Windows Registry Terminal Learning Objectives: Describe the structure and contents of the Windows Registry Identify locations within the registry that store values of forensic relevance Demonstrate the use of GUI tools and the command-line registry editor to query, view, analyze, create, and modify registry entries Identify registry files Identify when changes to the registry are expected to take effect Describe how system and process architecture can impact configuration locations within the registry Describe how to determine the version and settings of security products, such as anti-virus, using the registry Recognize locations within the registry used for persistence Explain service parameters (e.g., start values and dependencies) stored in the registry Identify the user associated with an NTUSER.dat file Extract registry values from an NTUSER.dat file not currently loaded on HKCU Identify Security and Forensic relevant keys Table of Contents 1. Describe the structure and contents of the Windows Registry 1.1 Windows Registry 2. Identify Registry files 2.1 Registry Keys and Values 2.2 Registry Hives or Root Keys 3. Registry Manipulation 3.1 View/manipulate the registry with a GUI 3.2 View/manipulate the registry via CMDLINE 3.3 Registry Manipulation with PowerShell 3.4 Reading Registry Objects with PowerShell 3.5 Creating Registry objects with Powershell 3.6 Modifying Registry objects with PowerShell 4. Registry Locations of Interest 4.1 Registry locations that can be utilized for persistence 4.2 Critical Registry Locations 4.3 Forensically Relevant Keys 5 Security 6 System and process impact on configuration locations within the Registry 7 Determine the version and settings of security products using the registry 8. Service parameters (e.g., start values and dependencies) stored in the registry 8.1 Service Parameters 8.2 Service Dependencies 9. Identify the user associated with an NTUSER.dat file 9.1 Extract registry values from an NTUSER.dat file not currently loaded on HKCU Introduction The Windows Registry is a very big collection of "database" entries, over 3 million, that can easily overwhelm a user at any level. The wrong addition, deletion, or manipulation of an entry can render the system unuseable. We are going to take a look at the structure of the registry and explore some of the more "popular" entries. 1. Describe the structure and contents of the Windows Registry TLOs: 1, 2, 3 1.1 Windows Registry The The Windows Registry is a central hierarchical database used in Windows to store information that is necessary to configure the system for one or more users, applications, and hardware devices. Think of the Windows Registry like a huge Rolodex. everything in Windows has a card/place with all of it’s information. Includes location, information, settings, options, and other values for programs and hardware installed 2. Identify Registry files 2.1 Registry Keys and Values The Registry is comprised of Registry Hives which contain Keys, Subkeys and Values structured in a tree format. Keys - are known as Registry Hives and can contain subkeys and values. Subkeys - can contain subkeys and values Values - contain data in specific formats. Example Registry Layout HKEY_Local_Machine (HIVE) ├──SOFTWARE (Key) ├──BCD00000 (Key) ├──HARDWARE (Key) └──SYSTEM (Key) └──RegisteredApplications (Subkey) ├── File Explorer : Data (value) ├── Paint : Data (value) └──Wordpad : Data (value) Structure of the Registry 2.2 Registry Hives or Root Keys A registry hive is a group of keys and their associated values that are loaded when the system is started or a specific user logs in. There are five Registry Hives HKEY_LOCAL_MACHINE HKEY_USERS HKEY_CURRENT_USERS HKEY_CURRENT_CONFIG HKEY_CLASSES_ROOT HKEY_LOCAL_MACHINE (HKLM) Contains configuration information for the entire computer. Its values are read every time the machine is started regardless of the user who logs in. Its subkeys are : HARDWARE - contains a database of installed devices along with their drivers SAM - Security Account Manager stores user and group accounts along with NTLM hashes of passwords Security - Local Security policy accessed by lsass.exe used to determine rights and permissions for users on the machine System - Contains keys pertaining to system startup such as programs started on boot or driver load order. Reference for HKEY_LOCAL_MACHINE HKEY_USERS (HKU) Contains all user profiles on the system. Contains one key per user on the system. Each key is named after the SID(Security Identifier) of the user. SID values are unique to each user on the machine. HKEY_USERS