Registry

Purpose and Function

The Windows Registry is a hierarchical, central database that serves as the core configuration repository for the Windows operating system and many of the applications installed on it. It stores a vast array of low-level settings, hardware configurations, user preferences, software installation details, and system policies. Both Windows itself and third-party software rely heavily on the Registry to store and retrieve the information necessary for their proper functioning.

From a DFIR perspective, the Registry is one of the richest sources of forensic information on a Windows system. Its critical role in system operation makes it a primary target for both malware (for persistence and evasion) and forensic analysts (for evidence recovery).

Location and Structure

The Registry is not a single file. It is assembled at boot from a set of files called hives, which the kernel maps into the hierarchical tree that tools like regedit.exe display. While Windows is running the hive files are locked open, so offline examination needs a raw copy (a disk image, a Volume Shadow Copy, or a tool that reads the files beneath the file system). Each hive also has transaction logs (.LOG1 and .LOG2) beside it; recent writes may exist only in those logs until Windows flushes them into the hive, so collect the logs with the hive and give both to the parser.

Key hive files, where they live on disk, and where they appear in the tree:

  • SYSTEM: C:\Windows\System32\config\SYSTEM, mounted as HKLM\SYSTEM (hardware configuration, drivers, services and the control sets that hold them)

  • SOFTWARE: C:\Windows\System32\config\SOFTWARE, mounted as HKLM\SOFTWARE (system-wide software settings, machine-wide policies and the machine-wide Run keys)

  • SAM: C:\Windows\System32\config\SAM, mounted as HKLM\SAM (local user accounts, group membership and password hashes; the hashes are encrypted with a key derived from the SYSTEM hive, so the two are always collected together)

  • SECURITY: C:\Windows\System32\config\SECURITY, mounted as HKLM\SECURITY (local security policy, LSA secrets and cached domain credentials)

  • NTUSER.DAT: C:\Users\%username%\NTUSER.DAT, mounted as HKCU for that user while logged on (per-user settings, per-user policies and the per-user Run keys; the file carries the hidden and system attributes)

  • UsrClass.dat: C:\Users\%username%\AppData\Local\Microsoft\Windows\UsrClass.dat, mounted as HKCU\Software\Classes (per-user COM and file-association registrations, plus the shell data, including ShellBags, that Explorer keeps there)

The tree consists of Keys (like folders) and Values (like files). A value has a name, a type (REG_SZ, REG_EXPAND_SZ, REG_DWORD, REG_BINARY and so on) and data. Only keys carry a timestamp (the LastWrite time discussed below); values have none, which matters as soon as you try to date a single entry.
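Collecting the hives above from a live machine, as an added example that is not part of the original page: because the files are locked while Windows runs, the function takes a Volume Shadow Copy, exposes it through a directory symlink, copies each hive with its .LOG1/.LOG2 logs, and removes the snapshot again. It assumes Windows PowerShell 5.1 in an elevated session and a system volume of C:; the function name, the output folder and the profile name 'player' are this example's own.

```powershell
# Added example, not from the original page. Copies the six hives the chapter
# lists, plus their transaction logs, out of a Volume Shadow Copy so the locked
# live files never have to be opened. Windows PowerShell 5.1, elevated session.
function Copy-RegistryHives {
    param(
        [Parameter(Mandatory)][string]$Destination,   # output folder (assumed by caller)
        [Parameter(Mandatory)][string]$UserName,      # profile folder name under C:\Users
        [string]$Volume = 'C:\'
    )
    # Hive paths from the chapter, relative to the volume root.
    $hives = @(
        'Windows\System32\config\SYSTEM',
        'Windows\System32\config\SOFTWARE',
        'Windows\System32\config\SAM',        # SAM and SECURITY hold credential material: protect the copies
        'Windows\System32\config\SECURITY',
        "Users\$UserName\NTUSER.DAT",
        "Users\$UserName\AppData\Local\Microsoft\Windows\UsrClass.dat"
    )
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null

    # 1. Snapshot the volume. Win32_ShadowCopy.Create returns the new snapshot's ID.
    $result = (Get-WmiObject -List Win32_ShadowCopy).Create($Volume, 'ClientAccessible')
    if ($result.ReturnValue -ne 0) { throw "Win32_ShadowCopy.Create failed with $($result.ReturnValue)" }
    $shadow = Get-WmiObject Win32_ShadowCopy -Filter "ID='$($result.ShadowID)'"

    # 2. The snapshot lives at \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN, which the
    #    PowerShell file-system provider will not open. A directory symlink to it
    #    (trailing backslash required) makes it look like an ordinary folder.
    $link = "$env:SystemDrive\vss_$([guid]::NewGuid().ToString('N'))"
    cmd.exe /c mklink /d $link "$($shadow.DeviceObject)\" | Out-Null
    try {
        foreach ($rel in $hives) {
            foreach ($suffix in '', '.LOG1', '.LOG2') {
                $src = Join-Path $link ($rel + $suffix)
                if (Test-Path -LiteralPath $src -PathType Leaf) {
                    Copy-Item -LiteralPath $src -Destination $Destination -Force
                } else {
                    Write-Warning "Not present in snapshot: $rel$suffix"
                }
            }
        }
    } finally {
        # 3. rmdir removes the link, not what it points to; then drop the snapshot itself.
        cmd.exe /c rmdir $link | Out-Null
        $shadow.Delete() | Out-Null
    }
    # Hash what was collected so the copies can be tied to the case record.
    Get-ChildItem -LiteralPath $Destination -File | Get-FileHash -Algorithm SHA256
}

Copy-RegistryHives -Destination 'D:\case\hives' -UserName 'player'   # folder and profile name assumed
```

The snapshot is taken first and the hives copied from it, rather than copying the live files, because the kernel holds the live hives open with no sharing; the same approach collects the .LOG1/.LOG2 files, which a plain hive export would leave behind.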

Forensic Value in Configuration and Persistence

While the Registry contains countless artifacts (many of which, like UserAssist and Shellbags, are covered in other chapters), its primary value in this context lies in revealing system configuration and common persistence mechanisms.

  • Software Installation Evidence: Installed software is recorded under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (64-bit applications), HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall (32-bit applications on 64-bit Windows) and HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall (per-user installs that needed no admin rights). An entry here can prove that an application (such as a known cheat installer) was installed, together with its InstallDate, InstallLocation and DisplayVersion values. A clean uninstall normally removes the Uninstall entry, but uninstallers are frequently sloppy: vendor keys under HKLM\SOFTWARE or HKCU\Software, MRU lists and shell artifacts often survive, so search the whole hive for the product name rather than stopping at the Uninstall key.

  • System and Security Configuration: The SOFTWARE, SYSTEM and NTUSER.DAT hives record the settings an analyst checks first. Policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (for example EnableLUA = 0, which disables UAC) and under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender (DisableAntiSpyware, and DisableRealtimeMonitoring in its Real-Time Protection subkey) show disabled security features; Defender exclusions live under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions. Service configuration (ImagePath, ServiceDll, Start type) is under HKLM\SYSTEM\CurrentControlSet\Services. Policies designed to hinder an investigation are mostly per-user and therefore in NTUSER.DAT: DisableCMD under HKCU\Software\Policies\Microsoft\Windows\System, and DisableRegistryTools and DisableTaskMgr under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.

  • Persistence via Run and RunOnce Keys: These are the most classic and common persistence mechanisms on Windows. Each value in these keys is a command line that Windows executes at logon: HKLM entries run for every user who logs on, HKCU entries only for that user. RunOnce values are deleted by Windows as soon as they have run, so an empty RunOnce key proves nothing on its own (the deletion still updates the key's LastWrite time). Malware and cheat loaders are frequently placed here to ensure they run automatically. Key locations include:

    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    • HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run and RunOnce (the view that 32-bit installers write to on 64-bit Windows; easy to overlook when browsing the 64-bit keys)

  • Other Persistence Mechanisms: The Registry hosts numerous other persistence techniques. AppInit_DLLs (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows) loads a DLL into every process that links user32.dll, but only when LoadAppInit_DLLs is 1, and it is disabled entirely when Secure Boot is on, so it is rare on modern machines. COM hijacking registers a malicious server for a CLSID that a trusted process loads; because HKCU\Software\Classes\CLSID is consulted before the HKLM copy and needs no admin rights, check the user's UsrClass.dat as well as HKLM. Malicious services are entries under HKLM\SYSTEM\CurrentControlSet\Services whose ImagePath or ServiceDll points at an unexpected binary. Winlogon's Userinit and Shell values (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) and Image File Execution Options Debugger values, which redirect a named executable to another program, round out the list an SSer should know.

  • Evidence of Tampering: Every key carries a LastWrite time, updated when a value in that key is created, modified or deleted, or when a direct subkey is created or deleted. It does not change when something deeper in the tree changes, and values have no timestamp of their own, so a LastWrite time tells you that something in the key changed, not which value. A recent LastWrite time on a persistence key, or on a key that should be static, is a strong indicator of recent activity; ordinary installers and updaters write to Run keys too, so treat it as a lead to confirm against the target file's creation time and execution artifacts. Forensic registry parsers can also often recover deleted keys and values from unallocated space inside the hive (and from the transaction logs), revealing attempts to clear persistence entries; recovery is not guaranteed, since that space is reused.
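The Run-key sweep and LastWrite check described above, as an added example that is not code from the original page: it lists every value in the Run/RunOnce keys, stamps each with the LastWrite time of the key holding it (read through RegQueryInfoKeyW, since the PowerShell registry provider does not expose key timestamps), and flags targets that are missing, unsigned, in a user-writable folder, or launched through a signed system binary. It assumes Windows PowerShell 5.1, an elevated session opened as the account being checked (HKCU is the session's own hive); the path-resolution and flag heuristics are this example's own.

```powershell
# Added example, not from the original page. Windows PowerShell 5.1, elevated,
# run as the account under check. Flag heuristics are illustrative.

# The registry provider exposes no key timestamps; RegQueryInfoKeyW does. The
# C# wrapper absorbs the unused out-parameters and returns a UTC DateTime.
Add-Type -Namespace RegForensics -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", EntryPoint = "RegQueryInfoKeyW", SetLastError = true)]
static extern int RegQueryInfoKey(IntPtr hKey, IntPtr lpClass, IntPtr lpcchClass, IntPtr lpReserved,
    out uint subKeys, out uint maxSubKeyLen, out uint maxClassLen, out uint values,
    out uint maxValueNameLen, out uint maxValueLen, out uint securityDescriptor, out long lastWrite);

public static DateTime LastWriteUtc(IntPtr hKey) {
    uint a, b, c, d, e, f, g; long ft;
    int rc = RegQueryInfoKey(hKey, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
                             out a, out b, out c, out d, out e, out f, out g, out ft);
    if (rc != 0) throw new System.ComponentModel.Win32Exception(rc);
    return DateTime.FromFileTimeUtc(ft);   // FILETIME: 100 ns ticks since 1601-01-01 UTC
}
'@

# The four keys listed above plus the WOW6432Node view that 32-bit installers write to.
$runKeys = @(
    @{ Root = 'HKLM'; Path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run' },
    @{ Root = 'HKLM'; Path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' },
    @{ Root = 'HKLM'; Path = 'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run' },
    @{ Root = 'HKLM'; Path = 'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce' },
    @{ Root = 'HKCU'; Path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run' },
    @{ Root = 'HKCU'; Path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' }
)

function Resolve-RunTarget([string]$Command) {
    # Heuristic: a quoted path, else the first token ending in an executable or
    # script extension, else the first whitespace-delimited token.
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.(?:exe|com|bat|cmd|vbs|js|ps1))(?:\s|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function Get-RunKeyEntries {
    foreach ($k in $runKeys) {
        $root = if ($k.Root -eq 'HKLM') { [Microsoft.Win32.Registry]::LocalMachine } else { [Microsoft.Win32.Registry]::CurrentUser }
        $key = $root.OpenSubKey($k.Path)                 # read-only; $null if the key is absent
        if ($null -eq $key) { continue }
        try {
            # One timestamp per key: the latest create/modify/delete of any value in it.
            $lastWrite = [RegForensics.Native]::LastWriteUtc($key.Handle.DangerousGetHandle())
            foreach ($name in $key.GetValueNames()) {
                $cmd    = [string]$key.GetValue($name)
                $exe    = Resolve-RunTarget $cmd
                $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe -PathType Leaf)
                $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status.ToString() } else { 'n/a' }
                $flags  = @()
                if (-not $exists)         { $flags += 'TARGET_MISSING' }
                elseif ($sig -ne 'Valid') { $flags += "SIG_$sig" }
                if ($exe -match '\\(Temp|Downloads|Public)\\') { $flags += 'USER_WRITABLE_PATH' }
                if ($exe -match '(^|\\)(rundll32|regsvr32|mshta|powershell|pwsh|cmd|wscript|cscript)(\.exe)?$') {
                    $flags += 'LOLBIN_LAUNCHER'          # signed launcher: the payload is in the arguments
                }
                [pscustomobject]@{
                    Key = "$($k.Root)\$($k.Path)"; LastWriteUtc = $lastWrite; Name = $name
                    Command = $cmd; Target = $exe; Signature = $sig; Flags = ($flags -join ',')
                }
            }
        } finally { $key.Close() }
    }
}

Get-RunKeyEntries | Sort-Object LastWriteUtc -Descending | Format-Table -AutoSize
```

The LastWriteUtc column belongs to the key, not to the row: if a legitimate updater rewrote its own entry after the cheat's entry was added, the time you see is the updater's. A bare program name with no directory (rundll32 without a path) is reported as TARGET_MISSING because the example does not walk PATH; read the Command column for those rows.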


Reflection points (SS Contest)

For a ScreenSharer, the Registry is a primary target for finding cheats that are designed to be "sticky" and for uncovering system modifications made to support cheating.

  • Hunting for Auto-Start Cheats: The Run keys are a mandatory check in any thorough screenshare. Resolve each value to the binary it actually launches (expand the environment variables, strip the arguments) and look at where that binary lives and whether it is signed; a cheat loader or unknown executable found there is proof that the player configured it to start automatically. Remember that a value may launch a legitimate signed program such as rundll32.exe or powershell.exe with the real payload in the arguments.

  • Discovering System Manipulation: A player might disable security features via the Registry to allow their cheats to run unimpeded. An SSer can check specific policy keys to find evidence of this tampering: DisableCMD under HKCU\Software\Policies\Microsoft\Windows\System, DisableRegistryTools and DisableTaskMgr under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, EnableLUA set to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and the Windows Defender policies and exclusion lists under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender and HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions. An exclusion that covers the cheat's folder is as telling as the cheat itself.

  • The "LastWrite" Timestamp: This is a simple but powerful piece of evidence. If you find a suspicious entry in a Run key, the LastWrite time of that key is the most recent change to the key, so the entry was added no later than that, and it may link the entry directly to the current gameplay session. Treat it with care: the time belongs to the key, not to the value, so any later change to another value in the same key (an updater rewriting its own entry, or the player deleting a different entry) overwrites it. Compare it with the creation time of the file the entry launches.

  • Recovering Deleted Persistence: Using a tool like Registry Explorer that can show deleted keys and values is vital. A player might run a cheat that adds itself to a Run key and then delete the entry before the SS. A forensic parser can often recover that deleted value from the hive's unallocated space (or from the .LOG1/.LOG2 transaction logs), providing evidence of both the persistence entry and an attempt to cover tracks. Two caveats: the deletion itself updates the Run key's LastWrite time, which is worth noting in its own right, and recovery depends on the freed space not having been reused, so failing to recover anything proves nothing.
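The policy and Defender checks described in this section, as an added example that is not code from the original page: every location is a documented Windows policy or Defender key, and each check states what a tampered value means. It assumes Windows PowerShell 5.1 in an elevated session on the live machine, opened as the account being checked (the HKCU: entries read the session's own hive); the function name and the list of tools checked for IFEO hijacks are this example's own.

```powershell
# Added example, not from the original page. Windows PowerShell 5.1, elevated.
# HKCU: is the hive of the account running this session; if you are logged on as
# a different admin, load the player's NTUSER.DAT (reg load) and point the HKCU
# paths at that mount instead.

# Each check: where the value lives, the condition that means tampering, and
# what it does. Absent values are the clean default for all of them.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'
       Bad = { param($v) $v -eq 0 };  Meaning = 'UAC disabled' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'
       Bad = { param($v) $v -ge 1 };  Meaning = 'regedit.exe blocked (2 also blocks regedit /s)' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'
       Bad = { param($v) $v -ge 1 };  Meaning = 'Task Manager blocked' },
    @{ Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\System';                 Name = 'DisableCMD'
       Bad = { param($v) $v -ge 1 };  Meaning = 'cmd.exe blocked (1 = batch files too, 2 = interactive only)' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';               Name = 'DisableAntiSpyware'
       Bad = { param($v) $v -eq 1 };  Meaning = 'Defender disabled by policy' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring'
       Bad = { param($v) $v -eq 1 };  Meaning = 'Defender real-time protection disabled by policy' }
)

function Test-RegistryTampering {
    foreach ($c in $checks) {
        # Get-ItemProperty returns nothing (no exception) when the key or value is absent.
        $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $v = $item.($c.Name)
        if (& $c.Bad $v) {
            [pscustomobject]@{ Check = $c.Meaning; Location = "$($c.Path)\$($c.Name)"; Value = $v }
        }
    }

    # Defender exclusions: every value NAME under these keys is an excluded path,
    # process or extension. An exclusion covering a cheat folder is a strong finding.
    $exclRoots = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions',
                 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'
    foreach ($root in $exclRoots) {
        foreach ($kind in 'Paths', 'Processes', 'Extensions') {
            $key = Get-Item -LiteralPath "$root\$kind" -ErrorAction SilentlyContinue
            if ($null -eq $key) { continue }
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{ Check = "Defender exclusion ($kind)"; Location = "$root\$kind"; Value = $name }
            }
        }
    }

    # IFEO Debugger hijack: starting the named tool runs the Debugger value instead.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($exe in 'cmd.exe', 'regedit.exe', 'taskmgr.exe', 'powershell.exe', 'mmc.exe') {
        $dbg = (Get-ItemProperty -LiteralPath "$ifeo\$exe" -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{ Check = 'IFEO Debugger hijack'; Location = "$ifeo\$exe\Debugger"; Value = $dbg }
        }
    }
}

Test-RegistryTampering | Format-Table -AutoSize
```

No output means none of the listed settings is present, not that the machine is clean; an absent Defender policy value, for example, says nothing about protection switched off through the Security app, which this example does not read.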
