Windows 7 Registry Forensics: Part 2

Wed, 12/14/2011 - 1:42pm
John J. Barbara

System Restore and Restore Points
Many forensic examiners are not familiar with the Registry or its forensic importance. One way to gain first-hand knowledge is to explore the Registry on a live, non-forensic computer. However, before doing so, a word of caution is in order. Any changes made to the Registry, either intentionally or accidentally, could affect the computer’s functionality. Therefore, it is recommended that a Restore Point be created before exploration begins. System Restore, which Windows uses to regularly create and save Restore Points, can also be used to create a Restore Point manually at any time. It is important to note that System Restore does not back up or recover personal files. Rather, its function is to create Restore Points, which are back-ups of the Registry, most drivers, and system files with certain extensions such as .exe, .dll, etc. The following steps can be taken to create a Restore Point:

  • Click the “Start” button. Right-click on “Computer” and then click “Properties.”
  • In the left pane under “Control Panel Home” click on “System Protection.”
  • When the “System Properties” dialog box appears, click on the “System Protection” tab.
  • Click on “Create.” The “Create a Restore Point” dialog box appears. Enter a name for the Restore Point and click “Create.” After the Restore Point has been created, close the dialog boxes.

Restore Points are extremely beneficial because they can return a computer to an earlier point in time. This becomes particularly important when a computer does not function correctly after a new application, updated software, or a driver has been installed. Uninstalling the offending software often corrects the problem; however, in some instances links or remnants of it can remain scattered in different locations and continue to affect the computer’s functionality. When this occurs, it becomes necessary to restore the computer to an earlier point when it was functioning correctly. The following steps can be taken to restore a computer:

  • Click the “Start” button. Right-click on “Computer” and then click “Properties.”
  • In the left pane under “Control Panel Home” click on “System Protection.”
  • When the “System Properties” dialog box appears, click on the “System Protection” tab.
  • Click on “System Restore.” In the “System Restore” dialog box click “Next.” Select a Restore Point and then click “Next.”
  • Confirm the Restore Point, and then click “Finish.” This should restore the selected Windows 7 configuration and then restart the computer.
  • Log on to the computer and when the “System Restore” confirmation page appears, click “OK.”

Restore Points themselves can be of forensic importance because they represent snapshots of a computer’s Registry and system files. For instance, presume that a User creates a Restore Point, installs hacking software on his computer, hacks into a remote system to perform a malicious act, and then restores his computer to its previous state. Evidence of the hacking software installation would not be found in the currently mounted Registry but would still be present in the Registry within a specific Restore Point. This is because, before reverting to the selected Restore Point, System Restore creates another Restore Point which captures a current snapshot of the system. That Restore Point would contain the Registry information as it existed at the time of the malicious act.
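The scripted equivalent of the “Create” steps above, followed by a listing of the Restore Points System Restore currently holds (including the one it writes before a revert, as just described). This is an added example, not part of the original column; it uses the standard Checkpoint-Computer and Get-ComputerRestorePoint cmdlets and assumes an elevated PowerShell prompt on the live exploration machine, not on evidence:

```powershell
# Added example (not from the column): create a named Restore Point before
# touching the Registry, then list every Restore Point with its type.
# Checkpoint-Computer needs an elevated (Administrator) session.

# 1. The scripted equivalent of the "Create" button.
Checkpoint-Computer -Description 'Before Registry exploration' `
                    -RestorePointType MODIFY_SETTINGS

# Numeric RestorePointType codes used by the SystemRestore WMI class.
$typeNames = @{
    0  = 'APPLICATION_INSTALL'
    1  = 'APPLICATION_UNINSTALL'
    10 = 'DEVICE_DRIVER_INSTALL'
    12 = 'MODIFY_SETTINGS'
    13 = 'CANCELLED_OPERATION'
}

# 2. List all Restore Points. Each object is a WMI SystemRestore instance,
#    so CreationTime is a WMI datetime string that ConvertToDateTime()
#    turns into a normal DateTime. A point written by System Restore
#    immediately before a revert shows up here like any other.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } },
        @{ Name = 'Type'; Expression = {
               $code = [int]$_.RestorePointType
               if ($typeNames.ContainsKey($code)) { $typeNames[$code] } else { $code } } },
        Description |
    Format-Table -AutoSize
```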

Registry Hives
The Windows 7 Registry is not in actuality a central hierarchical database or one large file, but rather a set of files referred to as “Hives.” These files, located in the “C:\Windows\System32\config” and “C:\Users\(Username)\” directories, are updated each time a User logs onto the computer. (A list of their locations is also stored in the Registry itself under the “HKLM\SYSTEM\CurrentControlSet\Control\hivelist” Key). The files are as follows:

  • C:\Windows\System32\config\DEFAULT: contains the default system information which is stored in the “HKEY_USERS\.DEFAULT” Key.
  • C:\Windows\System32\config\SAM: contains information about the Security Accounts Manager (SAM) service which is stored in the “HKLM\SAM” key.
  • C:\Windows\System32\config\SECURITY: contains the security information which is stored in the “HKLM\SECURITY” key.
  • C:\Windows\System32\config\SOFTWARE: contains information about the computer’s software configuration which is stored in the “HKLM\SOFTWARE” Key.
  • C:\Windows\System32\config\SYSTEM: contains information about the computer’s system configuration which is stored in the “HKLM\SYSTEM” Key.
  • C:\Users\(Username)\NTUSER.DAT: contains the Registry settings for an individual User’s account.

The Windows operating system has a built-in Registry Editor that can be accessed by typing “regedit” in the “Search programs and files” menu box on a live system. (Normally a forensic examiner would not access the Registry in this manner. Rather, the Registry might be copied from a live system using a triage tool or after acquisition of the hard drive; it could be examined from an opened acquisition image or copied and examined using specific Registry tools). When the Registry Editor window opens, the Registry appears not as individual files, but as one unified “file system.” The left-hand Registry Editor pane displays the hierarchical Registry Hives, which consist of Keys and Subkeys. The right-hand Registry Editor pane displays the “Name,” “Type,” and “Data” for a particular Hive, Key, or Subkey. The left-hand pane is similar to the left-hand pane of the Windows Explorer file system, with the Keys and Subkeys in the Hives being similar to Windows Explorer folders and subfolders. In the right-hand pane, a Key’s “Name” is analogous to a file’s name within a Windows Explorer folder, its “Type” is analogous to a file’s extension, and its “Data” is analogous to the actual contents of a file. The naming convention for the Hives uses their Windows API definitions, which all begin with “HKEY.” Frequently Hives are abbreviated to a three or four-letter short name starting with “HK.” A typical Windows 7 Registry consists of the following Hives:

  • HKEY_CLASSES_ROOT (HKCR)
  • HKEY_CURRENT_USER (HKCU)
  • HKEY_LOCAL_MACHINE (HKLM)
  • HKEY_USERS (HKU)
  • HKEY_CURRENT_CONFIG (HKCC)

Of the five Hives, HKLM and HKU are stored as files. The other three are shortcuts or aliases to these two Hives: HKCU is a symbolic link to subkeys in HKU, and HKCR and HKCC are symbolic links to subkeys in HKLM. Access to Registry Keys can be restricted by the use of Access Control Lists (ACLs), which are lists of permissions attached to an object. An ACL can specify which Users have access to which objects as well as what operations can occur on a given object. For example, if an ACL for a file contains “John, Update,” this would give the User “John” permission to “Update” the file. Security tokens acquired by applications or system security policies (predefined or configured) can also restrict access to Registry Keys. As a result, different Users may only see parts of the Registry hierarchy.
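A live-system check that ties the two points above together: the “hivelist” Key reveals which on-disk file backs each loaded Hive, and Get-Acl shows the ACL that governs who may read each Hive root. This is an added example, not part of the original column; it assumes an elevated PowerShell prompt on the exploration machine and uses only the standard Get-Item and Get-Acl cmdlets:

```powershell
# Added example (not from the column): map loaded Hives to their backing
# files via the hivelist Key, then show the ACL on each Hive root.
$hivelist = 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'

# Each value name is a Hive as the kernel names it (e.g. \REGISTRY\MACHINE\SAM);
# its data is the backing file as an NT device path. Volatile Hives such as
# \REGISTRY\MACHINE\HARDWARE are built in memory at boot and have no file.
$key = Get-Item -Path $hivelist
foreach ($name in $key.GetValueNames()) {
    $file = $key.GetValue($name)
    if ([string]::IsNullOrEmpty($file)) { $file = '(volatile, no backing file)' }
    '{0,-40} -> {1}' -f $name, $file
}

# Key ACLs: who may do what on each Hive root. By default only SYSTEM can
# read the contents of SAM and SECURITY; Administrators hold just
# ReadPermissions/ChangePermissions there, which is why a User with an
# administrative token still sees only part of the hierarchy in regedit.
foreach ($root in 'HKLM:\SAM', 'HKLM:\SECURITY', 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM') {
    try {
        $acl = Get-Acl -Path $root
        "`n$root  (owner: $($acl.Owner))"
        $acl.Access |
            Select-Object IdentityReference, RegistryRights, AccessControlType |
            Format-Table -AutoSize
    } catch {
        "`n$root  not readable with the current token: $($_.Exception.Message)"
    }
}
```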

This discussion will continue in the next column.

John J. Barbara owns Digital Forensics Consulting, LLC, providing consulting services for companies and laboratories seeking digital forensics accreditation. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. He can be reached at
