Windows
Notes
Registry
The Windows Registry is a collection of databases that contains the system's configuration data.
A Registry Hive is a group of Keys, subkeys, and values stored in a single file on the disk.
The registry on any Windows system contains the following five root keys:
HKEY_CURRENT_USER: Contains the root of the configuration information for the user who is currently logged on.
HKEY_USERS: Contains all the actively loaded user profiles on the computer.
HKEY_LOCAL_MACHINE: Contains configuration information particular to the computer (for any user).
HKEY_CLASSES_ROOT: The information that is stored here makes sure that the correct program opens when you open a file by using Windows Explorer.
HKEY_CURRENT_CONFIG: Contains information about the hardware profile that is used by the local computer at system startup.
The majority of the hives are located in the C:\Windows\System32\Config directory and are:
DEFAULT (mounted on HKEY_USERS\DEFAULT)
SAM (mounted on HKEY_LOCAL_MACHINE\SAM)
SECURITY (mounted on HKEY_LOCAL_MACHINE\Security)
SOFTWARE (mounted on HKEY_LOCAL_MACHINE\Software)
SYSTEM (mounted on HKEY_LOCAL_MACHINE\System)
The other hives that contain user information are located in:
C:\Users\<username>\NTUSER.DAT (mounted on HKEY_CURRENT_USER when a user logs in)
C:\Users\<username>\AppData\Local\Microsoft\Windows\USRCLASS.DAT (mounted on HKEY_CURRENT_USER\Software\CLASSES)
Another very important hive is the AmCache hive, located at C:\Windows\AppCompat\Programs\Amcache.hve, which contains information on programs that were recently run on the system.
The transaction logs can be considered the journal of changes to a registry hive, which means they often hold the latest changes to the registry that have not yet been written to the hive file itself. The transaction log for each hive is stored as a .LOG file in the same directory as the hive, with the same name as the hive but the extension .LOG.
Registry backups are the counterpart of transaction logs: they are copies of the registry hives located in the C:\Windows\System32\Config directory. These hives are copied to the C:\Windows\System32\Config\RegBack directory every ten days.
Useful registry keys
NTUSER.DAT\Software\Microsoft\Office\VERSION - Office recent files
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs - Recent files
SAM\Domains\Account\Users - Users
SOFTWARE\Microsoft\Windows\CurrentVersion\Run - Autoruns
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce - Autoruns
SOFTWARE\Microsoft\Windows NT\CurrentVersion - OS version
SOFTWARE\Microsoft\Windows Portable Devices\Devices - USB device volume names
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName - Computer name
SYSTEM\CurrentControlSet\Enum\USB - USB devices information
SYSTEM\CurrentControlSet\Enum\USBSTOR - USB devices information
SYSTEM\CurrentControlSet\Control\TimeZoneInformation - Time zone information
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces - Network interfaces
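As an added example (not part of the original notes), the PowerShell below reads the live-system locations from the list above and emits one object per registry value or device subkey, so the output can be exported for triage. The function name Get-RegistryTriage and the artifact labels are assumptions; the registry paths are the ones listed on this page, mounted under the HKLM: and HKCU: drives.

```powershell
# Added example: triage the registry keys listed above on a live system.
# Run from an elevated prompt. SAM\Domains\Account\Users is skipped because
# HKLM:\SAM is only readable as SYSTEM; collect the SAM hive file instead.
function Get-RegistryTriage {
    # Keys whose evidence lives in the values of the key itself
    $valueTargets = @(
        @{ Artifact = 'OS version';        Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' },
        @{ Artifact = 'Computer name';     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName' },
        @{ Artifact = 'Time zone';         Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation' },
        @{ Artifact = 'Autorun (Run)';     Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' },
        @{ Artifact = 'Autorun (RunOnce)'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' },
        @{ Artifact = 'Recent files';      Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs' }
    )
    foreach ($t in $valueTargets) {
        if (-not (Test-Path $t.Path)) { continue }
        # Get-ItemProperty returns one object whose properties are the key's values;
        # the PS* properties are PowerShell bookkeeping, not registry data.
        $props = Get-ItemProperty -Path $t.Path
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Artifact = $t.Artifact; Key = $t.Path; Value = $p.Name; Data = $p.Value }
        }
    }

    # Keys whose evidence is one subkey per device or interface
    $subkeyTargets = @(
        @{ Artifact = 'USB storage device'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR';                      ValueName = 'FriendlyName' },
        @{ Artifact = 'Network interface';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'; ValueName = 'DhcpIPAddress' }
    )
    foreach ($t in $subkeyTargets) {
        if (-not (Test-Path $t.Path)) { continue }
        Get-ChildItem -Path $t.Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $data = $_.GetValue($t.ValueName)
            # Intermediate keys (e.g. the vendor/product level under USBSTOR) carry no such value
            if ($null -eq $data) { return }
            [pscustomobject]@{ Artifact = $t.Artifact; Key = $_.Name; Value = $t.ValueName; Data = $data }
        }
    }
}

# Usage: write the collected artifacts to a CSV for the case file
Get-RegistryTriage | Export-Csv -NoTypeInformation -Path .\registry-triage.csv
```

Interfaces with static addressing store their address in IPAddress rather than DhcpIPAddress, so add that value name if the host is not DHCP-configured.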