Windows Registry: A Complete Guide To Examining The Windows Registry

The Windows Registry is a centralized database that contains system and user settings. It has a tree structure with keys and subkeys that contain values and data. BlackLight automatically parses and displays important registry artifacts to provide investigative leads. These include the installed Windows version, recently used programs and documents, connected devices, and user profile information, drawing from keys like HKLM\Software\Microsoft\Windows\CurrentVersion and HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs. Understanding the registry structure is important for interpreting evidence from this critical Windows component.

TECHNICAL SPECIFICATION

Windows Registry
A complete guide to examining the Windows Registry

June 2020
Contents

The Registry
Structure
Hive Description
Beyond Hives
Dates and Times
BlackLight Automatic Display of Registry Items
Actionable Intelligence
Using the Registry in Investigations
Technical Specification | Windows Registry: A complete guide to examining the Windows Registry
www.cellebrite.com
The Registry

The Windows Registry is a centralized hierarchical database that contains both system and user information and
settings for Windows computers. These settings can be anything from a user’s desktop background to the time zone
setting for the computer.

To some, examining the Registry is a daunting task making even the most experienced examiners shake with despair.
But it does not need to be that way. In this entry, we are going to demystify what all the various sections of the Registry
mean. BlackLight automatically parses out a lot of information that is derived from the Registry so understanding how
the Registry is structured is important to successfully articulate the evidence presented.

Structure

The Registry itself is structured in a tree format similar to what you would expect when viewing files in Windows Explorer.
Each entry in the tree is called a key; and each key can have one or more subkeys and values.

The Registry is a logical representation of seven physical files that are contained in the Windows volume. Five of the
seven files are system related and are located in C:\Windows\System32\Config:

• System
• Software
• Security
• Sam
• Components

Plus two additional files for each user account:

• NTUser.dat, located in C:\Users\%Username%\
• UsrClass.dat, located in C:\Users\%Username%\AppData\Local\Microsoft\Windows

The Registry displays the data gathered from the seven physical files in hives that are normally prepended with
HKEY (Handle Key), and are referred to individually as keys. Examiners may be used to seeing HKLM (HKEY_LOCAL_MACHINE)
during their examinations.

Here are the Registry hives:

• HKEY_CLASSES_ROOT (HKCR)
• HKEY_CURRENT_USER (HKCU)
• HKEY_LOCAL_MACHINE (HKLM)
• HKEY_USERS (HKU)
• HKEY_CURRENT_CONFIG (HKCC)

The hive keys store the data virtually; the actual data is stored in the seven physical files listed above. Of the five
hives shown, two receive their data directly from the physical files and are referred to as master keys. The
master keys are:

• HKEY_USERS
• HKEY_LOCAL_MACHINE

The remaining three hives link their data to keys found in the two master keys.

Figure one: View of registry hives in BlackLight.

BlackLight simplifies the Registry view showing exactly from where the data is parsed.

Hive Description

HKEY_USERS: Contains user settings for each user that has logged into the computer.

HKEY_LOCAL_MACHINE: Contains information pertaining to the configuration of the local machine, and is generated
at start-up. This includes computer settings and functions for all users on the system.

HKEY_CLASSES_ROOT: This key tracks file types and associated applications as well as registering classes for COM
objects.

HKEY_CURRENT_USER: This key tracks settings and information pertaining to the currently logged-in user.

HKEY_CURRENT_CONFIG: Tracks the current hardware configuration profile.

Beyond Hives

What lies beyond the hives? Beneath the hives are keys and values.

Keys: Keys maintain a folder-like structure similar to what would normally be found when viewing the contents of a drive
in Windows Explorer.

Values: Are similar to file names when viewing the contents of a drive in Windows Explorer.

Data: Data is similar to the data of a file when viewed in Windows Explorer.

Dates and Times

One of the most contentious parts of forensics is dates and times. Nothing changes when it comes to the Registry.

Windows Registry dates and times consist of a “Last Write Time”. Essentially this date and time indicates when the
Registry key was last modified. These dates and times are saved in FILETIME format (the number of 100-nanosecond
intervals since January 01, 1601, UTC).

The problem is that it is not necessarily clear when Windows decides to update a Registry key's Last Write Time, so all that
examiners can say is that the date and time are approximate. Lastly, a key carries a single Last Write Time, so there may be
no way to determine which value within the key was last updated. So, the rule of thumb is to use Registry dates and times only
as a guide. Understanding the structure of the Registry is the first step in the analysis of this important Windows artifact. Next
time we will look at some Registry keys to try and understand how tools like BlackLight parse out and display the data.

Cellebrite BlackLight Automatic Display of Registry Items

Cellebrite BlackLight parses out many Registry artifacts and displays the results in various areas.

Figure Two: BlackLight showing automatically parsed Registry data.

Cellebrite BlackLight displays information about the operating system including the version of Windows and the
installation date.

Figure Three: View of Windows Registry showing information parsed by BlackLight.

Looking at the Registry under System ➔ Registry ➔ All, navigate to HKLM ➔ Software ➔ Microsoft ➔ Windows NT ➔
CurrentVersion. This Registry key contains all the information displayed by BlackLight in this view.

Specifications

• Install Date: 1434109671 is a UNIX epoch (seconds since January 01, 1970, UTC)
• Product Name: The version of Windows installed on this computer (Windows 7 Professional)
• CSD Version: Contains the service-pack version of the current operating system (Service Pack 1)

We can further see that josh is the registered owner of this licensed copy of Windows. It should be noted that this value may
be blank. On some versions of Windows users are not prompted to add this information.
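The two timestamp scales mentioned in this guide (the FILETIME Last Write Time in the Dates and Times section, and the UNIX epoch InstallDate above) are easy to confuse, so here is a small converter. This is an added example, not BlackLight code or anything from the Cellebrite document; it uses only the Python standard library and the InstallDate value 1434109671 shown above.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Added example (not from the Cellebrite document): convert the two timestamp
# formats the guide describes. FILETIME counts 100-nanosecond intervals since
# 1601-01-01 00:00:00 UTC; InstallDate is a UNIX epoch (seconds since
# 1970-01-01 00:00:00 UTC). Both scales are UTC; local time is a display choice.

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Number of 100-ns intervals between the two epochs (11644473600 seconds).
EPOCH_DIFF_100NS = int((UNIX_EPOCH - FILETIME_EPOCH).total_seconds()) * 10_000_000


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """Decode a registry key Last Write Time (FILETIME) to an aware UTC datetime.

    A FILETIME of 0 is returned as None: it means "never set", not 1601-01-01.
    """
    if filetime < 0:
        raise ValueError("FILETIME is an unsigned 64-bit value")
    if filetime == 0:
        return None
    # timedelta has microsecond resolution, so the 100-ns digit is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def unix_to_datetime(seconds: int) -> datetime:
    """Decode a UNIX epoch value such as InstallDate to an aware UTC datetime."""
    return UNIX_EPOCH + timedelta(seconds=seconds)


def unix_to_filetime(seconds: int) -> int:
    """Re-express a UNIX epoch as FILETIME, handy for comparing the two scales."""
    return seconds * 10_000_000 + EPOCH_DIFF_100NS


if __name__ == "__main__":
    install = 1434109671  # the InstallDate value shown in the guide
    print("InstallDate :", unix_to_datetime(install).isoformat())
    print("as FILETIME :", unix_to_filetime(install))
    print("round trip  :", filetime_to_datetime(unix_to_filetime(install)).isoformat())
```

Run as a script it prints the InstallDate as 2015-06-12T11:47:51+00:00. Treating a FILETIME of zero as "unset" rather than as the year 1601 matters in practice: a blank timestamp rendered as 1601-01-01 is a common reporting mistake.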

Actionable Intelligence:

Several areas of the Registry are parsed out and displayed automatically in the Actionable Intel view:

Last Executed: Derived from \%USERPROFILE%\NTUSER.dat; tracks the specific executable used by an application to
open the files documented in the OpenSavePidMRU key. Key: HKU\NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\
Explorer\ComDlg32\LastVisitedPidMRU

Figure Four: Registry view showing Last Executed applications

User Assist: This artifact tracks GUI-based programs that are launched from the desktop and includes when the program
was last launched, how many times the program was launched, and whether the program was launched from a link
(LNK) or an executable (.exe). On a live computer, this information is encoded in ROT-13, a simple letter-substitution
obfuscation of the data. Most Registry tools, including BlackLight, will decode this data.

Two GUIDs are shown in this key that represent how the program was launched:

• CEFFF5C… represents accessing the program from an executable
• F4E57C4… represents accessing the program from a shortcut or link file

Selecting the Count value will display another list of GUIDs and program names. The GUIDs represent the location for
the UserAssist.
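To make the UserAssist description concrete, here is an added example (not BlackLight code, and not from the Cellebrite document) that undoes the ROT-13 on a value name and pulls the run count and last-launch time out of the value data. The 72-byte record layout is assumed here as documented for Windows 7 and later (run count as a DWORD at offset 4, last-execution FILETIME as a QWORD at offset 60); the sample value name and record are constructed for the example in the style of a real entry.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# Added example (not from the Cellebrite document). Value names under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
# are ROT-13 encoded; the value data on Windows 7 and later is a 72-byte
# record whose layout is assumed here as: run count at offset 4 (DWORD) and
# last-execution FILETIME at offset 60 (QWORD).

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
RUN_COUNT_OFFSET = 4
LAST_RUN_OFFSET = 60
RECORD_SIZE = 72


def decode_userassist_name(value_name: str) -> str:
    """Undo the ROT-13 applied to UserAssist value names.

    Only ASCII letters rotate; digits, braces and path separators (and so the
    GUID prefix) are left untouched, which is why the encoded name still
    looks like a path.
    """
    return codecs.decode(value_name, "rot_13")


def parse_userassist_record(data: bytes) -> dict:
    """Extract run count and last-run time from a Windows 7+ Count value."""
    if len(data) < RECORD_SIZE:
        raise ValueError(f"expected {RECORD_SIZE} bytes, got {len(data)}")
    run_count = struct.unpack_from("<I", data, RUN_COUNT_OFFSET)[0]
    filetime = struct.unpack_from("<Q", data, LAST_RUN_OFFSET)[0]
    last_run: Optional[datetime] = None
    if filetime:  # zero means never recorded, not 1601-01-01
        last_run = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"run_count": run_count, "last_run": last_run}


def to_filetime(when: datetime) -> int:
    """Helper used only to build the constructed sample record below."""
    return int((when - FILETIME_EPOCH).total_seconds()) * 10_000_000


# Constructed sample: the name an examiner would see in the raw hive and a
# 72-byte record saying "run 5 times, last on 2020-06-01 12:00 UTC".
SAMPLE_NAME = r"{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\JVAJBEQ.RKR"
SAMPLE_LAST_RUN = datetime(2020, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORD = (
    struct.pack("<4I", 0, 5, 3, 120_000)   # unknown, run count, focus count, focus time (ms)
    + b"\x00" * 40                          # ten floats, unused here
    + b"\x00" * 4                           # unknown
    + struct.pack("<Q", to_filetime(SAMPLE_LAST_RUN))
    + b"\x00" * 4                           # trailing padding
)

if __name__ == "__main__":
    print(decode_userassist_name(SAMPLE_NAME))
    print(parse_userassist_record(SAMPLE_RECORD))
```

Note that the decoded name resolves to WINWORD.EXE under a known-folder GUID rather than a literal drive path; that is how UserAssist stores locations, which is why the guide points you to Microsoft's list of GUIDs below.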

Figure Five: Registry view showing UserAssist.

A complete list of these locations can be found here:

https://msdn.microsoft.com/en-us/library/bb882665(v=vs.110).aspx#List%20of%20GUIDs

Device Connections: We have discussed this in a previous blog:

https://www.blackbagtech.com/blog/2017/02/14/analyzing-usb-entries-in-windows-7/

Several Registry keys are used to create a complete picture of the connected devices.

File Knowledge-Recent Items: This area of Actionable Intelligence tracks files and folders opened and used by a user
and is derived from: \%Username%\NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\

Figure Six: Registry view of Recent Documents.

This particular Registry key has several values that represent the extension of the file types opened. For example, Microsoft
Word documents are saved under the value .doc. Generally speaking, in this Registry key, the most recent document is
listed first and the oldest document last.

We can see an example of the Last Write Time created for each Registry value in this key. The dates shown in the Last
Write Time reflect the date and time the Registry value was last updated. Although this does not necessarily correlate to
the date and time the most recent document was opened, it can be used to approximate when the most recent document
was opened, but no more.
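The ordering the guide describes ("the most recent document is listed first") is recorded explicitly by the MRUListEx value that sits beside the numbered values in RecentDocs and in each extension subkey. The following added example (not BlackLight code, and not from the Cellebrite document) parses that ordering and recovers the file names; the formats are assumed here as commonly documented: MRUListEx is a run of little-endian DWORD indices terminated by 0xFFFFFFFF, and each numbered value begins with the file name as a null-terminated UTF-16LE string. The key contents are constructed sample data.

```python
import struct
from typing import List

# Added example (not from the Cellebrite document). Under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs (and each
# extension subkey such as ".doc") the values are numbered 0, 1, 2, ... and an
# MRUListEx value orders them. Format assumed here, as commonly documented:
# MRUListEx is a run of little-endian DWORD indices terminated by 0xFFFFFFFF,
# most recent first; each numbered value begins with the file name as a
# null-terminated UTF-16LE string, followed by shell-item data we ignore.

MRU_TERMINATOR = 0xFFFFFFFF


def parse_mrulistex(data: bytes) -> List[int]:
    """Return value indices in most-recent-first order."""
    if len(data) % 4:
        raise ValueError("MRUListEx length is not a multiple of 4")
    order = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == MRU_TERMINATOR:
            return order
        order.append(idx)
    raise ValueError("MRUListEx missing 0xFFFFFFFF terminator")


def extract_filename(data: bytes) -> str:
    """Pull the leading UTF-16LE file name out of a RecentDocs value."""
    # Scan on 2-byte boundaries for the first UTF-16 null code unit.
    for i in range(0, len(data) - 1, 2):
        if data[i] == 0 and data[i + 1] == 0:
            return data[:i].decode("utf-16-le")
    raise ValueError("no null terminator found in RecentDocs value")


def recent_documents(values: dict) -> List[str]:
    """Given {value name: data} for one RecentDocs key, list file names newest first."""
    order = parse_mrulistex(values["MRUListEx"])
    return [extract_filename(values[str(i)]) for i in order]


def make_value(name: str) -> bytes:
    """Constructed sample data: file name + terminator + placeholder bytes where
    the real value carries a shell item for the matching .lnk."""
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00" + b"\x00" * 18


SAMPLE_KEY = {
    "0": make_value("quarterly report.doc"),
    "1": make_value("invoice-0423.doc"),
    "2": make_value("notes.doc"),
    # value 2 was opened most recently, then 0, then 1
    "MRUListEx": struct.pack("<4I", 2, 0, 1, MRU_TERMINATOR),
}

if __name__ == "__main__":
    for name in recent_documents(SAMPLE_KEY):
        print(name)
```

Because MRUListEx gives the order and the numbered values give the names, a single key Last Write Time can only bound when the list last changed, which is the caveat the paragraph above makes.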

Account Usage: This tracks user account information that exists on the system and comes from the SAM file at the
following location: HKLM\SAM\SAM\Domains\Account\Users\config\Users

Figure Seven: User account information from Registry.

Information found in this Registry key includes the username, user SID, user password hint, last login date, last password
change date, and any failed login date.

Using the Registry in Investigations

We have seen how the Registry works and what forensic tools can automatically show; but how do we leverage the
Registry to assist in investigations? Artifacts found in the Registry can show that the user has been using applications. Is
the user a power user, customizing the application with preferences? Or, is this a novice user happy to get the application
up and running?

Of course, knowing how the user has set up an application requires testing on the part of the examiner. The knowledge
you will gain from taking a clean install of the software on a computer is invaluable to the learning process. It helps you
understand how the software works and allows you to articulate how a user’s changes to the software are reflected in
the many artifacts found on the computer.

Let’s take a look at a few applications found on this Windows computer.

Turning on a setting changes values contained within the Registry. Like a light switch, Registry values are recorded
commonly in either an on or off position.

If a user downloads and begins using iCloud Photos on a Windows computer, they are asked whether they want to use
iCloud Photo Library, Photo Stream, and whether they want the ability to Share Pictures.

Figure Eight: Photos settings on Windows 10.

By clicking the check box beside each setting, a user enables the setting. Turning on a setting allows a user to choose
a path where the results of the setting are accessed by the program. These choices are reflected within the Registry.

Figure Nine: Registry view of iCloud Photos settings.

There are some important Registry settings found here.

Enabled = 1. Here is the classic on/off switch; like most settings, on = 1, off = 0. From this setting, we know that the user
has Photos turned on.

As we continue, we find that Downloads and Uploads are both enabled, each showing the corresponding path where the
pictures will be accessed.

There is a path shown for Sharing. When looking at the screenshot of iCloud Photo settings, if you see this setting is off,
then the path should be greyed out. Here is where testing comes in. Has the user turned on Sharing? Is it on by default?
Is there a value that tells us for sure that Sharing is turned on?

Never assume that because a value exists, it means that a setting has been turned on or off. Sometimes values exist in
the Registry because that is the default value and it resides regardless of status of the setting.

In this instance, turning Sharing off does not make a change to the Registry. You may want to research as to whether
this just means it was once on by performing a clean install of the software.

These Registry values may provide insight into the user’s computer habits.

Now let’s look at the sharing application Shareaza. Those of you who investigate Child Exploitation cases are probably
well acquainted with programs like Shareaza that have sadly become infested with abusive and exploitive content.

In these types of investigations, proving the user has knowledge of the workings of sharing applications is often key to
securing convictions.

Changing download paths, types of files to share, or even whether or not the application has ever been run, can be found
within the Registry. These types of artifacts can negate defense claims that the user does not know how the application
works.

Why not let the user’s own actions speak for themselves? Some applications hide special little nuggets within the Registry.

Figure Eleven: Shareaza Registry values.

A lot of applications will store a user’s inputted data within the Registry. In Figure Eleven, we are looking at actual
keywords entered by the user. Imagine if this was a case where the user was claiming that the child exploitation material
on his computer was not intended to be downloaded. Then in the Registry, numerous keywords entered by a user were
consistent with the distribution of child exploitation material.

Once again, it cannot be stressed enough that none of this happens magically. As forensic professionals, you need to
spend the time testing, reading, and learning to be able to correctly articulate what is happening on the computer.

The Registry is vital to the Windows operating system. Keep in mind that there are often backups of the Registry found
on the computer. Windows 8 and 10 (and XP) use Restore Points to back up user and application settings. The Registry is
also captured in Volume Shadow Copies created by Windows 7 (8 and 10 too, assuming it has been enabled).

Although not intended to be used in forensic analysis, they are a source of historical data.

Examiners should never shy away from analysis of complex artifacts such as the Registry. Through research and education,
you can feel empowered to perform the in-depth forensics analysis.

About Cellebrite

For more than 20 years, Cellebrite has been the global leader and premiere provider of integrated digital intelligence solutions to law enforcement,
military, government, and private enterprises worldwide. We help resolve investigations faster by addressing the growing challenges of an expanding
digital world.

Developed in close partnership with our customers, our integrated suite of digital intelligence software, solutions, and training include: access to all
devices, digital platforms and applications when and where teams need it; management and control of all relevant data in a secure and collaborative
system; and powerful leverage to quickly reveal critical insights.

Our solutions seamlessly integrate with existing infrastructures that allow organizations to make command decisions more efficiently to better
protect their communities.

To learn more, visit: www.cellebrite.com
