search

Registry Analysis

hashtag
What is registry

Registry is a hierarchical database that serves as a central repository for

  1. Configuration settings

  2. Information about the software, hardware, and user preferences

In perspective of attacker, registry can be abuse to:

  • Setup persistence

  • Modify config such as WDigest

  • Disable WinDefender

  • Privilege Escalation

  • User Account Manipulation

  • And many more (https://redteamrecipe.com/Registry-Attack-Vectors/)

hashtag
Registry hives explained

Registry hives
Description

HKEY_CLASSES_ROOT

A symbolic link to HKLM\SOFTWARE\Classes

HKEY_CURRENT_USER

A symbolic link to the part of HKEY_USERS representing the currently logged in user's profile.

HKEY_LOCAL_MACHINE

Contains information about all the installed hardware and software.

HKEY_USERS

Contains preferences for each of the user profiles on the machine

HKEY_CURRENT_CONFIG

Symbolic link that points to the part in HKLM that applies to the current hardware configuration

hashtag
Registry structure

hashtag
Registry artifact location

System registry
Current user registry

  • %WinDir%\System32\Config\*

  • %WinDir%\appcompat\Programs\AMCACHE.hve

  • C:\Users\<username>\NTUSER.dat

  • C:\Users\<username>\AppData\Local\Microsoft\Windows\USRCLASS.DAT

hashtag
Using Registry Explorer

Please refer: https://fareedfauzi.github.io/2023/12/22/Windows-Forensics-checklist-cheatsheet.html#triage-artifacts-parsing-and-analysisarrow-up-right

PreviousEvent Log AnalysisNextMemory dump analysis

Last updated