Hooper Labs

Windows Registry

HKLM (HKEY_LOCAL_MACHINE)

Usage

	Maintained in memory and used to map all other sub-keys.

HKLM\SAM

	References Security Accounts Manager (SAM) database.  This contains built-in accounts for the local system.

HKLM\SYSTEM

	Contains info about system setup, data for RNG, and list of mounted devices containing the filesystem.

HKLM\SYSTEM\Control Sets

	contain alternative configurations (current + backup).

Each Control Set Contains:

HKLM\SOFTWARE

	software and windows settings.  Modified by applications and system installers.

HKLM\SOFTWARE\Wow6432Node

	Used by 32-bit apps on 64-bit Windows.  Presented as HKLM\SOFTWARE to 32bit apps

HKLM\BCD

	Boot Configuration Data is stored in a data file formatted to make the Windows Registry hive (eventually mounted as HKLM\BCD00000)

HKLM\COMPONENTS

	used by Windows update services and linked to WINSYS folder.

HKCC (HKEY_CURRENT_CONFIG)

Usage

	Contains information gathered at runtime.  Information is regenerated at boot and not stored on the disk.  HKCC is a handle to HKLM\System\CurrentControlSet\Hardware Profiles\Current.

HKCR (HKEY_CLASSES_ROOT)

Usage

	Contains information about registered applications, file associations, and OLE Object Class IDs.  Compilation of HKCU\Software\Classes and HKLM\Software\Classes.

HKU (HKEY_USERS)

Usage

	Contains subkeys corresponding to the HKEY_CURRENT_USERS (HKCU) keys for each user profile actively loaded.  User hives typically only loaded for currently logged-on users.

HKCU (HKEY_CURRENT_USERS)

Usage

	Stores settings for each logged-in user.  Link to the sub-key of HKU for the logged-in user.  On Windows NT systems, user settings are stored in NTUSER.DAT and USRCLASS.DAT inside the user's subfolder.

HKPD (HKEY_PERFORMANCE_DATA)

Usage

	translates runtime info to performance data.  Info provided by NT kernel or device drivers.  Not stored in a hive and not visible in regedit, but is visible through registry functions in the Windows API.

HKDD (HKEY_DYN_DATA)

Usage

	Only on Windows 95/98/ME.  Contains information about hardware devices, PnP, and network performance statistics.  Not stored on HD.  Gathered/configured at startup and stored in memory.

Windows Auto-Login

	reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

AutoRuns

	reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 

AutoRuns

	reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce 

AutoRuns

	reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run 

AutoRuns

	reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce 

Service startup order

	reg query hklm\system\currentcontrolset\control\servicegrouporder 

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductNarne

Service Info

	reg query HKLM\SYSTEM\CurrentControlSet\Services\hMailServer	

Dump Windows SAM file

	reg save hklm\sam c:\sam 

Dump Windows SYSTEM file

	reg save hklm\system c:\system

Persistence

	reg add HKLM\SOFTWARE\Classes\exefile\shell\open /v command /t REG_SZ /d '%SystemRoot%\svchost.com "%1" %*'

Previously Connected WiFi access points

	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles 

Connected USB Devices

	HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR

Typed URLs (from iexplore or Edge)

	HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs

Recently-Opened Documents

	HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Shim Cache (recently executed .EXEs run in compatibility mode)

	HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatCache\AppCompatCache

Most Actively Used .EXE List

	HKCU\Software\Microsoft\Windows \CurrentVersion\Explorer\UserAssist (Note: Bins are ROT13)

"Shell Bags" (Folders that have been opened up in explorer at least once)

	HKCU\Software\Microsoft\Windows\Shell\BagMRU

Environment Variables

	reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment"

KnownDLLs (DLLs known to be included in the System)

	HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs

Safe DLL Search (searches current directory last)

	HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode

CWDIllegalInDllSearch (??)

	HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\CWDIllegalInDllSearch

Active Setup (Autoruns which run before Run/Runonce)

	HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\

Load custom DLL when LSA restarts

	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ (Security Packages -- REG_MULTI_SZ -- mimilib)

Protocol Handlers

	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\

COM Class Unique Identifiers/Information (CLSID)

	-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSID}