The Windows Registry is a centralized hierarchical database that contains both system and user information and settings for Windows computers. These settings can be anything from a user’s desktop background to the time zone setting for the computer.
To some, examining the Registry is a daunting task making even the most experienced examiners shake with despair. But it really does not need to be that way. In this post we are going to demystify what all the various sections of the Registry mean. BlackLight automatically parses out a lot of information that is derived from the Registry so understanding how the Registry is structured is important to successfully articulate the evidence that is being presented.
The Registry itself is structured in a tree format similar to what you would expect when viewing files in Windows Explorer. Each entry in the tree is called a key, and each key can have one or more subkeys and values.
The Registry is a logical representation of seven physical files that are contained in the Windows volume. These seven physical files are:
Plus two files for each user account:
- NTUser.dat - Located: C:\Users\%Username%\
- UsrClass.dat - Located: C:\Users\%Username%\AppData\Local\Microsoft\Windows
The Registry displays the data gathered from the seven physical files in hives that are normally prefixed with HKEY (handle key), and are referred to individually as keys. Examiners may be used to seeing HKLM (HKEY_LOCAL_MACHINE) during their examinations.
Here are the Registry hives:
- HKEY_CLASSES_ROOT (HKCR)
- HKEY_CURRENT_USER (HKCU)
- HKEY_LOCAL_MACHINE (HKLM)
- HKEY_USERS (HKU)
- HKEY_CURRENT_CONFIG (HKCC)
The hive keys store the data virtually, and the actual data is stored in the seven physical files listed above. Of the five hives shown, two hives receive their data directly from the seven physical files and are referred to as master keys. The master keys are:
The remaining three hives link their data to keys found in the two master keys.
Figure 1: View of registry hives in BlackLight
BlackLight simplifies the Registry view showing exactly from where the data is parsed.
- HKEY_USERS: Contains user settings for each user that has logged into the computer.
- HKEY_LOCAL_MACHINE: Contains information pertaining to the configuration of the local machine, and is generated at start-up. This includes computer settings and functions for all users on the system.
- HKEY_CLASSES_ROOT: Tracks file types and associated applications as well as registering classes for COM objects.
- HKEY_CURRENT_USER: Tracks settings and information pertaining to the currently logged-in user.
- HKEY_CURRENT_CONFIG: Tracks the current hardware configuration profile.
What lies beyond the hives? Beneath the hives are keys and values.
- Keys: Keys maintain a folder-like structure similar to what would normally be found when viewing the contents of a drive in Windows Explorer.
- Values: Values are similar to file names when viewing the contents of a drive in Windows Explorer.
- Data: Data is similar to the data of a file when viewed in Windows Explorer.
Dates and Times
Truly one of the most contentious parts of forensics is dates and times, and nothing changes when it comes to the Registry. Windows Registry dates and times consist of a “Last Write Time”. Essentially this date and time indicates when the Registry key was last modified. These dates and times are saved as FILETIME values (the number of 100-nanosecond intervals since January 01, 1601, UTC).
The problem, of course, is that it is not necessarily clear when Windows decides to update a Registry key’s last write time, so all that examiners can say is that the date and time is approximate. Lastly, the last write time is recorded per key, not per value, so there may be no way to determine which value within the key was last updated.
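As an added example (not code from the original post or from BlackLight), the following Python shows how a key's FILETIME last write time is decoded into a UTC timestamp and back. The 8-byte raw value and the resulting integer are constructed sample data for a key last written at 2020-01-01 00:00:00 UTC; the function and constant names are this example's own.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond "ticks" since this epoch (UTC).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# Constructed sample: the 8-byte little-endian last write time as it would
# appear in a raw hive, for 2020-01-01 00:00:00 UTC. Hypothetical key name.
SAMPLE_KEY_PATH = r"SOFTWARE\Example\LastWriteDemo"
SAMPLE_LAST_WRITE_RAW = b"\x00\x00\x05\x69\x36\xc0\xd5\x01"


def filetime_from_bytes(raw: bytes) -> int:
    """Unpack an 8-byte little-endian FILETIME into an unsigned integer."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    return struct.unpack("<Q", raw)[0]


def filetime_to_datetime(ft: int) -> datetime:
    """Convert FILETIME ticks to a timezone-aware UTC datetime.

    datetime only resolves microseconds, so the sub-microsecond remainder
    (0-9 ticks) is dropped; that is below any forensically useful precision.
    """
    if ft < 0:
        raise ValueError("FILETIME cannot be negative")
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Convert an aware datetime back to FILETIME ticks (inverse of the above)."""
    if dt.tzinfo is None:
        raise ValueError("naive datetimes are ambiguous; supply a timezone")
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (
        delta.days * 86_400 * TICKS_PER_SECOND
        + delta.seconds * TICKS_PER_SECOND
        + delta.microseconds * 10
    )


def describe_last_write(key_path: str, raw: bytes) -> str:
    """Render a key's last write time the way a report line would show it.

    The timestamp belongs to the key as a whole; it does not identify which
    value under the key changed, so the wording reflects that.
    """
    when = filetime_to_datetime(filetime_from_bytes(raw))
    return f"{key_path}: key last written {when.isoformat()} (value changed: unknown)"


if __name__ == "__main__":
    print(describe_last_write(SAMPLE_KEY_PATH, SAMPLE_LAST_WRITE_RAW))
```

Note that the conversion yields UTC; rendering it in the examined machine's local time zone requires the time zone information stored in the SYSTEM hive, which is itself just another Registry key with its own last write time.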
Understanding the structure of the Registry is the first step in the analysis of this important Windows artifact.
In part two of the post, we look at some Registry keys to try and understand how tools like BlackLight parse out and display the data. In the meantime, you can view the rest of the Windows Essentials Forensic blog series.