contains some of the following information: User Environment settings for the desktop Shortcuts File associations Some HKEY_USERS are called Well Known SIDs.. They identify default accounts in Windows used for various purposes. Examples include: S-1-5-18 refers to LocalSystem account. S-1-5-19 refers to LocalService account. It is used to run local services that do not require LocalSystem account. S-1-5-20 refers to NetworkService account. It is used to run network services that do not require LocalSystem account. S-1-5-21-domain-500 Refers to the built in local administrator account. HKEY_CURRENT_USER (HKCU) HKEY_CURRENT_USER is the copy of the logged in user’s registry key based on thier SID from HKEY_USERS. HKEY_USERS (HIVE) └──SID (S-1-5-21-3939661428-3032410992-3449649886-XXXX) (Key) HKEY_CURRENT_CONFIG (HKCC) HKEY_CURRENT_CONFIG is a symbolic link (pointer or shortcut or alias) to the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current HKEY_Local_Machine (HIVE) └──SYSTEM (Key) └──CurrentControlSet (Subkey) └── Hardware Profiles (Subkey) └── Current (Subkey) HKEY_CLASSES_ROOT (HKCR) HKEY_CURRENT_CONFIG is a symbolic link (pointer or shortcut or alias) to the following registry key: HKEY_LOCAL_MACHINE\Software\Classes HKEY_Local_Machine (HIVE) └──Software (Key) └──Classes (Subkey) Contains file name extension associations and COM class registration information such as ProgIDs, CLSIDs, and IIDs. It is primarily intended for compatibility with the registry in 16-bit Windows HKCR Reference HKLM and HKU are the only root keys that Windows physically stores on files. Registry Structure and Data Types Table 1. Registry Path Hive and Supporting Files HKLM\SAM SAM, SAM.LOG HKLM\SECURITY SECURITY, SECURITY.LOG HKLM\SOFTWARE software, software.LOG, software.sav HKLM\SYSTEM system, system.LOG, system.sav HKLM\HARDWARE (Dynamic/Volatile Hive) HKU\.DEFAULT default, default.LOG, default.sav HKU\SID NTUSER.DAT HKU\SID_CLASSES UsrClass.dat, UsrClass.dat.LOG The above Table shows the registry path and their corresponding hives on disk. All hives in HKLM are stored in %SYSTEMROOT%\System32\config\ (%SYSTEMROOT% usually refers to C:\WINDOWS). HKLM\HARDWARE is a dynamic hive that is created each time the system boots and it is created and managed entirely in memory. HKU\SID hive file is stored in user home directory, which is %USERPROFILE%\NTUSER.DAT. HKU\SID_CLASSES hive file correspond to "%USERPROFILE%\Application Data\Local\Microsoft\Windows\UsrClass.dat" Table 2. Types of extensions and what they mean (Might be hidden) No extension Actual Hive File .alt extension Backup copy of hive, used in Windows 2000 .log extension Transaction log of changes to a hive .sav extension Backup copy of hive created at the end of text-mode (console) Registry Memory Space 3. Registry Manipulation 3.1 View/manipulate the registry with a GUI regedit.exe GUI Located at C:\Windows\regedit.exe Can connect to a remote registry, but only using the PC’s workgroup or domain Name Needs the RemoteRegistry Service (svchost.exe / regsvc.dll) to be running to work Commonly disabled using group policy Can load hives files from disk to the active registry Can export binary .hiv files as well as text .reg files Can only query HKLM and HKU remotely Regedit.exe shares similarities with the C: drive file hierarchy. Keys can be manipulated just like files. Using Regedit.exe to query the Registry 1 Click on the search bar and type in regedit.exe 2 If prompted by UAC, click yes 3 Click on the drop down for HKEY_CURRENT_USER 4 Click the drop down for Software 5 Click the drop down for Microsoft 6 Click the drop down for Windows 7 Click the drop down for CurrentVersion 8 Click the drop down for Run 9 We have successfully queried a key using regedit.exe 3.2 View/manipulate the registry via CMDLINE reg.exe CLI Located at C:\Windows\System32\reg.exe Can connect to a remote registry, using the PC’s NetBios Name or IP address Does not have to be in workgroup/domain. Only need username/password Needs the RemoteRegistry Service (svchost.exe / regsvc.dll) to be running to work Can load hives files from disk to the active registry Available in XP and beyond Can only export text .reg files Can only query HKLM and HKU remotely Reg.exe Syntax More Reg.exe Syntax Reg.exe help reg /? #Displays help for all of the reg.exe commands reg query /? #Displays help for the `reg query` reg add /? #Displays help for `reg add` reg delete /? #Displays help for `reg delete` Reg query - Reads keys from specific registry locations reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Reg add - Adds keys to specific registry locations reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v testme /t REG_SZ /d C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe The /v stands for Value; In this case the name of this Key Value. The /t stands for Type; Types can be any of the Data Types that we went over earlier. The /d stands for Data; Is what is the actual Data or in this case a command to open a file every time the system is ran. Reg delete - Deletes Keys reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v testme 3.3 Registry Manipulation with PowerShell Certain Root Hives are loaded automatically into PSDrives (HKLM: and HKCU:) What is a PowerShell PSDrive? A Windows PowerShell drive is a data store location that you can access like a file system drive in Windows PowerShell. You cannot access them by using other Windows tools, such as File Explorer or Cmd.exe. Basically, a PSDrive creates a temporary or permanent way for PowerShell to navigate the registry just like you could navigate the file system. Another way to create/use a remote connection is to use PSDrive (PowerShell Drive). A group of providers connect different forms of storage to PowerShell and make them look like and perform like a file system. Finding current PSDrives Get-PSDrive To create a new Windows PowerShell drive, you must supply three parameters: A Name for the drive (you can use any valid Windows PowerShell name) The PSProvider (use "FileSystem" for file system locations, "Registry" for registry locations, and it could also be a shared folder on a remote server.) The Root, that is, the path to the root of the new drive. Table 3. What are PSDrive Providers Providers: "Registry" - for registry locations, "FileSystem" for file system locations Certificate: for any installed digital certificates Alias: for aliases used by PowerShell Function: Provides access to the functions defined in PowerShel Variable: supports the variables that PowerShell creates, including the automatic variables, the preference variables, and the variables that you create. WSMAN: (Web Services Manager)lets you add, change, clear, and delete WS-Management configuration data on local or remote computers. Environment: Provides access to the Windows environment variable. Table 4. What are PSDrive Names? PSDrive uses Names for each drive. Names of the drive can be longer than just a letter and can be as explanatory as you want. PowerShell needs a : (colon) after the name to change directory to the drive. Table 5. Root Path Root specifies the data store location to which a PowerShell drive is mapped of a local computer, a remote computer, or even a website. When Root is a UNC (Universal Naming Convention) path, such as \\Server\Share, the credential specified in the value of the Credential parameter is used to create the PSDrive. Minimum commands to know Query Get-ChildItem cmdlet gets the items in one or more specified locations. Get-ItemProperty cmdlet gets the items in one or more specified locations. Get-Item cmdlet gets the item at the specified location. It doesn’t get the contents of the item at the location unless you use a wildcard character (*) to request all the contents of the item. Modify Set-ItemProperty cmdlet changes the value of the property of the specified item. example, changing setting to :true or :false. Remove-ItemProperty cmdlet to delete registry values and the data that they store. Create New-Item cmdlet creates a new item and sets its value. In the registry, New-Item creates registry keys and entries. New-Itemproperty cmdlet creates a new property for a specified item and sets its value. Typically, this cmdlet is used to create new registry values, because registry values are properties of a registry key item. 3.4 Reading Registry Objects with PowerShell Get-ChildItem - Reads sub keys from the input value Get-ChildItem HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (1) Get-ChildItem HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ (2) 1 The returns nothing because it is listing the sub keys of \Run. Run has no sub keys, only values. 