
Windows Registry Forensics

A practical reference for registry-based forensics: key hive locations, forensic artefacts, attacker persistence mechanisms, and how to investigate them.


// Registry Structure

The Windows Registry is a hierarchical database storing system and user configuration. It is one of the most important forensic artefacts on a Windows system: attackers write persistence entries to it, malware stores configuration data in it, and Windows itself records user activity in it.

The registry presents five root keys. Each is a logical view onto the hive files described in the next section, and three of them (HKCU, HKCR, HKCC) are links into the other two rather than separate stores:

Root Key | Abbreviation | Purpose
HKEY_LOCAL_MACHINE | HKLM | System-wide settings: hardware, installed software, services, security policy
HKEY_CURRENT_USER | HKCU | Settings for the currently logged-on user (a link to that user's HKU\<SID> subkey)
HKEY_USERS | HKU | All loaded user profiles; each user's SID has a subkey
HKEY_CLASSES_ROOT | HKCR | File associations and COM registration (merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes)
HKEY_CURRENT_CONFIG | HKCC | Current hardware profile (a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current, so its data lives in the SYSTEM hive)

// Hive Files on Disk

Registry hives are stored as binary files on disk and can be parsed offline from a forensic image using tools like RegRipper, Registry Explorer, or Autopsy.

Hive | File Path | Maps To
SYSTEM | C:\Windows\System32\config\SYSTEM | HKLM\SYSTEM
SOFTWARE | C:\Windows\System32\config\SOFTWARE | HKLM\SOFTWARE
SECURITY | C:\Windows\System32\config\SECURITY | HKLM\SECURITY
SAM | C:\Windows\System32\config\SAM | HKLM\SAM (local accounts)
NTUSER.DAT | C:\Users\<username>\NTUSER.DAT | HKU\<SID> (HKCU for the logged-on user)
UsrClass.dat | C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat | HKU\<SID>_Classes (HKCU\Software\Classes)
Amcache.hve | C:\Windows\AppCompat\Programs\Amcache.hve | Not mapped into the live registry view; a standalone hive recording program execution history

Registry hives on a live system are locked by the OS. Capture them from a Volume Shadow Copy or a forensic image, or export them with reg save, for offline analysis. When copying hive files from disk, collect the .LOG1 and .LOG2 transaction logs that sit beside each hive: a hive that was not cleanly unloaded is "dirty", and the parser needs those logs to replay changes that were never flushed to the main file.

// Persistence Locations

These are the registry keys most commonly abused by attackers and malware to maintain persistence across reboots. Check all of them during an investigation.

Run Keys (execute on login)

# Execute for all users at login
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

# Execute for current user at login
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

# 32-bit apps on 64-bit systems
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run

Services

# All installed services; look for unusual ImagePath values
HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>

# Start type: 0=Boot, 1=System, 2=Auto, 3=Manual, 4=Disabled
HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\Start

Scheduled Tasks (registry-based)

# Tasks holds one GUID-named subkey per task (Path, and the command in the binary Actions value);
# Tree mirrors the task folder hierarchy by name and points at the GUID via its Id value
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree

Other persistence locations

Technique | Registry Path
Boot Execute | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute (REG_MULTI_SZ run by smss.exe before services start)
Winlogon | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, values Userinit and Shell (extra comma-separated entries are the giveaway)
AppInit DLLs | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (also the WOW6432Node copy)
Image File Execution Options | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<exe>\Debugger
COM Hijacking | HKCU\Software\Classes\CLSID\<GUID>\InprocServer32 (the per-user key is consulted before the HKLM registration)
Active Setup | HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<GUID>\StubPath
LSA Packages | HKLM\SYSTEM\CurrentControlSet\Control\Lsa, values Authentication Packages and Security Packages
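The following is an added example, not code from the original page: a one-pass triage of the persistence locations listed above. It enumerates the Run/RunOnce keys, auto-start service ImagePaths, the Winlogon Userinit and Shell values, AppInit_DLLs and IFEO Debugger entries, and flags any executable that resolves outside the Windows or Program Files trees. Run it from an elevated PowerShell on the live host. The trusted-root list and the expected Winlogon defaults (userinit.exe, explorer.exe) are assumptions; tune them to the build under investigation.

```powershell
# Added example (not from the original page): registry persistence triage.
# Assumptions: elevated shell; the trusted roots and Winlogon defaults below are illustrative.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() + '\' }
$expectedWinlogon = @{ Userinit = 'userinit.exe'; Shell = 'explorer.exe' }   # assumed defaults

function Get-ExePath {
    # Extract the executable from a Run value / ImagePath: expands %VAR%, strips the
    # \??\ and \SystemRoot\ prefixes, handles quoted paths and unquoted "path.exe -args".
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    $cmd = $cmd -replace '^\\\?\?\\', ''
    $cmd = $cmd -replace '(?i)^\\SystemRoot\\', "$env:SystemRoot\"
    if ($cmd -match '(?i)^system32\\') { $cmd = "$env:SystemRoot\$cmd" }
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '(?i)^(.*?\.(exe|sys|dll))')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Test-OutsideTrustedRoots {
    param([string]$ExePath)
    # Bare names such as "svchost.exe" resolve through the search path: treat them as untrusted
    if (-not [IO.Path]::IsPathRooted($ExePath)) { return $true }
    $p = $ExePath.ToLowerInvariant()
    foreach ($root in $trustedRoots) { if ($p.StartsWith($root)) { return $false } }
    return $true
}

function New-Finding {
    param([string]$Technique, [string]$Location, [string]$Name, [string]$Value, $Flag = $null)
    if ($null -eq $Flag) { $Flag = Test-OutsideTrustedRoots (Get-ExePath $Value) }
    [pscustomobject]@{ Technique = $Technique; Location = $Location; Name = $Name; Value = $Value; Flag = [bool]$Flag }
}

$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

$findings = @(
    # 1. Run / RunOnce keys (machine, user and WOW6432Node views)
    foreach ($key in ($runKeys | Where-Object { Test-Path $_ })) {
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            New-Finding 'Run key' $key $name ([string]$item.GetValue($name))
        }
    }

    # 2. Auto-start services (Start = 2): check the ImagePath binary
    foreach ($svc in (Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue)) {
        $img = $svc.GetValue('ImagePath')
        if ($svc.GetValue('Start') -eq 2 -and $img) { New-Finding 'Service' $svc.PSPath $svc.PSChildName ([string]$img) }
    }

    # 3. Winlogon Userinit / Shell: exactly one entry, and it must be the expected binary
    $wl = Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($name in $expectedWinlogon.Keys) {
        $v = [string]$wl.GetValue($name)
        $entries = @($v -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $bad = ($entries.Count -ne 1) -or ([IO.Path]::GetFileName($entries[0]).ToLowerInvariant() -ne $expectedWinlogon[$name])
        New-Finding 'Winlogon' $wl.PSPath $name $v $bad
    }

    # 4. AppInit_DLLs: any non-empty value deserves a look (64-bit and WOW64 views)
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                   'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
        if (-not (Test-Path $k)) { continue }
        $dlls = [string](Get-Item $k).GetValue('AppInit_DLLs')
        if ($dlls.Trim()) { New-Finding 'AppInit_DLLs' $k 'AppInit_DLLs' $dlls $true }
    }

    # 5. Image File Execution Options: a Debugger value redirects every launch of that executable
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in (Get-ChildItem $ifeo -ErrorAction SilentlyContinue)) {
        $dbg = $sub.GetValue('Debugger')
        if ($dbg) { New-Finding 'IFEO Debugger' $sub.PSPath $sub.PSChildName ([string]$dbg) $true }
    }
)

$findings | Sort-Object Flag -Descending | Format-Table Technique, Name, Flag, Value -AutoSize -Wrap
```

A Flag of True is a lead, not a verdict: legitimate third-party agents install from odd directories, and a well-placed implant in C:\Windows\System32 will pass the path check. Pair the output with file hashes, signature checks and the key last-write times from an offline parser.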

// Forensic Artefacts

Artefact | Registry Path | What It Shows
Installed Software | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ | Applications installed on the system (InstallDate values and key last-write times)
USB Devices | HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\ | Every USB storage device that has been connected: vendor/product, serial number, with key last-write times for connection timing
Network Interfaces | HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\ | IP address and DHCP lease details per NIC
Timezone | HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation | System timezone; essential for correlating local-time log timestamps
Last Shutdown | HKLM\SYSTEM\CurrentControlSet\Control\Windows\ShutdownTime | Last shutdown time as a REG_BINARY Windows FILETIME value
Recent Documents | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs | Files recently opened by the user
Shellbags | HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\ (UsrClass.dat) and HKCU\SOFTWARE\Microsoft\Windows\Shell\ (NTUSER.DAT) | Folders the user has browsed (BagMRU and Bags subkeys); persists even if the folder is deleted
UserAssist | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\ | GUI applications launched by the user; value names are ROT13-encoded and the binary data holds the run count and last-execution FILETIME
Typed URLs | HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs | URLs typed directly into the Internet Explorer address bar

// User Activity

The registry tracks extensive user activity that can establish a timeline of actions on an endpoint.

# Last logged-on user
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser

# All local accounts; the binary F value of each RID subkey includes the last logon time
HKLM\SAM\SAM\Domains\Account\Users\

# MRU (Most Recently Used) lists, e.g. Office documents (16.0 = Office 2016 and later)
HKCU\SOFTWARE\Microsoft\Office\16.0\Word\File MRU\

# Run dialog history
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

# Network profiles (wired and wireless) the host has connected to:
# ProfileName, NameType (0x47 = wireless, 0x06 = wired), DateCreated, DateLastConnected
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\
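Several of the artefacts in the two sections above store their timestamps as raw binary values. The following is an added example, not code from the original page, that decodes three of them on a live host: the ShutdownTime FILETIME, the UserAssist entries (ROT13 value names plus run count and last-execution FILETIME inside the 72-byte value), and the NetworkList profile SYSTEMTIME values. Run it elevated. The UserAssist offsets follow the Windows 7 and later layout; the NameType map and the reading of NetworkList dates as host local time are assumptions to confirm against TimeZoneInformation.

```powershell
# Added example (not from the original page): decode ShutdownTime, UserAssist and NetworkList.
# Assumptions: elevated shell; Windows 7+ UserAssist layout; NetworkList dates in host local time.

function ConvertFrom-Rot13 {
    # UserAssist value names are ROT13-obfuscated; rotate letters only, leave everything else
    param([string]$Text)
    -join ($Text.ToCharArray() | ForEach-Object {
        $c = [int]$_
        if ($c -ge 65 -and $c -le 90)      { [char](($c - 65 + 13) % 26 + 65) }
        elseif ($c -ge 97 -and $c -le 122) { [char](($c - 97 + 13) % 26 + 97) }
        else { $_ }
    })
}

function ConvertFrom-FileTime {
    # 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC), little-endian at $Offset
    param([byte[]]$Bytes, [int]$Offset = 0)
    if ($null -eq $Bytes -or $Bytes.Length -lt $Offset + 8) { return $null }
    $ticks = [BitConverter]::ToInt64($Bytes, $Offset)
    if ($ticks -le 0) { return $null }
    [DateTime]::FromFileTimeUtc($ticks)
}

function ConvertFrom-SystemTime {
    # 16-byte SYSTEMTIME: eight little-endian UInt16 fields
    # (Year, Month, DayOfWeek, Day, Hour, Minute, Second, Milliseconds)
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -lt 16) { return $null }
    $w = foreach ($i in 0..7) { [BitConverter]::ToUInt16($Bytes, $i * 2) }
    if ($w[0] -eq 0) { return $null }
    [DateTime]::new($w[0], $w[1], $w[3], $w[4], $w[5], $w[6], $w[7], [DateTimeKind]::Local)
}

# Last shutdown: REG_BINARY FILETIME under Control\Windows
$sd = (Get-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows').GetValue('ShutdownTime')
"Last shutdown (UTC): $(ConvertFrom-FileTime $sd)"

# UserAssist: each {GUID}\Count key holds one 72-byte value per launched program.
# Offset 4 = run count (UInt32), offset 60 = last execution FILETIME.
$ua = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
Get-ChildItem $ua -Recurse | Where-Object { $_.PSChildName -eq 'Count' } | ForEach-Object {
    $count = $_
    foreach ($name in $count.GetValueNames()) {
        $data = $count.GetValue($name)
        if ($data -isnot [byte[]] -or $data.Length -lt 68) { continue }
        [pscustomobject]@{
            Program  = ConvertFrom-Rot13 $name
            RunCount = [BitConverter]::ToUInt32($data, 4)
            LastRun  = ConvertFrom-FileTime $data 60
        }
    }
} | Sort-Object LastRun -Descending | Select-Object -First 20 | Format-Table -AutoSize

# NetworkList: one subkey per network profile; dates are SYSTEMTIME structures
$nameType = @{ 0x06 = 'Wired'; 0x17 = 'Broadband'; 0x47 = 'Wireless' }
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles' | ForEach-Object {
    [pscustomobject]@{
        Profile       = $_.GetValue('ProfileName')
        Type          = $nameType[[int]$_.GetValue('NameType')]
        Created       = ConvertFrom-SystemTime $_.GetValue('DateCreated')
        LastConnected = ConvertFrom-SystemTime $_.GetValue('DateLastConnected')
    }
} | Sort-Object LastConnected -Descending | Format-Table -AutoSize
```

The same three decoders apply unchanged to values read from an offline hive: load the exported file with reg load under a temporary HKLM subkey and point the paths at that mount instead of the live roots.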

// Tools

Tool | Use Case
Registry Explorer (Eric Zimmerman) | GUI hive viewer with built-in bookmarks for forensic locations; best for offline analysis and replays dirty hives from their transaction logs.
RegRipper | Plugin-based registry parser; extracts forensic artefacts from hive files into reports and can emit timeline (TLN) output.
Autopsy | Includes registry plugins that extract Run keys, USB history, and user artefacts automatically.
regedit.exe | Built-in live registry editor; use on a live system, not for forensic imaging.
reg.exe | Command-line registry tool; useful for exporting hives (reg save) and querying values.
ShellBags Explorer (EZ Tools) | Dedicated parser for shellbag artefacts; shows folder browsing history with timestamps.
AmcacheParser (EZ Tools) | Parses Amcache.hve to extract program execution history and file metadata.

// Investigation Commands

Query Run keys from a live system (PowerShell)

# List all HKLM Run entries
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# List all HKCU Run entries
Get-ItemProperty "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# List all services with Auto start and their executable paths
Get-CimInstance Win32_Service | Where-Object {$_.StartMode -eq "Auto"} | Select-Object Name, PathName, State

Export hive for offline analysis

# Export NTUSER.DAT from a live system (requires admin)
reg save HKCU C:\forensics\NTUSER.DAT

# Export SYSTEM hive
reg save HKLM\SYSTEM C:\forensics\SYSTEM
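The two reg save commands above cover one hive each. The following is an added example, not code from the original page, that collects every loaded hive from a live host in one pass: the four system hives, plus each loaded user's NTUSER.DAT and UsrClass.dat addressed through their HKU\<SID> and HKU\<SID>_Classes mounts (which sidesteps the file locks noted earlier), and then hashes every copy into a manifest for chain of custody. The output directory is an assumption; write it to forensic media rather than the evidence disk.

```powershell
# Added example (not from the original page): collect all loaded hives with reg.exe and hash them.
# Assumptions: elevated shell; $OutDir is a writable location on collection media.
$OutDir = 'C:\forensics\hives'   # assumed output location
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Save-Hive {
    # reg save writes a consistent copy of the live hive; /y overwrites without prompting
    param([string]$Key, [string]$FileName)
    $dest = Join-Path $OutDir $FileName
    & reg.exe save $Key $dest /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg save failed for $Key"; return }
    $h = Get-FileHash -Algorithm SHA256 -Path $dest
    [pscustomobject]@{ Key = $Key; File = $dest; SHA256 = $h.Hash; Collected = (Get-Date).ToUniversalTime() }
}

# Loaded user profiles appear under HKU as S-1-5-21-...-RID; their UsrClass.dat as <SID>_Classes
$sids = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { $_.PSChildName }

$manifest = @(
    foreach ($hive in 'SYSTEM', 'SOFTWARE', 'SECURITY', 'SAM') { Save-Hive "HKLM\$hive" $hive }
    foreach ($sid in $sids) {
        Save-Hive "HKU\$sid" "NTUSER_$sid.DAT"
        if (Test-Path "Registry::HKEY_USERS\${sid}_Classes") { Save-Hive "HKU\${sid}_Classes" "UsrClass_$sid.dat" }
    }
)

# Amcache.hve is not exposed as a loaded key: copy it from a Volume Shadow Copy or the disk image.
$manifest | Export-Csv -Path (Join-Path $OutDir 'manifest.csv') -NoTypeInformation
$manifest | Format-Table Key, File, SHA256 -AutoSize
```

Profiles that are not loaded (users who are logged off) have no HKU subkey; their NTUSER.DAT and UsrClass.dat must come from a shadow copy or the image, together with their .LOG1 and .LOG2 files.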

Always check Amcache.hve alongside persistence keys. Amcache records the full path and SHA-1 hash of executables that have been run, even if the malware has since been deleted; this makes it invaluable for establishing execution history and for hunting the same hash on other hosts.