The Windows Registry is one of the richest and most important sources of evidence in Windows forensics. It is a hierarchical database that stores configuration settings for the operating system, installed applications, hardware devices, user activity, and system behavior. Because Windows uses the registry constantly, it contains traces of user actions, software installations, device connections, network activity, and malware execution—making it invaluable for forensic investigations.
This chapter explains the structure of the registry, key forensic hives, the types of evidence they store, and the techniques used to analyze them.
What Is the Windows Registry?
The Windows Registry is a central database that stores system and user configuration information. Instead of using multiple configuration files scattered around the disk, Windows consolidates them into registry “hives.”
The registry tracks changes continuously, meaning it keeps historical and recent data that helps investigators reconstruct user activity and system events.
Registry Structure
The registry is organized into keys, subkeys, and values, similar to folders and files.
Top-level branches include:
- HKEY_LOCAL_MACHINE (HKLM)
- HKEY_CURRENT_USER (HKCU)
- HKEY_CLASSES_ROOT (HKCR)
- HKEY_USERS (HKU)
- HKEY_CURRENT_CONFIG (HKCC)
For forensics, these branches point to physical hive files stored on disk.
Registry Hive Files
Registry hives are stored as separate files on the system. Different hives contain different types of evidence.
System-Wide Hives (stored in C:\Windows\System32\Config)
- SYSTEM – boot info, hardware, USB devices, services
- SOFTWARE – installed software, programs run, product keys
- SAM – user accounts and password hashes
- SECURITY – policies, access control
- DEFAULT – default profile template
User-Specific Hives (stored in user profile)
- NTUSER.DAT – user activity, recent files, app usage
- USRCLASS.DAT – shell activities, file associations
These files are loaded into registry memory at login and saved back at shutdown.
Forensic Value of Registry Keys
The registry contains thousands of keys, but some are especially important for investigations.
1. User Activity and Recent Files
Located in NTUSER.DAT:
- RecentDocs
- RunMRU (commands executed)
- OpenSaveMRU (files opened/saved)
- TypedPaths (File Explorer input history)
These keys reveal what files the user interacted with.
2. Program Execution
Windows records details of program execution in multiple locations:
- ShimCache (AppCompatCache)
- UserAssist (ROT13-encoded list of programs run)
- MUICache
- Prefetch folder (not a registry key, but related)
These artifacts show which programs were executed and when.
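The UserAssist decoding described above, as an added Python example that is not code from the original chapter. It assumes the Windows 7+ value layout (run count at offset 4, focus count at 8, focus time in milliseconds at 12, last-execution FILETIME at 60) and a small assumed subset of the known-folder GUIDs that Windows substitutes for real directories; the sample entries are constructed, with value names ROT13-encoded exactly as they would appear in the hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Subset of the known-folder GUIDs Windows writes into UserAssist value names in
# place of the real directory (mapping assumed from public KNOWNFOLDERID values).
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"%SystemRoot%\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": r"%SystemRoot%",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": r"%ProgramFiles%",
}

# FILETIME of the Unix epoch; used only to build the constructed sample below.
EPOCH_AS_FILETIME = 116444736000000000


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def decode_userassist_name(value_name: str) -> str:
    """Undo the ROT13 applied to UserAssist value names and expand a leading known-folder GUID."""
    name = codecs.decode(value_name, "rot_13")
    for guid, folder in KNOWN_FOLDERS.items():
        if name.upper().startswith(guid):
            return folder + name[len(guid):]
    return name


def parse_userassist_value(data: bytes) -> dict:
    """Parse the 72-byte Windows 7+ UserAssist value (assumed offsets, see lead-in).

    A zero FILETIME means the program was never run and is reported as None.
    """
    if len(data) < 68:
        raise ValueError(f"UserAssist value too short: {len(data)} bytes")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def parse_userassist_entries(entries: dict) -> list:
    """Decode every (ROT13 name -> raw bytes) pair; newest last-run first, never-run last."""
    rows = []
    for value_name, data in entries.items():
        row = {"program": decode_userassist_name(value_name)}
        row.update(parse_userassist_value(data))
        rows.append(row)
    never = datetime.min.replace(tzinfo=timezone.utc)
    rows.sort(key=lambda r: r["last_run"] or never, reverse=True)
    return rows


def _sample_value(run_count: int, focus_count: int, focus_ms: int, unix_seconds: int) -> bytes:
    """Build a constructed 72-byte value: header, ten float slots, marker, FILETIME, trailer."""
    ft = EPOCH_AS_FILETIME + unix_seconds * 10_000_000 if unix_seconds else 0
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 40 + b"\xff\xff\xff\xff"
            + struct.pack("<Q", ft) + struct.pack("<I", 0))


# Constructed sample entries (value names ROT13-encoded as stored in NTUSER.DAT).
SAMPLE_ENTRIES = {
    # %SystemRoot%\System32\cmd.exe, run 7 times, last run 2024-03-15 10:30:00 UTC
    r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr": _sample_value(7, 3, 45_000, 1_710_498_600),
    # %SystemRoot%\explorer.exe, last run 2024-03-15 00:00:00 UTC
    r"{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rkcybere.rkr": _sample_value(120, 90, 3_600_000, 1_710_460_800),
    # %SystemRoot%\System32\mspaint.exe, never run
    r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfcnvag.rkr": _sample_value(0, 0, 0, 0),
}

if __name__ == "__main__":
    for row in parse_userassist_entries(SAMPLE_ENTRIES):
        print(f'{row["program"]:45} runs={row["run_count"]:<4} last={row["last_run"]}')
```

The run count and last-execution time are the values analysts usually report; note that a zero FILETIME is common for entries Windows pre-populates, so "never run" must be distinguished from "ran, time unknown" before it goes into a timeline.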
3. USB Device History
Stored in SYSTEM and SOFTWARE hives:
- USB connections
- Device serial numbers
- Assigned drive letters
- First and last connection time
This is crucial in cases involving external data transfers.
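The USBSTOR-to-drive-letter correlation described above, as an added Python example that is not code from the original chapter. It assumes the usual shape of the two keys named later in this chapter: USBSTOR device-class key names of the form `Disk&Ven_...&Prod_...&Rev_...` with one instance subkey per serial, and MountedDevices values whose data for USB volumes is a UTF-16LE device interface path beginning with `_??_USBSTOR#`. All sample devices, serials and drive letters are constructed.

```python
import re
from typing import Optional

DEVICE_ID_RE = re.compile(
    r"^Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>.*)$"
)


def _utf16(text: str) -> bytes:
    return text.encode("utf-16-le")


# Constructed sample of HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR:
# device-class key -> { instance (serial) subkey -> values }
USBSTOR = {
    r"Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00": {
        "4C530001234567890123&0": {"FriendlyName": "SanDisk Cruzer Glide USB Device"},
    },
    r"Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP": {
        "0019E06B12345678ABCDEF&0": {"FriendlyName": "Kingston DataTraveler 3.0 USB Device"},
    },
    # Device that reported no serial: Windows generated the instance id ('&' in 2nd position)
    r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": {
        "7&1a2b3c4d&0": {"FriendlyName": "Generic Flash Disk USB Device"},
    },
}

# Constructed sample of HKLM\SYSTEM\MountedDevices: value name -> raw REG_BINARY data
MOUNTED_DEVICES = {
    # fixed disk: 4-byte disk signature + 8-byte partition offset, not a USB device
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4" "00001000" "00000000"),
    "\\DosDevices\\E:": _utf16(
        "_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00"
        "#4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a03e1a0d94}"
    ),
}


def parse_device_id(device_id: str) -> dict:
    """Split a USBSTOR device-class key name into vendor, product and revision."""
    match = DEVICE_ID_RE.match(device_id)
    if not match:
        raise ValueError(f"not a USBSTOR disk device id: {device_id}")
    return {field: text.replace("_", " ") for field, text in match.groupdict().items()}


def mounted_device_text(data: bytes) -> Optional[str]:
    """Return the device interface path if a MountedDevices value describes a USB volume."""
    if len(data) < 8 or len(data) % 2:
        return None
    text = data.decode("utf-16-le", errors="replace")
    return text if text.startswith("_??_USBSTOR#") else None


def correlate_usb_devices(usbstor: dict, mounted_devices: dict) -> list:
    """Join USBSTOR instances with the drive letter MountedDevices currently maps to them."""
    letter_by_instance = {}
    for value_name, data in mounted_devices.items():
        text = mounted_device_text(data)
        if text is None or not value_name.startswith("\\DosDevices\\"):
            continue
        # ["_??_USBSTOR", device id, instance id, interface class GUID]
        parts = text.split("#")
        if len(parts) >= 3:
            letter_by_instance[(parts[1], parts[2])] = value_name.rsplit("\\", 1)[1]

    rows = []
    for device_id, instances in usbstor.items():
        info = parse_device_id(device_id)
        for instance_id, values in instances.items():
            rows.append({
                **info,
                "serial": instance_id.rsplit("&", 1)[0],
                # A '&' as the second character marks a Windows-generated id, not a real serial
                "serial_is_device_reported": instance_id[1:2] != "&",
                "friendly_name": values.get("FriendlyName"),
                "drive_letter": letter_by_instance.get((device_id, instance_id)),
            })
    return rows


if __name__ == "__main__":
    for row in correlate_usb_devices(USBSTOR, MOUNTED_DEVICES):
        print(row)
```

MountedDevices records only the letter most recently assigned to each device, so an absent letter means "not currently mapped", not "never mounted"; first and last connection times come from the per-instance Properties subkeys, which this example does not parse.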
4. Network and Wi-Fi Evidence
Windows stores:
- Known Wi-Fi networks
- Last connected timestamps
- Network interfaces
- DHCP configuration
- Recent RDP connections
These help identify remote access or network usage.
5. Installed Applications and Persistence
Registry reveals:
- Installed programs
- Startup programs (autoruns)
- Scheduled tasks
- Services
- Browser extensions
Malware often creates persistence through registry autorun keys.
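A triage pass over autorun values, as an added Python example that is not code from the original chapter. It takes the contents of the HKLM and HKCU Run keys (listed later in this chapter) as a value-name-to-command-line mapping and flags the properties an analyst checks first: executables in user-writable locations, well-known system binary names outside the Windows directory, script hosts used as launchers, and encoded PowerShell commands. The sample entries are constructed, and the executable extraction is a heuristic, since Windows command lines have no single quoting rule.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of autorun values (value name -> command line); "Updater" and
# "helper" are deliberately suspicious, the rest mimic common legitimate entries.
SAMPLE_RUN_ENTRIES = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
        "VMware User Process": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr',
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "Updater": r"C:\Users\alice\AppData\Roaming\svchost.exe",
        "helper": r'wscript.exe //B "C:\Users\Public\Libraries\update.vbs"',
    },
}

USER_WRITABLE_RE = re.compile(
    r"(\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Downloads\\"
    r"|^%(temp|tmp|appdata|localappdata)%)", re.I)
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                       "explorer.exe", "services.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe"}
ENCODED_PS_RE = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)


def extract_executable(command: str) -> str:
    """Heuristic: a quoted path wins; else cut after the first '.exe'; else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    exe = re.search(r"\.exe\b", command, re.I)
    if exe:
        return command[:exe.end()]
    return command.split()[0] if command else ""


def triage_autorun(key: str, name: str, command: str) -> dict:
    """Return the entry with a list of reasons it deserves a closer look (empty = nothing found)."""
    exe = extract_executable(command)
    basename = PureWindowsPath(exe).name.lower()
    lowered = exe.lower()
    reasons = []
    if USER_WRITABLE_RE.search(exe):
        reasons.append("executable in user-writable location")
    if basename in SYSTEM_BINARY_NAMES and "\\windows\\" not in lowered and "\\system32\\" not in lowered:
        reasons.append("system binary name outside Windows directory")
    if basename in SCRIPT_HOSTS:
        reasons.append("script host launching external payload")
    if ENCODED_PS_RE.search(command + " "):
        reasons.append("encoded PowerShell command")
    return {"key": key, "name": name, "executable": exe, "reasons": reasons}


def triage_autoruns(entries: dict) -> list:
    """Triage every Run value, most reasons first (stable, so hive order breaks ties)."""
    rows = [triage_autorun(key, name, cmd)
            for key, values in entries.items() for name, cmd in values.items()]
    rows.sort(key=lambda r: len(r["reasons"]), reverse=True)
    return rows


if __name__ == "__main__":
    for row in triage_autoruns(SAMPLE_RUN_ENTRIES):
        print(f'{row["name"]:22} {row["executable"]:60} {row["reasons"]}')
```

The OneDrive entry shows why this is triage rather than a verdict: per-user installers legitimately live under AppData, so the location flag needs a known-good list or a signature check before it means anything, whereas a svchost.exe in a roaming profile has no benign explanation.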
6. Time and Localization
Registry hives store:
- Timezone settings
- System uptime
- Last shutdown time
- BootCount logs
These details help build accurate timelines.
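Interpreting the last shutdown time against the stored time zone, as an added Python example that is not code from the original chapter. It assumes the ShutdownTime value under HKLM\SYSTEM\CurrentControlSet\Control\Windows is an 8-byte FILETIME and that ActiveTimeBias under HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation is a REG_DWORD holding a signed number of minutes with the Windows convention UTC = local + bias; both sample values are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone


def filetime_to_utc(ft: int) -> datetime:
    """FILETIME (100-ns ticks since 1601-01-01) to an aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_active_time_bias(raw: bytes) -> int:
    """ActiveTimeBias is stored as a REG_DWORD but must be read as a signed 32-bit value.

    Zones east of UTC store negative values (0xFFFFFFC4 is -60 for UTC+1), so reading the
    DWORD unsigned would give 4294967236 minutes and a nonsensical local time.
    """
    return struct.unpack("<i", raw)[0]


def interpret_shutdown_time(shutdown_raw: bytes, bias_raw: bytes) -> dict:
    """Report the last shutdown in UTC and in the machine's own local time."""
    (ft,) = struct.unpack("<Q", shutdown_raw)
    bias = parse_active_time_bias(bias_raw)
    utc = filetime_to_utc(ft)
    local = utc.astimezone(timezone(timedelta(minutes=-bias)))  # local = UTC - bias
    return {"bias_minutes": bias, "utc": utc.isoformat(), "local": local.isoformat()}


# Constructed sample: shutdown at 2024-03-15 22:05:00 UTC (Unix 1710540300, built from the
# Unix-epoch FILETIME 116444736000000000) on a machine configured for UTC+1 (bias -60).
SAMPLE_SHUTDOWN_TIME = struct.pack("<Q", 116444736000000000 + 1_710_540_300 * 10_000_000)
SAMPLE_ACTIVE_TIME_BIAS = bytes.fromhex("c4ffffff")  # DWORD 0xFFFFFFC4 == -60 signed

if __name__ == "__main__":
    print(interpret_shutdown_time(SAMPLE_SHUTDOWN_TIME, SAMPLE_ACTIVE_TIME_BIAS))
```

Registry timestamps themselves are UTC, so the bias is only needed when correlating them with artifacts that record local time (for example a user's own account of events); the sign convention is the usual source of errors when that correlation is done by hand.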
Important Forensic Registry Keys
Some commonly used keys include:
Program Execution
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
USB Device Forensics
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
HKLM\SYSTEM\MountedDevices
Persistence Mechanisms
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Recent File Access
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Network Evidence
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList
Tools for Registry Analysis
Registry analysis is typically performed offline from copied hive files. Popular tools include:
- Registry Explorer
- RegRipper
- FTK Imager
- Autopsy
- Eric Zimmerman's tools
- EnCase
- X-Ways
These tools parse complex keys and display human-readable outputs.
Techniques for Effective Registry Forensics
1. Compare Multiple Hives
Cross-check NTUSER.DAT with SYSTEM and SOFTWARE to correlate user activity with system-wide events.
2. Focus on Timestamps
Registry keys have last write timestamps that help build timelines.
3. Analyze UserAssist and ShimCache
These provide reliable evidence of program execution even if logs are cleared.
4. Extract USB Artifacts
USB forensics often reveals data transfer or device usage.
5. Look for Persistence Keys
Malware often hides in autorun, services, and scheduled tasks.
6. Use Automated Tools
RegRipper plugins extract artifacts quickly and consistently.
What Registry Forensics Can Reveal
Investigators can answer:
- What applications were run?
- What files were accessed?
- Which USB devices were connected?
- Was malware installed?
- When was a system powered on or off?
- Which networks did the computer connect to?
- Was data exfiltration attempted?
The registry can confirm or disprove user claims and reconstruct a detailed timeline.
Summary
Registry forensics is a crucial part of Windows investigations. The Windows Registry stores extensive system and user metadata that reveals program execution, file access, USB device history, network connections, and persistence mechanisms. By understanding hive structures, key locations, timestamps, and forensic tools, investigators can extract valuable evidence that plays a major role in reconstructing activities on a Windows machine.