Windows Registry
Forensics Page 1
Registry Root Keys
In the Windows operating system, the Registry is a hierarchical database that stores
configuration information and settings for the system and its applications. The root keys are the
top-level branches of this hierarchical structure. There are five main root keys:
1. HKEY_CLASSES_ROOT (HKCR): This key contains file associations and COM/OLE (Object Linking and Embedding) class registrations. It links file extensions (.txt, .docx) to the applications used to open them. It is not a hive of its own: it is a merged view of HKLM\SOFTWARE\Classes (machine-wide) and HKCU\Software\Classes (per user, backed by UsrClass.dat), with the per-user entries taking precedence.
2. HKEY_CURRENT_USER (HKCU): This key stores configuration specific to the currently logged-in user: desktop configuration, environment variables, application settings and much of the user-activity evidence covered below. It is a link to HKEY_USERS\<SID of the current user> and is backed by that user's NTUSER.DAT file.
3. HKEY_LOCAL_MACHINE (HKLM): This key contains information about the local computer: settings applied system-wide regardless of who is logged in, including hardware, drivers, services and installed software. It is backed by the SAM, SECURITY, SOFTWARE and SYSTEM hive files in C:\Windows\System32\config.
4. HKEY_USERS (HKU): This key holds one subkey per loaded user profile, named by the user's SID, plus .DEFAULT and the built-in service accounts (S-1-5-18, S-1-5-19, S-1-5-20). Only profiles that are currently loaded appear here on a live system.
5. HKEY_CURRENT_CONFIG (HKCC): This key contains the current hardware profile. It is a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current and is rarely of forensic interest on modern systems.
Visual Representation:
The earlier sections covered the live registry, the specialised tools used below, locating and exporting the hive files, and reading the system time from the SYSTEM hive. This section covers the NTUSER.DAT hive.

NTUSER.DAT holds the settings and preferences for one user and, as the following sections show, a good deal of that user's activity. Every profile on the system has its own NTUSER.DAT specific to that user.

-> NTUSER.DAT is located at C:\Users\<username>\NTUSER.DAT (a hidden system file). It does not hold the user's personal files: it is the user's registry hive, loaded under HKEY_USERS\<SID> at logon and exposed as HKEY_CURRENT_USER for that session. It is locked while the user is logged in, so take it from a forensic image or with a tool that can read locked files, and collect the NTUSER.DAT.LOG1 and .LOG2 transaction logs alongside it so that unflushed changes can be replayed.
Topics for this hive: the volumes mounted by a specific user, including removable devices (MountPoints2); how to interpret most-recently-used (MRU) lists; the UserAssist key; user search terms; and a number of other user settings worth finding and interpreting.

TypedURLs
Path:- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
Records the URLs the user typed into the Internet Explorer address bar, or completed from its auto-complete drop-down, as values url1, url2, ... with url1 the most recent. On Windows 8 and later the sibling key TypedURLsTime holds one 64-bit FILETIME per entry.
Important details:
Not all URLs are recorded: pages reached from favorites, links or the home page are not added to TypedURLs. Keep in mind that the key belongs to the account, not the person: if an intruder logs on to that account (for example over Terminal Services/RDP) and uses the browser, their typed URLs are attributed to the account.
Clearing browsing history: deleting the browsing history also removes the TypedURLs entries. The entries are written when the browser closes normally, so if the process is killed through Task Manager or the command line they are not written at all.
Privacy concerns: since TypedURLs can reveal a user's browsing habits, be aware of this key and its implications for privacy.
UserAssist
Path:- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
UserAssist is an indicator of program execution by a specific user, which makes it very important to a forensic examination and to building a timeline: it shows which applications were run, how often, and when they were last run. Its purpose is user convenience: Explorer uses it to rank frequently used programs in the Start menu, so the more often an application is run the more prominent it becomes.
Structure:
• Under UserAssist there is one subkey per GUID. The two that matter are {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} (programs launched directly, recorded by executable path) and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} (programs launched through a shortcut, .lnk). Each has a Count subkey that holds the entries.
• Value names are the program path obscured with ROT13 (a 13-place letter shift, not encryption). Paths often begin with a known-folder GUID in place of C:\Program Files and similar folders.
• Value data on Windows 7 and later is a 72-byte binary record: run count at offset 4, focus count at offset 8, focus time in milliseconds at offset 12, and the last-executed time as a 64-bit FILETIME at offset 60.
Run count:- how many times the program was executed.
Focus count:- how many times the program's window received focus, that is, was brought to the foreground by the user.
Ex:- an application is running, it is minimised to the task bar, then restored and the user interacts with it again: the focus count is incremented by one at that point and the system starts accumulating focus time again.
Focus time:- the cumulative time the application's window had focus.
Note:- entries under the shortcut (.lnk) GUID carry a run count and a last-executed time, but do not track focus count or focus time reliably. Those are the programs executed through a shortcut link.
Recent apps:
Path:- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps
• Tracks recently used applications (present in some Windows 10 builds only)
• Similar to UserAssist, but goes a step deeper: it also records the files accessed through each application
• Each subkey directly under RecentApps is a GUID (no ROT13 here) and corresponds to one application
• Per application: AppId (the executable path), LastAccessedTime (a 64-bit FILETIME) and LaunchCount (how many times the program was launched)
• Each application subkey has a RecentItems subkey with one GUID subkey per file, holding the file Path and its own LastAccessedTime
So the top level of RecentApps is applications, and the RecentItems level underneath is the files that were accessed on the system through them.
Recap of the NTUSER artifacts so far: RecentDocs and how its MRU lists are read and interpreted; TypedURLs for Internet Explorer (URLs typed in or completed by auto-complete); and UserAssist for program execution by a specific user.
Run and RunOnce keys
Path:- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and ...\RunOnce (per user); the same subkeys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion apply to every user.
These are programs run at logon with little or no interaction from the user: each value's data is a command line that is executed when the user logs in. Unfortunately these keys are a classic persistence mechanism: if malware is a value here, it runs at every logon without the user doing anything at all.
The Run key is persistent, which is one reason malware gets installed there. Even after a shutdown and restart the key is processed again and every value under it is executed. RunOnce is not persistent: it does exactly what it says, the command runs once and the value is deleted.
Note:- by default a RunOnce value is deleted before its command runs. If the value name is prefixed with an exclamation point (!), deletion is deferred until the command has completed successfully, so a failing command stays in the key and is retried at the next logon. A name prefixed with an asterisk (*) is also run in Safe Mode. Neither prefix turns RunOnce into a Run key; persistence across every logon is what the Run key provides. Values carry no timestamp, so the key's last write time is the only indication of when an entry was last added or changed.
ComDlg32 subkey
Path:- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
This key is written by the common Open/Save dialog, so it tracks application usage together with the files and folders those dialogs touched. It contains four subkeys (plus LastVisitedPidlMRULegacy and OpenSavePidlMRULegacy on some systems, for applications that use the older dialog):
• CIDSizeMRU
• FirstFolder
• LastVisitedPidlMRU
• OpenSavePidlMRU
CIDSizeMRU subkey: tracks applications globally, one entry per executable that has shown a common dialog (with the dialog's size). It has an MRUListEx order that starts at 0 and numbers up from there. The only timestamp is the key's last write time, which applies to the most recent entry only.
FirstFolder subkey: records, per application, the full path of the executable and the folder its dialog first pointed at, which is commonly the location where the application is installed.
LastVisitedPidlMRU: tracks the applications used to open or save the files recorded in OpenSavePidlMRU. Each entry is the executable name (UTF-16LE) followed by a PIDL (a binary item ID list) for the last folder that application's dialog was in.
OpenSavePidlMRU subkey: one subkey per file extension. Each value is a PIDL for a file that was opened or saved through the dialog; a PIDL resolves to the full path including the file name, so this is a file-level record. It includes files that are no longer on the system, which makes it a good place for historical data. Each extension subkey keeps its own MRUListEx and has a last write time that applies to its newest entry. The subkey named * holds the last 20 files of any extension, including files that have no extension.
The data in all of these subkeys is binary (PIDLs), so decode it with a tool that understands PIDLs (Registry Explorer, RegRipper's comdlg32 plugin) rather than reading the raw values.

TypedPaths subkey
Path:- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
Stores the last few paths the user typed or pasted into the File Explorer address bar (url1 is the most recent), essentially a recent file-path history. A typed path to a removable drive or a network share is a useful lead.
Microsoft Office applications and the MRU subkey
Path:- HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\<Application>\File MRU (for example ...\Office\16.0\Word\File MRU); the Place MRU subkey beside it records folders
In the context of Microsoft Office, MRU stands for Most Recently Used. The File MRU subkey stores the list of files most recently opened by the user in a given Office application (Word, Excel, PowerPoint), which is what feeds the Recent list inside the application; essentially it is a record of the user's recent activity within Office, and only Office.
Each entry is a value named Item 1, Item 2, ... (Item 1 is the most recent) whose string data has the form [F<8 hex digits>][T<16 hex digits>][O<8 hex digits>]*<full path>. The T field is the time the file was last opened, a 64-bit FILETIME written in hexadecimal, and the path after the asterisk carries the file name. So for each file you get the MRU order, the full path, the file name and an individual last-access time, plus the key's last write time. On newer Office versions with a signed-in account the list may sit under a LiveId_... or ADAL_... subkey of File MRU.
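Both UserAssist (above) and the Office File MRU encode their timestamps as 64-bit FILETIMEs, and UserAssist additionally hides its value names with ROT13. The following is an added example, not code from the notes: it decodes a ROT13 UserAssist name, parses the 72-byte Windows 7+ record (run count, focus count, focus time, last executed), parses an Office MRU item string, and lists the entries newest first. The value data is constructed here with a helper so that it runs offline; on a real case the dictionaries would come from the exported NTUSER.DAT (for example via Registry Explorer or python-registry).

```python
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# GUID subkeys under UserAssist (real names): executables vs. shortcut launches.
UA_EXE_GUID = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
UA_LNK_GUID = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    """Inverse of filetime_to_dt; used here only to build the constructed samples."""
    return ((dt - _EPOCH) // timedelta(microseconds=1)) * 10


def parse_userassist_value(name, data):
    """Decode one UserAssist value: ROT13 name plus the 72-byte Windows 7+ record.
    Layout: 0 session id, 4 run count, 8 focus count, 12 focus time (ms),
    16-55 ten floats, 56 unknown, 60 last-executed FILETIME, 68 unknown."""
    if len(data) != 72:
        raise ValueError("unexpected UserAssist record size %d" % len(data))
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
    (ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "path": codecs.decode(name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_executed": filetime_to_dt(ft) if ft else None,
    }


def parse_userassist_key(key):
    """key: {guid: {value_name: data}} taken from ...\\UserAssist\\<GUID>\\Count.
    Returns entries newest first; focus fields under the shortcut GUID are untrustworthy."""
    rows = []
    for guid, values in key.items():
        for name, data in values.items():
            row = parse_userassist_value(name, data)
            row["via_shortcut"] = guid.upper() == UA_LNK_GUID
            rows.append(row)
    rows.sort(key=lambda r: r["last_executed"] or _EPOCH, reverse=True)
    return rows


_OFFICE_MRU = re.compile(r"^\[F([0-9A-F]{8})\]\[T([0-9A-F]{16})\]\[O([0-9A-F]{8})\]\*(.+)$")


def parse_office_mru_item(item):
    """Office 'File MRU' item: [F<flags>][T<FILETIME hex>][O<...>]*<full path>."""
    m = _OFFICE_MRU.match(item)
    if not m:
        raise ValueError("not an Office MRU item: %r" % item)
    return {"path": m.group(4), "last_opened": filetime_to_dt(int(m.group(2), 16))}


# ---- constructed sample data (hypothetical, not from a real system) ----
SAMPLE_RUN = datetime(2024, 3, 15, 10, 30, tzinfo=timezone.utc)


def _ua_record(run_count, focus_count, focus_ms, last_run):
    rec = bytearray(72)
    struct.pack_into("<4I", rec, 0, 0, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", rec, 60, dt_to_filetime(last_run))
    return bytes(rec)


SAMPLE_USERASSIST = {
    UA_EXE_GUID: {  # "C:\Windows\System32\cmd.exe" after ROT13
        "P:\\Jvaqbjf\\Flfgrz32\\pzq.rkr": _ua_record(7, 12, 95_000, SAMPLE_RUN),
    },
    UA_LNK_GUID: {  # "Word.lnk" after ROT13, launched through a shortcut
        "Jbeq.yax": _ua_record(2, 0, 0, SAMPLE_RUN - timedelta(days=1)),
    },
}
SAMPLE_OFFICE_ITEM = ("[F00000000][T%016X][O00000000]*C:\\Users\\alice\\Documents\\report.docx"
                      % dt_to_filetime(SAMPLE_RUN))
```

All times come out in UTC; convert to the machine's time zone (from the SYSTEM hive's TimeZoneInformation) only when presenting them, and keep the raw FILETIME in the report so the conversion can be checked.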
SAM hive
Location: C:\Windows\System32\config\SAM (loaded as HKEY_LOCAL_MACHINE\SAM)
SAM stands for Security Account Manager. The SAM hive stores and organises the information about each local user on the system: the account names, the relative identifier (RID) of each account, logon dates and times, the logon count, the logon password hashes, and group membership. There are default groups built into the machine, and additional user groups can be created.
What to work out from it: identify each user account by its RID, resolve user names to RIDs and back, read the last logon and password-change times and the logon count, interpret the machine identifier and the security identifiers (SIDs), which may be machine- or domain-issued, and recover the password hashes, which is the starting point for attempting to recover the logon password (covered below).
Layout:
• SAM\Domains\Account\Users\<RID in hex>: one subkey per account. Its F value holds the timestamps (last logon, password last set, account expiry, last failed logon) and the logon count; its V value holds the user name, full name, comment and the encrypted password hashes.
• SAM\Domains\Account\Users\Names\<username>: maps a name to its RID; the RID is stored as the type field of the subkey's default value, which is why tools show it in the type column.
Security identifiers are broken down into three parts: the issuing authority, the machine or domain identifier, and the RID, which identifies the individual user or group.
Here's a breakdown of a SID such as S-1-5-21-4170029212-1172637219-3505949841-1001:
• S: Indicates a Security Identifier
• 1: Revision (always 1)
• 5: Issuing authority (5 = NT Authority)
• 21: First sub-authority; 21 (SECURITY_NT_NON_UNIQUE) marks an account SID issued by a local machine or a domain
• 4170029212-1172637219-3505949841: Machine identifier (three 32-bit values generated at installation, or the domain identifier for domain accounts); the same value appears in every account SID on that machine
• 1001: Relative Identifier (RID), a unique identifier for a specific user or group within that machine. 500 is the built-in Administrator, 501 the Guest, and accounts created later get 1000 and up.
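SIDs appear in the registry both as text (ProfileList subkey names, BAM, MountPoints2 owners) and as binary blobs (SAM V values, LSA data), and the SAM stores each account under its RID written as eight hexadecimal digits. The following is an added example, not code from the notes: it splits a textual SID into the parts listed above, converts between the textual and the binary SID layout, and maps SAM Users subkey names to RIDs and full SIDs. The machine SID and subkey names are constructed from the example above.

```python
import struct

WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 503: "DefaultAccount",
                   504: "WDAGUtilityAccount"}


def parse_sid_string(sid):
    """Break a textual SID into revision, authority, sub-authorities and, for
    S-1-5-21-... account SIDs, the machine/domain identifier and the RID."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    info = {
        "revision": int(parts[1]),
        "authority": int(parts[2]),
        "sub_authorities": [int(p) for p in parts[3:]],
    }
    subs = info["sub_authorities"]
    if info["authority"] == 5 and len(subs) == 5 and subs[0] == 21:
        info["machine_or_domain_id"] = "-".join(str(s) for s in subs[1:4])
        info["rid"] = subs[4]
        info["well_known"] = WELL_KNOWN_RIDS.get(subs[4])
    return info


def sid_from_bytes(blob):
    """Binary SID as found in registry data: revision (1 byte), sub-authority count (1),
    authority (6 bytes, big-endian), then count x 32-bit little-endian sub-authorities."""
    revision, count = blob[0], blob[1]
    if len(blob) < 8 + 4 * count:
        raise ValueError("truncated SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_to_bytes(sid):
    """Inverse of sid_from_bytes; useful when carving a known SID out of binary data."""
    info = parse_sid_string(sid)
    subs = info["sub_authorities"]
    return (bytes([info["revision"], len(subs)]) + info["authority"].to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sam_user_subkey(rid):
    """SAM\\Domains\\Account\\Users\\<name>: the subkey name is the RID as 8 hex digits."""
    return "%08X" % rid


def rid_from_sam_subkey(name):
    return int(name, 16)


def resolve_sam_users(machine_sid, users_subkeys):
    """Map each Users\\<hex> subkey name to the account's full SID, given the machine
    SID (S-1-5-21-x-y-z) and the subkey names; the 'Names' subkey is not an account."""
    out = {}
    for name in users_subkeys:
        if name.upper() == "NAMES":
            continue
        out[name] = "%s-%d" % (machine_sid, rid_from_sam_subkey(name))
    return out


# Constructed sample: the SID from the notes and hypothetical SAM subkey names.
SAMPLE_SID = "S-1-5-21-4170029212-1172637219-3505949841-1001"
SAMPLE_MACHINE_SID = "S-1-5-21-4170029212-1172637219-3505949841"
SAMPLE_USERS_SUBKEYS = ["000001F4", "000001F5", "000003E9", "Names"]
```

Searching an image for the binary form (sid_to_bytes) as well as the text form finds references that a plain string search misses, for example in SECURITY\Policy or in MountPoints2-related data.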
Password Hashes
• A few things to remember: there is no plaintext password stored in the SAM file.
• The SAM holds the NT hash of each password: MD4 of the password encoded as UTF-16LE, 128 bits (16 bytes), with no salt. Older systems may also hold the much weaker LM hash (DES-based, upper-cased, limited to 14 characters); modern Windows stores only the empty LM value.
• Inside the SAM the hashes are stored encrypted. The key is derived from the boot key (SysKey), which is assembled from the class names of four keys in the SYSTEM hive (ControlSet\Control\Lsa\JD, Skew1, GBG and Data). Windows 10 1607 and later use AES for this layer; earlier versions used RC4 and DES.
• So to decrypt the hashes and then attempt to recover the logon password you need both the SAM and the SYSTEM hive files.
This is a repeatable password-recovery methodology tailored to NT hashes.
1. Export the SAM and SYSTEM hives from the forensic image (C:\Windows\System32\config\SAM and \SYSTEM).
2. Use a tool to decrypt the stored hashes with the boot key from SYSTEM, for example Impacket's secretsdump.py (secretsdump.py -sam SAM -system SYSTEM LOCAL), samdump2, or Mimikatz (lsadump::sam). The output is one line per account in the form user:RID:LM hash:NT hash:::.
3. Build a wordlist from your case. The reasoning is that a word found somewhere on that hard drive (documents, browser history, other recovered passwords) is far more likely to be the password than an entry in a generic list. Forensic suites such as X-Ways, FTK and Axiom can all export a wordlist from an image.
4. Run a dictionary attack with that wordlist using a cracker such as John the Ripper (--format=NT), hashcat (-m 1000) or Cain & Abel. Because NT hashes are unsalted, each candidate is hashed once and compared against every account at the same time.
5. If the dictionary attack fails, run a rule-based or brute-force attack against the recovered NT hashes with hashcat or John. Brute force of short or simple passwords is fast because MD4 is a very fast hash. Mimikatz extracts hashes; it is not a cracking tool.
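The methodology above in working code, as an added example that is not part of the notes: a pure-Python MD4 (hashlib's MD4 is often disabled under OpenSSL 3), the NT hash derived from it, a parser for secretsdump-style user:RID:LM:NT::: lines, a dictionary attack with a few mangling rules, and a brute-force fallback for short passwords. The dump lines and wordlist are constructed for the example; only the hash of "password" is the well-known NT test value. For real work use hashcat or John; this block shows why unsalted NT hashes crack so cheaply, not how to crack them fast.

```python
import itertools
import struct

_MASK = 0xFFFFFFFF


def md4(message):
    """Pure-Python MD4 (RFC 1320): three rounds of 16 operations per 64-byte block."""
    def rol(x, n):
        return ((x << n) | (x >> (32 - n))) & _MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(message) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(message) * 8) & 0xFFFFFFFFFFFFFFFF)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack_from("<16I", msg, off)
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a = rol((a + f(b, c, d) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rol((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rol((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & _MASK, (b0 + b) & _MASK, (c0 + c) & _MASK, (d0 + d) & _MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password):
    """NT hash = MD4 over the UTF-16LE password. No salt: equal passwords hash equally."""
    return md4(password.encode("utf-16-le")).hex()


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty/absent password


def parse_dump_line(line):
    """One line of secretsdump/pwdump output: user:RID:LM:NT:::"""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
            "lm_present": lm.lower() != EMPTY_LM}


def candidates(word):
    """Cheap mangling rules in the spirit of a cracker's rule file."""
    for base in (word, word.capitalize()):
        yield base
        yield base + "1"
        yield base + "!"
        yield base + "2024"


def dictionary_attack(entries, wordlist):
    """Hash every candidate once and look it up against all accounts at the same time.
    Returns {user: recovered password or None}."""
    targets = {e["nt"]: e["user"] for e in entries}
    found = {}
    for word in wordlist:
        for cand in candidates(word):
            hit = targets.get(nt_hash(cand))
            if hit and hit not in found:
                found[hit] = cand
    return {e["user"]: found.get(e["user"]) for e in entries}


def brute_force(target_nt, charset="0123456789", max_len=4):
    """Exhaustive search for short passwords; fine for a PIN, hopeless beyond a
    few characters in pure Python."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            cand = "".join(combo)
            if nt_hash(cand) == target_nt.lower():
                return cand
    return None


# Constructed sample dump (hypothetical accounts, not from a real system).
SAMPLE_DUMP = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "alice:1001:aad3b435b51404eeaad3b435b51404ee:%s:::" % nt_hash("Winter!"),
    "bob:1002:aad3b435b51404eeaad3b435b51404ee:%s:::" % nt_hash("1984"),
]
SAMPLE_WORDLIST = ["winter", "company", "password"]
```

Two accounts sharing an NT hash share a password, which is visible in the dump before any cracking; note such matches in the report, as they often reveal password reuse between a user account and an administrative one.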
Software hive:
• The SOFTWARE hive file is loaded as HKEY_LOCAL_MACHINE\SOFTWARE
• Location: C:\Windows\System32\config\SOFTWARE
• Installed programs and applications (Microsoft\Windows\CurrentVersion\Uninstall)
• Operating system type, version and install date and time (Microsoft\Windows NT\CurrentVersion: ProductName, CurrentBuild, RegisteredOwner, and InstallDate as a Unix timestamp)
• Wireless and wired network profiles (Microsoft\Windows NT\CurrentVersion\NetworkList)
• File associations (Classes)
• Logon information (last logged-on user)
• Attached devices (Windows Portable Devices)
Logon information:
○ LogonUI: tracks the last logged-on user (Microsoft\Windows\CurrentVersion\Authentication\LogonUI)
• Key Forensic Data:
○ Last logged-on user:
▪ Username (LastLoggedOnUser, LastLoggedOnSAMUser): who last accessed the system interactively.
▪ Security Identifier (LastLoggedOnUserSID): ties the username to a unique identity.
○ Autologon details (Microsoft\Windows NT\CurrentVersion\Winlogon):
▪ AutoAdminLogon, DefaultUserName and DefaultDomainName identify an account that logs on automatically; a DefaultPassword value, if present, holds its password in clear text.
○ Legal notices (LegalNoticeCaption and LegalNoticeText under Winlogon, or under Policies\System):
▪ The text displayed before logon; useful in corporate environments to show the user was warned (a consent banner) and for compliance.
○ Timestamps:
▪ Last write time of the LogonUI key: when it was last updated, i.e. roughly when the last logon happened.
Autostart Locations:
• Subkeys:
○ Run: programs launched at every logon.
○ RunOnce: programs run once; the value is deleted before the command runs (or after it, if the value name starts with !).
• Key Forensic Data:
○ Identifies potential malware or unauthorised programs set to run automatically.
○ The key's last write time helps pinpoint when entries were added or changed; the values themselves carry no timestamp.
• Path: Microsoft\Windows\CurrentVersion\Run and ...\RunOnce (the same subkeys under HKCU hold per-user entries).
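The Run and RunOnce keys described here and in the NTUSER section above are short lists, but across several hives and users they are worth triaging mechanically. The following is an added example, not code from the notes: given exported Run/RunOnce values (hive, key, key last write time, value name to command line), it flags the things an analyst checks by hand: commands in user-writable folders, living-off-the-land binaries, encoded PowerShell, unquoted paths with spaces, remote paths, and the RunOnce ! and * prefixes. The entries are constructed for the example; the flags are leads, not verdicts.

```python
import re

# Heuristics, not a verdict: every hit still needs the file itself examined.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\", "\\recycle")
LOLBINS = ("rundll32", "regsvr32", "mshta", "wscript", "cscript", "powershell",
           "pwsh", "cmd.exe", "cmd /", "certutil", "msiexec", "bitsadmin")
_ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)
_UNQUOTED_SPACED = re.compile(r"^[a-z]:\\\S*\s.*?\.exe", re.I)


def triage_entry(hive, key, name, command):
    """Return the list of flags raised by one Run/RunOnce value (empty = nothing odd)."""
    flags = []
    low = command.lower()
    if key.lower() == "runonce":
        if name.startswith("!"):
            flags.append("runonce-deleted-after-run")  # '!' defers deletion, not persistence
        if name.startswith("*"):
            flags.append("runonce-safe-mode")
    if any(d in low for d in USER_WRITABLE):
        flags.append("user-writable-path")
    if any(l in low for l in LOLBINS):
        flags.append("lolbin")
    if _ENCODED_PS.search(command):
        flags.append("encoded-powershell")
    if not command.startswith('"') and _UNQUOTED_SPACED.match(command):
        flags.append("unquoted-path-with-spaces")
    if low.startswith("\\\\") or "//" in low:
        flags.append("remote-path")
    return flags


def triage_autostarts(exported):
    """exported: [(hive, key, key_last_write_iso, {value_name: command}), ...].
    Returns rows with flagged entries first, and within each group newest key first."""
    rows = []
    for hive, key, last_write, values in exported:
        for name, command in values.items():
            rows.append({"hive": hive, "key": key, "key_last_write": last_write,
                         "name": name, "command": command,
                         "flags": triage_entry(hive, key, name, command)})
    rows.sort(key=lambda r: r["key_last_write"], reverse=True)
    rows.sort(key=lambda r: not r["flags"])  # stable: keeps the time order within groups
    return rows


# Constructed sample export (hypothetical entries, not from a real system).
SAMPLE_EXPORT = [
    ("HKLM", "Run", "2024-03-01T08:00:00Z", {
        "SecurityHealth": "%windir%\\system32\\SecurityHealthSystray.exe",
        "VendorUpdater": "C:\\Program Files\\Vendor\\updater.exe /background",
    }),
    ("HKCU", "Run", "2024-03-14T22:41:10Z", {
        "OneDrive": "\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background",
        "WinUpdate": "powershell.exe -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFB",
    }),
    ("HKCU", "RunOnce", "2024-03-14T22:41:12Z", {
        "!cleanup": "rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\svc.dll,Start",
    }),
]
```

Legitimate software (OneDrive, updaters in AppData) trips the user-writable rule too, so the output is a review list ordered by suspicion, and the key last write time tells you which entries appeared inside the incident window.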
File Associations:
• Tracks which applications are associated with specific file types.
• Example:
○ .docx files open with Microsoft Word or another program like OpenOffice.
• Useful for determining user preferences or anomalies.
• Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes
Printers:
• Subkey:
○ Microsoft\Windows NT\CurrentVersion\Print\Printers
• Key Forensic Data:
○ List of installed printers, including virtual ones such as Send to OneNote and Microsoft Print to PDF.
○ Port and driver metadata per printer; for devices tied to online accounts, the associated account details.
Network profiles:
• Subkeys:
○ Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}: ProfileName (SSID or network name), DateCreated and DateLastConnected (stored as 16-byte SYSTEMTIME structures), NameType (0x47 wireless, 0x06 wired, 0x17 mobile broadband)
○ Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed and \Unmanaged: each entry references a ProfileGuid and records DefaultGatewayMac and Description
Managed subkey: the Managed subkey indicates a managed network, such as a domain.
Unmanaged subkey: the Unmanaged subkey indicates a simple network connection, such as a home router or wireless access point. The DefaultGatewayMac is the MAC address of the gateway, which can often be geolocated through wireless access point databases.
2. Installed and default browsers
• Identify which browsers are installed on the system.
• Determine which browser is set as the default (the default value of Clients\StartMenuInternet; on Windows 8 and later the user's own choice is under HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice).
• Potentially change the default browser through modifications to this registry entry.
Subkey name: StartMenuInternet
This is the subkey within the SOFTWARE hive where installed web browsers register themselves. Each browser has its own subkey with its display name and the path to its executable (shell\open\command).
• Location: SOFTWARE\Clients\StartMenuInternet\ (32-bit browsers on a 64-bit system appear under SOFTWARE\WOW6432Node\Clients\StartMenuInternet\)
Connected Devices
USB devices
Subkey name: Devices
The Devices subkey tracks Windows Portable Devices (WPD), so it records USB devices such as phones, cameras and media players as well as mass-storage devices. Subkey names embed the device identifier and serial number, and the FriendlyName value holds the volume label or device name.
• Location: Microsoft\Windows Portable Devices\Devices
EMDMgmt subkey
Location: Microsoft\Windows NT\CurrentVersion\EMDMgmt
This key belongs to ReadyBoost (External Memory Device Management), which tests removable volumes for use as a cache. Two things in its subkey names are very important to us: the volume name and the volume serial number. Each subkey name is built from the device identifier, the volume label and the volume serial number written in decimal (convert it to hexadecimal to compare with other artifacts). The key is not always populated, and an entry does not always carry both the volume name and the serial number, but when it does it is like the holy grail of an investigation, because those two values let you track the device back to link (.lnk) files on the system very easily: a shortcut stores the volume serial number and label of the volume its target was on. Note that EMDMgmt is not populated on systems whose system drive is an SSD, because ReadyBoost is disabled there.
System Hive
The SYSTEM hive contains configuration and settings for the system and for devices that have been attached to it, such as USB and other portable devices. It also holds the services and drivers started by the system itself. These are auto-start programs that run with little or no interaction from the user, who may not even be aware they are running.
Loaded as: HKEY_LOCAL_MACHINE\SYSTEM
Location: C:\Windows\System32\config\SYSTEM
Topics: the computer name, the last shutdown time, the crash dump settings and location, the services set to run (started by the system, not by the user), the setting that says whether file last-access timestamps are being updated, and USB device history.
Last access timestamps: the setting is NtfsDisableLastAccessUpdate under ControlSet001\Control\FileSystem. A value of 1 (the default since Vista) means NTFS does not update last-access times when files are read, so the file system's LastAccess timestamps cannot be relied on; 0 means they are updated. Windows 10 1803 and later use values 0 to 3, where 0 and 2 mean updates are enabled (user- or system-managed) and 1 and 3 mean disabled. Check this before drawing any conclusion from a last-access time.
Control sets: a system has at least two control sets (ControlSet001, ControlSet002, possibly more). On a live machine CurrentControlSet is a link to one of them; in an exported hive there is no CurrentControlSet, so read the Select key: its Current value holds the number of the control set in use (1 = ControlSet001), LastKnownGood the fallback, and Failed the last set that failed to boot. Examine the current set first, but do not ignore the others, as they may hold historical information or the specific thing you are looking for.
Computer Name:
Location: ControlSet001\Control\ComputerName\ComputerName (value ComputerName); ControlSet001\Control\ComputerName\ActiveComputerName holds the name currently in use, which differs only when the name was changed and the machine has not yet rebooted
The computer name is either what the user typed during setup and installation or the name the machine shipped with from the factory. It may not tell you much on its own, but document it in the report: in a large intrusion or incident response involving several computers you do not want confusion about which information came from which system. Compare it with the host name in ControlSet001\Services\Tcpip\Parameters (Hostname, NV Hostname) and with the computer name recorded in event logs and other artifacts.
Memory management
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management (ControlSet001\... in an exported hive)
A set of settings that control how Windows allocates and manages RAM: the size of the system cache, session space, and how paging between RAM and disk is handled. Administrators can tune these values, so unusual settings are worth noting, but the forensic interest is mainly the page file settings.
Page File Settings:
The page file (swap file) is where the system writes memory pages that are resident but not in active use, to free RAM for new allocations when memory is tight. It can therefore contain fragments of process memory (passwords, documents, network data) and is worth examining.
• ClearPageFileAtShutdown: 0 means the page file is not cleared at shutdown (the default); 1 means it is overwritten at shutdown, so whatever it held is gone from the image. We want to know which.
• PagingFiles: the location(s) and size(s) of the page file (default C:\pagefile.sys); ExistingPageFiles lists the ones currently in use.
Crash dumps:
Location: ControlSet001\Control\CrashControl
Values: CrashDumpEnabled (0 none, 1 complete, 2 kernel, 3 small, 7 automatic), DumpFile (default %SystemRoot%\MEMORY.DMP), MinidumpDir (default %SystemRoot%\Minidump)
Purpose: indicates whether crash dump files are written and where they are stored; a crash dump is a memory image captured at the moment of the crash and can be analysed like a memory capture.
Services:
Location: ControlSet001\Services
The Services subkey lists the services and drivers that are started when the system boots, and it is a possible location for persistent malware. As said, these run without interaction from the user, usually without the user knowing they are running. Anyone wanting malware to survive every reboot could register it as a service, and it would run with high privileges, because most services run as SYSTEM rather than as the logged-on user.
Key: Services\<service name>
Values: ImagePath (the executable or driver file; services hosted in svchost.exe have the real code in Parameters\ServiceDll), DisplayName, Description, ObjectName (the account the service runs as), Type (0x1 or 0x2 driver, 0x10 own process, 0x20 shared process), Start (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled)
Purpose: lists services started by the system, potential locations for persistent malware. Triage tips: look for Start = 2 services whose ImagePath is outside C:\Windows or C:\Program Files, services with no Description, ServiceDll paths in user-writable folders, and compare each service key's last write time with the incident window.
Prefetch Parameters:
Key: Control\Session Manager\Memory Management\PrefetchParameters
Values: EnablePrefetcher, EnableSuperfetch
Location: ControlSet001\Control\Session Manager\Memory Management\PrefetchParameters
Purpose: EnablePrefetcher shows whether prefetching is on: 0 disabled, 1 application launch prefetching only, 2 boot prefetching only, 3 both (the default). If it is 0 (for example disabled by policy), do not expect C:\Windows\Prefetch\*.pf files as execution evidence; if it is 2, application prefetch files will be absent even though the folder exists.
USB Device:
USB device tracking in Windows means examining the registry keys that store information about connected and mounted USB devices. The main key is USBSTOR (HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR), which records USB mass-storage devices that have been connected to the system. Under it there is one subkey per device model, named Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>, and under that one subkey per physical device, named with the device serial number and an instance suffix (<serial>&0). If the second character of that name is &, the device did not supply a serial number and Windows generated an identifier, so the same device gets a different identifier on another machine. Each device entry has a FriendlyName and, under Properties, the installation, connection and disconnection timestamps. Related keys: Enum\USB (vendor and product IDs for every USB device, not only storage), Control\DeviceClasses (the disk and volume device-interface GUIDs, keyed by the same serial), and the SOFTWARE hive's Windows Portable Devices\Devices.

Another crucial key is MountedDevices (HKLM\SYSTEM\MountedDevices), which tracks mount points and drive-letter assignments: values named \DosDevices\E: hold the device that letter was last assigned to, and values named \??\Volume{GUID} map volume GUIDs to devices. For a fixed MBR disk the data is 12 bytes (4-byte disk signature plus 8-byte partition offset); for a USB device it is a UTF-16LE string beginning with _??_USBSTOR# that embeds the vendor, product, revision and serial, so it ties directly back to the USBSTOR subkey. The volume GUID in turn ties to the MountPoints2 key in a user's NTUSER.DAT, which shows who mounted the volume. Together these keys let an analyst reconstruct historical USB connections, detect unauthorised device usage and gather evidence of how a device was used on the system.

In Windows 10 the USBSTOR key logs four important timestamps per device, stored under the device's Properties\{83da6326-97a6-4088-9453-a1923f573b29} subkey, each as a 64-bit FILETIME in the (Default) value of a numbered subkey: 0064 first install (initial connection), 0065 last install (driver update or reinstall), 0066 last arrival (last connection) and 0067 last removal (last disconnection). Only the most recent arrival and removal are kept, so earlier connections have to come from the event logs (Microsoft-Windows-Partition/Diagnostic event 1006, Microsoft-Windows-DriverFrameworks-UserMode) or from C:\Windows\INF\setupapi.dev.log, which records the first installation with a local-time stamp. Additionally, the device's Device Parameters subkey contains Partmgr, which provides further device management details. This data is valuable for tracking USB activity.
Partmgr:
The Partmgr (Partition Manager) subkey, under the device's Device Parameters subkey in USBSTOR, contains details about the connected USB device: its DiskId, a GUID that uniquely identifies the disk and can be searched throughout the registry (and other hives) to correlate entries, and PartitionTableCache, which caches the device's partition table information, including the Partition GUID or Volume GUID when the device is recognised as a fixed disk.
When analysing this data, the presence of an EFI System Partition indicates a GPT-partitioned disk. For a GPT disk the PartitionTableCache includes the 16-byte Disk GUID, which identifies the disk itself, not just a partition type, and it is the same GUID that MountedDevices uses for GPT volumes. This is crucial for forensic analysis because it ties a USBSTOR device to MountedDevices and other registry entries and tells you how the device was formatted and used on the system.
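The USBSTOR, MountedDevices and MountPoints2 correlation described above, as an added example that is not code from the notes: it decodes a MountedDevices value for a USB mass-storage device (vendor, product, revision, serial, whether the serial came from the device), groups drive letters and volume GUIDs per device, attaches the users whose MountPoints2 key lists one of those GUIDs, and decodes the 0064 to 0067 FILETIME properties. The registry values are constructed for the example; the device-interface GUID and the property GUID are the real Windows identifiers.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

USB_DEVICE_PROPS = "{83da6326-97a6-4088-9453-a1923f573b29}"
PROP_NAMES = {"0064": "first_install", "0065": "last_install",
              "0066": "last_arrival", "0067": "last_removal"}
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_MD_USB = re.compile(r"^_\?\?_USBSTOR#(?P<model>[^#]+)#(?P<instance>[^#]+)#\{(?P<class_guid>[^}]+)\}$")


def filetime_to_dt(ft):
    return _EPOCH + timedelta(microseconds=ft // 10)


def _ft(dt):  # inverse, used only to build the constructed samples
    return ((dt - _EPOCH) // timedelta(microseconds=1)) * 10


def parse_usb_properties(props):
    """props: {'0064': data, ...} from Properties\\{83da6326-...}\\00xx (Default) values.
    Each is an 8-byte FILETIME; missing or zero values come back as None."""
    out = {}
    for pid, label in PROP_NAMES.items():
        data = props.get(pid)
        if not data or len(data) < 8:
            out[label] = None
            continue
        (ft,) = struct.unpack_from("<Q", data, 0)
        out[label] = filetime_to_dt(ft) if ft else None
    return out


def parse_mounted_device(data):
    """Decode a MountedDevices value for a USB mass-storage device. The data is a UTF-16LE
    string: _??_USBSTOR#Disk&Ven_X&Prod_Y&Rev_Z#<serial>&<n>#{class GUID}. Returns None
    for anything else (fixed MBR disks store a 12-byte signature+offset instead)."""
    if len(data) % 2 or len(data) < 24:
        return None
    try:
        text = data.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return None
    m = _MD_USB.match(text)
    if not m:
        return None
    model, instance = m.group("model"), m.group("instance")
    serial = instance.rsplit("&", 1)[0]
    fields = dict(re.findall(r"(Ven|Prod|Rev)_([^&]*)", model))
    return {
        "vendor": fields.get("Ven", ""), "product": fields.get("Prod", ""),
        "revision": fields.get("Rev", ""), "serial": serial,
        # Windows-generated instance IDs have '&' as their second character.
        "serial_from_device": len(serial) > 1 and serial[1] != "&",
        "usbstor_key": "Enum\\USBSTOR\\%s\\%s" % (model, instance),
        "class_guid": m.group("class_guid").lower(),
    }


def correlate(mounted_devices, mountpoints2_by_user):
    """Group MountedDevices values by USB device, collecting drive letters, volume GUIDs
    and the users whose NTUSER MountPoints2 key lists one of those GUIDs."""
    devices = {}
    for name, data in mounted_devices.items():
        info = parse_mounted_device(data)
        if info is None:
            continue
        dev = devices.setdefault(info["usbstor_key"],
                                 dict(info, drive_letters=[], volume_guids=[], users=set()))
        if name.startswith("\\DosDevices\\"):
            dev["drive_letters"].append(name[len("\\DosDevices\\"):])
        elif name.startswith("\\??\\Volume"):
            guid = name[len("\\??\\Volume"):].lower()
            dev["volume_guids"].append(guid)
            for user, guids in mountpoints2_by_user.items():
                if guid in (g.lower() for g in guids):
                    dev["users"].add(user)
    return devices


# ---- constructed sample data (hypothetical device, not from a real system) ----
def _u16(s):
    return s.encode("utf-16-le")


_DEV = ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00#4C530001230229113234&0"
        "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
SAMPLE_MOUNTED = {
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4" + "0010000000000000"),  # fixed disk
    "\\DosDevices\\E:": _u16(_DEV),
    "\\??\\Volume{1f3e4a2c-77b1-11ee-8b5e-0800275e1234}": _u16(_DEV),
}
SAMPLE_MOUNTPOINTS2 = {"alice": ["{1F3E4A2C-77B1-11EE-8B5E-0800275E1234}"],
                       "bob": ["{7d2c9b10-3a4f-11ee-9c2d-0800275e9999}"]}
SAMPLE_FIRST = datetime(2023, 11, 2, 9, 15, tzinfo=timezone.utc)
SAMPLE_ARRIVED = datetime(2024, 3, 14, 22, 40, tzinfo=timezone.utc)
SAMPLE_REMOVED = SAMPLE_ARRIVED + timedelta(hours=1, minutes=5)
SAMPLE_PROPS = {"0064": struct.pack("<Q", _ft(SAMPLE_FIRST)),
                "0066": struct.pack("<Q", _ft(SAMPLE_ARRIVED)),
                "0067": struct.pack("<Q", _ft(SAMPLE_REMOVED))}
```

A drive letter in MountedDevices only records the last device it was assigned to, so the volume GUID entries and the per-user MountPoints2 keys are what establish which user mounted which device; combine them with the 0066/0067 times to bound the last session.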
AppCompat Cache (ShimCache):
The AppCompatCache, created by Microsoft for application compatibility, decides whether a program needs a compatibility shim (for example so that older programs run on newer or 64-bit systems). It records the file path, the file's last modified time (the $STANDARD_INFORMATION modification time, not the time of use) and, on older Windows versions, the file size and an execution flag. The cache lives in memory and is written to the SYSTEM hive only at shutdown or reboot, under ControlSet001\Control\Session Manager\AppCompatCache (value AppCompatCache), so the hive copy lags the live state. It holds entries for executables, batch files, DLLs and similar files.
For forensic investigations, AppCompatCache is valuable because it retains records of deleted or uninstalled applications, making it useful for detecting previously present programs and potential malware. On Windows 10 it does not confirm execution (an entry is created when Explorer merely lists or inspects the file), but it is strong evidence that the file existed at that path, which makes it an important resource for incident responders analysing system compromises. Parse it with AppCompatCacheParser (Eric Zimmerman); the order of entries is the most reliable timing information it offers.
BAM (Background Activity Moderator):
Path: ControlSet001\Services\bam\State\UserSettings\<user SID> (on Windows 10 1709 the State level is absent: Services\bam\UserSettings\<SID>)
Each value name is the full path of an executable and the first 8 bytes of its data are the FILETIME of the last execution. DAM (Desktop Activity Moderator) has the same layout under Services\dam.
Note: unlike AppCompatCache, BAM confirms execution and links it to a user (the SID in the key path) with a last-run timestamp, on Windows 10 1709 and later.
UsrClass.dat hive
Location: C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat (loaded as HKEY_USERS\<SID>_Classes and exposed as HKCU\Software\Classes)
ShellBags: the BagMRU and Bags keys record how Explorer displayed each folder the user browsed, which means they record which folders (and zip files, which Explorer treats as folders) the user opened, including ones on removable media or since deleted. Additionally, this hive holds the recent files of the Microsoft Photos app, which further helps in tracking user activity and file access history.
Location: Local Settings\Software\Microsoft\Windows\Shell\BagMRU and ...\Shell\Bags (ShellBags also exist in NTUSER.DAT under Software\Microsoft\Windows\Shell, mainly for older desktop and network items)
Tools:
Eric Zimmerman's ShellBags Explorer
Registry Explorer
One of the key subkeys within UsrClass.dat is ManagedByApp, which tracks images opened with the Microsoft Photos app. Each entry records a Volume GUID, which links the file to its storage device, whether a local drive or a removable USB device, the full file path of the image, and a date and time stamp, making it possible to determine when the file was accessed. The registry path for ManagedByApp is deeply nested:
Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Photos_8wekyb3d8bbwe\PersistedStorageItemTable\ManagedByApp
Another critical subkey is MuiCache, which records user-specific program execution: an application's friendly name is cached here when its window is first displayed. Unlike ManagedByApp it does not store an individual timestamp per application, only the key's last write time, but it retains the full file path of the executed applications, making it useful for tracking software usage. Even if a user uninstalls a program, evidence of its execution remains in MuiCache, which can be crucial in forensic cases involving anti-forensic tools such as CCleaner or steganography applications. The registry path for MuiCache is:
Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Registry Explorer is the usual tool for analysing these subkeys. By examining ManagedByApp, investigators can identify the files a user accessed and determine whether they were stored on an external device or the local system. The analysis works through the GUID entries, which correspond to specific images and volumes, and the timestamps can be decoded with a tool such as DCode to confirm the time correlation.
To confirm findings, cross-reference the data across hives. ShellBags (UsrClass.dat) store the folder interaction history; the NTUSER.DAT hive's MountPoints2 key records the volume GUIDs of removable storage devices the user mounted; and the SYSTEM hive (USBSTOR and Partmgr's PartitionTableCache) provides the USB device's serial number, connection history and partition structure. Linking these sources establishes a clear timeline of user activity.
A significant use of ManagedByApp is connecting a USB device to a user account. Even if a suspect removes the storage device, the registry evidence confirms its previous presence and use, and the linked SYSTEM hive entries give the installation time, serial number, driver information and connection history, which matter in cases involving illicit content or unauthorised file access.
Similarly, MuiCache provides evidence of program execution that survives removal or deletion of the application, which is useful when suspects try to cover their tracks by uninstalling forensic tools, hacking software or applications used for illegal activities. MuiCache lacks an exact timestamp per application launch, but its data still identifies the kinds of programs the user interacted with.
AmCache Hive:
The AmCache hive, located at C:\Windows\AppCompat\Programs\Amcache.hve, was introduced in Windows 8 and stores an inventory of applications and executables seen on the system, including ones run from removable media and ones since deleted. It records timestamps (the file's link/compile and modification dates, the install date for applications, and the key's last write time, which is when the entry was recorded, not necessarily an execution time), executable details (name, version, publisher, full path, size, uninstall string), and the SHA-1 hash of the file, stored in the FileId value as a 44-character string: four leading zeros followed by the 40 hexadecimal digits of the SHA-1, so strip the zeros before searching the hash elsewhere. For files larger than about 31 MB the hash covers only the first 31,457,280 bytes.
Additionally, it logs volume GUIDs, container IDs of connected devices and related registry paths. Several subkeys provide critical forensic insight: DeviceCensus describes the hardware (processor, firmware, OS edition); InventoryApplicationFile stores the full path and hash of each executable, including ones executed from USB drives (older versions keep this under Root\File); InventoryApplication records program metadata and install details; InventoryDriverBinary lists drivers and InventoryDevicePnp lists Plug and Play devices. Parse it with AmcacheParser (Eric Zimmerman). An entry shows the file was present and inventoried; on its own it is not proof of execution, so pair it with BAM, Prefetch or UserAssist for that.