Accessing the Registry

Several tools allow viewing and interacting with the Registry:

  • Regedit (regedit.exe):

    • The built-in Windows graphical Registry Editor.

    • Accessed via Win+R -> regedit. Usually requires administrator privileges for full access.

    • Presents the Registry in a familiar tree structure (Hives > Keys > Subkeys). Values are displayed in the right pane.

    • Forensic Significance: Direct execution of regedit.exe logged in Prefetch/BAM strongly implies manual user interaction. Check the "LastWriteTime" on keys in Regedit (View > Display Key Last Write Time) to see when they were last modified. Regedit also remembers the last key accessed before closing, which can occasionally provide clues.

  • Reg.exe:

    • The command-line utility for Registry operations (reg query, reg add, reg delete, reg compare, etc.).

    • Forensic Significance: Execution logged in Prefetch/BAM or command history indicates scripted or manual command-line manipulation, often used for bypasses like clearing BAM entries or disabling security features.

  • Third-Party Tools (Registry Explorer, etc.):

    • Registry Explorer (Eric Zimmerman): A powerful, free, GUI-based forensic tool specifically designed for Registry analysis. It can parse live Registry hives or offline hive files (e.g., extracted from C:\Windows\System32\config or VSS).

    • Key Features for Screensharing:

      • Deleted Key/Value Indication: Often visually highlights (e.g., with a specific icon like a red circled warning) the presence of deleted keys or values within a loaded hive's structure. Finding recently deleted entries in forensically relevant hives like BAM or UserAssist during the current boot session is highly suspicious evidence of cleanup attempts.

      • Robust Search (CTRL+F): Allows searching across keys, value names, value data, and even slack space for specific strings, keywords, dates (in UTC), or data sizes.

      • Deleted Value Recovery: Can often recover and display the data of deleted keys/values (usually highlighted, often in red text).

      • Bookmarks: Includes predefined bookmarks pointing to common forensically significant locations (UserAssist, BAM, Run Keys, USBStor, etc.).

      • Timestamp Display: Clearly displays the "Last Write Time" for each key, indicating the last time any value or subkey within it was modified. Displays timestamps in UTC by default.

    • Usage Note: It's often recommended to launch Registry Explorer and load the necessary hives (NTUSER.DAT for user activity, SYSTEM/SOFTWARE for system config) early in the screenshare. It takes a snapshot at the time of loading and doesn't update live, preserving the state at that moment against further changes by the user or system. Requires administrator privileges.

    • Other Tools: RegScanner (Nirsoft) offers alternative search capabilities.
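The key "Last Write Time" that Regedit (View > Display Key Last Write Time) and Registry Explorer surface can also be read from a script, which is useful when a GUI tool is not available on the machine being reviewed. The following PowerShell is an added example, not code from this page or from any of the tools above. It assumes an elevated prompt and the Windows 10 1809+ BAM location under `SYSTEM\CurrentControlSet\Services\bam\State\UserSettings`; it calls the Win32 `RegQueryInfoKey` API via P/Invoke because .NET's `RegistryKey` class does not expose the key timestamp directly.

```powershell
# Added example (not from the original page): list BAM entries with the per-user key
# LastWriteTime and each executable's decoded last-run time, from PowerShell.
# Assumptions: run elevated; Windows 10 1809+ BAM path (older builds use
# SYSTEM\CurrentControlSet\Services\bam\UserSettings instead).

$signature = @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern int RegQueryInfoKey(
    IntPtr hKey, IntPtr lpClass, IntPtr lpcbClass, IntPtr lpReserved,
    out uint lpcSubKeys, out uint lpcbMaxSubKeyLen, out uint lpcbMaxClassLen,
    out uint lpcValues, out uint lpcbMaxValueNameLen, out uint lpcbMaxValueLen,
    out uint lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@
# Only compile the P/Invoke wrapper once per session.
if (-not ('Win32.RegApi' -as [type])) {
    Add-Type -MemberDefinition $signature -Name RegApi -Namespace Win32
}

function Get-RegKeyLastWriteTime {
    # Returns the key's last write time (UTC), i.e. the same timestamp Regedit and
    # Registry Explorer display for a key.
    param([Parameter(Mandatory)][Microsoft.Win32.RegistryKey]$Key)
    [uint32]$sub = 0; [uint32]$maxSub = 0; [uint32]$maxClass = 0
    [uint32]$vals = 0; [uint32]$maxValName = 0; [uint32]$maxVal = 0
    [uint32]$sd = 0; [long]$ft = 0
    $rc = [Win32.RegApi]::RegQueryInfoKey($Key.Handle.DangerousGetHandle(),
        [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero,
        [ref]$sub, [ref]$maxSub, [ref]$maxClass, [ref]$vals,
        [ref]$maxValName, [ref]$maxVal, [ref]$sd, [ref]$ft)
    if ($rc -ne 0) { throw "RegQueryInfoKey failed with Win32 error $rc" }
    [DateTime]::FromFileTimeUtc($ft)
}

$bamPath = 'SYSTEM\CurrentControlSet\Services\bam\State\UserSettings'
$bam = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($bamPath)
if ($null -eq $bam) {
    Write-Warning "BAM key not found: pre-1809 Windows, or the shell is not elevated."
    return
}

foreach ($sid in $bam.GetSubKeyNames()) {
    $userKey = $bam.OpenSubKey($sid)
    $keyTime = Get-RegKeyLastWriteTime -Key $userKey
    "{0}  (key LastWriteTime {1:u})" -f $sid, $keyTime

    $newestEntry = [DateTime]::MinValue
    foreach ($name in $userKey.GetValueNames()) {
        $data = $userKey.GetValue($name)
        # Each executable entry is REG_BINARY; the first 8 bytes are a FILETIME.
        # The DWORD values "Version" and "SequenceNumber" are skipped by this test.
        if ($data -is [byte[]] -and $data.Length -ge 8) {
            $lastRun = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($data, 0))
            if ($lastRun -gt $newestEntry) { $newestEntry = $lastRun }
            "    {0:u}  {1}" -f $lastRun, $name
        }
    }

    # Heuristic: a normal program launch writes a value and bumps the key's
    # LastWriteTime together, so the two stay close. Deleting a value also bumps
    # the key time but leaves no entry behind, so a key time that is noticeably
    # newer than the newest surviving entry is worth a closer look in
    # Registry Explorer (deleted value recovery).
    if ($keyTime - $newestEntry -gt [TimeSpan]::FromMinutes(1)) {
        "    [!] key modified {0:u} but newest entry is {1:u}" -f $keyTime, $newestEntry
    }
}
```

Run it from an elevated PowerShell session; all times are printed in UTC to match Registry Explorer's default. The gap check at the end is a heuristic only: a key time newer than the newest surviving entry is a reason to load the hive in Registry Explorer and look for deleted values, not proof of cleanup on its own.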