2 Returns sub keys of \CurrentVersion Get-Item - Reads the value of the inputted object Get-item HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Notice how the output of the command is different than Get-ChildItem. It reads key values, not sub keys. 3.5 Creating Registry objects with Powershell New-Item - Creates a new sub key associated within a hive New-Item "HKLM:\Software\Microsoft\Office\14.0\Security\Trusted Documents\TrustRecords" -Force Creates a new sub key in Trusted Documents for document.doc Trusted documents is for documents with active content i.e. embedded macros. New-ItemProperty - Creates a new value associated with a sub key New-ItemProperty "HKLM:\Software\Microsoft\Office\14.0\Security\Trusted Documents\TrustRecords" -Name "%USERPROFILE%Downloads/test-document.doc" -PropertyType Binary -Value ([byte[]](0x30,0x31,0xFF)) (1) New-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -Name Test -PropertyType String -Value C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2) 1 Creates a new value in the \TrustRecords key 2 Creates a value in the \Run key Outside of the scope of the class but in case you want to know more about the byte array 3.6 Modifying Registry objects with PowerShell Rename-ItemProperty - Modifies a value associated with a sub key Rename-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\WIndows\CurrentVersion\Run -Name SecurityHealth -NewName Test Remove-ItemProperty - Removes a value associated with a sub key Remove-ItemProperty -Path HKLM:\Software\Microsoft\Office\14.0\Security\Trusted Documents\TrustRecords" -Name "%USERPROFILE%Downloads/test-document.doc" Set-ItemProperty - Change the value of a sub key Set-ItemProperty HKLM:\SOFTWARE\Microsoft\WIndows\CurrentVersion\Run -Name Test -Value Bacon.exe Registry Changes Changes to the registry often require a restart, as many programs read the registry values upon load. Whether the entire system needs to be restarted, or just a program, depends on the registry setting changes. Some changes do take effect immediately, as we saw with the disable taskmgr key that was created. It is also important to note that some parts of the registry are always loaded into memory. 4. Registry Locations of Interest Do I need to remember all of the locations in the Registry? The Registry in a Windows 10 Computer has over 3 million entries; it is impossible to know them all. It is more important to understand the concepts supporting the Windows Registry than to know millions of keys. 4.1 Registry locations that can be utilized for persistence Persistence According to MITRE Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - MITRE Table 6. System-wide and per-user autoruns HKLM\Software\Microsoft\Windows\Run HKU\<SID>\Software\Microsoft\Windows\Run HKLM\SYSTEM\CurrentControlSet\services HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon 4.2 Critical Registry Locations These are keys that have value for red and blue teams to be taken advantage of. HKLM\BCD00000000 Replacement of old boot.ini file HKLM\SAM\SAM Use "psexec -s -i regedit" from administrator cmd.exe to view the SAM It opens a new regedit.exe window with system permissions PSEXEC is a SYSINTERNALS tool. HKU\<SID>\Software\Policies\Microsoft\Windows\System\Scripts Group policy Logon/Logoff Scripts defined here 4.3 Forensically Relevant Keys These are keys that hold any type of information that can be used to gather intelligence or track events. These are some but not all of the keys that can be considered relevant to you or your mission set. SANS Registry Cheat Sheet Why do we care? We are looking for keys that can be used for Persistence Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access As well as Privilege Escalation. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Microsoft Edge Internet URL history and Browser Artifacts and Forensics HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage USB history / USB Forensics HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB Recent MRU history / MRU in forensics HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU MRU is the abbreviation for most-recently-used. This key maintains a list of recently opened or saved files via typical Windows Explorer-style common dialog boxes (i.e. Open dialog box and Save dialog box). For instance, files (e.g. .txt, .pdf, htm, .jpg) that are recently opened or saved files from within a web browser (including IE and Firefox) are maintained. Recent Files with LNK files HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs Windows User Profiles User Account Forensics HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList Saved Network Profiles and How to decode Network history HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles Windows Virtual Memory and why it is important HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management This key maintains Windows virtual memory (paging file) configuration. The paging file (usually C:\pagefile.sys) may contain evidence/important information that could be removed once the suspect computer is shutdown. Recent search terms using Windows default search and Cortana HKEY_CURRENT_USER\Software\Microsoft\Windows Search\ProcessedSearchRoots Index of Search results by SID HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search Recent files searched 5 Security Each key in the registry of Windows NT versions can have an associated Security Descriptor. The security descriptor contains an Access Control List (ACL) that describes which user groups or individual users are granted or denied access permissions. An ACL is a list of Access Control Entries (ACE). The security descriptor can be explicit or inherited from a parent object. Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. The security descriptor for a securable object can contain two types of ACLs: a DACL and a SACL. A Discretionary Access Control List (DACL) identifies the trustees that are allowed or denied access to a secured object. A System Access Control List (SACL) enables administrators to log attempts to access a secured object. Table 7. Registry permissions Permission Description Query Value The right to read the registry key value. Set Value The right to write a new value Create Subkey The right to create subkeys. Enumerate Subkeys Allow the enumeration of subkeys. Notify The right to request change notifications for registry keys or subkeys. Create Link Reserved by the operating system. Delete The right to delete a key. Write DACL The right to modify permissions of the container’s DACL. Write Owner The right to modify the container’s owner. Read Control The right to read the DACL. Special ACEs on the security descriptor can also implement Mandatory Integrity Control for the registry key and subkeys. A process running at a lower integrity level cannot write, change or delete a registry key/value, even if the account of the process has otherwise been granted access through the ACL. An example would be if Internet Explorer is running in Protected Mode and can read medium and low integrity registry keys/values of the currently logged on user, but it can only modify low integrity keys. Windows Resource Protection uses security to deny Administrators and the system WRITE access to some sensitive keys to protect the integrity of the system from malware and accidental modification. 6 System and process impact on configuration locations within the Registry Windows 9x The registry files are stored in the %WINDIR% directory under the names USER.DAT and SYSTEM.DAT with the addition of CLASSES.DAT in Windows ME. Also, each user profile (if profiles are enabled) has its own USER.DAT file which is located in the user’s profile directory in %WINDIR%\Profiles\<Username>\. Windows NT Windows NT systems store the registry in a binary file format which can be exported, loaded and unloaded by the Registry Editor in these operating systems. The following system registry files are stored in %SystemRoot%\System32\Config\: Name Key Sam HKEY_LOCAL_MACHINE\SAM Security HKEY_LOCAL_MACHINE\SECURITY Software HKEY_LOCAL_MACHINE\SOFTWARE System HKEY_LOCAL_MACHINE\SYSTEM Default HKEY_USERS\.DEFAULT Userdiff Not associated with a hive. Used only when upgrading operating systems. The following file is stored in each user’s profile folder: %USERPROFILE%\Ntuser.dat – HKEY_USERS\<User SID> (linked to by HKEY_CURRENT_USER) For Windows 2000, Server 2003 and Windows XP, the following additional user-specific file is used for file associations and COM information: %USERPROFILE%\Local Settings\Application Data\Microsoft\Windows\Usrclass.dat (path is localized) – HKEY_USERS\<User SID>_Classes (HKEY_CURRENT_USER\Software\Classes) For Windows Vista and later, the path was changed to: %USERPROFILE%\AppData\Local\Microsoft\Windows\Usrclass.dat (path is not localized) alias %LocalAppData%\Microsoft\Windows\Usrclass.dat – HKEY_USERS\<User SID>_Classes (HKEY_CURRENT_USER\Software\Classes) Windows 2000 keeps an alternate copy of the registry hives (.ALT) and attempts to switch to it when corruption is detected. Windows XP and Windows Server 2003 do not maintain a System.alt hive because NTLDR on those versions of Windows can process the System.log file to bring up to date a System hive that has become inconsistent during a shutdown or crash. In addition, the %SystemRoot%\Repair folder contains a copy of the system’s registry hives that were created after installation and the first successful startup of Windows. Each registry data file has an associated file with a ".log" extension that acts as a transaction log that is used to ensure that any interrupted updates can be completed upon next startup. Internally, Registry files are split into 4 kB "bins" that contain collections of "cells". Windows 3.11 There is only registry file is called REG.DAT and it is stored in the %WINDIR% directory. 