Registry Analysis

What is registry

Registry is a hierarchical database that serves as a central repository for

  1. Configuration settings

  2. Information about the software, hardware, and user preferences

In perspective of attacker, registry can be abuse to:

  • Setup persistence

  • Modify config such as WDigest

  • Disable WinDefender

  • Privilege Escalation

  • User Account Manipulation

  • And many more (https://redteamrecipe.com/Registry-Attack-Vectors/)

Registry hives explained

Registry hives
Description

HKEY_CLASSES_ROOT

A symbolic link to HKLM\SOFTWARE\Classes

HKEY_CURRENT_USER

A symbolic link to the part of HKEY_USERS representing the currently logged in user's profile.

HKEY_LOCAL_MACHINE

Contains information about all the installed hardware and software.

HKEY_USERS

Contains preferences for each of the user profiles on the machine

HKEY_CURRENT_CONFIG

Symbolic link that points to the part in HKLM that applies to the current hardware configuration

Registry structure

Registry artifact location

System registry
Current user registry

  • %WinDir%\System32\Config\*

  • %WinDir%\appcompat\Programs\AMCACHE.hve

  • C:\Users\<username>\NTUSER.dat

  • C:\Users\<username>\AppData\Local\Microsoft\Windows\USRCLASS.DAT

Using Registry Explorer

Please refer: https://fareedfauzi.github.io/2023/12/22/Windows-Forensics-checklist-cheatsheet.html#triage-artifacts-parsing-and-analysis

PreviousEvent Log AnalysisNextMemory dump analysis

Last updated