Presentation is loading. Please wait.

Presentation is loading. Please wait.

Registry Structure What is it? What does it contain?

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Registry Structure What is it? What does it contain?"— Presentation transcript:

1 Registry Structure What is it? What does it contain?

2 Objectives Logical and physical structure of the Registry Format of Registry files Examination of the Registry Forensically important keys Analyzing Registry information

3 The Registry Hierarchal database Maintains configuration settings –Applications –Hardware –Devices –Users

4 Registry Access regedit.exe – A “GUI” interface to the Registry Native to XP and Vista NT and 2000 has regedit.exe but with limited capabilities

5 Physical Structure Binary files Stored in RAM and hard drive Limited data types

6 Logical Structure Highest Level My Computer Contains Five Root Hives Each Hive consists of Hives and Keys Each key has a set of triples Subkey list Last access time

7 Key Structure

8

9 Registry Data Types Series of nested arrays designed to store a list of resources A list of resources used by a physical HW device A list of HW resources used by a device driver

10 Hives - Physical A Hive is a logical file from multiple files on disk and RAM The Registry is the collection of these hives Each hive contains a registry tree Each hive has a key that serves as the root or starting point of the tree The integration of all these hives into the root hives consists of the registry

11 Five Root Hives

12 Root Hives HKEY_USERS Contains all the actively loaded user profiles for the system HKEY_CURRENT_USER Is the active, loaded user profile currently logged on HKEY_LOCAL_MACHINE Contains configuration information for the system bot HW and SW

13 Root Hives (cont’d) HKEY_CURRENT_CONFIG Contains the hardware profile the system uses at startup HKEY_CLASSES_ROOT Contains configuration information for which apps open which files

14 Registry-to-File Correspondence Hive Registry PathHive File Path HKEY_LOCAL_MACHINE\SYSTEM\Windows\System32\Config\System HKEY_LOCAL_MACHINE\SAM\Windows\System32\Config\Sam HKEY_LOCAL_MACHINE\SECURITY\Windows\System32\Config\Security HKEY_LOCAL_MACHINE\SOFTWARE\Windows\System32\Config\Software HKEY_LOCAL_MACHINE\HARDWAREVolatile hive HKEY_LOCAL_MACHINE\SYSTEM\CloneVolatile hive (Win 2K only) HKEY_USERS\ \Documents and settings\ \Ntuser.dat HKEY_USERS\ _Classes\Documents and Settings\ \Local Settings\Application Data\Microsoft\Windows\Usrclass.dat HKEY_USERS\.DEFAULT\Windows\System32\Config\Default

15 Hive File Locations

16

17 Restore Points

18 HKEY_USERS User Profiles

19 HKEY_CURRENT_USER Logged on user profile

20 Current User One of those listed in HKEY_USERS

21 HKEY_LOCAL_MACHINE HW and SW Configs

22

23 HKEY_CURRENT_CONFIG Startup Profile

24 HKEY_CLASSES_ROOT Application to File Mapping This hive is subclassed to HKCU\Software\Classes HKLM \Software\Classes

25 Registry Cell Types Key cell Key info, offsets to subkeys and LastWrite time Value cell Holds a value/name and its data Subkey list cell Series of subkey offsets Value list cell Series of offsets to value cells

26 Registry Structure Keys Subkeys Values Type Data

27 Raw Registry File Key Cell Value Cell

Download ppt "Registry Structure What is it? What does it contain?"

Similar presentations

Working with the Windows Registry Computer Club of the Sandhills November 12, 2012.

Working with the Windows Registry Computer Club of the Sandhills November 12, 2012.
Your Friend and Mine The Windows Registry. What is the Registry? ► Think of as a giant 411 switchboard ► Simple idea of centralized one-stop shopping.

Your Friend and Mine The Windows Registry. What is the Registry? ► Think of as a giant 411 switchboard ► Simple idea of centralized one-stop shopping.
MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646) Chapter 3 Configuring the Windows Server 2008 Environment.

MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646) Chapter 3 Configuring the Windows Server 2008 Environment.
Configuration Files CGS2564. DOS Config.sys Device drivers Memory configuration Autoexec.bat Run programs, DOS commands, etc. Environment settings File.

Configuration Files CGS2564. DOS Config.sys Device drivers Memory configuration Autoexec.bat Run programs, DOS commands, etc. Environment settings File.
KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY Welcome to Unit 3 IT278 Network Administration Course Name – IT278 Network Administration Instructor.

KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY Welcome to Unit 3 IT278 Network Administration Course Name – IT278 Network Administration Instructor.
Mastering Windows Network Forensics and Investigation Chapter 8: The Registry Structure.

Mastering Windows Network Forensics and Investigation Chapter 8: The Registry Structure.
The Windows Registry Adapted from

The Windows Registry Adapted from
Chapter 3: Configuring the Windows Vista Environment.

Chapter 3: Configuring the Windows Vista Environment.
Registry Analysis What is it? What does it contain?

Registry Analysis What is it? What does it contain?
A+ Guide to Managing and Maintaining Your PC, 7e Chapter 14 Optimizing Windows.

A+ Guide to Managing and Maintaining Your PC, 7e Chapter 14 Optimizing Windows.
Hands-On Microsoft Windows Server 2008

Hands-On Microsoft Windows Server 2008
Chapter 10 Chapter 10: Managing the Distributed File System, Disk Quotas, and Software Installation.

Chapter 10 Chapter 10: Managing the Distributed File System, Disk Quotas, and Software Installation.
Application Repackaging - Naushad Ali T Doddamani.

Application Repackaging - Naushad Ali T Doddamani.
Chapter 11 Basic Windows and Windows Commands. Overview of what an Operating System does To identify and use common desktop and home screen icons To manipulate.

Chapter 11 Basic Windows and Windows Commands. Overview of what an Operating System does To identify and use common desktop and home screen icons To manipulate.
Windows 9x Graphical Interface on DOS. Goals for Today Install Windows 98SE Install/Load Device Drivers Explore options, tools, configuration Network.

Windows 9x Graphical Interface on DOS. Goals for Today Install Windows 98SE Install/Load Device Drivers Explore options, tools, configuration Network.
Operating System & Application Files BACS 371 Computer Forensics.

Operating System & Application Files BACS 371 Computer Forensics.
Working with the Windows XP Registry

Working with the Windows XP Registry
OS and Application Files BACS 371 Computer Forensics.

OS and Application Files BACS 371 Computer Forensics.
A+ Guide to Managing and Maintaining Your PC, 7e

A+ Guide to Managing and Maintaining Your PC, 7e
Users and Groups Security Architecture Editing Security Policies The Registry File Security Auditing/Logging Network Issues (client firewall, IPSec, Active.

Users and Groups Security Architecture Editing Security Policies The Registry File Security Auditing/Logging Network Issues (client firewall, IPSec, Active.

Similar presentations

Ads by Google