Windows Registry
Folder/predefined key
HKEY_CURRENT_USER
HKEY_CURRENT_USERContains the root of the configuration information for the user who is currently logged on.
The user's folders, screen colors, and Control Panel settings are stored here. This information is associated with the user's profile.
This key is sometimes abbreviated as
HKCU.
HKEY_USERS
HKEY_USERSContains all the actively loaded user profiles on the computer.
HKEY_CURRENT_USERis a subkey ofHKEY_USERS.HKEY_USERSis sometimes abbreviated asHKU.
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINEContains configuration information particular to the computer (for any user). This key is sometimes abbreviated as
HKLM.
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOTIs a subkey of
HKEY_LOCAL_MACHINE\Software. The information that is stored here makes sure that the correct program opens when you open a file by using Windows Explorer.This key is sometimes abbreviated as
HKCR.Starting with Windows 2000, this information is stored under both the
HKEY_LOCAL_MACHINEandHKEY_CURRENT_USERkeys. TheHKEY_LOCAL_MACHINE\Software\Classeskey contains default settings that can apply to all users on the local computer.The
HKEY_CURRENT_USER\Software\Classeskey has settings that override the default settings and apply only to the interactive user.The
HKEY_CLASSES_ROOTkey provides a view of the registry that merges the information from these two sources.HKEY_CLASSES_ROOTalso provides this merged view for programs that are designed for earlier versions of Windows.To change the settings for the interactive user, changes must be made under
HKEY_CURRENT_USER\Software\Classesinstead of under HKEY_CLASSES_ROOT.To change the default settings, changes must be made under
HKEY_LOCAL_MACHINE\Software\Classes.If you write keys to a key underHKEY_CLASSES_ROOT, the system stores the information underHKEY_LOCAL_MACHINE\Software\Classes.If you write values to a key under
HKEY_CLASSES_ROOT, and the key already exists underHKEY_CURRENT_USER\Software\Classes, the system will store the information there instead of underHKEY_LOCAL_MACHINE\Software\Classes.
HKEY_CURRENT_CONFIG
HKEY_CURRENT_CONFIGContains information about the hardware profile that is used by the local computer at system startup.
Accessing registry hives offline
If you are accessing a live system, you will be able to access the registry using
regedit.exe, and you will be greeted with all of the standard root keys we learned about in the previous task.However, if you only have access to a disk image, you must know where the registry hives are located on the disk. The majority of these hives are located in the
C:\Windows\System32\Configdirectory and are:DEFAULT(mounted onHKEY_USERS\DEFAULT)SAM(mounted onHKEY_LOCAL_MACHINE\SAM)SECURITY(mounted onHKEY_LOCAL_MACHINE\Security)SOFTWARE(mounted onHKEY_LOCAL_MACHINE\Software)SYSTEM(mounted onHKEY_LOCAL_MACHINE\System)Hives containing user information:
Apart from these hives, two other hives containing user information can be found in the User profile directory. For Windows 7 and above, a user’s profile directory is located in
C:\Users\<username>\where the hives are:NTUSER.DAT(mounted onHKEY_CURRENT_USERwhen a user logs in)USRCLASS.DAT(mounted onHKEY_CURRENT_USER\Software\CLASSES)The
USRCLASS.DAThive is located in the directoryC:\Users\<username>\AppData\Local\Microsoft\Windows.The
NTUSER.DAThive is located in the directoryC:\Users\<username>\.Remember that NTUSER.DAT and USRCLASS.DAT are hidden files.
The Amcache Hive:
Apart from these files, there is another very important hive called the
AmCachehive.This hive is located in
C:\Windows\AppCompat\Programs\Amcache.hve. Windows creates this hive to save information on programs that were recently run on the system.
Great Keys to Enumerate
Capture the output from these commands and save off. Will tell you alot about the system + give you further places to dig
Last updated