Brief Discussion of Registry Hives
A typical Windows 7 Registry consists of at least five Hives, each of which performs a different function. They are as follows:
- HKEY_CLASSES_ROOT (HKCR)
- HKEY_CURRENT_USER (HKCU)
- HKEY_LOCAL_MACHINE (HKLM)
- HKEY_USERS (HKU)
- HKEY_CURRENT_CONFIG (HKCC)
The HKCR Hive contains thousands of Registry Keys and constitutes the majority of the Registry itself. Per-user settings, file associations, class registration for Component Object Model (COM) objects, as well as Programmatic Identifier (ProgID), Class ID (CLSID), and Interface ID (IID) data are contained in this Hive. File extension association Keys describe the file types and the associated programs which can open and edit a particular type of file. Each Key stores the information as to what Windows is supposed to do when a User double-clicks on a file with that extension. For example, when a User double-clicks on the hypothetical file “Windows 7 Registry.pptx,” PowerPoint will open the file. The Registry stores the information necessary to complete this action in the HKCR\.pptx Key.
HKCR is actually a compilation of the machine-based HKLM\SOFTWARE\Classes Key (which contains default file associations and class registration) and the User-based HKCU\Software\Classes Key (which contains per-User file associations and class registration). If a Registry Key exists in both locations but the two conflict in some manner, the one in HKCU\Software\Classes takes precedence, which in turn allows COM objects to be registered on a per-User basis.
ProgID, CLSID, and IID Keys concern the technical aspects associated with computer programming. ProgID Keys are located under the file extension association Keys (for example, HKCR\.avi\OpenWithProgIds). Although CLSID Keys can be found under many Keys, the majority are located under the HKCR\CLSID Subkey. All IID Keys are located under the HKCR\Interface Subkey.
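As an added example that is not part of the original text, the following PowerShell walks the two source keys of HKCR for one extension in the precedence order described above (HKCU\Software\Classes first, then HKLM\SOFTWARE\Classes) and reports which hive supplied the ProgID and its open command; the function names and the sample extension are assumptions of the example.

```powershell
# Added example: emulate how Windows assembles HKCR for one file extension by
# consulting HKCU\Software\Classes before HKLM\SOFTWARE\Classes, and flag a
# per-User ProgID that shadows a different machine-wide one. Assumes Windows
# PowerShell 5.1+ and read access to both hives.

$ClassesRoots = [ordered]@{
    HKCU = 'HKCU:\Software\Classes'   # per-User; takes precedence in HKCR
    HKLM = 'HKLM:\SOFTWARE\Classes'   # machine-wide defaults
}

function Get-MergedClassesDefault {
    # Returns the (default) value of Classes\<SubKey> the way HKCR would show it,
    # plus the hive it came from, or $null if neither hive has a value.
    param([Parameter(Mandatory)][string]$SubKey)
    foreach ($hive in $ClassesRoots.Keys) {
        $path = Join-Path $ClassesRoots[$hive] $SubKey
        if (Test-Path -LiteralPath $path) {
            $value = (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).'(default)'
            if ($value) { return [pscustomobject]@{ Hive = $hive; Value = $value; Path = $path } }
        }
    }
    return $null
}

function Resolve-FileAssociation {
    # Follow <ext> -> ProgID -> shell\open\command, e.g. for '.pptx'.
    param([Parameter(Mandatory)][string]$Extension)
    $progId  = Get-MergedClassesDefault -SubKey $Extension
    $command = if ($progId) { Get-MergedClassesDefault -SubKey "$($progId.Value)\shell\open\command" }

    # Read the machine default on its own so a per-User override can be detected.
    $machinePath   = Join-Path $ClassesRoots.HKLM $Extension
    $machineProgId = if (Test-Path -LiteralPath $machinePath) {
        (Get-ItemProperty -LiteralPath $machinePath -ErrorAction SilentlyContinue).'(default)'
    }

    [pscustomobject]@{
        Extension       = $Extension
        ProgId          = $progId.Value
        ProgIdFromHive  = $progId.Hive
        OpenCommand     = $command.Value
        CommandFromHive = $command.Hive
        # True when HKCU\Software\Classes\<ext> points somewhere other than HKLM's default.
        PerUserOverride = [bool](($progId.Hive -eq 'HKCU') -and $machineProgId -and ($progId.Value -ne $machineProgId))
    }
}

# Usage: Resolve-FileAssociation -Extension '.pptx' | Format-List
```

Explorer additionally honours the UserChoice data under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts, which this walk of the two Classes keys does not consult.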
Registry Values in the Keys of the HKCU Hive control or contain configuration information that is specific to the currently logged-on User. The information includes User-level control and settings for folders, environment variables, screen colors, installed printers, display settings, mapped network drives, keyboard layout, Control Panel settings, and so forth. The settings are stored in files located in two locations under the Users directory for each User who has logged onto the computer. Those files are the “C:\Users\(Username)\NTUSER.DAT” file and the “C:\Users\(Username)\AppData\Local\Microsoft\Windows\UsrClass.dat” file(s). Generic information applicable to all Users is normally found in the HKU Hive under the HKU\.DEFAULT Key.
Unlike most of the other Registry Hives, which are global (they retain the same information for all Users), this Hive is User-specific. Most Keys and their associated Values will differ from User to User on the same computer. The HKCU Hive is also a pointer to the User’s Security Identifier (SID) Key, which is located in the HKU Hive.
The following are the Keys commonly found under the HKCU Hive:
- HKEY_CURRENT_USER\Control Panel
- HKEY_CURRENT_USER\Keyboard Layout
- HKEY_CURRENT_USER\Volatile Environment
Many of the Keys can be of forensic interest to an examiner. For instance, the HKCU\Identities Subkey(s) correspond to an identity in Microsoft Outlook Express. The HKCU\Network Subkeys correspond to the mapped network drives to which the computer connects when the User logs on. The Subkey name is the drive letter of the mapped network drive, and the Subkey contains the configuration information needed to connect to the drive. All the User-specific application settings for installed programs can be found in the HKCU\Software Subkeys. Depending upon the program, this could include information such as the version number, when it was installed, and a list of recent files accessed by the program.