Location of forensic evidence in the registry

I got tired of always searching online for the location of something in the Windows registry, especially when it came to forensic analysis. Hopefully this compilation will help others to find things of interest inside the Windows registry. My plan is to update this article as I find more interesting locations within the Windows registry.


Last logged on user

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon


Searches within the Windows OS

HKCU\Software\Microsoft\Search Assistant\ACMru

5001: Contains the list of terms used for the Internet search assistant

5603: Contains the list of terms used for the Windows XP files and folders search

5604: Contains the list of terms used in the “word or phrase in a file” search

5647: Contains the list of terms used in the “for computers or people” search

Applications launched from the “Start > Run” menu


Recent documents


Installed applications that reside in “Control Panel > Add/Remove programs”


Mounted devices

HKLM\SYSTEM\MountedDevices

USB devices that have been attached


Applications that are run during startup

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute

List of Windows services


Recent network settings, where GUID refers to the network interface


Wireless network information


Mapped network drives

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

URLs typed into the browser

HKU\UID\Software\Microsoft\Internet Explorer\TypedURLs

Last time the computer was shut down (64-bit value representing the time)


Determine whether last-access time updating is enabled (0) or disabled (1)



Computer name


Determine whether AutoPlay is disabled or enabled (see the link with more info below)



List of files opened or saved via Windows Explorer


List of drives mapped via the map network drive wizard

HKU\UID\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

Devices or IPs connected to


Mounted drives


List of files played in Windows Media Player



List of recently accessed WinZip files

HKU\UID\Software\Nico Mak Computing\WinZip\filemenu

List of Microsoft Office files that have been accessed

HKU\UID\Software\Microsoft\Office\<version>\<product>\File Name MRU

Browser Helper Objects (BHOs); these can be associated with malware, but it’s been a while since I’ve seen this.

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

Entries in this location are automatically started when explorer.exe is run


Can point to logon scripts


DLLs in this location are loaded when a GUI app is launched

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Programs to be run when user logs in

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit

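As an added example that is not part of the original post: a read-only PowerShell triage script that walks the autostart and logon locations listed above (the Run* keys, BootExecute, AppInit_DLLs, Userinit and the BHO list) on the live machine and flags values that differ from what a stock install carries. The expected default values and the CLSID-to-DLL lookup under HKLM\SOFTWARE\Classes\CLSID are my assumptions about a default Windows install, not something the post states.

```powershell
# Added example (not from the original post): read-only triage of the
# autostart/logon locations listed above. Run from an elevated prompt.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce'
)
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$windows  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$session  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$bhoRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# Stock values on a default install (my assumption); anything else is worth a look.
$expected = @{
    Userinit     = "$env:SystemRoot\system32\userinit.exe,"
    BootExecute  = 'autocheck autochk *'
    AppInit_DLLs = ''
}

function Get-Entry($Key, $Name) {
    # One record per value; REG_MULTI_SZ arrays are joined for display.
    $item = Get-Item -Path $Key -ErrorAction SilentlyContinue
    if (-not $item) { return }
    $text = [string](@($item.GetValue($Name)) -join ' ')
    [pscustomobject]@{
        Location = "$Key\$Name"
        Value    = $text
        Suspect  = $expected.ContainsKey($Name) -and ($text -ne $expected[$Name])
    }
}

$report = @(foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if ($item) { foreach ($n in $item.GetValueNames()) { Get-Entry $key $n } }
})
$report += Get-Entry $winlogon 'Userinit'
$report += Get-Entry $windows  'AppInit_DLLs'
$report += Get-Entry $session  'BootExecute'

# BHOs are registered by CLSID; resolve each to its DLL via InprocServer32.
if (Test-Path $bhoRoot) {
    foreach ($clsid in (Get-ChildItem -Path $bhoRoot).PSChildName) {
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $srv) { (Get-ItemProperty -Path $srv).'(default)' } else { '<unresolved CLSID>' }
        $report += [pscustomobject]@{ Location = "$bhoRoot\$clsid"; Value = $dll; Suspect = $true }
    }
}
$report | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap
```

Run* entries are listed without a verdict, since there is no fixed default to compare against; every BHO is marked for review because a clean install registers none.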

4 Responses to “Location of forensic evidence in the registry”

  1. Iain Says:

    Thanks for this mate, really helped with my report 🙂

  2. JD Says:

    Thx, really helpful!

  3. Jake Says:

    Very nice list, thank you

  4. TheFruiter Says:

    Hi! I’m searching for the artifacts/ registry records created/ being updated when burning a DVD disc with a third party application. Could you help? Do you know any of these artifacts/ records? I’m running Windows Vista. Thanks in advance!

    P.S. Artifacts/ records affected by inserting a blank disc into a drive or opening/ closing the drive lid would also be very useful.
