Windows Registry Demystified - Part Two

In our last blog we laid the foundations of what the Registry is, and how it is structured.  In this blog we are going to expand on those concepts and start looking at some Registry to see how tools parse out and display this data.

BlackLight Automatic Display Of Registry Items

BlackLight parses out many Registry artifacts and displays the results in various areas.

BlackLight parsed Registry data Figure 1: BlackLight showing automatically parsed Registry data

BlackLight displays information about the operating system including the version of Windows and the installation date.

Windows Registry parsed by BlackLightFigure 2: View of Windows Registry showing information parsed by BlackLight

Looking at the Registry under System ➔ Registry ➔ All - navigate to HKLM ➔ Software ➔ Microsoft ➔ WindowsNT ➔ CurrentVersion.  This Registry key contains all the information displayed by BlackLight in this view.

  • InstallDate:  1434109671 is a UNIX epoch
  • ProductName: The version of Windows installed on this computer (Windows 7 Professional)
  • CSDVersion: Contains the version of current operating system (Service Pack 1)

We can further see that josh is the registered owner of this licenced copy of Windows.  It should be noted that this value may be blank. On some versions of Windows, users are not prompted to add this information.

Actionable Intelligence

Several areas of the Registry are parsed out and displayed automatically in Actionable Intelligence:

Last Executed- From \%USERPROFILE%\NTUSER.dat it tracks the specific executable used by an application to open files documented in the OpenSavePidMRU key.


Registry view of Last ExecutedFigure 3: Registry view showing Last Executed applications 

User Assist- This artifact tracks GUI-based programs that are launched from the desktop and includes when the program was last launched, how many times the program was launched and lastly whether the program was launched from an link (LNK) or an executable (.exe). On a live computer this information is encoded in ROT-13 which is a way of obfuscating the data; most Registry tools including BlackLight will interpret this data.

Two GUIDs are shown in this key they represent how the program was launched:

  • CEFFF5C… represents accessing the program from an executable
  • F4E57C4… represents accessing the program from a shortcut or link file

Selecting the Count value will display another list of GUIDs and program names.  The GUIDs represent the location for the UserAssist.

Registry view of User AssistFigure 4: Registry view of showing UserAssist

A complete list of these locations can be found here.

Device Connections- We have discussed this in a previous blog.

Several Registry keys are used to create a complete picture of the connected devices.

Recent Items- This area of Actionable Intelligence tracks files and folders opened and used by a user and is derived from: \%Username%\NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\ 

Registry view of Recent DocumentsFigure 5: Registry view of Recent Documents

This particular Registry key has several values that represent the extension of the file types opened.  For example, Microsoft Word documents are saved under the value .doc.  Generally speaking in this Registry key the most recent document is listed first and the oldest document  last.

We can see an example of the Last Write Time created for each Registry value in this key (discussed in part one of this blog).  The dates shown in the Last Write Time reflect the date and time the Registry value was last updated.  Although this does not necessarily correlate to date and time the most recent document was opened, it can be used to approximate when the most recent document was opened but no more.

Account Usage- This tracks user account information that exists on the system and comes from the SAM file at the following location: HKLM\SAM\SAM\Domains\Account\Users\config\Users

User account information from RegistryFigure 6: User account information from Registry

Information found in this Registry key includes the user name, user SID, user password hint, last login date, last password change date, and any failed login date.

Once again the Registry is a gold mine of data.  By following these examples, examiners can gain the experience needed to fully understand the workings of the Registry. Learn more on Windows forensics by attending our free webinar on Advanced Windows Artifacts.

Leave a Reply

Sorry, you must be logged in to post a comment.