34 Windows Registry - University of Rhode Island, CSC414
CSC414 Computer System Fundamentals
THINK BIG WE DO
URI http://www.forensics.cs.uri.edu
Digital Forensics Center, Department of Computer Science and Statistics
The Windows Registry
Windows Registry
Hardware & software information
- Current and previously attached hardware
- User preferences and configuration settings
- Program usage and timestamps
Logical view
- Hierarchy of folders (keys)
- Five top-level categories (hives)
- Viewed using regedit.exe, regedt32.exe or specialized programs such as AccessData Registry Viewer
Physical view
- Actual files containing registry data
- Transaction log of changes
Registry Hives
Top-level logical grouping of keys

| Hive Name | Abbreviation | Description |
| --- | --- | --- |
| HKEY_LOCAL_MACHINE | HKLM | Local system hardware, device drivers, services, and machine-specific application data information |
| HKEY_USERS | HKU | Pre-logon default user profile information for all users on the system |
| HKEY_CURRENT_USER | HKCU | Currently logged on user profile information; link to the user's key in HKU |
| HKEY_CLASSES_ROOT | HKCR | Link to a subkey in HKLM that contains configuration and file associations for installed software |
| HKEY_CURRENT_CONFIG | HKCC | Link to a subkey in HKLM that contains the current hardware configuration and some per-computer application settings |
Registry Keys: Attributes
- Reference path name
  - Uses the \ character to separate levels
  - Not the file name of a key
- Permissions
  - Can be set for a user or group
- Last Access
  - Need a third-party Registry editor to view key properties
Example: HKEY_CURRENT_USER\Control Panel\Cursors
Registry Keys: Values
- Name
  - (Default) is the default value for the key
- Type
  - Used to interpret the data bytes
- Size of data
- Data
  - Actual data for the value

| Type | Name | Meaning |
| --- | --- | --- |
| REG_NONE | No Type | just raw bytes |
| REG_BINARY | Binary | binary data value |
| REG_DWORD | Double Word | four byte value |
| REG_SZ | String | single line string terminated by a null character |
| REG_EXPAND_SZ | Expandable String | commonly used for environment variables |
| REG_MULTI_SZ | Multi-line String | each line is terminated by a null character |
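As an added example (not part of the slides), a Python decoder that interprets raw value bytes according to the Type column above; the numeric type codes, the %VAR% expansion helper and the constructed sample values are my own additions, not from the course material.

```python
import os
import re
import struct

# Numeric type codes are Windows' own (not listed on the slide)
REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 0, 1, 2, 3, 4, 7

def expand_env(text, env):
    # %NAME% -> env["NAME"]; names missing from env are left untouched
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), text)

def decode_value(vtype, data, env=None):
    """Interpret raw value bytes the way the Type column implies.

    Strings are UTF-16LE. REG_SZ/REG_EXPAND_SZ end in one null character;
    REG_MULTI_SZ ends each line with a null and the list with an extra null.
    Nulls are stripped rather than required, since not every writer adds them.
    """
    if vtype in (REG_NONE, REG_BINARY):
        return bytes(data)                       # raw bytes, caller interprets
    if vtype == REG_DWORD:
        if len(data) != 4:
            raise ValueError("REG_DWORD must be exactly 4 bytes")
        return struct.unpack("<I", data)[0]      # little-endian unsigned 32-bit
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        text = data.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        if vtype == REG_EXPAND_SZ:
            text = expand_env(text, dict(os.environ) if env is None else env)
        return text
    if vtype == REG_MULTI_SZ:
        text = data.decode("utf-16-le", errors="replace")
        # An empty string can only be a terminator, so drop empty pieces
        return [line for line in text.split("\x00") if line]
    raise ValueError(f"unsupported value type {vtype}")

def demo():
    # Constructed sample values (assumed, not taken from a real hive)
    env = {"SystemRoot": r"C:\Windows"}
    samples = {
        "cursor": (REG_EXPAND_SZ, "%SystemRoot%\\cursors\\arrow.cur\x00".encode("utf-16-le")),
        "count": (REG_DWORD, b"\x02\x00\x00\x00"),
        "text": (REG_SZ, "Hello".encode("utf-16-le")),          # missing null
        "list": (REG_MULTI_SZ, "a\x00b\x00\x00".encode("utf-16-le")),
    }
    return {name: decode_value(t, d, env) for name, (t, d) in samples.items()}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```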
Local Machine Hive: HKEY_LOCAL_MACHINE (HKLM)
- SYSTEM
  - Current system set up
  - ControlSets of hardware & device drivers
    - Alternative system configurations
  - Enum lists attached devices
    - Including USB sticks and drives
  - Mounted file systems (MountedDevices)
  - Random Number Generator (RNG) seed value
  - C:\Windows\System32\config\SYSTEM
  - C:\Windows\System32\config\SYSTEM.LOG
- Virtual Memory Page File Location
  - HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Local Machine Hive: HKEY_LOCAL_MACHINE (HKLM)
- SOFTWARE
  - Configuration settings & preferences for programs
  - Registration information for programs
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
    - Run
      - Software that runs when the system starts up
    - Winlogon
      - Login window configuration information
  - C:\Windows\System32\config\SOFTWARE
  - C:\Windows\System32\config\SOFTWARE.LOG
Local Machine Hive: HKEY_LOCAL_MACHINE (HKLM)
- SAM
  - System and Accounts Management
  - Account information for domains accessed with this system
  - Permissions prevent viewing
  - C:\Windows\System32\config\SAM
  - C:\Windows\System32\config\SAM.LOG
Local Machine Hive: HKEY_LOCAL_MACHINE (HKLM)
- SECURITY
  - Permissions prevent normal viewing
  - C:\Windows\System32\config\SECURITY
  - C:\Windows\System32\config\SECURITY.LOG
- HARDWARE
  - Hardware that Windows detects during start up
  - Not stored in a file; created dynamically at start up
- BCD00000000
  - Boot Configuration Data for Vista and Windows 7
  - For XP and earlier, the data was stored in C:\boot.ini
  - C:\Boot\BCD
  - EFI System Partition
Users Hive: HKEY_USERS (HKU)
- Subkeys contain user-specific preferences, configuration and activity information
- System Accounts
  - S-1-5-18: Local System
    - Account with high privileges
  - S-1-5-19: Local Service
    - Runs local services that do not need Local System account privileges
  - S-1-5-20: Network Service
    - Runs network services that do not require Local System account privileges
  - .DEFAULT
    - Default account user information
Users Hive: HKEY_USERS (HKU)
- SID: security identifier for a user
- SID_CLASSES contains per-user class registration and file associations
- C:\Users\%userprofile%\NTUSER.DAT
- C:\Users\%userprofile%\NTUSER.DAT.LOG
- C:\Documents and Settings\%userprofile%\NTUSER.DAT
- C:\Documents and Settings\%userprofile%\NTUSER.DAT.LOG
Users Hive: HKEY_USERS (HKU)
- Important Keys for Forensics
  - Network
    - Mapping of networked drives
  - Environment
    - Default location of temporary user files
  - Volatile Environment
    - Login and account information for the current user
  - Software
    - Contains configuration and usage information for programs
    - HKU\{SID}\Software\Microsoft\Windows\CurrentVersion
    - HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run
Current Hives
- HKEY_CURRENT_USER (HKCU)
  - Links to the currently active user account and class information in the HKU hive
- HKEY_CLASSES_ROOT (HKCR)
  - HKCR is a merged view of the defaults in HKLM\Software\Classes
- HKEY_CURRENT_CONFIG (HKCC)
  - Links to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current
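An added Python example, not from the slides, that ties the logical and physical views together: it resolves a logical registry path to the hive file named on these slides, first rewriting the three link roots (HKCU, HKCR, HKCC) into the hive they point into. The SID-to-profile-folder map and the sample SID are assumed inputs.

```python
# Physical files behind the HKLM subhives as listed on these slides (HARDWARE has none)
HKLM_HIVE_FILES = {
    "SYSTEM": r"C:\Windows\System32\config\SYSTEM",
    "SOFTWARE": r"C:\Windows\System32\config\SOFTWARE",
    "SAM": r"C:\Windows\System32\config\SAM",
    "SECURITY": r"C:\Windows\System32\config\SECURITY",
    "HARDWARE": None,
    "BCD00000000": r"C:\Boot\BCD",
}
# Well-known system accounts that appear as HKU subkeys
SYSTEM_SIDS = {"S-1-5-18": "Local System", "S-1-5-19": "Local Service",
               "S-1-5-20": "Network Service"}
ROOT_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_USERS": "HKU",
                "HKEY_CURRENT_USER": "HKCU", "HKEY_CLASSES_ROOT": "HKCR",
                "HKEY_CURRENT_CONFIG": "HKCC"}

def resolve(path, current_user_sid, profiles):
    """Map a logical registry path to (hive_file, subkey inside that hive).
    profiles is an assumed map of user SID -> profile folder under C:\\Users.
    hive_file is None where no file backs the key (HARDWARE) or where these
    slides name none (.DEFAULT and the system accounts under HKU)."""
    parts = [p for p in path.split("\\") if p]
    root = ROOT_ALIASES.get(parts[0].upper(), parts[0].upper()) if parts else ""
    rest = parts[1:]
    # The three link roots are rewritten into the hive they point into
    if root == "HKCU":
        root, rest = "HKU", [current_user_sid] + rest
    elif root == "HKCR":
        root, rest = "HKLM", ["SOFTWARE", "Classes"] + rest
    elif root == "HKCC":
        root, rest = "HKLM", ["SYSTEM", "CurrentControlSet",
                              "Hardware Profiles", "Current"] + rest
    if not rest:
        raise ValueError("path must name a subhive or SID below the root")
    subkey = "\\".join(rest[1:])
    if root == "HKLM":
        hive = rest[0].upper()
        if hive not in HKLM_HIVE_FILES:
            raise ValueError(f"unknown HKLM subhive: {rest[0]}")
        return HKLM_HIVE_FILES[hive], subkey
    if root == "HKU":
        sid = rest[0]
        if sid in SYSTEM_SIDS or sid.upper() == ".DEFAULT":
            return None, subkey
        if sid not in profiles:
            raise ValueError(f"no profile folder known for SID {sid}")
        return rf"C:\Users\{profiles[sid]}\NTUSER.DAT", subkey
    raise ValueError(f"unknown root key: {path}")
```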