Windows Registry Analysis – Tracking Every Activity That You Do on the Windows System

The truth is that the Registry is a genuine goldmine of info for both the administrator and forensics private investigator.

The function of this short article is to provide you with a depth understanding of the Windows Computer System Registry and Wealth of information it holds. Today most administrators and forensic experts, the pc registry most likely looks like the entrance to a dark.

Besides Configuration info, the Windows Registry holds information regarding just recently accessed files and significant info about user activities.

What is the Registry?

Numerous settings within these files determined what programs were filled and how the system looked and responded to user input, Later variations of windows replaced these files with the Registry, a central hierarchical database that keeps setup settings for the application, hardware gadgets, and users.

If you remember back to DOS and early variations of Windows( 3.1,3.11 and so on ), setup details (chauffeurs, settings) for the system was largely handled by several files-specifically, autoexec.bat, config.sys, win.ini ( on windows) and system.ini.

How Windows Registry Structure Looks!

When the administrator or Forensics expects opens Regedit.exe, he sees a tree-like structure with five root folders, or “hives”.

HKEY_CURRENT_CONFIG hive consists of the hardware profile the system utilizes at start-up.

HKEY_CURRENT_USER hive is the active, loaded user profile for the currently logged-on-user.

HKEY_USERS hive consists of all the actively packed user profile for that system.

HKEY_CLASSES_ROOT hive contains setup details connecting to which application is utilized to open various files on the system.

HKEY_LOCAL_MACHINE hive consists of a huge setup details for the system, consisting of hardware settings and software settings.

Pc registry Examination

MRU lists:

MRU, throughout or” most just recently used” list consists of entries made due to specific actions performed by the user. There are many MRU LIS throughout different Registry keys.

The Registry preserves these lists of products in case the user go back to them in the future.It is similar to how the history and cookies act to a web internet browser.

The area of this secret is HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionExplorerRunMRU and it includes

With the details offered from the RunMRU secret, an inspector can gain better understanding fo the user they are investigating and the application that is being used.In this above figure, you can see the user has opened cmd, Notepad, MSPaint and so on

USB Devices: Anytime a device is linked to the Universal Serial Bus (USB), Drivers are queried and the gadgets information is kept in the Registry( Thumb Drives).

This crucial stores the contents of the product and device ID worths of any USB gadgets that have actually ever been connected to the system.

So forensics experts will drill down to the path HKEY_LOCAL_MACHINESYSTEMcontrolset001EnumUSBSTOR.


Internet Explorer:

Web Explorer is the native Web internet browser in Windows running system.It uses the Registry thoroughly in the storage of information, like many applications.

Web Explorer stores its data in the HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerTypedURLs.

Attached Hardware:

Navigating to the following essential HKEY_LOCAL_MACHINESYSTEM|MountedDevices.This information can be beneficial to a forensic examiner as it shows any connected storage gadget has actually been acknowledged by the os.

If the examiner keeps in mind a disparity between the physically connected devices and the ones reported here, it can be a sign that some gadget was removed prior to the proof being taken.

Malicious Software:

Navigating to this following key HKEY_CURRENT_USERSoftware this information will be juicy stuff for Forensics Examiner as it could see the hacker used CyberGhost Vpn which is utilized for being confidential.

Current Applications:

Check out

Browsing to this following secret will give info for last accessed applications list HKEY_CURRENT_USERSOFTWAREMicrosoftCurrentversionSearchRecentApps.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates day-to-day you can likewise the Best Cybersecurity course finest to keep yourself updated.

Crucial details can be acquired by performing a effective and efficient forensic evaluation.

In this user has a huge list of applications, among those was Vmworkstation found.

You can examine to find ongoing harmful Activities in your Environment.Happy Investigating!!!!!