insallation Date: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

• Last logged-on user: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser

• Windows OS Product Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\BackupProductKeyDeafult

• USB Device History: 

  • HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\USBSTOR

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB

• Registered Owner: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner

• Programs run automatically: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

• Last Shutdown: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Control\Windows\ShutdownTime

• Timezone Information: Time Zone Information: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Control\Windows\TimeZoneInformation

• Wireless SSIDs: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\ CurrentVersion\NetworkList\Nla\Wireless 

• Recent Documents: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs 

• UserAssist: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

  • Application usage and number of times an application has been launched. 

• Run and RunOnce Keys: 

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  • Path to programs configured to start at system start-up Could be evidence of malware or other unauthorized software.

• User Account Information: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users

  • This contains username information, user IDs, password hashes

• Network Configuration: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

  • IP address, DNS settings, and network adapter information

I suggest starting up your Windows VM and exploring these values! 

To learn more about registry values, view the Google Sheet below.