REGISTRY
    History of Registry
• The root of Microsoft's operating systems was MS-DOS, which was a
  command-line operating system.
• In the DOS age there was no Registry; two files were designed to store
  the configuration information: “config.sys” and “autoexec.bat”.
• “Config.sys” was used to load the device drivers and “autoexec.bat”
  was used to store the configurations of running programs and other
  environmental variables.
• When the first graphical interface operating system of Microsoft,
  Windows 3.0, was released, these two files used in MS-DOS were
  replaced by INI files.
• These files were used to store the configuration settings of the
  computers.
History of Registry …
• In Windows 95, a hierarchical database named Registry was
  introduced.
• Although the Registry of Windows 95/98 has a similar structure to that of
  Windows XP/Vista/7, the amount of data in the Windows XP/Vista/7 Registry
  has grown tremendously.
• The Registry in Windows XP/Vista/7 has a more stable and complex
  structure than Windows 98/95/2000. In addition, the structure of
  Windows XP registry could be considered as the basis of modern
  Windows Registry.
• Although Windows Vista/7 Registry has more content than Windows XP
  registry, it has very similar structures, keys, subkeys, and values as
  Windows XP registry.
What does the Registry look like?
FIGURE: HKEY_LOCAL_MACHINE (HKLM) Root Key and its Subkeys
How to edit Registry?
• Use Registry Editor (regedit.exe).
What is Registry made of?
• The Windows Registry Editor is divided into two panels:
  the left one is the key panel and the right one is the value
  panel.
• In the left panel, there are five root keys, (1)
  HKEY_CLASSES_ROOT, (2) HKEY_CURRENT_USER,
  (3) HKEY_LOCAL_MACHINE,
  (4) HKEY_USERS, and (5) HKEY_CURRENT_CONFIG.
What is Registry made of? …
         • These root keys form the basic structure of the Windows
           Registry.
         • However, this structure is just a logical structure.
         • Among these five root keys, only two root keys,
           HKEY_LOCAL_MACHINE and HKEY_USERS, have
           physical files or hives.
         • These two keys are called master keys.
         • The other three keys are derived keys since they are derived
           from the two master keys and their subkeys, or, they only
           offer symbolic links to the two master keys and their subkeys.
HKEY_LOCAL_MACHINE (HKLM)
•   HKLM is the first master key.
•   It contains all of the configuration settings of a computer.
•   When a computer starts up, the local machine settings are loaded before the individual user settings.
•   If we double-click this entry in Windows Registry Editor, five subkeys will be listed: HARDWARE,
    SAM, SECURITY, SOFTWARE, and SYSTEM.
•   The information contained by these subkeys is listed below:
    –   HARDWARE is used to store the information of hardware devices that a computer detects
        when the computer starts up. So, the subkeys in HARDWARE are also created during the
        booting process.
    –   SAM is the abbreviation of Security Account Manager which is a local security database.
        Subkeys in SAM contain the setting data of users and work groups.
    –   SECURITY includes a local security database in SAM and a strict ACL is used to manage the
        users who could access the database.
    –   SOFTWARE includes all of the configuration settings of programs. Information on the
        programs is stored in a standard format: HKLM\Software\Vendor\Program\Version.
    –   SYSTEM contains the configuration settings of hardware drivers and services. The key path
        is HKEY_LOCAL_MACHINE\SYSTEM\ControlSetXXX, where XXX is a three-digit number
        starting from 000.
HKEY_USERS (HKU)
• HKU is another master key.
• It contains all of the per-user settings such as current console user and other users who
  logged on this computer before.
• Double-click this entry and we can see at least three kinds of subkeys listed: .DEFAULT, SID,
  and SID_Classes.
• SID is the security identifier, which refers to the current console user.
• SID_Classes contains the per-user class registration and file associations. Usually we can see
  S-1-5-18, S-1-5-19, and S-1-5-20, which represent the Local System Account, Local Service
  Account, and Network Service Account respectively.
• Unlike the above two keys, HKEY_CLASSES_ROOT (HKCR), HKEY_CURRENT_USER (HKCU),
  and HKEY_CURRENT_CONFIG (HKCC) are derived keys and they only link to the two
  master keys and their subkeys.
HKEY_CLASSES_ROOT (HKCR)
• HKCR contains two keys:
  – HKLM\SOFTWARE\Classes and
  – HKCU\Software\Classes
• The first one refers to the default registration classes, and the second
  one refers to per user registration classes and file associations.
HKEY_CURRENT_USER (HKCU)
• HKCU links to a subkey of HKU, HKU\SID.
• This key allows all Windows programs and applications to create, access, modify,
  and store the information of the current console user without determining which user is
  logged in.
• Under the root key HKCU, there are also five subkeys: (1) Environment, (2) Identities,
  (3) Network, (4) Software, and (5) Volatile Environment.
  – Environment is about the environmental configurations.
  – Identities are related to Outlook Express.
  – Network contains settings to connect the mapped network drive.
  – Software refers to the user application settings.
  – Volatile Environment is used to define the environment variables according to
      the different users who log on to a computer.
HKEY_CURRENT_CONFIG (HKCC)
• HKCC is an image of the current hardware configuration profile.
• It is a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current, which is
  itself a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\XXXX, where XXXX
  is a four-digit number starting from 0000.
REGISTRY
• A database of configuration data for the Windows OS.
• The computer’s central nervous system
• Keep track of user and system configuration &
  preferences
• Forensic view
  – Can provide an abundance of potential evidence
  – Many artifacts are kept in registry
     •   Search terms
     •   Running or installed program
     •   Web addresses
     •   Files that have been recently opened
REGISTRY-structure
• A tree structure (like directories)
• Looking at it requires a tool that can
  translate the information into something
  that can be understood
• Major multipurpose forensic tools
 – Encase
 – FTK
 REGISTRY-structure
• Case 1
  – Stolen credit card
  – Two suspects are arrested after a
    controlled drop of merchandise ordered
    from the internet
  – Examination of the computer's NTUSER.DAT,
    Registry and protected storage system
    provider info found a listing of multiple
    other names, addresses and credit card
    numbers that were being used
 REGISTRY-structure
• Case 2
  – Police investigated a child pornography case in a hotel
     room. Two hard disks and one laptop. A suspect claimed his laptop
     had not been connected to the hard disks that contained the
     pornographic pictures
  – The examiner wanted to determine whether the suspect's claim was true
      • Whether the hard disks had been connected to the laptop
      • Search the system registry file for entries in the USBStor key
      • Listings for the external hard disks were found along with the hardware
        serial numbers
  – Next, to validate, the defendant's external drives were connected
    to a lab computer system (clean installation of Windows)
      • A write blocker was connected between the drives and the system to
        prevent any changes or modifications
      • The lab computer's system registry file was then examined
          –   The USBStor keys showed the same entries
 REGISTRY-attribute
• Digital forensics (DF) can be used to answer many questions
  – What terms were searched using Google?
  – Did Guy A type those terms?
• However we can rarely put someone’s finger on the
  keyboard when a particular artifact is created.
  – Need to uncover other evidence
• Tracking back to a specific user account or identifying
  the registered owner of the system is much easier
  – A single PC has multiple user accounts set up
  – Each account is assigned a unique number called a
     security identifier (SID)
• Many actions on the computer can be tracked by a
  specific SID
• SID can tie an account to some particular action or
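An added example (not code from the slides) that classifies the subkey names found under HKU, serving both the HKU slide above (.DEFAULT, SID and SID_Classes) and this slide's point that a SID ties an action to an account. The well-known SIDs are the ones listed on the slides; the S-1-5-21 account layout and the RID convention (500 = built-in Administrator, 1000 and up = created accounts) are standard Windows SID structure; the sample subkey names are constructed.

```python
import re

# Well-known service SIDs named on the slides.
WELL_KNOWN = {
    "S-1-5-18": "Local System Account",
    "S-1-5-19": "Local Service Account",
    "S-1-5-20": "Network Service Account",
}
# A SID reads "S-1-<identifier authority>-<sub-authority>-...".
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

def parse_sid(sid):
    """Split a SID string into (identifier authority, [sub-authorities])."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %r" % sid)
    return int(m.group(1)), [int(x) for x in m.group(2).split("-")[1:]]

def describe_sid(sid):
    """Name the account class a SID refers to: a well-known SID from the slides, or an
    NT account S-1-5-21-<machine/domain>-<RID>, whose trailing RID identifies the account."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    authority, subs = parse_sid(sid)
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[-1]
        if rid == 500:
            return "Built-in Administrator (RID 500)"
        return "Local/domain user account (RID %d)" % rid
    return "Other SID"

def classify_hku_subkey(name):
    """Classify an HKU subkey name as .DEFAULT, <SID> (profile) or <SID>_Classes."""
    if name == ".DEFAULT":
        return {"kind": "default-profile", "sid": None, "account": None}
    base, sep, suffix = name.rpartition("_")
    if sep and suffix.lower() == "classes" and SID_RE.match(base):
        return {"kind": "per-user-classes", "sid": base, "account": describe_sid(base)}
    if SID_RE.match(name):
        return {"kind": "profile", "sid": name, "account": describe_sid(name)}
    return {"kind": "unknown", "sid": None, "account": None}

# Constructed sample of HKU subkey names (not taken from a real system).
SAMPLE_HKU = [".DEFAULT", "S-1-5-18", "S-1-5-19", "S-1-5-20",
              "S-1-5-21-1111111111-2222222222-3333333333-1001",
              "S-1-5-21-1111111111-2222222222-3333333333-1001_Classes"]

if __name__ == "__main__":
    for n in SAMPLE_HKU:
        print(n, "->", classify_hku_subkey(n))
```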
REGISTRY-External drives
• One way thieves can easily smuggle data out of an
  organization is by using external storage devices
  – External hard disk
  – Thumb drives
• The device can be used to
  – Steal information
  – Store child pornography
• Examiners need to determine whether any such device
  has been attached to a computer
  – Fortunately, it can be determined by data contained
     in the registry
  – Registry records this information with a significant
     amount of detail
      • Tell both the vendor and the serial number
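An added example (not code from the slides) of how the USBStor entries that Case 2 relied on, and that this slide describes, can be parsed into vendor, product, revision and device serial number, and how serials recorded on a suspect's system are matched against those recorded on a lab system. The key naming follows the standard Windows USBSTOR layout (HKLM\SYSTEM\ControlSetXXX\Enum\USBSTOR\<class&Ven_&Prod_&Rev_>\<serial>&<n>); all sample key paths are constructed.

```python
import re

# Device key: "<class>&Ven_<vendor>&Prod_<product>&Rev_<revision>" (standard Windows layout).
DEVICE_RE = re.compile(
    r"^(?P<cls>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$",
    re.IGNORECASE)

def parse_usbstor_key(path):
    """Parse one USBSTOR instance key path into vendor, product, revision and serial."""
    parts = path.split("\\")
    upper = [p.upper() for p in parts]
    if "USBSTOR" not in upper or upper.index("USBSTOR") + 2 >= len(parts):
        raise ValueError("not a USBSTOR instance key: %r" % path)
    i = upper.index("USBSTOR")
    m = DEVICE_RE.match(parts[i + 1])
    if not m:
        raise ValueError("unexpected device key %r" % parts[i + 1])
    # Instance names are "<serial>&<n>". When Windows could not read a serial from
    # the device it generates one whose second character is '&'; such values are
    # not unique to the device and must not be used as a match.
    inst = parts[i + 2]
    serial = inst.rpartition("&")[0] or inst
    return {
        "control_set": parts[i - 2] if i >= 2 else None,
        "vendor": m.group("vendor"), "product": m.group("product"),
        "revision": m.group("rev"), "serial": serial,
        "unique_serial": not (len(serial) > 1 and serial[1] == "&"),
    }

def matching_serials(suspect_keys, lab_keys):
    """Device serials recorded on both machines, as in the Case 2 validation step."""
    def serials(keys):
        return {d["serial"] for d in map(parse_usbstor_key, keys) if d["unique_serial"]}
    return sorted(serials(suspect_keys) & serials(lab_keys))

# Constructed sample key paths (not from a real system).
SUSPECT_KEYS = [
    r"HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_ACME&Prod_Ext_Drive&Rev_1.00\ABC123456789&0",
    r"HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_ACME&Prod_Thumb&Rev_0100\7&1e2b9f5&0&0",
]
LAB_KEYS = [
    r"HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_ACME&Prod_Ext_Drive&Rev_1.00\ABC123456789&0",
    r"HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Other&Prod_Stick&Rev_2.00\ZZ99&0",
]

if __name__ == "__main__":
    for k in SUSPECT_KEYS:
        print(parse_usbstor_key(k))
    print("serials seen on both systems:", matching_serials(SUSPECT_KEYS, LAB_KEYS))
```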
What are Hives?
• Hives are the physical files of the two master keys
  (HKEY_LOCAL_MACHINE and HKEY_USERS) in
  Windows Registry stored on hard drive.
• The tree format we view through Windows Registry
  Editor, is a logical structure of the five root keys.
• If we use forensic tools to view the Windows
  Registry in an offline environment or view the
  Registry remotely, only the two master keys will be
  listed.
• So, only the two master keys and their subkeys
  have hives. The hives of HKLM's subkeys are
  stored at %SYSTEMROOT%\System32\config,
  and the hives of HKU's subkeys are stored at
Discuss
• (C1: Knowledge) What is Registry?
• (C1: Knowledge) List the root keys for Windows Registry.
• (C2: Understanding) Explain how to edit Registry.
• (C4: Analysis) Differentiate between Root Keys and Master Keys?
• (C2: Understanding) What are Hives in Registry?
Discuss
• (C1: Knowledge) What is Registry?
   ANS: A database of configuration data for the Windows OS. It keeps track of user
   and system configuration and preferences.
• (C1: Knowledge) List the root keys for Windows Registry.
  – ANS: There are 5: (1) HKEY_CLASSES_ROOT, (2) HKEY_CURRENT_USER,
     (3) HKEY_LOCAL_MACHINE,
     (4) HKEY_USERS, and (5) HKEY_CURRENT_CONFIG
• (C2: Understanding) Explain how to edit Registry.
  – ANS: Use built in registry editor that comes with Windows, called Registry
     Editor (regedit.exe).
Discuss
• (C4: Analysis) Differentiate between Root Keys and Master Keys?
   ANS:
  – (a) There are 5 Root Keys: (1) HKEY_CLASSES_ROOT (HKCR), (2)
     HKEY_CURRENT_USER (HKCU), (3) HKEY_LOCAL_MACHINE (HKLM),
     (4) HKEY_USERS (HKU), and (5) HKEY_CURRENT_CONFIG (HKCC).
  – (b) Only 2 of them are Master Keys namely HKLM and HKU. The
      other three keys are derived keys since they are derived from the two
      master keys and their subkeys, or, they only offer symbolic links to the
      two master keys and their subkeys.
Discuss
• (C2: Understanding) What are Hives in Registry?
   ANS:
  – Hives are the physical files of the two master keys
     (HKEY_LOCAL_MACHINE (HKLM) and HKEY_USERS (HKU)) in the Windows
     Registry stored on the hard drive.
  – The hives of HKLM's subkeys are
     stored at %SYSTEMROOT%\System32\config, and the hives of
     HKU's subkeys are stored at
     %USERPROFILE%.
PRINT SPOOLING
 PRINT SPOOLING
• In some cases, suspect’s printing activities may be relevant
• If you notice, printing has a delay after Print is clicked
  – This delay indicates a process called spooling
  – Spooling temporarily stores the print job until it can be
      printed at a time that is convenient for the printer
  – During this procedure, Windows creates a pair of
      complementary files:
       • EMF (Enhanced Metafile): an image of the document to be printed
       • Spool file: contains information about the print job itself
PRINT SPOOLING: spool file
• One of each for every print job
• Tell things like
  – (a) Printer name, (b) Computer name, (c) User account that
      sent the job
• However, they are not stored permanently on the hard disk
  – They are normally deleted automatically after the print job
      is finished
  – However, there are exceptions
      •   If some kind of problem occurred and the document did not print
      •   The computer that initiated the print job may be set up to retain a copy
  – Spool & EMF can be used to directly connect targets to
     their crimes
      •   Extortion letters
      •   Forged contract
      •   Stolen client list
      •   Maps to body dump sites
Discuss
• (C3: Application) Demonstrate how print spooling can
  be used as evidence in a crime.
Discuss
• (C3: Application) Demonstrate how print spooling can be used as
  evidence in a crime.
   ANS: When some kind of problem occurred and the document did not print, the
   computer that initiated the print job may have been set up to retain a
   copy. Spool and EMF files can be used to directly connect targets to their
   crimes, e.g. (1) Extortion letters, (2) Forged contracts, (3) Stolen client lists,
   (4) Maps to body dump sites.