Registry
HKEY_LOCAL_MACHINE: This key contains information about the system's hardware and installed programs, including details about device drivers, startup programs, services installed, and system settings etc.
HKEY_CURRENT_USER: This key contains information about the user's specific settings and preferences, such as desktop background, applications executed, searched items, keyboard layout etc.
HKEY_USERS: This key contains information about the users on the system, including their user profiles and settings.
HKEY_CLASSES_ROOT: This key contains information about the file associations and COM classes on the system, which determine how different file types are opened and handled.
HKEY_LOCAL_MACHINE (HKLM) and HKEY_CURRENT_USER (HKCU) are critical registry keys, as they store most of the data valuable for forensic analysis.
Location: C:\Windows\System32\Config\*
DEFAULT Hive: This contains default settings for the operating system and applications, and is used as a template when a new user account is created.
SYSTEM Hive: This contains settings for low-level system components, such as drivers and services.
SAM (Security Accounts Manager) Hive: This contains information about user accounts on the local computer, including hashed versions of their passwords.
SOFTWARE Hive: This contains information about the installed programs and their settings.
SECURITY Hive: This contains security-related settings, such as access control information for system resources.
All hives, except DEFAULT, are linked to the HKEY_LOCAL_MACHINE key.
NTUSER.DAT: This hive contains the registry settings for a specific user account on a Windows computer. This stores information about the user's personal settings, such as desktop background, start menu configuration, and application settings.
The NTUSER.DAT file is located in the user's profile folder, typically C:\Users\{username} or %USERPROFILE%.
USRCLASS.DAT: This hive contains the registry settings for applications that are installed for a specific user account on a Windows computer. This stores information about the user's installed programs and their settings.
UsrClass.dat is located at %USERPROFILE%\AppData\Local\Microsoft\Windows
Artifacts include details about users, groups, system information (such as OS version and build number), network data (like active interfaces), and opened file shares.
User Information (hive: SAM)
SAM\Domains\Account\Users
System Information (hives: SYSTEM, SOFTWARE)
SYSTEM\ControlSet001
SYSTEM\CurrentControlSet
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Network Information (hives: SYSTEM, SOFTWARE)
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList
SYSTEM\CurrentControlSet\services\LanmanServer\Shares
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Shellbags are artifacts created when a user interacts with Windows File Explorer; they store folder view states (size, position, contents). They also record paths to accessed network shares and removable devices, and the names of zip files that were browsed, even when the folders inside the zip file are not password protected.
NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Shimcache, or the Application Compatibility Cache (AppCompatCache), records information about executable files run on the system, including the file's name, path, timestamp, and other relevant metadata. It also stores data about executables, whether they originate from the local system, network shares, or USB devices.
This feature ensures backward compatibility for older applications on newer versions of Windows. In earlier Windows versions (like 7/8), Shimcache only flagged whether a file was executed. However, in Windows 10, it not only tracks execution but also stores the names of executables visible in File Explorer.
If you have 20 executables in a directory and open it in File Explorer, but only 5 are visible due to the window size, Shimcache will record information for those 5 files, even if they weren't executed. If you later resize the window to show all 20 files, Shimcache will update to include all 20. This means Shimcache cannot definitively prove that an application was executed, as it may have only been browsed in File Explorer.
Shimcache provides:
Evidence of execution (only when corroborated with Amcache)
Evidence that an executable existed (only if it was viewed in the GUI; listing file names from the CLI does not populate this key)
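The AppCompatCache value described above is a single binary blob; on Windows 10 each entry is tagged "10ts" and carries the file path and the file's last-modified time, not an execution time. The parser below is an added example, not code from the original page; the sample blob is constructed inline, and the helper that builds it is only there to produce that sample.

```python
import struct
from datetime import datetime, timedelta, timezone

ENTRY_SIG = b"10ts"                                   # Windows 10 entry tag
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_appcompatcache_win10(blob):
    """Return [(path, last_modified)] for each Windows 10 style entry in the value.

    Entry layout: b'10ts' | 4 bytes unknown | uint32 size of the rest of the entry |
    uint16 path length | UTF-16LE path | FILETIME (the file's modified time, not
    when it ran) | uint32 data size | data.
    """
    header_size = struct.unpack_from("<I", blob, 0)[0]    # 0x30 or 0x34 on Windows 10
    off, entries = header_size, []
    while off + 12 <= len(blob) and blob[off:off + 4] == ENTRY_SIG:
        entry_size = struct.unpack_from("<I", blob, off + 8)[0]
        body = blob[off + 12:off + 12 + entry_size]
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        mtime = struct.unpack_from("<Q", body, 2 + path_len)[0]
        entries.append((path, filetime_to_dt(mtime)))
        off += 12 + entry_size
    return entries

def _build_entry(path, filetime, data=b""):
    """Constructed sample entry in the same layout (demo input only)."""
    p = path.encode("utf-16-le")
    body = struct.pack("<H", len(p)) + p + struct.pack("<QI", filetime, len(data)) + data
    return ENTRY_SIG + b"\x00" * 4 + struct.pack("<I", len(body)) + body

# Constructed sample value: zeroed 0x34-byte header followed by two entries,
# one local file and one on a network share (paths are made up).
FT_2021_01_01 = 132539328000000000      # FILETIME for 2021-01-01 00:00:00 UTC
SAMPLE_BLOB = (
    struct.pack("<I", 0x34) + b"\x00" * 0x30
    + _build_entry(r"C:\Users\alice\Downloads\installer.exe", FT_2021_01_01)
    + _build_entry(r"\\fileserver\share\tool.exe", FT_2021_01_01 + 3600 * 10_000_000)
)

if __name__ == "__main__":
    for path, mtime in parse_appcompatcache_win10(SAMPLE_BLOB):
        # An entry proves the file was seen by the shim engine, not that it executed.
        print(f"{mtime.isoformat()}  {path}")
```

When run against a real value (exported from SYSTEM\...\AppCompatCache), treat every row as "file existed" and cross-check Amcache before calling it execution.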
The Amcache hive on Windows systems stores key information about executed applications, such as the application path, file metadata (description, publisher), timestamps (creation, modification, deletion), and SHA-1 hashes. It is part of the Windows Application Compatibility Cache and helps track software installations and execution, including data from external sources like network shares and USB devices.
The Amcache hive is used by Windows to track changes to installed applications and improve system performance. When an application is installed or updated, details about the change are recorded in this hive, allowing Windows to quickly access information about installed applications without searching the entire system.
In Windows 7 and older versions, Amcache was named RecentFileCache and was located at: C:\Windows\AppCompat\Programs\recentfilecache.bcf
Amcache is considered more reliable evidence of execution compared to Shimcache. It stores additional data, such as the first execution timestamp, deletion timestamp (if the file was deleted), hash values of executables, and the application publisher name.
This feature in Windows allows users to access their recently used applications.
The mentioned key stores information about opened files/applications, shortcut files, and the last accessed time. It's important to note that this artifact tracks all files opened or modified, classifying it as evidence of access rather than execution. If a file is modified or renamed via the command line, it will be recorded in this registry key even though the file wasn't executed, only modified.
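RecentDocs does not store its entries in order; the numbered values hold the document names and the MRUListEx value lists their indices most-recent first, terminated by 0xFFFFFFFF. The same MRUListEx ordering is used by the OpenSavePidlMRU and LastVisitedPidlMRU keys described further down. The code below is an added example, not from the original page; the value data is constructed inline, with the shell item that follows each name in real data replaced by a short stub.

```python
import struct

END_MARKER = 0xFFFFFFFF

def utf16z(data):
    """Decode the leading NUL-terminated UTF-16LE string, scanning on 2-byte units
    so a NUL byte inside a code unit is not mistaken for the terminator."""
    for i in range(0, len(data) - 1, 2):
        if data[i:i + 2] == b"\x00\x00":
            return data[:i].decode("utf-16-le")
    return data.decode("utf-16-le", errors="replace")

def mru_order(values):
    """values: {value name: bytes} read from RecentDocs or one of its extension
    subkeys. Returns document names most-recent first as MRUListEx orders them."""
    mru = values.get("MRUListEx", b"")
    ordered = []
    for (idx,) in struct.iter_unpack("<I", mru[:len(mru) - len(mru) % 4]):
        if idx == END_MARKER:
            break
        data = values.get(str(idx))
        if data is None:
            continue        # stale index: value removed or key only partly recovered
        ordered.append(utf16z(data))
    return ordered

def _value(name):
    """Constructed RecentDocs value: name, NUL terminator, stub for the shell item."""
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00STUB"

# Constructed sample key: index 5 has no value and value 3 is not in the list.
SAMPLE_RECENTDOCS = {
    "MRUListEx": struct.pack("<5I", 2, 5, 0, 1, END_MARKER),
    "0": _value("report.docx"),
    "1": _value("budget.xlsx"),
    "2": _value("notes.txt"),
    "3": _value("orphan.pdf"),
}

if __name__ == "__main__":
    for name in mru_order(SAMPLE_RECENTDOCS):
        print(name)     # access order, not proof the document's handler executed
```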
A "Dialog Box MRU" (Most Recently Used) artifact records the file names, timestamps, and paths accessed or selected in a dialog box within a Microsoft Windows operating system. When a dialog box is opened, such as during a file upload, it displays a file explorer to select files. This artifact provides valuable insights into the user's recent activity, including files and folders accessed or modified, and their file paths.
Whenever a file is opened, loaded, or saved through another application, a file explorer window prompts us to select the desired file. The file path of the opened, loaded, or saved file is stored in this key.
An important subkey under the OpenSavePidlMRU key is the "*" key. This subkey stores the most recent 10 entries from the Dialog Box MRU, tracking the last 10 file paths accessed or selected in dialog boxes.
This key is a supporting artifact to the OpenSavePidlMRU key. It tracks the application executable responsible for opening or saving a file from the Windows Explorer prompt. Unlike the OpenSavePidlMRU, which stores the file path and name, this key stores the executable used to open/save the file, along with the path of the folder from where the file was accessed or saved.
Registry hive backups location: C:\Windows\System32\Config\RegBack
Shimcache location: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
or SYSTEM\ControlSet001\Control\Session Manager\AppCompatCache
Amcache location: C:\Windows\AppCompat\Programs\Amcache.hve
RecentDocs shortcut location: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent
RecentDocs location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Filter on extension: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\{.extension}
Dialog Box MRU location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
and NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
This knowledge has been compiled from resources provided by .