Registry Analysis
What is the registry
The registry is a hierarchical database that serves as a central repository for
Configuration settings
Information about installed software, hardware, and user preferences
From an attacker's perspective, the registry can be abused to:
Set up persistence (e.g. Run/RunOnce keys, services, Winlogon entries)
Modify configuration such as WDigest (setting UseLogonCredential to 1 makes LSASS keep plaintext logon credentials)
Disable Windows Defender (e.g. the DisableAntiSpyware / DisableRealtimeMonitoring policy values)
Escalate privileges (e.g. weakening UAC via EnableLUA)
Manipulate user accounts (e.g. hiding an account from the logon screen via SpecialAccounts\UserList)
And many more (https://redteamrecipe.com/Registry-Attack-Vectors/)
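The settings above are also what a responder looks for first. As an added example (not code from the original page), the Python script below parses the text output of `reg query <key> /s` and flags a small, illustrative set of attacker-style changes: WDigest credential caching, Defender disabled by policy, UAC off, hidden accounts, and autorun entries. The rule list, the severity labels and the sample `reg query` output are constructed for this example; a real triage script would carry many more rules.

```python
"""Flag registry settings that attackers commonly change, working from the
text output of `reg query <key> /s` (live system) or a saved copy of it.

The rule list is a small, illustrative selection covering the abuse
categories above; a real triage script would carry many more.
"""
import re
import sys

# `reg query` prints a key on its own line and each value indented, with
# name / type / data separated by four spaces.
KEY_LINE = re.compile(r"^HKEY_[A-Z_]+(\\|$)", re.IGNORECASE)
VALUE_LINE = re.compile(r"^\s+(.+?)\s{4}(REG_[A-Z_]+)(?:\s{4}(.*))?$")
# Things that make an autorun entry worth a closer look.
SUSPICIOUS_CMD = re.compile(
    r"powershell|pwsh|mshta|rundll32|regsvr32|wscript|cscript|certutil"
    r"|\\AppData\\|\\Temp\\|\\Public\\|\s-e(nc|ncodedcommand)?\s",
    re.IGNORECASE)


def parse_reg_query(text):
    """-> {key_path: {value_name: (type, data)}}"""
    keys, current = {}, None
    for line in text.splitlines():
        if KEY_LINE.match(line):
            current = line.strip()
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = (m.group(2), (m.group(3) or "").strip())
    return keys


def as_int(data):
    """REG_DWORD data is printed as 0x...; anything else -> None."""
    try:
        return int(data, 0)
    except ValueError:
        return None


def dword_is(expected):
    return lambda vtype, data: as_int(data) == expected


# (key suffix regex, value name regex, check(type, data), severity, reason)
# First matching rule per value wins, so specific rules go before generic ones.
RULES = [
    (r"\\Control\\SecurityProviders\\WDigest$", r"^UseLogonCredential$", dword_is(1),
     "high", "WDigest keeps plaintext logon credentials in LSASS"),
    (r"\\Policies\\Microsoft\\Windows Defender$", r"^DisableAntiSpyware$", dword_is(1),
     "high", "Windows Defender disabled by policy"),
    (r"\\Windows Defender\\Real-Time Protection$", r"^DisableRealtimeMonitoring$",
     dword_is(1), "high", "Defender real-time protection disabled"),
    (r"\\CurrentVersion\\Policies\\System$", r"^EnableLUA$", dword_is(0),
     "high", "UAC disabled"),
    (r"\\Winlogon\\SpecialAccounts\\UserList$", r".", dword_is(0),
     "high", "account hidden from the logon screen"),
    (r"\\CurrentVersion\\(Run|RunOnce)$", r".",
     lambda vtype, data: bool(SUSPICIOUS_CMD.search(data)),
     "high", "autorun via LOLBin, encoded command or user-writable path"),
    (r"\\CurrentVersion\\(Run|RunOnce)$", r".", lambda vtype, data: True,
     "info", "autorun entry (review)"),
]


def audit(keys):
    """Apply RULES to a parsed snapshot; returns one finding dict per hit."""
    findings = []
    for key, values in keys.items():
        for name, (vtype, data) in values.items():
            for key_re, name_re, check, severity, reason in RULES:
                if (re.search(key_re, key, re.I) and re.search(name_re, name, re.I)
                        and check(vtype, data)):
                    findings.append({"key": key, "value": name, "data": data,
                                     "severity": severity, "reason": reason})
                    break
    return findings


# Constructed sample output (not from a real host) showing one hit per category.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    UseLogonCredential    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
    DisableAntiSpyware    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater    REG_SZ    powershell.exe -w hidden -enc SQBFAFgA

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
    svc_backup    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x1
"""

if __name__ == "__main__":
    # Usage: python audit.py saved_reg_query_output.txt  (no argument -> SAMPLE)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for f in audit(parse_reg_query(text)):
        print("[%s] %s\\%s = %r : %s"
              % (f["severity"], f["key"], f["value"], f["data"], f["reason"]))
```

Feed it `reg query HKLM\SOFTWARE /s > out.txt` (or the HKLM\SYSTEM and HKU equivalents) from a live host, or the same command run against a hive mounted with `reg load`. Benign autorun entries are reported at "info" severity rather than dropped, because a known-good allowlist is environment-specific and an analyst should still see them.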
Registry root keys explained
HKEY_CLASSES_ROOT
A merged view of HKLM\SOFTWARE\Classes (machine-wide) and HKCU\SOFTWARE\Classes (per user), not a plain symbolic link to HKLM; this is why per-user COM and file-association hijacks placed under HKCU\SOFTWARE\Classes also show up here
HKEY_CURRENT_USER
A symbolic link to the part of HKEY_USERS representing the currently logged in user's profile (backed by that user's NTUSER.DAT)
HKEY_LOCAL_MACHINE
Contains information about all the installed hardware and software (backed by the SAM, SECURITY, SOFTWARE and SYSTEM hives)
HKEY_USERS
Contains the loaded profile hive of each user on the machine, keyed by SID
HKEY_CURRENT_CONFIG
A symbolic link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current, the part of HKLM that applies to the current hardware configuration
Registry structure
Registry artifact location
%WinDir%\System32\Config\* (SAM, SECURITY, SOFTWARE, SYSTEM and DEFAULT hives, plus their .LOG1/.LOG2 transaction logs)
%WinDir%\appcompat\Programs\AMCACHE.hve
C:\Users\<username>\NTUSER.DAT (backs HKCU; its .LOG1/.LOG2 sit beside it)
C:\Users\<username>\AppData\Local\Microsoft\Windows\USRCLASS.DAT (backs HKCU\SOFTWARE\Classes, the per-user half of HKCR)
These files are locked while the system is running, so collect them with a raw-disk tool (e.g. KAPE or FTK Imager) or export them with reg save, and always collect the transaction logs with the hives: a hive whose logs have not been replayed may be missing the most recent changes.
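Before parsing a collected hive, it is worth checking that the file is intact and whether its transaction logs still need to be replayed. As an added example (not code from the original page), the Python below reads the 4096-byte REGF base block of a hive file, verifies the signature and the XOR-32 header checksum, and reports the hive as dirty when the primary and secondary sequence numbers disagree. The field offsets follow the documented REGF base block layout; the sample base block used for the self-test is constructed inline and does not come from a real system.

```python
"""Sanity-check a registry hive's 4096-byte base block before analysis.

Checks the REGF signature, the XOR-32 header checksum, and whether the
hive is "dirty" (primary and secondary sequence numbers differ), which
means the matching .LOG1/.LOG2 transaction logs have not been replayed
and the hive on disk may be inconsistent. Field offsets follow the
documented REGF base block layout (assumption: hive format 1.x).
"""
import struct
import sys
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 4096
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Integer-only inverse of filetime_to_datetime (avoids float rounding)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def regf_checksum(block):
    """XOR of the 127 little-endian DWORDs in bytes 0..507, with the two
    reserved results remapped the way the kernel does."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if x == 0:
        return 1
    return x


def parse_base_block(block):
    """Return the header fields that matter for triage, plus integrity flags."""
    if len(block) < BASE_BLOCK_SIZE:
        raise ValueError("need at least %d bytes" % BASE_BLOCK_SIZE)
    if block[:4] != b"regf":
        raise ValueError("not a REGF hive: bad signature %r" % block[:4])
    (seq1, seq2, ts, major, minor, ftype, fmt,
     root_cell, hbins_size) = struct.unpack_from("<IIQIIIIII", block, 4)
    # Offset 48: up to 32 UTF-16LE characters of the hive's own path.
    name = block[48:112].decode("utf-16-le", errors="replace").rstrip("\x00")
    stored_sum = struct.unpack_from("<I", block, 508)[0]
    return {
        "primary_seq": seq1,
        "secondary_seq": seq2,
        "dirty": seq1 != seq2,
        "last_written": filetime_to_datetime(ts),
        "version": "%d.%d" % (major, minor),
        "file_type": ftype,             # 0 = primary file, 1 = transaction log
        "root_cell_offset": root_cell,  # relative to the first hbin at 0x1000
        "hbins_size": hbins_size,
        "embedded_name": name,
        "checksum_ok": stored_sum == regf_checksum(block),
    }


def triage_warnings(info):
    """Human-readable reasons not to trust this hive as-is."""
    warnings = []
    if not info["checksum_ok"]:
        warnings.append("header checksum mismatch: truncated or corrupted hive")
    if info["dirty"]:
        warnings.append("dirty hive (seq %d != %d): replay .LOG1/.LOG2 before analysis"
                        % (info["primary_seq"], info["secondary_seq"]))
    if info["file_type"] != 0:
        warnings.append("file type %d is not a primary hive" % info["file_type"])
    return warnings


def build_sample_base_block(seq1, seq2, corrupt=False):
    """Constructed test data: a minimal valid base block (no hbins follow)."""
    b = bytearray(BASE_BLOCK_SIZE)
    b[:4] = b"regf"
    ts = datetime_to_filetime(datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc))
    struct.pack_into("<IIQIIIIII", b, 4, seq1, seq2, ts, 1, 5, 0, 1, 0x20, 0x1000)
    struct.pack_into("<I", b, 44, 1)  # clustering factor
    b[48:112] = "\\SystemRoot\\System32\\Config\\SAM".encode("utf-16-le").ljust(64, b"\x00")
    struct.pack_into("<I", b, 508, regf_checksum(bytes(b)))
    if corrupt:
        b[200] ^= 0xFF  # flip a byte inside the checksummed region, after checksumming
    return bytes(b)


if __name__ == "__main__":
    # Usage: python hivecheck.py SYSTEM   (no argument -> constructed dirty sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read(BASE_BLOCK_SIZE) if path else build_sample_base_block(8, 7)
    info = parse_base_block(data)
    for k, v in info.items():
        print("%-17s %s" % (k, v))
    for w in triage_warnings(info):
        print("WARNING:", w)
```

A dirty flag is normal for a hive copied from a live system (the kernel only syncs the sequence numbers after a clean flush); it is a cue to hand the hive and its .LOG1/.LOG2 to a parser that replays transaction logs (Registry Explorer does this) rather than a sign of tampering.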
Using Registry Explorer
Please refer to: https://fareedfauzi.github.io/2023/12/22/Windows-Forensics-checklist-cheatsheet.html#triage-artifacts-parsing-and-analysis