1
Registry Root Hives
2
In This Lecture: HKEY_CLASSES_ROOT; HKEY_LOCAL_MACHINE (System Hive, Software Hive); HKEY_USERS; HKEY_CURRENT_USER; HKEY_CURRENT_CONFIG
3
HKEY_CLASSES_ROOT (HKCR)
Describes the default program that opens each file extension on the system. Also stores the right-click menu details and the program icon. Each subkey is named after one of the file extensions found on the system, e.g. .exe, .jpg. On a multiuser system each user has this information loaded from the profile information in the registry.
4
HKCR Analysis: Determine which program opened a specific file type, such as files with the .flv extension. First search for the .flv subkey and then look at its associated value.
5
HKCR Analysis: Search in the same registry subkey for VLC.flv to find the executable's path. In this case the default program is VLC media player. Note that the path begins in the HKEY_LOCAL_MACHINE root key.
6
HKCR loads its information from:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes
HKEY_CURRENT_USER\SOFTWARE\Classes
HKCR is usually an alias for HKEY_LOCAL_MACHINE\SOFTWARE\Classes, but when a user registers a different file type association, it is stored in HKCU\SOFTWARE\Classes. If there is a conflict between HKLM and HKCU, Windows loads from HKCU.
7
HKEY_LOCAL_MACHINE (HKLM)
Configuration and settings used by the system during start-up. Independent of user login. Five important subkeys:
System: System configuration information: computer name, system time zone, network interfaces.
Software: Settings and configurations for installed applications and operating system services.
8
HKLM Subkeys ctd:
SAM: Security Account Manager. Stores user and group security information and summarizes total user rights on the local system and domain: username, unique SID, user password hash (will extract from memory in a few weeks). Will be empty if opened from a running system by regedit because of Windows security.
Security: System security policies, if any.
Hardware: Hardware devices connected to the system.
9
System Hive HKLM\SYSTEM\CurrentControlSet\Services
Analyzing services can be an important part of investigations including system compromises, data breaches, and malware infections. Services are a persistence mechanism for malware, since many start automatically at boot, and services often run with elevated privileges.
10
Services Example: BITS
Background Intelligent Transfer Service
11
Services - BITS. Start value: 3 indicates manual start; 2 would indicate automatic start on boot. Can also see the display name as a reference to a string in a DLL. Can see the image path. Weird paths help us identify suspicious services; it will be obvious if a malicious executable is referenced in the ImagePath value.
12
Services - BITS. Can see the image path. A more subtle method is loading a malicious DLL into a valid executable: ImagePath will reference a legitimate Windows file, frequently \system32\svchost.exe, and the malicious DLL will be referenced in the Parameters subkey under the ServiceDLL value.
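The ImagePath/ServiceDLL triage described on the last two slides, written out as an added example (not part of the lecture): it walks a set of service records exported from the Services key and flags any service binary or ServiceDll loaded from outside the expected Windows directories. The service records, the trusted-directory list and the names WinHelper/UpdSvc are constructed for the example.

```python
import ntpath

# Constructed sample of HKLM\SYSTEM\CurrentControlSet\Services entries, as a
# hive-parsing tool might export them (made up for this example, not real data).
SAMPLE_SERVICES = {
    "BITS": {"Start": 3, "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
             "ServiceDll": r"%SystemRoot%\System32\qmgr.dll"},
    "Dnscache": {"Start": 2, "ImagePath": r"%SystemRoot%\system32\svchost.exe -k NetworkService",
                 "ServiceDll": r"%SystemRoot%\System32\dnsrslvr.dll"},
    "WinHelper": {"Start": 2, "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
                  "ServiceDll": r"C:\Users\Public\Libraries\update.dll"},
    "UpdSvc": {"Start": 2, "ImagePath": r"C:\ProgramData\tmp\upd.exe", "ServiceDll": None},
}

START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
# Directories a service binary is normally expected to live under (lowercase prefixes).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")


def binary_path(value, system_root=r"C:\Windows"):
    """Expand %SystemRoot%, drop quotes and svchost arguments, return only the binary path."""
    path = value.strip().strip('"')
    if path.lower().startswith("%systemroot%"):
        path = system_root + path[len("%systemroot%"):]
    low = path.lower()
    for ext in (".exe", ".dll", ".sys"):
        idx = low.find(ext)
        if idx != -1:
            return path[: idx + len(ext)]
    return path


def is_trusted(path):
    low = ntpath.normpath(path).lower()
    return any(low.startswith(d) for d in TRUSTED_DIRS)


def triage_services(services):
    """Return (service, start mode, reason) for every binary outside the trusted directories."""
    findings = []
    for name, rec in services.items():
        start = START_NAMES.get(rec["Start"], "unknown")
        image = binary_path(rec["ImagePath"])
        if not is_trusted(image):
            findings.append((name, start, f"ImagePath outside trusted dirs: {image}"))
        dll = rec.get("ServiceDll")
        if dll and not is_trusted(binary_path(dll)):
            findings.append((name, start, f"ServiceDll outside trusted dirs: {binary_path(dll)}"))
    return findings


if __name__ == "__main__":
    for svc, start, why in triage_services(SAMPLE_SERVICES):
        print(f"[{start}] {svc}: {why}")
```

A real run would read the records from an offline SYSTEM hive (RegRipper's services plugin output, for instance) instead of the inline sample.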
13
Services - Bluetooth: \System\CurrentControlSet\services\BTHPORT\Parameters\Devices contains the device IDs, MAC addresses, and names of devices seen by the Bluetooth radio. The RegRipper bthport.pl plugin will help.
14
Enum\Root: May see subkeys starting with "LEGACY_", with subkeys named "0000".
15
Enum\Root: LEGACY_IMDISK is a virtual disk driver. The key here refers to a legacy driver. The LastWrite time of LEGACY_IMDISK, "Tue Jan 4 11:35: (UTC)", correlates to the first time the device driver was launched. The LastWrite time of the LEGACY_IMDISK\0000 key, "Wed Jan 5 16:50: (UTC)", refers to the last time the driver was launched. Legacy driver keys can persist even after the driver is uninstalled.
16
Software Hive Remember, still part of HKEY_LOCAL_MACHINE
Holds information about installed software, and system-wide configuration.
17
ProfileList \SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Details about the system’s user profiles. Includes location of each profile. Does not include configurations and settings.
18
Applications Found in the root of the software hive and in subkeys thereof.
19
Applications - Uninstall
\Microsoft\Windows\CurrentVersion\Uninstall
Keys may contain: names or GUIDs, installation date, install path and source, strings used to uninstall. Most often the result of applications installed via an installation package, such as the Microsoft installer. Applications that are simply copied executable files typically do not create installation and uninstall keys.
20
Applications Installed By MSI
Microsoft Installer package files end in ".msi". Found in \Classes\Installer\Products. Each subkey is named with a long sequence of hexadecimal characters; the ProductName value gives the name. Use the msis.pl plugin for RegRipper, which will also sort by key LastWrite times.
21
Applications - 64 bit systems
\WOW6432Node key Used for Registry redirection of calls from 32-bit applications on 64-bit systems.
22
Applications - More Keys
Check the same subkeys in HKEY_CURRENT_USER: exact same path, just change the root hive to HKCU\Software instead of HKLM\Software. Contains information about applications specifically installed by and available to a particular user. Classes: this is where the extension information in HKEY_CLASSES_ROOT was loaded from. Use the assoc.pl RegRipper plugin.
23
Network Lists: Windows maintains information regarding network connections, including wireless access points to which the system has connected. Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures. Managed: connections managed by a domain controller. Unmanaged: connections not managed by a domain controller.
24
Network Lists: In each are many subkeys with names composed of a long series of letters and numbers. The "Description" and "FirstNetwork" values refer to the service set identifier (SSID) of a WAP. "DefaultGatewayMac" is the WAP's MAC address; it can be used for WiFi geolocation (WiGLE.net). The "ProfileGuid" value maps to the appropriate profile in the NetworkList\Profiles key.
25
Network Lists Sample values from \Unmanaged subkey.
26
Network Lists Sample NetworkList key profile values for the previous ProfileGuid:
27
Network Lists: The "ProfileName" and "Description" values match "Description" and "FirstNetwork" respectively. "NameType" is the type of connection: 0x47: wireless network; 0x06: wired network; 0x17: broadband (e.g. 3G). DateCreated and DateLastConnected are 128-bit SYSTEMTIME structs. Recall: Microsoft says that these can be either local time or UTC depending on the function that was called to set them.
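As an added example (not from the lecture), the Signatures-to-Profiles join and the NameType/SYSTEMTIME decoding from the NetworkList slides in Python. The SSID "CoffeeNet", the gateway MAC, the profile GUID and the timestamps are constructed values standing in for exported registry data.

```python
import struct
from datetime import datetime

NAME_TYPES = {0x47: "wireless", 0x06: "wired", 0x17: "broadband"}

# Constructed sample data standing in for exported registry values (not from a real system).
SIGNATURE = {  # one entry under NetworkList\Signatures\Unmanaged
    "Description": "CoffeeNet",
    "FirstNetwork": "CoffeeNet",
    "DefaultGatewayMac": bytes.fromhex("001122aabbcc"),
    "ProfileGuid": "{11111111-2222-3333-4444-555555555555}",
}
PROFILES = {  # NetworkList\Profiles\<ProfileGuid>
    "{11111111-2222-3333-4444-555555555555}": {
        "ProfileName": "CoffeeNet",
        "Description": "CoffeeNet",
        "NameType": 0x47,
        # SYSTEMTIME: year, month, day-of-week, day, hour, minute, second, milliseconds
        "DateCreated": struct.pack("<8H", 2017, 3, 1, 13, 14, 34, 3, 0),
        "DateLastConnected": struct.pack("<8H", 2017, 3, 3, 15, 9, 12, 45, 500),
    }
}


def parse_systemtime(raw):
    """Decode a 16-byte little-endian SYSTEMTIME (8 WORDs) into a naive datetime.
    No tzinfo is attached on purpose: as the slide notes, the value may be local
    time or UTC depending on which API wrote it, so the analyst must decide."""
    if len(raw) != 16:
        raise ValueError(f"SYSTEMTIME must be 16 bytes, got {len(raw)}")
    year, month, _dow, day, hour, minute, second, millis = struct.unpack("<8H", raw)
    return datetime(year, month, day, hour, minute, second, millis * 1000)


def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def resolve_network(signature, profiles):
    """Join a Signatures entry to its Profiles record via ProfileGuid and decode the fields."""
    prof = profiles[signature["ProfileGuid"]]
    ntype = prof["NameType"]
    return {
        "ssid": signature["FirstNetwork"],
        "gateway_mac": mac_str(signature["DefaultGatewayMac"]),
        "profile_name": prof["ProfileName"],
        "name_type": NAME_TYPES.get(ntype, f"unknown (0x{ntype:02x})"),
        "created": parse_systemtime(prof["DateCreated"]),
        "last_connected": parse_systemtime(prof["DateLastConnected"]),
    }
```

The gateway MAC string is what you would look up on WiGLE.net for geolocation.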
28
Network Interface Cards (NICs)
\Microsoft\Windows NT\CurrentVersion\NetworkCards Will have two subkeys with numeric names.
29
NICs “ServiceName”: GUID for the NIC
"Description": String returned when running ipconfig /all. For network settings and other information about this interface, go to HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces and locate the subkey matching the ServiceName value: DHCP enabled? DHCP server, default gateway. Good for cross-referencing with packet captures and firewall/webserver/network device logs.
30
Scheduled Tasks: \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache. Recall the XML files are located in <System Volume>\Windows\System32\Tasks. Most human-readable information in this key is found in the Tree subkey.
31
Scheduled Tasks: Most default tasks are located in the Tree\Microsoft\Windows subkey. For each scheduled task: an "ID" value containing a GUID, and an "Index" value. How to read: use the GUID to navigate to the TaskCache\Tasks key and locate the subkey with the ID GUID in its name. Path: path to the task file. Hash: SHA-256 hash of the XML task file. Was CRC-32 before Stuxnet successfully collided the hash of an altered task file (audio contains mature language).
32
Scheduled Tasks
33
HKEY_USERS (HKU) Lists several user profiles
S : The system profile located at <System Volume>\Windows\system32\config\systemprofile. S : Related to the LocalService located at <System Volume>\Windows\ServiceProfiles\LocalService. S : Related to the NetworkService located under <System Volume>\Windows\ServiceProfiles\NetworkService.
34
HKEY_USERS (HKU) Lists several user profiles
S : Currently signed-in user with full SID. In this example their user directory is <System Volume>\Users\Forensics2. Only the currently signed-in user will appear here. On a live system you can find more details about all users in: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
35
HKU Listed profiles ctd:
Default User: The default user for any new user. Located at <System Volume> \ Users \ Default. This profile is copied to initialize the profile of newly created users.
36
HKEY_CURRENT_USER Pointer to the current user under HKU
37
WordWheelQuery Searches run by the user
\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery. Values stored in Unicode format, maintained in an MRU list.
38
WordWheelQuery: Search terms are stored as binary values with the actual terms listed in Unicode. F D > "program". When viewing properties in WRR, see the LastWrite time of "3/13/ :34:03PM" in UTC. We know the most recent search is item 1 because the first 4 bytes in MRUListEx are " ". So the user searched "program" at the above date and time. The RegRipper wordwheelquery.pl plugin assists with this analysis.
39
WordWheelQuery
40
Shellbags: Set of registry keys and values that remember the size and location of folders and libraries. Multiple locations: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell; HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\
41
Shellbags Information held in two main keys, BagMRU and Bags.
The BagMRU key stores folder names and records folder paths by recreating a tree structure. BagMRU itself represents the desktop. The BagMRU\# subkeys represent the folders for which ShellBag information was created, in order of use.
42
Shellbags: Note the MRUListEx value is "0,3,2,1", meaning the order of most recently accessed folders on the Desktop is "Desktop\Test-0", "Desktop\Test-2", and "Desktop\Test-1". In-depth analysis: room/whitepapers/forensics/windows-shellbag-forensics-in-depth-34545
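The MRUListEx ordering used by both the WordWheelQuery slide (item 1 is the most recent search) and the BagMRU slide above ("0,3,2,1") is the same structure: little-endian DWORD slot numbers, most recent first, terminated by 0xFFFFFFFF. This added example (not part of the lecture) decodes it and applies it to constructed WordWheelQuery values and to a constructed BagMRU level; the search terms and the folder names (including "Downloads" for slot 3, which the slide does not name) are made up, and the BagMRU names are assumed to be already extracted from the binary shell items.

```python
import struct

SENTINEL = 0xFFFFFFFF


def mru_order(raw):
    """Decode an MRUListEx value into slot numbers, most recent first.
    Tolerates a missing 0xFFFFFFFF terminator and ignores any trailing odd bytes."""
    count = len(raw) // 4
    order = []
    for slot in struct.unpack(f"<{count}I", raw[: count * 4]):
        if slot == SENTINEL:
            break
        order.append(slot)
    return order


def utf16z(raw):
    """Decode a UTF-16LE value, stopping at the first null terminator."""
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def wordwheel_terms(values):
    """values: {"MRUListEx": bytes, "0": bytes, "1": bytes, ...} as read from the key.
    Returns the search terms ordered from most to least recent."""
    return [utf16z(values[str(slot)]) for slot in mru_order(values["MRUListEx"])
            if str(slot) in values]


def shellbag_paths(mrulistex, names, parent="Desktop"):
    """Return parent\\child paths in most-recently-used order for one BagMRU level."""
    return [f"{parent}\\{names[str(s)]}" for s in mru_order(mrulistex) if str(s) in names]


# Constructed WordWheelQuery values (made up for this example, not from a real hive).
WORDWHEEL = {
    "MRUListEx": struct.pack("<4I", 1, 0, 2, SENTINEL),
    "0": "passwords".encode("utf-16-le") + b"\x00\x00",
    "1": "program".encode("utf-16-le") + b"\x00\x00",
    "2": "tax return".encode("utf-16-le") + b"\x00\x00",
}

# Constructed BagMRU level: folder names assumed already parsed out of the shell items
# (real BagMRU values are binary shell item data, not plain text), order "0,3,2,1".
BAGMRU_NAMES = {"0": "Test-0", "1": "Test-1", "2": "Test-2", "3": "Downloads"}
BAGMRU_LIST = struct.pack("<5I", 0, 3, 2, 1, SENTINEL)
```

Slot 1 ("program") comes out first for WordWheelQuery, matching the slide's reading of the first four bytes of MRUListEx.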
43
Shellbags: The Bags key stores view preferences such as window size, location, and view mode. The registry subkeys here are correlated with the NodeSlot value in a BagMRU key. Tools: not many good FOSS options. hin/shellbags
44
MenuOrder: \Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder. Subkeys: "Start Menu2" and "Favorites". Stores information when a user rearranges the contents of their Start menu and/or their favorites menu or Favorites Center in IE. Use the menuorder.pl plugin for RegRipper.
45
MUICache: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\. Values not beginning with are programs that have run on the system. Not guaranteed to be exhaustive. No timestamp information, but can associate the running of a program with a user.
46
MUICache
47
UserAssist: Key used to track user activities which occur via Windows Explorer: double-clicking icons, launching programs via the Start menu. Records the date and time, and the number of times done so. Value names are "encrypted" with ROT-13. Many keys in many places. Use the RegRipper userassist.pl plugin; use the RegRipper userassist.tln.pl plugin to output information in a timeline-friendly format.
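What userassist.pl does for a single value, as an added example (not the plugin's code and not from the lecture): un-ROT-13 the value name and pull the run count and last-run FILETIME out of the binary data. The 72-byte Windows 7+ layout (run count at offset 4, FILETIME at offset 60) is an assumption stated in the code; the notepad.exe entry and its timestamp are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)


def filetime_to_datetime(ft):
    """FILETIME: 100-nanosecond intervals since 1601-01-01 UTC (naive UTC datetime)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH   # integer arithmetic: a float would lose precision here
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def decode_userassist(name, data):
    """Decode one UserAssist value. Assumes the Windows 7+ 72-byte data layout:
    run count as a DWORD at offset 4, last-run FILETIME as a QWORD at offset 60."""
    if len(data) < 68:
        raise ValueError(f"expected at least 68 bytes of data, got {len(data)}")
    run_count = struct.unpack_from("<I", data, 4)[0]
    last_run_ft = struct.unpack_from("<Q", data, 60)[0]
    return {
        "program": codecs.decode(name, "rot_13"),   # value names are ROT-13 "encrypted"
        "run_count": run_count,
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def build_sample(program, run_count, last_run):
    """Constructed value for this example (not from a real hive): ROT-13 name + 72-byte blob."""
    blob = bytearray(72)
    struct.pack_into("<I", blob, 4, run_count)
    struct.pack_into("<Q", blob, 60, datetime_to_filetime(last_run))
    return codecs.encode(program, "rot_13"), bytes(blob)


SAMPLES = [
    build_sample(r"C:\Windows\System32\notepad.exe", 5, datetime(2017, 3, 13, 14, 34, 3)),
    build_sample(r"C:\Tools\old.exe", 1, datetime(2016, 1, 1, 8, 0, 0)),
]


def timeline(entries):
    """Decode (name, data) pairs and sort newest-first, the way a timeline listing would."""
    decoded = [decode_userassist(n, d) for n, d in entries]
    return sorted(decoded, key=lambda e: e["last_run"] or FILETIME_EPOCH, reverse=True)
```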
48
Typed Paths: Populated when the user types a path into the Windows (not Internet) Explorer address bar. Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths. First value is "url1". Subsequent writes "push down" the values such that the newest value is always "url1"; the TypedPaths LastWrite time correlates to "url1".
49
HKEY_CURRENT_CONFIG (HKCC)
Pointer to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\ registry key.
50
References forensics.sans.org/media/Poster_Windows_Forensics_2017_WEB.pdf We have one in the SAIT lab! Tools:
51
Questions?