Registry

Windows Registry: Revision Notes

General Structure

• Registry Editor Access: Type regedit in the run window.

• Left Pane (Key Pane): Contains organized folders called hives.

• Hives: Begin with 'HKEY'; five hives visible, only two are 'real': HKEY_USERS (HKU) and HKEY_LOCAL_MACHINE (HKLM).

• Keys and Values: Keys contain values and subkeys, similar to folders and files in Windows Explorer.

• Right Pane: Shows values of selected keys, similar to files in a folder.

Root Keys (Hives)

1. HKEY_CLASSES_ROOT (HKCR)

• Ensures correct program opens in Windows Explorer.

• Contains drag-and-drop rules, shortcuts, user interface info.

• Alias for: HKLM\Software\Classes.

1. HKEY_CURRENT_USER (HKCU)

• Configuration info for the currently logged-in user.

• Contains user folders, screen colors, Control Panel settings.

• Alias for a user-specific branch in HKEY_USERS.

1. HKEY_LOCAL_MACHINE (HKLM)

• Hardware-specific info for the OS.

• Lists mounted drives, hardware, and application configurations.

1. HKEY_USERS (HKU)

• Configuration info for all user profiles on the system.

• Includes application configurations, visual settings.

1. HKEY_CURRENT_CONFIG (HCU)

• Stores current system configuration info.

• Alias for: HKLM\Config\profile.

Key Components and Functions

• LastWrite Time: Similar to file modification time, stored as a FILETIME structure.

• Indicates when a key was last modified, created, accessed, or deleted.

• Can be retrieved using tools like Keytime.exe.

Autorun Locations

• Registry Keys for Autorun Programs:

• HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce

• HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

• HKLM\Software\Microsoft\Windows\CurrentVersion\Run

• HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run

• HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

• (ProfilePath)\Start Menu\Programs\Startup

MRU (Most Recently Used) Lists

• Function: Maintains lists of items accessed by the user.

• Example: RunMRU key for commands entered in the 'Run' box.

• Location: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.

UserAssist Key

• Location: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist.

• Function: Records accessed objects, such as Control Panel applets, shortcut files.

• Encoding: Uses ROT-13 encryption.

• Decoding: Online ROT-13 decoder (e.g., http://www.edoceo.com/utilis/rot13.php).

Wireless Network Information

• SSID Logging: Logged under HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces.

• Contains SSIDs, network settings, IP addresses, DHCP domains.

• Network connection details stored in HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces.

Network Mapping (My Network Place)

• Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions.

• Function: Stores list of devices on a LAN.

USB Device Information

• Registry Key: HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR.

• Function: Stores product and device ID values of USB devices.

• Device ID: Includes serial numbers for identifying devices across systems.

Summary

• Registry Structure: Organized into hives, keys, and values.

• Root Keys: HKCR, HKCU, HKLM, HKU, HCU.

• Key Functions: Autorun locations, MRU lists, UserAssist keys, wireless network info, network mapping, USB device info.

• Forensic Use: LastWrite times, autorun program locations, MRU lists, UserAssist records, SSID logging, network mapping, USB device tracking.

Windows Registry Overview

The Windows Registry is a hierarchical database used by the Microsoft Windows operating system and applications that opt to use it. It stores settings and options for the OS, hardware, user preferences, and application configurations.

Key Components and Usage

• Kernel, Device Drivers, Services, SAM: The registry is crucial for the kernel, device drivers, services, and the Security Accounts Manager.

• Performance Profiling: The registry also includes counters for system performance profiling.

Historical Context

• Windows 3.1: Initially used for COM-based components.

• Windows 95/NT: Expanded to centralize configuration information from numerous INI files.

Registry Structure

• Hierarchical Database: Organized in a tree structure with nodes called keys, which can have subkeys and values.

• Keys and Values: Keys can contain multiple values and subkeys, with each key and value having specific names and types.

Registry Data Types

• REG_BINARY: Binary data.

• REG_DWORD: 32-bit number.

• REG_QWORD: 64-bit number.

• REG_SZ: Null-terminated string.

• REG_MULTI_SZ: Array of null-terminated strings.

• REG_EXPAND_SZ: String with unexpanded environment variables.

• REG_LINK: Unicode symbolic link.

• REG_NONE: No defined value type.

• REG_RESOURCE_LIST: Device-driver resource list.

Main Registry Hives

1. HKEY_CLASSES_ROOT (HKCR): Information for COM objects and file associations.

2. HKEY_CURRENT_USER (HKCU): Configuration for the currently logged-in user.

3. HKEY_LOCAL_MACHINE (HKLM): Machine-specific settings.

4. HKEY_USERS (HKU): Configuration for all user profiles.

5. HKEY_CURRENT_CONFIG (HKCC): Current hardware profile.

Accessing and Editing the Registry

• Registry Editor (regedit): Graphical tool for browsing and editing the registry.

• Command-Line Utility (reg.exe): Command-line tool for managing the registry, allowing automation through scripts.

Troubleshooting and Common Issues

• Registry Corruption: Often occurs during shutdown, leading to issues at the next startup.

• Software and Driver Uninstallation: Incomplete uninstallation can leave behind remnants that cause conflicts.

Services and Applications

• Windows Services: Managed under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Each service has a subkey with specific parameters.

• Application Settings: Typically found under HKCU\Software for per-user settings and HKLM\Software for per-computer settings.

User Accounts

• SAM Hive: Contains information about local user accounts. Tools like pwdump7 and John the Ripper (JTR) can be used to extract and crack password hashes.

Service Control Manager (SCM)

• Database: Maintains information about installed services and drivers. Configurations are stored in the registry.

Windows Management Instrumentation (WMI)

• Winmgmt Service: The core service for WMI, running within the SVCHOST process.

• Registry Provider: Allows scripts and applications to automate tasks by interacting with the registry.

Group Policy

• Registry Settings: Enforced through Group Policy, affecting multiple users and computers in a domain.

• Policy Application: Information about applied Group Policy Objects (GPOs) is written to the registry.

Command-Line Utility (reg.exe) Subcommands

• add: Adds a new subkey or entry.

• delete: Removes a subkey or entry.

• query: Displays data from a subkey or value.

• compare: Compares registry subkeys or entries.

• copy: Copies a subkey to another location.

• save: Saves subkeys, entries, and values in hive format.

• restore: Restores from a saved hive file.

• load/unload: Manages sections of the registry.

• export/import: Exports or imports registry keys to/from a file.

• flags: Manages flags in registry keys (available in Windows Vista and later).