Location of forensic evidence in the registry

I got tired of always searching online for the location of something in the Windows registry, especially when it came to forensic analysis. Hopefully this compilation will help others find things of interest inside the Windows registry. My plan is to update this article as I find more interesting locations within the Windows registry.

=====================================================================

Last logged on user

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon

DefaultUserName

Searches within the Windows OS

HKCU\Software\Microsoft\Search Assistant\ACMru

5001: Contains the list of terms used for the Internet search assistant

5603: Contains the list of terms used for the Windows XP files and folders search

5604: Contains the list of terms used in the “word or phrase in a file” search

5647: Contains the list of terms used in the “for computers or people” search

Applications launched from the “Start > Run” menu

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Recent documents

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Installed applications that reside in “Control Panel > Add/Remove programs”

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Mounted devices

HKLM\SYSTEM\MountedDevices
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\

USB devices that have been attached

HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR

Applications that are run during startup

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute

List of Windows services

HKLM\SYSTEM\CurrentControlSet\Services\

Recent network settings, where GUID refers to the network interface

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\GUID

Wireless network information

HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\GUID

Mapped network drives

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

URLs typed into the browser

HKU\UID\Software\Microsoft\Internet Explorer\TypedURLs

Last time the computer was shut down (64-bit value representing the time)

HKLM\SYSTEM\CurrentControlSet\Control\Windows

Determine whether last-access time updates are enabled (0) or disabled (1)

HKLM\System\CurrentControlSet\Control\FileSystem\

NtfsDisableLastAccessUpdate

Computer name

HKLM\System\CurrentControlSet\Control\ComputerName

Determine whether AutoPlay is enabled or disabled; the link below has more information

http://support.microsoft.com/kb/967715

HKU\UID\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
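The three encoded values listed above (the 64-bit shutdown timestamp, NtfsDisableLastAccessUpdate and NoDriveTypeAutoRun) decoded from the raw bytes a registry export gives you, as an added example that is not part of the original article. The value name ShutdownTime under the Control\Windows key is my addition, and the sample byte strings are constructed, not taken from a real system.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# NoDriveTypeAutoRun is a bitmask with one bit per Win32 drive type
# (bit n corresponds to DRIVE_* type n; 0x80 is the reserved "unknown" bit).
AUTORUN_BITS = {
    0x01: "unknown", 0x02: "no_root_dir", 0x04: "removable", 0x08: "fixed",
    0x10: "network", 0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved_unknown",
}


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian REG_BINARY FILETIME (e.g. ShutdownTime
    under Control\\Windows) into an aware UTC datetime."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    ticks = int.from_bytes(raw, "little")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def last_access_enabled(raw: bytes) -> bool:
    """REG_DWORD NtfsDisableLastAccessUpdate: 0 = updates on, 1 = updates off.
    Only the low bit is checked; newer Windows releases add flag bits above it."""
    return (int.from_bytes(raw, "little") & 1) == 0


def autorun_disabled_for(raw: bytes) -> set:
    """Return the drive types on which this NoDriveTypeAutoRun DWORD disables
    AutoRun (0xFF means every type)."""
    value = int.from_bytes(raw, "little")
    return {name for bit, name in AUTORUN_BITS.items() if value & bit}


# Constructed sample values in the little-endian byte order regedit exports
# (not captured from a real system).
SAMPLE_SHUTDOWN_TIME = bytes.fromhex("00e0f2676346ce01")  # 2013-05-01 12:00 UTC
SAMPLE_LAST_ACCESS = bytes.fromhex("01000000")           # updates disabled
SAMPLE_AUTORUN = bytes.fromhex("91000000")               # 0x91

if __name__ == "__main__":
    print("Last shutdown (UTC):", filetime_to_datetime(SAMPLE_SHUTDOWN_TIME))
    print("Last-access updates enabled:", last_access_enabled(SAMPLE_LAST_ACCESS))
    print("AutoRun disabled on:", sorted(autorun_disabled_for(SAMPLE_AUTORUN)))
```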

List of files opened or saved via Windows Explorer

HKU\UID\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

List of drives mapped via the map network drive wizard

HKU\UID\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

Devices or IPs connected to

HKU\UID\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions

Mounted drives

HKU\UID\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

List of files played in Windows Media Player

HKU\UID\Software\Microsoft\MediaPlayer\Player\RecentFileList

HKU\UID\Software\Microsoft\MediaPlayer\Player\RecentURLList

List of recently accessed WinZip files

HKU\UID\Software\Nico Mak Computing\WinZip\filemenu

List of Microsoft Office files that have been accessed

HKU\UID\Software\Microsoft\Office\"version"\"product"\File Name MRU

Browser helper objects (BHOs); these can be associated with malware, but it’s been a while since I’ve seen this.

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

Entries in this location are automatically started when explorer.exe is run

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

Can point to logon scripts

HKLM\Software\Policies\Microsoft\Windows\System\Scripts\

DLLs in this location are loaded when a GUI application is launched

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Programs to be run when a user logs in

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit

4 Responses to “Location of forensic evidence in the registry”

  1. Iain Says:

    Thanks for this mate, really helped with my report 🙂

  2. JD Says:

    Thx, really helpful!

  3. Jake Says:

    Very nice list, thank you

  4. TheFruiter Says:

    Hi! I’m searching for the artifacts/ registry records created/ being updated when burning a DVD disc with a third party application. Could you help? Do you know any of these artifacts/ records? I’m running Windows Vista. Thanks in advance!

    P.S. Artifacts/ records affected by inserting a blank disc into a drive or opening/ closing the drive lid would also be very useful.
