Registry Basics: Part 1

  1. What is the registry?
  2. Components of the Registry
  3. Offline Hives
  4. Map online to offline hives

What is the registry?

The Registry is a collection of database files that store vital configuration data for a system. The Registry data can be modified and/or deleted by a user.

Components of the Registry

  • The Registry contains a group of hives. A hive is a database file that contains specific configuration information.
  • A hive consists of keys and values. Keys are similar to folders in a filesystem.
  • Keys can contain additional keys, called sub-keys. This is similar to sub-folders.
  • Value cells are similar to files in a filesystem. They hold data stored in a key.

An example of a Registry path is NTUSER (hive)\Software (key)\Microsoft (subkey)\Run (subkey holding the value).
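To see the folder/file analogy on a live system, here is an added PowerShell example (not code from the original post) that lists one level of a key: its sub-keys come out as the "folder" entries and its value cells as the "files", each with the data type the registry stored. The default path and the Run key used in the usage lines are assumptions chosen because every profile has them; on a real system the Run autostart key sits under Software\Microsoft\Windows\CurrentVersion, a few levels deeper than the shortened path in the text.

```powershell
# Added example (not from the original post): walk one level of a live
# registry key and show sub-keys ("sub-folders") and value cells ("files").
# Relies only on the HKCU: provider and the Microsoft.Win32.RegistryKey
# object that Get-Item returns for a registry path.

function Show-RegistryKey {
    param(
        # Assumed starting point; any readable key path works here.
        [string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'
    )
    $key = Get-Item -LiteralPath $Path    # Microsoft.Win32.RegistryKey

    # Sub-keys: the "sub-folders" of this key.
    foreach ($sub in $key.GetSubKeyNames()) {
        [pscustomobject]@{ Kind = 'Key'; Name = $sub; Type = ''; Data = '' }
    }

    # Value cells: the "files" inside this key. An empty value name is the
    # key's (Default) value, which is stored like any other value cell.
    foreach ($valueName in $key.GetValueNames()) {
        $display = if ($valueName -eq '') { '(Default)' } else { $valueName }
        # DoNotExpandEnvironmentNames keeps REG_EXPAND_SZ data as written,
        # so an examiner sees %VARIABLE% rather than this machine's expansion.
        $data = $key.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
        [pscustomobject]@{
            Kind = 'Value'
            Name = $display
            Type = $key.GetValueKind($valueName)   # String, ExpandString, DWord, Binary, ...
            Data = $data
        }
    }
}

# Usage: the first call lists CurrentVersion, where Run appears as a sub-key;
# the second lists the value cells of Run itself (value name -> command line),
# the data an examiner reviews when triaging per-user autostart entries.
Show-RegistryKey | Format-Table -AutoSize
Show-RegistryKey -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' | Format-Table -AutoSize
```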

Offline Hives

The Registry is backed by files that live on disk, known as offline hives. You can find all of these registry files, apart from the per-user NTUSER.DAT and Usrclass.dat, at C:\Windows\System32\Config.

  • SAM hive has local account information including users and groups.
  • SECURITY hive has audit policies, cached credentials, and security identifiers.
  • SYSTEM hive has data for hardware devices, network configurations, and system services.
  • SOFTWARE hive has data for installed applications.
  • DEFAULT hive is usually irrelevant for examiners.
  • NTUSER.DAT hive has user-related data.
  • Usrclass.dat hive is where ShellBags and the MUICache are.
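When these files are collected for offline review, a quick sanity check is to confirm that what was copied really is a hive. The following is an added PowerShell example (not code from the original post) that scans a directory and tests each file for the 4-byte "regf" signature every hive file starts with; the default directory is the System32\Config location from the text and is an assumption you can override with -Directory to point at an exported or copied set. On a live system the hives named above are held open exclusively by the kernel, so the function reports them as locked instead of failing, and the directory itself needs an elevated prompt to read.

```powershell
# Added example (not from the original post): check which files in a config
# directory carry the 'regf' base-block signature found at offset 0 of every
# registry hive file. The .LOG1/.LOG2 transaction logs beside each hive begin
# with the same base block, so they pass the check too; that is expected.

function Test-RegistryHiveFiles {
    param(
        # Assumed default: the live config directory named in the text.
        [string]$Directory = (Join-Path $env:SystemRoot 'System32\config')
    )

    foreach ($file in Get-ChildItem -LiteralPath $Directory -File) {
        $status = $null
        try {
            # Open read-only with shared read; a hive the kernel has loaded
            # is opened without sharing, so this throws a sharing violation.
            $stream = [System.IO.File]::Open($file.FullName, 'Open', 'Read', 'Read')
            try {
                $header = New-Object byte[] 4
                $read   = $stream.Read($header, 0, 4)
                $magic  = [System.Text.Encoding]::ASCII.GetString($header, 0, $read)
                $status = if ($read -eq 4 -and $magic -eq 'regf') { 'regf signature' } else { 'not a hive' }
            } finally {
                $stream.Dispose()
            }
        } catch [System.IO.IOException] {
            # Sharing violation: the hive is currently loaded on this system.
            $status = 'locked (in use)'
        } catch [System.UnauthorizedAccessException] {
            $status = 'access denied'
        }

        [pscustomobject]@{
            Name   = $file.Name
            SizeKB = [math]::Round($file.Length / 1KB)
            Status = $status
        }
    }
}

# Usage: on a live system expect SAM, SECURITY, SOFTWARE, SYSTEM and DEFAULT to
# show as locked; against a copied directory every hive shows 'regf signature'.
Test-RegistryHiveFiles | Sort-Object Name | Format-Table -AutoSize
```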

Map online to offline hives

A live system exposes the same data through root keys. The keys below are pointers to the hives on disk; the list maps each live root key to the offline hives behind it.

  • HKEY_LOCAL_MACHINE (HKLM) key maps to SAM, SECURITY, SOFTWARE and SYSTEM hives.
  • HKEY_CURRENT_USER (HKCU) key maps to NTUSER and Usrclass.dat.
  • HKEY_CLASSES_ROOT key is in memory with a combination of HKLM and HKCU settings.
  • HKEY_USERS key provides config data for all logged-in users.
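Rather than memorising the mapping, you can ask the running system for it: the kernel records every loaded hive and the file backing it under HKLM\SYSTEM\CurrentControlSet\Control\hivelist. Below is an added PowerShell example (not code from the original post) that reads that key and turns each entry into a live-hive-to-disk-file row. The value names are NT object paths such as \REGISTRY\MACHINE\SAM and the data is the NT device path of the file; the rewrite of \Device\HarddiskVolumeN\Windows\... to $env:SystemRoot assumes the usual single system volume and is flagged as an assumption in the code.

```powershell
# Added example (not from the original post): map each hive loaded on the
# live system to the file that backs it, using the kernel's own hive list.
# Empty data means a volatile hive that exists only in memory (for example
# \REGISTRY\MACHINE\HARDWARE), which has no offline counterpart at all.

function Get-LoadedHiveMap {
    $hiveList = Get-Item -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'

    foreach ($name in $hiveList.GetValueNames()) {
        $ntPath = [string]$hiveList.GetValue($name)

        # Translate the NT path into a Win32 path where the form is known:
        #   \??\C:\...                         -> strip the DOS-device prefix
        #   \Device\HarddiskVolumeN\Windows\... -> assumed to be the system
        #                                          volume, so use $env:SystemRoot
        # Anything else is left as the raw NT path.
        $win32Path = switch -Regex ($ntPath) {
            '^\\\?\?\\(.+)$'                               { $Matches[1]; break }
            '^\\Device\\HarddiskVolume\d+\\Windows\\(.+)$' { Join-Path $env:SystemRoot $Matches[1]; break }
            default                                        { $ntPath }
        }

        $volatile = [string]::IsNullOrEmpty($ntPath)
        $display  = if ($volatile) { '(memory only)' } else { $win32Path }
        # Existence check only where we produced a real Win32 path; the file
        # may still be locked, but Test-Path does not need to open it.
        $onDisk = (-not $volatile) -and ($win32Path -notmatch '^\\Device\\') -and
                  (Test-Path -LiteralPath $win32Path)

        [pscustomobject]@{
            LiveHive  = $name        # e.g. \REGISTRY\MACHINE\SYSTEM, \REGISTRY\USER\S-1-5-21-...
            Volatile  = $volatile
            NtPath    = $ntPath
            Win32Path = $display
            OnDisk    = $onDisk
        }
    }
}

# Usage: the MACHINE\SAM, SECURITY, SOFTWARE and SYSTEM rows resolve to
# System32\config (the HKLM side of the mapping above); each USER\<SID> row
# resolves to that profile's NTUSER.DAT and USER\<SID>_Classes to its
# UsrClass.dat, which together are what HKCU presents for the current user.
Get-LoadedHiveMap | Sort-Object LiveHive | Format-Table -AutoSize
```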
