Presentation is loading. Please wait.

Presentation is loading. Please wait.

Windows Registry: Introduction

Published byKarin Hunter Modified over 5 years ago

Similar presentations

Presentation on theme: "Windows Registry: Introduction"— Presentation transcript:

1 Windows Registry: Introduction
Moshe Caplan January 2013 Windows Registry: Introduction

2 Analyzing the Registry
Part 1: Understanding the Registry Discussed here Part 2: Obtaining the Registry Hives Discussed in Extracting the Hives Module Part 3: Analyzing the Registry Discussed in Registry Forensic Analysis Module

3 What is the Registry? (1) Windows Definition Translation on next slide
A central hierarchical database used in Microsoft Windows 98, Windows CE, Windows NT, and Windows 2000 used to store information that is necessary to configure the system for one or more users, applications and hardware devices.  The Registry contains information that Windows continually references during operation, such as profiles for each user, the applications installed on the computer and the types of documents that each can create, property sheet settings for folders and application icons, what hardware exists on the system, and the ports that are being used. Definition taken from:

4 What is the Registry (2) Database where Windows stores (almost) EVERYTHING Operating System Settings Hardware Configurations User Preferences Application Settings

5 Examples of Registry Values
Computer Name Recently Accessed: Last Shutdown Time Programs Startup Drivers / Programs Web Pages User Account Names Files Application Settings Previously Connected: IE Start Page Wireless Networks Skype Username USB Drives

6 Registry Structure Components Hierarchical Structure
Hives (discussed at the end) Root Keys Keys Sub-keys Values Hierarchical Structure Similar to directory / file structure Root Keys contain Keys and Sub-keys Keys and Sub-Keys contain Sub-Keys and Values

7 Accessing the Registry
Registry Editor Pre-installed on Windows Means of Access From a Command Line -> regedit For more information on accessing the Registry and using Registry Editor see:

8 Registry Editor

9 Root Keys The contents of the registry are distributed under five root keys, based on the data they contain HKEY_CLASSES_ROOT (HKCR) Application and file associations HKEY_CURRENT_USER (HKCU) Currently logged-in user’s profile HKEY_LOCAL_MACHINE (HKLM) Computer specific hardware and software configurations HKEY_USERS (HKU) All actively loaded user profiles HKEY_CURRENT_CONFIG (HKCC) Current hardware configurations

10 Notes about Keys and Values
HKEY_LOCAL_MACHINE and HKEY_USERS are actually the only two root keys The other three root keys are sub-keys within them Keys can have both sub-keys and values Registry values are actually composed of names, types, and data The different types can hold string, binary, or integer data For more info on registry value types see:

11 Registry Key Paths Similar to a file path Example
HKEY_USERS\.DEFAULT\Control Panel\International\Geo HKEY_USERS is a root key All the other values are sub-keys of that key This key specifies your computer’s location Within this key is a value named “Nation” (see next slide) On my computer the data value it holds is 244 244 refers to United States For a list of location codes used for this key see:

12 HKEY_USERS\.DEFAULT\Control Panel\International\Geo

13 Registry Hives (1) Hives are the files that store the contents of the registry Each hive contains a group of keys and values No direct correlation from hives to root keys To find the storage locations of the registry hives look in the registry  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist Most are stored in Windows\system32\config

14 Registry Hives (2) The standard hives according to Microsoft (these may differ slightly from what you see) HKEY_CURRENT_CONFIG HKEY_CURRENT_USER HKEY_LOCAL_MACHINE\SAM HKEY_LOCAL_MACHINE\Security HKEY_LOCAL_MACHINE\Software HKEY_LOCAL_MACHINE\System HKEY_USERS\.DEFAULT For more information see:

15 Registry Hives (3)

16 Searching & Modifying Values
Registry Editor Searching Edit -> Find (or Find Next) Can search for Keys, Value Names, and Data Strings Modifying the Registry A wrong modification can cause MAJOR problems If you are going to modify the registry Make sure to back it up first Only modify one entry at a time See:

17 Final Notes The examples were taken from Windows 7
Other recent Windows versions are similar See the sample challenges section for some interesting registry entries to find For more information on the Registry see: Links on the preceding slides References slide Module Resources

18 References Microsoft Links Other Registry Tutorials
MSDN: Support: TechNet: Other Registry Tutorials Forensics Analysis of the Registry

Download ppt "Windows Registry: Introduction"

Similar presentations

Working with the Windows Registry Computer Club of the Sandhills November 12, 2012.

Working with the Windows Registry Computer Club of the Sandhills November 12, 2012.
Your Friend and Mine The Windows Registry. What is the Registry? ► Think of as a giant 411 switchboard ► Simple idea of centralized one-stop shopping.

Your Friend and Mine The Windows Registry. What is the Registry? ► Think of as a giant 411 switchboard ► Simple idea of centralized one-stop shopping.
Web Application Server Apache Tomcat Downloading and Deployment Guide.

Web Application Server Apache Tomcat Downloading and Deployment Guide.
1 Module 7 Configuring the Windows NT Environment.

1 Module 7 Configuring the Windows NT Environment.
MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646) Chapter 3 Configuring the Windows Server 2008 Environment.

MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646) Chapter 3 Configuring the Windows Server 2008 Environment.
Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 Investigating.

Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA Investigating.
Configuration Files CGS2564. DOS Config.sys Device drivers Memory configuration Autoexec.bat Run programs, DOS commands, etc. Environment settings File.

Configuration Files CGS2564. DOS Config.sys Device drivers Memory configuration Autoexec.bat Run programs, DOS commands, etc. Environment settings File.
KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY Welcome to Unit 3 IT278 Network Administration Course Name – IT278 Network Administration Instructor.

KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY Welcome to Unit 3 IT278 Network Administration Course Name – IT278 Network Administration Instructor.
Mastering Windows Network Forensics and Investigation Chapter 8: The Registry Structure.

Mastering Windows Network Forensics and Investigation Chapter 8: The Registry Structure.
The Windows Registry Adapted from

The Windows Registry Adapted from
Registry Analysis What is it? What does it contain?

Registry Analysis What is it? What does it contain?
Registry Structure What is it? What does it contain?

Registry Structure What is it? What does it contain?
Hands-On Microsoft Windows Server 2008

Hands-On Microsoft Windows Server 2008
Chapter 10 Chapter 10: Managing the Distributed File System, Disk Quotas, and Software Installation.

Chapter 10 Chapter 10: Managing the Distributed File System, Disk Quotas, and Software Installation.
Application Repackaging - Naushad Ali T Doddamani.

Application Repackaging - Naushad Ali T Doddamani.
Installing Windows XP Professional Using Attended Installation Slide 1 of 41Session 2 Ver. 1.0 CompTIA A+ Certification: A Comprehensive Approach for all.

Installing Windows XP Professional Using Attended Installation Slide 1 of 41Session 2 Ver. 1.0 CompTIA A+ Certification: A Comprehensive Approach for all.
Operating System & Application Files BACS 371 Computer Forensics.

Operating System & Application Files BACS 371 Computer Forensics.
Working with the Windows XP Registry

Working with the Windows XP Registry
OS and Application Files BACS 371 Computer Forensics.

OS and Application Files BACS 371 Computer Forensics.
Users and Groups Security Architecture Editing Security Policies The Registry File Security Auditing/Logging Network Issues (client firewall, IPSec, Active.

Users and Groups Security Architecture Editing Security Policies The Registry File Security Auditing/Logging Network Issues (client firewall, IPSec, Active.

Similar presentations

Ads by Google