# Registry

## Summary

### Category

* **HKEY\_LOCAL\_MACHINE:** This key contains information about the system's hardware and installed programs, including device drivers, startup programs, installed services, and system settings.
* **HKEY\_CURRENT\_USER:** This key contains the current user's settings and preferences, such as desktop background, applications executed, searched items, and keyboard layout.
* **HKEY\_USERS:** This key contains information about the users on the system, including their user profiles and settings.
* **HKEY\_CLASSES\_ROOT:** This key contains information about the file associations and COM classes on the system, which determine how different file types are opened and handled.

**HKEY\_LOCAL\_MACHINE (HKLM)** and **HKEY\_CURRENT\_USER (HKCU)** are critical registry keys, as they store most of the data valuable for forensic analysis.

### Registry Hive

:lock: Location : `C:\Windows\System32\Config\*`

* **DEFAULT Hive:** This contains default settings for the operating system and applications, and is used as a template when a new user account is created.
* **SYSTEM Hive:** This contains settings for low-level system components, such as drivers and services.
* **SAM (Security Accounts Manager) Hive:** This contains information about user accounts on the local computer, including hashed versions of their passwords.
* **SOFTWARE Hive:** This contains information about the installed programs and their settings.
* **SECURITY Hive:** This contains security-related settings, such as access control information for system resources.

All hives, except **DEFAULT**, are linked to the **HKEY\_LOCAL\_MACHINE** key.

* **NTUSER.DAT:** This hive contains the registry settings for a specific user account on a Windows computer. This stores information about the user's personal settings, such as desktop background, start menu configuration, and application settings.
  * The **NTUSER.DAT** file is located in the user's profile folder, typically at `C:\Users\{username}` or `%USERPROFILE%`.
* **USRCLASS.DAT:** This hive contains the registry settings for applications that are installed for a specific user account on a Windows computer. This stores information about the user's installed programs and their settings.
  * **UsrClass.dat** is located at `%USERPROFILE%\AppData\Local\Microsoft\Windows`.

### Backups and Transaction Logs

:lock: Location : `C:\Windows\System32\Config\RegBack`

***

## Artifacts

### System, Users and Network Information

Artifacts include details about users, groups, system information (such as OS version and build number), network data (like active interfaces), and opened file shares.

<table><thead><tr><th width="197">Context</th><th width="391">Location</th><th>Source</th></tr></thead><tbody><tr><td>User Information </td><td><ul><li><code>SAM\Domains\Account\Users</code></li></ul></td><td>SAM</td></tr><tr><td>System Information</td><td><ul><li><code>SYSTEM\ControlSet001</code></li><li><code>SYSTEM\CurrentControlSet</code></li><li><code>SOFTWARE\Microsoft\Windows NT\CurrentVersion</code></li></ul></td><td>SYSTEM, SOFTWARE</td></tr><tr><td>Network Information</td><td><ul><li><code>SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList</code></li><li><code>SYSTEM\CurrentControlSet\services\LanmanServer\Shares</code></li><li><code>SYSTEM\CurrentControlSet\Services\Tcpip\Parameters</code></li><li><code>SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces</code></li></ul></td><td>SYSTEM, SOFTWARE</td></tr></tbody></table>

### Shellbags

Shellbags are artifacts created when a user interacts with Windows File Explorer, storing folder states (size, position, contents). They also track paths to accessed network shares, removable devices, and zip file names; folders inside zip archives are recorded as well when the archive is not password protected.

#### Registry

* `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags`
* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags`
* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU`

<details>

<summary>Tool</summary>

ShellBags Explorer

</details>

### Shimcache

**Shimcache**, or the **Application Compatibility Cache (AppCompatCache)**, records information about executable files run on the system, including the file's name, path, timestamp, and other relevant metadata. It also stores data about executables, whether they originate from the local system, network shares, or USB devices.

> This feature ensures backward compatibility for older applications on newer versions of Windows. In earlier Windows versions (like 7/8), Shimcache only flagged whether a file was executed. However, in Windows 10, it not only tracks execution but also stores the names of executables visible in File Explorer.

{% hint style="warning" %}
If you have 20 executables in a directory and open it in File Explorer, but only 5 are visible due to the window size, Shimcache will record information for those 5 files, even if they weren't executed. If you later resize the window to show all 20 files, Shimcache will update to include all 20. This means Shimcache cannot definitively prove that an application was executed, as it may have only been browsed in File Explorer.
{% endhint %}

Shimcache stores:

1. Evidence of executable execution (must be correlated with Amcache to be conclusive)
2. Evidence of executable existence (only if viewed from the GUI; listing the file names from the CLI does not populate this registry key)

:lock: Location: `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache` or `SYSTEM\ControlSet001\Control\Session Manager\AppCompatCache`
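The `AppCompatCache` value is a single binary blob, so it has to be decoded before the entries above can be read. The parser below is an added example (not part of the original page or the LetsDefend material) for the Windows 10 entry layout; the two entries it parses are constructed inline, and every path and timestamp in them is invented.

```python
import struct
from datetime import datetime, timedelta, timezone

ENTRY_SIGNATURE = b"10ts"  # marker that starts every Windows 10 entry
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def parse_appcompatcache_win10(blob: bytes) -> list:
    """Walk the Windows 10 AppCompatCache value. The first DWORD is the header
    size; each entry is [sig '10ts'][4 unknown][entry size][path size]
    [UTF-16LE path][FILETIME][data size][data]. Entries sit in insertion
    order and the FILETIME is the file's last-modified time, which is why
    a Shimcache entry alone does not prove execution."""
    header_size = struct.unpack_from("<I", blob, 0)[0]
    pos, entries = header_size, []
    while pos + 12 <= len(blob) and blob[pos:pos + 4] == ENTRY_SIGNATURE:
        entry_size = struct.unpack_from("<I", blob, pos + 8)[0]
        body = blob[pos + 12:pos + 12 + entry_size]
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        last_mod, data_size = struct.unpack_from("<QI", body, 2 + path_len)
        entries.append({"position": len(entries), "path": path,
                        "last_modified": filetime_to_datetime(last_mod),
                        "data_size": data_size})
        pos += 12 + entry_size
    return entries

def build_entry(path: str, modified: datetime) -> bytes:
    """Serialise one entry in the layout above (only used to build the sample)."""
    p = path.encode("utf-16-le")
    body = struct.pack("<H", len(p)) + p + struct.pack("<QI", datetime_to_filetime(modified), 0)
    return ENTRY_SIGNATURE + b"\0" * 4 + struct.pack("<I", len(body)) + body

# Constructed sample: a 0x34-byte header followed by two invented entries.
SAMPLE_BLOB = (struct.pack("<I", 0x34) + b"\0" * 0x30
               + build_entry(r"C:\Windows\System32\cmd.exe", datetime(2023, 5, 1, 12, 0, tzinfo=timezone.utc))
               + build_entry(r"\\fileserver\share\tool.exe", datetime(2024, 2, 10, 8, 30, tzinfo=timezone.utc)))

if __name__ == "__main__":
    for e in parse_appcompatcache_win10(SAMPLE_BLOB):
        print(e["position"], e["last_modified"].isoformat(), e["path"])
```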

<details>

<summary>Tool</summary>

AppCompatCacheParser

Timeline Explorer

</details>

### Amcache

The **Amcache** hive on Windows systems stores key information about executed applications, such as the application path, file metadata (description, publisher), timestamps (creation, modification, deletion), and SHA-1 hashes. It is part of the Windows Application Compatibility Cache and helps track software installations and execution, including data from external sources like network shares and USB devices.

> The **Amcache** hive is used by Windows to track changes to installed applications and improve system performance. When an application is installed or updated, details about the change are recorded in this hive, allowing Windows to quickly access information about installed applications without searching the entire system.

:lock: Location: `C:\Windows\AppCompat\Programs\Amcache.hve`

Evidence of execution is located: `AMCACHE{GUID}\Root\InventoryApplicationFile`

Evidence of malicious drivers is located: `AMCACHE{GUID}\Root\InventoryDriverBinary`

In Windows 7 and older versions, **Amcache** was named **RecentFileCache** and was located at **`C:\Windows\AppCompat\Programs\recentfilecache.bcf`**

#### Difference Between Amcache and Shimcache

{% hint style="warning" %}
**Amcache** is considered more reliable evidence of execution compared to **Shimcache**. It stores additional data, such as the first execution timestamp, deletion timestamp (if the file was deleted), hash values of executables, and the application publisher name.
{% endhint %}

<details>

<summary>Tool</summary>

AmcacheParser

Timeline Explorer

</details>

### Recent Files

This feature in Windows gives users quick access to their recently used files and applications.

:unlock: Shortcut Location: `%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent`

:lock: Location: `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`

{% hint style="warning" %}
The mentioned key stores information about opened files/applications, shortcut files, and the last accessed time. It’s important to note that this artifact tracks all files opened or modified, classifying it as evidence of access rather than execution. If a file is modified or renamed via the command line, it will be recorded in this registry key, even though the file wasn't executed, but simply modified.
{% endhint %}

:thumbsup: Filter on extension: `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\{.extension}`
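To turn the `RecentDocs` key into an ordered list, the `MRUListEx` value has to be decoded: it is a run of little-endian DWORDs naming the numbered values most-recent first, terminated by `0xFFFFFFFF`, and only the top entry can be dated from the key's LastWrite time. The code below is an added example (not from the original page or the LetsDefend material); the key contents it reads are constructed inline and the document names are invented.

```python
import struct
from datetime import datetime, timezone
from typing import Optional

def mrulistex_order(mrulistex: bytes) -> list:
    """Decode MRUListEx: DWORD indices of the numbered values ("0", "1", ...),
    most-recent first, ending at the 0xFFFFFFFF terminator."""
    order = []
    for (idx,) in struct.iter_unpack("<I", mrulistex):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def utf16z(data: bytes) -> str:
    """Decode a null-terminated UTF-16LE string, scanning in 2-byte units so a
    null low byte inside a character is not mistaken for the terminator."""
    for i in range(0, len(data) - 1, 2):
        if data[i:i + 2] == b"\0\0":
            return data[:i].decode("utf-16-le")
    return data.decode("utf-16-le", errors="replace")

def recentdocs_timeline(values: dict, key_last_write: datetime) -> list:
    """Return (document name, timestamp-or-None) in MRU order. Each numbered
    value starts with the document name as UTF-16LE; the rest describes the
    .lnk shortcut. Only the most recent entry inherits the key's LastWrite
    time; the others are known to be older but cannot be dated from here."""
    out = []
    for rank, idx in enumerate(mrulistex_order(values["MRUListEx"])):
        name = utf16z(values[str(idx)])
        out.append((name, key_last_write if rank == 0 else None))
    return out

def _entry(name: str) -> bytes:
    """Constructed value body: name, terminator, then a stand-in for the .lnk tail."""
    return name.encode("utf-16-le") + b"\0\0" + b"<constructed-lnk-tail>"

# Constructed sample RecentDocs contents; "2" was touched last, then "0", then "1".
SAMPLE_VALUES = {
    "0": _entry("budget.xlsx"),
    "1": _entry("notes.txt"),
    "2": _entry("invoice.pdf"),
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}
SAMPLE_LAST_WRITE = datetime(2024, 3, 4, 9, 15, tzinfo=timezone.utc)  # invented

if __name__ == "__main__":
    for name, ts in recentdocs_timeline(SAMPLE_VALUES, SAMPLE_LAST_WRITE):
        print(ts.isoformat() if ts else "older than LastWrite", name)
```

The same decoding applies to the per-extension subkeys mentioned above, each of which carries its own `MRUListEx`.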

<details>

<summary>Tool</summary>

Registry Explorer

</details>

### Dialog Box MRU

A **"Dialog Box MRU"** *(Most Recently Used)* artifact records the file names, timestamps, and paths accessed or selected in a dialog box within a Microsoft Windows operating system. When a dialog box is opened, such as during a file upload, it displays a file explorer to select files. This artifact provides valuable insights into the user's recent activity, including files and folders accessed or modified, and their file paths.

:lock: Location: `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU` and `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU`

#### OpenSavePidlMRU

Whenever a file is opened, loaded, or saved through another application, a file explorer window prompts us to select the desired file. The file path of the opened, loaded, or saved file is stored in this key.

{% hint style="warning" %}
An important subkey under the **OpenSavePidlMRU** key is the "**\***" key. This subkey stores the most recent 10 entries from the **Dialog Box MRU**, tracking the last 10 file paths accessed or selected in dialog boxes.
{% endhint %}

#### LastVisitedPidlMRU

This key is a supporting artifact to the **OpenSavePidlMRU** key. It tracks the application executable responsible for opening or saving a file from the Windows Explorer prompt. Unlike the **OpenSavePidlMRU**, which stores the file path and name, this key stores the executable used to open/save the file, along with the path of the folder from where the file was accessed or saved.

<details>

<summary>Tool</summary>

Timeline Explorer

</details>

***

{% hint style="success" %}
This knowledge has been compiled from resources provided by [LetsDefend](https://letsdefend.io/).
{% endhint %}

#### More details about registry:

<https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/index.html>

#### A cheat sheet from [13cubed](https://training.13cubed.com/downloads):

{% file src="/files/uWNwK43od18OcrWKkKPO" %}

