Windows Registry
Registry Terminology
The registry is created when Windows boots, using data from several files. Each file stores one or more hives. Each hive is made up of keys and subkeys. Each key has one or more values and value data.
Hives are a logical group of keys, subkeys and values.
1) HKEY_CLASSES_ROOT
2) HKEY_CURRENT_USER
3) HKEY_LOCAL_MACHINE
4) HKEY_USERS
5) HKEY_CURRENT_CONFIG
It also manages the connections to the network and to devices like digital cameras or printers.
HKEY_CURRENT_CONFIG (HKCC) - Contains information about the system's current hardware setup, in the same way that HKEY_CURRENT_USER contains information about whoever is logged into the system at the moment. It has details like the type of hard disk installed in your PC.
Supporting files
HKEY_CURRENT_CONFIG: System, System.alt, System.log, System.sav
HKEY_CURRENT_USER: Ntuser.dat, Ntuser.dat.log
HKEY_LOCAL_MACHINE\SAM: Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\Security: Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE\Software: Software, Software.log, Software.sav
HKEY_LOCAL_MACHINE\System: System, System.alt, System.log, System.sav
HKEY_USERS\.DEFAULT: Default, Default.log, Default.sav
.log: A transaction log of changes to the keys and value entries in the hive.
.sav: Copies of the hive files as they looked at the end of the text-mode stage in Setup.
Value types: String, Binary, DWORD, Multi-String, Expandable String
You can start regedit by clicking the Start button, choosing Run and then entering regedit.
From the Edit menu, you can create new keys, subkeys, values and data. You can also:
Modify the permissions on registry elements
Search for keys, subkeys, values and data
From the File menu, you can import one or many registry keys, subkeys, values and data. You can also:
Export registry data for backup or for copying to another computer
Load a hive file from another computer or from a user that is not logged in
Example: creating the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\New Windows\Allow
First double-click on keys in the HKEY_LOCAL_MACHINE hive until you get to the Microsoft key, then create keys for Internet Explorer, New Windows and Allow.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Console\RDP-Tcp\PortNumber
Since this key already exists, make a backup of the current values using the File | Export menu. Enter a name for the backup like RDP-orig.
An exported .reg file looks like this:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"21264:TCP"="21264:TCP:152.1.7.0/255.255.255.0:Enabled:Trend Micro OfficeScan Listener"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"21264:TCP"="21264:TCP:152.1.7.0/255.255.255.0:Enabled:Trend Micro OfficeScan Listener"
If keys or values with the same names already exist, they are replaced with the information in the .reg file. If the keys already exist, the values in the .reg file are merged with those already in the registry.
[-HKEY_LOCAL_MACHINE\Software\Test]
[HKEY_LOCAL_MACHINE\Software\Test]
"TestValue"=-
If a key in a .reg file is preceded by a minus sign, the key, its sub-keys and their value names are deleted. If a ValueName=- line is present in a .reg file, that value name is deleted. To rename a key or value using a .reg file, first delete the item and then add the data with a new name.
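As an added example (not part of the original slides), the following Python models the .reg import rules described above on an in-memory dictionary rather than the live registry: a [Key] is created or merged, a [-Key] deletes the key with its subkeys, and "Name"=- deletes a single value. The sample .reg text and the starting registry state are constructed for the demonstration.

```python
import re
# Constructed sample .reg text (not from the page), modelled on the firewall export
# and the [-HKEY_LOCAL_MACHINE\Software\Test] example discussed above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"21264:TCP"="21264:TCP:152.1.7.0/255.255.255.0:Enabled:Trend Micro OfficeScan Listener"
[-HKEY_LOCAL_MACHINE\Software\Test]
[HKEY_LOCAL_MACHINE\Software\Example]
"OldName"=-
"NewName"="kept"
"""


def apply_reg(text, registry):
    # registry: key path -> {value name: value data}. Simplification: matching is
    # case-sensitive (real registry names are not) and string escapes are not decoded.
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";":          # blank lines and comments
            continue
        if line[0] == "[" and line[-1] == "]":
            path = line[1:-1]
            if not path.startswith("-"):
                key = path
                registry.setdefault(key, {})   # created if missing; existing values kept
                continue
            key = None                         # [-Key]: delete key, subkeys and values
            for k in list(registry):
                if k == path[1:] or k.startswith(path[1:] + "\\"):
                    del registry[k]
            continue
        m = re.match(r'^"([^"]*)"=(.*)$', line)  # header lines never match and are skipped
        if key is None or not m:
            continue
        name, data = m.group(1), m.group(2)
        if data == "-":
            registry[key].pop(name, None)      # "Name"=- deletes only that value
        elif data.startswith('"'):
            registry[key][name] = data[1:-1]   # quoted string (REG_SZ) data
        else:
            registry[key][name] = data         # dword:/hex: data kept verbatim
    return registry


def merged_sample():
    # Constructed starting state; SAMPLE_REG is merged into it and the result returned.
    before = {
        r"HKEY_LOCAL_MACHINE\Software\Test": {"TestValue": "x"},
        r"HKEY_LOCAL_MACHINE\Software\Test\Sub": {"Child": "y"},
        r"HKEY_LOCAL_MACHINE\Software\Example": {"OldName": "old", "Untouched": "still"},
    }
    return apply_reg(SAMPLE_REG, before)
```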
To rename a key or value using regedit, select the item, right-click and choose Rename.
To avoid the Are you sure? prompt when importing, use the /s option in your script:
regedit /s test.reg
To export the full registry to the file full.reg:
regedit /e full.reg
To export individual registry keys:
regedit /e software.reg "HKEY_LOCAL_MACHINE\Software"
The search will start from the highlighted position and go downward in the registry window. You may need to select My Computer to search through all hives.
There are also third-party utilities to do this, such as Registry Toolkit and Registry Search + Replace, both from https://www.funduc.com. Beware that many "Registry Cleaner" type programs are trojans.
Registry Permissions
Like files and directories, registry keys have security permissions to control who can view, alter and delete registry data.
You can view or change the permissions for a key by selecting the key and using the Edit | Permissions menu.
The general permissions are Read, Full Control and Special Permissions. These Special Permissions can be configured using the Advanced button:
Permission - Definition
QV (Query Value) - allows the assigned user or group to read the settings of a value entry located in the Registry
SV (Set Value) - allows the assigned user or group to set the value of a value entry located in the subkey
CS (Create Subkey) - allows the assigned user or group to create a subkey located in this selected subkey
ES (Enumerate Subkeys) - allows the assigned user or group to identify all the subkeys in the selected subkey
NT (Notify) - allows the assigned user or group to receive audit notifications from this subkey
DE (Delete) - allows the assigned user or group the right to delete the subkey
WD (Write DAC) - allows the assigned user or group the right to read the discretionary access control list for the selected subkey
CL (Create Link) - allows the assigned user or group to create a symbolic link to this subkey
WO (Write Owner) - allows the assigned user or group the right to take ownership of the subkey
RC (Read Control) - allows the assigned user or group the right to read the access control list
When a key is created, it inherits its permissions from its parent key. As with files and directories, it is possible to set the permissions of a key different from its parent key and to break the inheritance of permissions if needed. Values do not have permissions; only keys and subkeys have permissions.
Since password hashes and other security data are stored in the SAM hive, keys in the SAM hive have special permissions. You must run regedit as the SYSTEM user to view the SAM hive. Start a SYSTEM shell with:
at 22:08 /interactive c:\windows\regedit.exe
where 22:08 is a time a minute or more in the future and Windows is installed at c:\windows. At the time specified in the command, regedit will run and you will be able to see the SAM information on the computer.
Notice that the Administrator has no access; only the SYSTEM user is supposed to read SAM information.
Enter the name of the time server in the following value:
HKLM\SYSTEM\CurrentControlSet\Services\w32time\TimeProvider\NtpClient\NtpServer = hostname,0x1
Registry Forensics
The registry stores all kinds of information about how Windows is being used and what a user is doing when logged in. The registry stores:
List of terms entered into the Windows File Search tool
History of commands entered in the Start | Run menu choice
History of mapped drives
History of mounted USB devices (cameras, flash drives, printers)
Recent file lists for Microsoft Word, Excel, PowerPoint, Access and WordPad
URLs typed into Internet Explorer, Windows Media Player and Firefox
Internet Explorer saved password and URL pairs
List of wireless networks used
Other information listed at: http://windowsxp.mvps.org/RegistryMRU.htm
The registry also stores a list of all applications run on the computer and a count of how many times each was launched. This includes applications run by double-clicking on a document, shortcut or Control Panel applet. Along with the count mentioned above, the registry stores the last time the application was run. Using this information, it is possible to see what program was launched, when it was launched and how many times it was launched. For a list of registry keys and how to read them, see: http://www.forensicswiki.org/wiki/Windows_Registry
There are also backups of the registry in Windows restore points, located in the \System Volume Information folder.
Registry backups have the word _REGISTRY_ in the file name. These hive files can be loaded into regedit.
After selecting Load Hive, browse to the hive file and open it.
When prompted for a Key Name, enter something to describe the hive
The hive will show up in regedit under the HKEY_LOCAL_MACHINE hive. If you make changes to the loaded hive and want to save them: Select the Key Name of the loaded hive (default-user in the example above)
One way is to copy the files (SAM, Security, Software, System and Default) from the \Windows\system32\config directory. These cannot be copied while Windows is running, but can be copied from the Recovery Console.
A second way to make a registry backup is to manually create a Windows restore point.
To create a restore point in Windows XP:
1. Click Start, click Run, type %SystemRoot%\system32\restore\rstrui.exe, and then click OK.
2. On the Welcome to System Restore page, click Create a restore point, and then click Next.
3. On the Create a Restore Point page, type a name for the restore point and then click Create.
4. After the restore point has been created, click Close.
To restore a restore point in Windows XP:
1. On the Select a Restore Point page, click the system checkpoint. In the On this list, select the restore point area, click an entry that is named "Guided Help (Registry Backup)," and then click Next.
2. If a System Restore message appears that lists configuration changes that System Restore will make, click OK.
3. On the Confirm Restore Point Selection page, click Next. System Restore restores the previous Windows XP configuration and then restarts the computer.
4. Log on to the computer.
5. When the System Restore confirmation page appears, click OK.
Note: If System Restore is turned off, click to select the local disk, click Apply and then click Create.
To restore a restore point in Windows Vista:
2. If you are prompted for an administrator password or for a confirmation, type the password, or click Allow.
3. In the System Properties dialog box, on the System Protection tab, click System Restore.
4. In the System Restore dialog box, select Choose a different restore point, and then click Next.
5. Select the restore point that you want to use, and then click Next.
6. Confirm your restore point, and then click Finish. System Restore restores the selected Windows Vista configuration and then restarts the computer.
7. Log on to the computer. When the System Restore confirmation page appears, click OK.
Note: There is a copy of the registry from the last System State backup in \Windows\Repair.