Forensic

cyber security

Uploaded by arpitsinha579

FORENSICS EXAMINATION OF THE WINDOWS REGISTRY

1. Automatic Startup Locations

Identify programs that run automatically when Windows starts or a user logs on. These can be legitimate applications, unwanted software, or malware using the keys for persistence.

Key Registry Paths:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Userinit and Shell are values under the Winlogon key, not subkeys. Their stock contents are userinit.exe (followed by a trailing comma) and explorer.exe; anything appended to either value is executed at logon and is a classic persistence hook. HKLM entries run for every user, while HKCU entries belong to whichever user hive (NTUSER.DAT) is loaded, so each profile on the machine must be checked separately. Microsoft provides a portable Sysinternals utility, Autoruns, that enumerates every auto-start location (registry keys, services, drivers, scheduled tasks and more) in a single view.
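The following PowerShell script is an added example, not part of the original notes, showing how to dump the auto-start keys listed above from a live system and flag entries that point outside the usual Windows program directories. It assumes an elevated session on a 64-bit install; the "expected" Winlogon values and the trusted directory list are assumptions chosen for illustration and may need adjusting for a given build.

```powershell
# Added example (not from the original notes): enumerate auto-start registry
# locations and flag commands outside the usual program directories.
# Assumes an elevated PowerShell session on a 64-bit live system.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',   # 32-bit view on x64
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Directories from which autostarts are normally expected (assumption: tune per environment)
$trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata that Get-ItemProperty adds to every object
            if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            $inTrusted = $trusted | Where-Object { $cmd.TrimStart('"') -like "$_*" }
            $flag = if ($inTrusted) { '' } else { 'REVIEW' }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd; Flag = $flag }
        }
    }
}

# Winlogon: Userinit must be exactly "<SystemRoot>\system32\userinit.exe," and Shell "explorer.exe";
# any extra entry appended to either value runs at every logon.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{ Userinit = "$env:SystemRoot\system32\userinit.exe,"; Shell = 'explorer.exe' }
foreach ($name in $expected.Keys) {
    $flag = if ($wl.$name -ne $expected[$name]) { 'REVIEW' } else { '' }
    "{0,-9} {1,-45} {2}" -f $name, $wl.$name, $flag
}

# Services configured to start automatically (Start = 2), with their binaries
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $s = Get-ItemProperty $_.PSPath
    if ($s.Start -eq 2 -and $s.ImagePath) {
        [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $s.ImagePath }
    }
} | Format-Table -AutoSize

Get-AutostartEntries | Format-Table -AutoSize
```

A REVIEW flag is a prompt to look, not a verdict: legitimate updaters in %AppData% will trigger it, and malware that drops into a Program Files subfolder will not. Compare each flagged binary's hash and signature rather than trusting the path.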

2. Installed Program Keys in the Windows Registry

Extract the list of installed programs and look for software that should not be present or that may indicate malicious activity. Installers that register with Add/Remove Programs create a subkey with DisplayName, Publisher, InstallDate and InstallLocation values under:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
• HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall (32-bit programs on 64-bit Windows)
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall (per-user installs)

Portable or manually copied tools never appear here, so an unremarkable Uninstall list does not prove a program was never run; cross-check with the UserAssist and MRU evidence described below.
3. USB Device Forensics

Track the use of USB storage devices on the system, which is relevant both to data exfiltration and to the introduction of malicious files.

1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR: one subkey per vendor/product/revision, each holding a subkey per device instance named after the device serial number. When a device reports no serial, Windows generates an ID, recognisable by an ampersand as its second character.
2. HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices: maps drive letters and volume GUIDs to the device instance path, which ties a serial number to the drive letter it was given.
3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2: volume GUIDs the user actually opened, which attributes a device to a user account.
4. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB: vendor and product IDs (VID/PID) of every USB device, not only mass storage.
5. Identify the first time the device was connected. The keys above reflect only the most recent enumeration (their last-write times); the first-connection time is recorded in the setup log C:\Windows\inf\setupapi.dev.log, under the device's serial number.

To automate the collection of information about current and previously connected USB devices, the free NirSoft tool USBDeview performs all of the steps above. Run on the target system, it lists extended information about each USB device that has been connected (device name and description, device type, serial number, and more).
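The script below is an added example, not part of the original notes, that correlates the four keys above: it reads every USBSTOR instance, pulls the drive letters and volume GUIDs that MountedDevices maps to it, and checks whether the current user's MountPoints2 shows that user opening the volume. It assumes an elevated session on the live system (for an offline SYSTEM hive, load it with reg.exe and change the HKLM paths) and relies only on the documented key names and value layouts.

```powershell
# Added example (not from the original notes): correlate USBSTOR instances
# with MountedDevices (drive letters, volume GUIDs) and the current user's
# MountPoints2. Assumes an elevated session on the live system.

$usbstor      = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$mountPoints2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

# MountedDevices values are REG_BINARY UTF-16LE device paths such as
# "\??\USBSTOR#Disk&Ven_X&Prod_Y&Rev_Z#SERIAL&0#{guid}", stored under
# "\DosDevices\E:" (drive letter) or "\??\Volume{guid}" (volume GUID) names.
$letters = @{}; $volumes = @{}
foreach ($p in (Get-ItemProperty 'HKLM:\SYSTEM\MountedDevices').PSObject.Properties) {
    if ($p.Value -isnot [byte[]]) { continue }
    $path = [Text.Encoding]::Unicode.GetString($p.Value)
    if     ($p.Name -like '\DosDevices\*') { $letters[$p.Name.Substring(12)] = $path }  # "E:"
    elseif ($p.Name -like '\??\Volume{*')   { $volumes[$p.Name.Substring(10)] = $path }  # "{guid}"
}

function Get-UsbStorHistory {
    foreach ($dev in Get-ChildItem $usbstor -ErrorAction SilentlyContinue) {
        # Key name layout: Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
        $parts = @{}
        foreach ($seg in $dev.PSChildName -split '&') {
            if ($seg -match '^(Ven|Prod|Rev)_(.*)$') { $parts[$matches[1]] = $matches[2] }
        }
        foreach ($inst in Get-ChildItem $dev.PSPath) {
            $id     = $inst.PSChildName                  # "<serial>&0"
            $needle = "*USBSTOR#$($dev.PSChildName)#$id#*"
            # An '&' as the second character means Windows generated the ID:
            # the device reported no unique serial number.
            $generated = ($id.Length -gt 1) -and ($id[1] -eq '&')
            $volGuids  = @($volumes.Keys | Where-Object { $volumes[$_] -like $needle })
            [pscustomobject]@{
                Vendor            = $parts['Ven']
                Product           = $parts['Prod']
                Serial            = $id -replace '&\d+$', ''
                SerialIsGenerated = $generated
                FriendlyName      = (Get-ItemProperty $inst.PSPath).FriendlyName
                DriveLetters      = ($letters.Keys | Where-Object { $letters[$_] -like $needle }) -join ','
                VolumeGuids       = $volGuids -join ','
                # The user owning the loaded HKCU hive opened the volume if its GUID is in MountPoints2
                UsedByCurrentUser = [bool]($volGuids | Where-Object { Test-Path "$mountPoints2\$_" })
            }
        }
    }
}

Get-UsbStorHistory | Format-Table -AutoSize
```

Nothing in this output gives the first-connection time; for that, search setupapi.dev.log for the serial number. To attribute a device to a user other than the one running the script, load that user's NTUSER.DAT under HKU and point $mountPoints2 at it.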
4. Most Recently Used (MRU) Lists

Identify recent user activity, including the documents and programs accessed, to build a picture of user behaviour. The main MRU keys live in the user's hive:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs: files opened through Explorer, with one subkey per file extension and an MRUListEx value giving the order.
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU and LastVisitedPidlMRU: files and folders used through the standard Windows open/save dialog, and the program that used them.

Two NirSoft tools cover these lists:

ExecutedProgramsList: list of programs and batch files that have previously executed on the target machine.
OpenSaveFilesView: list of files previously opened on the target machine through the standard Windows open/save dialog box.
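As an added example (not from the original notes), the following PowerShell decodes the RecentDocs list in most-recent-first order. It assumes the documented layout: the numbered values hold a null-terminated UTF-16LE file name followed by a shell item, and MRUListEx is an array of little-endian DWORD indices terminated by 0xFFFFFFFF with the most recent entry first. Point the -Key parameter at a loaded NTUSER.DAT for offline analysis.

```powershell
# Added example (not from the original notes): list RecentDocs entries in
# MRUListEx order (most recent first). Assumes the documented value layout.

function Get-RecentDocsMru {
    param([string]$Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs')
    $props = Get-ItemProperty $Key -ErrorAction SilentlyContinue
    $order = $props.MRUListEx
    if (-not $order) { return }
    for ($i = 0; $i + 4 -le $order.Length; $i += 4) {
        $idx = [BitConverter]::ToUInt32($order, $i)
        if ($idx -eq 0xFFFFFFFF) { break }             # terminator
        $data = $props.PSObject.Properties["$idx"].Value
        if (-not $data) { continue }                   # dangling index
        # The file name runs from byte 0 to the first UTF-16 null (two zero bytes at an even offset)
        $end = 0
        while ($end + 1 -lt $data.Length -and -not ($data[$end] -eq 0 -and $data[$end + 1] -eq 0)) { $end += 2 }
        [pscustomobject]@{
            Rank = $i / 4
            Name = [Text.Encoding]::Unicode.GetString($data, 0, $end)
            List = Split-Path $Key -Leaf
        }
    }
}

# The top-level list, then one list per file-extension subkey (.txt, .docx, ...)
Get-RecentDocsMru
Get-ChildItem 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs' |
    ForEach-Object { Get-RecentDocsMru -Key $_.PSPath } | Format-Table -AutoSize
```

RecentDocs stores names only, not full paths or timestamps; the key's last-write time gives the time of the most recent addition, and the corresponding .lnk files in the user's Recent folder supply paths and target timestamps.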

5. Windows Shutdown Time

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows: contains the ShutdownTime value, an 8-byte Windows FILETIME (100-nanosecond intervals since 1 January 1601, UTC) stored as REG_BINARY and updated at the last clean shutdown. To decode it to a readable form, use a tool such as DCode from Digital Detective.

6. UserAssist Forensics

Objective: examine the frequency and context of application usage (run counts and last-execution times of programs launched through Explorer).

Key Registry Location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist: stores encoded data on executed programs in a Count subkey under each GUID subkey. Value names are ROT13-encoded program paths, and the binary data holds the run count and last-run timestamp.

Tool: UserAssistView (NirSoft) decodes and displays the UserAssist entries.

7. Printer Registry Information

Objective: investigate printer settings and history.

Key Registry Locations:
HKEY_CURRENT_USER\Printers: settings of the user's default printer.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers: details on all installed printers.
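The script below is an added example, not part of the original notes, serving both section 5 and section 6: it decodes the ShutdownTime FILETIME without an external tool and then decodes the UserAssist Count entries (ROT13 names, run count, last-run time). The record layout it assumes is the Windows 7 and later one (72-byte values with the run count at offset 4 and the last-run FILETIME at offset 60); run it as the user under examination or point $userAssist at a loaded NTUSER.DAT hive.

```powershell
# Added example (not from the original notes): decode ShutdownTime and the
# current user's UserAssist entries. Assumes Windows 7+ UserAssist layout
# (run count at offset 4, last-run FILETIME at offset 60 of each value).

function ConvertFrom-Rot13 {
    param([string]$Text)
    $chars = foreach ($c in $Text.ToCharArray()) {
        if     ($c -cmatch '[A-Ma-m]') { [char]([int]$c + 13) }
        elseif ($c -cmatch '[N-Zn-z]') { [char]([int]$c - 13) }
        else   { $c }                                  # digits, braces, backslashes unchanged
    }
    -join $chars
}

function ConvertFrom-FileTimeBytes {
    param([byte[]]$Bytes, [int]$Offset = 0)
    $ticks = [BitConverter]::ToInt64($Bytes, $Offset) # little-endian 64-bit FILETIME
    if ($ticks -le 0) { return $null }                 # zero means never recorded
    [DateTime]::FromFileTimeUtc($ticks)
}

# Section 5: last clean shutdown, stored as a raw FILETIME in REG_BINARY
$win = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'
"Last shutdown (UTC): {0}" -f (ConvertFrom-FileTimeBytes $win.ShutdownTime)

# Section 6: one {GUID}\Count subkey per category; value names are ROT13-encoded
$userAssist = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
$entries = foreach ($guidKey in Get-ChildItem $userAssist) {
    $count = Get-ItemProperty (Join-Path $guidKey.PSPath 'Count') -ErrorAction SilentlyContinue
    if (-not $count) { continue }
    foreach ($p in $count.PSObject.Properties) {
        # Skip provider metadata and the short session-control records
        if ($p.Value -isnot [byte[]] -or $p.Value.Length -lt 68) { continue }
        [pscustomobject]@{
            Program  = ConvertFrom-Rot13 $p.Name
            RunCount = [BitConverter]::ToUInt32($p.Value, 4)
            LastRun  = ConvertFrom-FileTimeBytes $p.Value 60
            Category = $guidKey.PSChildName
        }
    }
}
$entries | Sort-Object LastRun -Descending | Format-Table -AutoSize
```

Decoded program names often start with a known-folder GUID in braces rather than a drive letter; the GUID survives ROT13 unchanged because only letters are shifted. UserAssist records only launches that go through Explorer (Start menu, desktop, double-click), so programs started from a console or a script will not appear here.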