7 Determine the version and settings of security products using the registry Being able to view and modify application registry values is of particular operational importance when relating to security and antivirus products. Usually, these products will store not only their version information, but also which features are enabled or disabled. Antivirus products are generally 32-bit applications and their version information is stored in HKLM\Software.\ (usually as a subkey) For example, the following are registry locations for Kaspersky: HKLM\Software\Wow6432Node\KasperskyLab\ HKCU\Software\KasperskyLab\ 8. Service parameters (e.g., start values and dependencies) stored in the registry 8.1 Service Parameters The individual service parameters are stored in the the registry key: HKLM\SYSTEM\CurrentControlSet\Services\<serviceName>\Parameters A registry value can store data in various formats. When you store data under a registry value, for instance by calling the RegSetValueEx function, you can specify one of the following values to indicate the type of data being stored. When you retrieve a registry value, functions such as RegQueryValueEx use these values to indicate the type of data retrieved. The Winnt.h module defines the 32-Bit Windows types and constants that are defined by NT, but exposed through the Win32 API Byte Formats; In little-endian format, a multi-byte value is stored in memory from the lowest byte (the "little end") to the highest byte. For example, the value 0x12345678 is stored as (0x78 0x56 0x34 0x12) in little-endian format. In big-endian format, a multi-byte value is stored in memory from the highest byte (the "big end") to the lowest byte. For example, the value 0x12345678 is stored as (0x12 0x34 0x56 0x78) in big-endian format. Table 8. The following registry value types are defined in Winnt.h. Value Type REG_BINARY Binary data in any form. REG_DWORD A 32-bit number. REG_DWORD_LITTLE_ENDIAN A 32-bit number in little-endian format. REG_DWORD_BIG_ENDIAN A 32-bit number in big-endian format. REG_EXPAND_SZ A null-terminated string that contains unexpanded references to environment variables REG_LINK A null-terminated Unicode string that contains the target path of a symbolic link that was created by calling the RegCreateKeyEx function with REG_OPTION_CREATE_LINK REG_MULTI_SZ A sequence of null-terminated strings, terminated by an empty string (\0). REG_NONE No defined value type. REG_QWORD A 64-bit number. REG_QWORD_LITTLE_ENDIAN A 64-bit number in little-endian format. REG_SZ A null-terminated string. 8.2 Service Dependencies Service dependencies are an advanced feature that allow you to control the behavior of services based on the status of one or more other services. More specifically, you can repress the execution of service checks and notifications for services if various criteria that you specify are met. The image below shows an example layout of service dependencies. There are a few things you should notice: A service can be dependent on one or more other services A service can be dependent on services which are not associated with the same host Service dependencies are not inherited Service dependencies can be used to cause service execution and service notifications to fail under different circumstances (OK, WARNING, UNKNOWN, and/or CRITICAL states) 9. Identify the user associated with an NTUSER.dat file Hidden in every user profile is a file named NTUSER.DAT. This file contains the settings and preferences for each user, so you shouldn’t delete it and probably shouldn’t edit it. Windows automatically loads, changes, and saves the file for you. NTUSER.DAT Contains Your User Profile Settings. Every time you make a change to the look and behavior of Windows and installed programs, whether that’s your desktop background, monitor resolution, or even which printer is the default, Windows needs to remember your preferences the next time it loads. Windows accomplishes this by first storing that information to the Registry in the: HKEY_CURRENT_USER hive. When you sign out or shut down, Windows saves that information to the NTUSER.DAT file. The next time you sign in, Windows will load NTUSER.DAT to memory, and all your preferences load to the Registry again. When you make changes a copy will be made and named ntuser.dat.LOG (plus an incremented number) to back up your previous settings. You can get there by opening File Explorer and either browsing to: C:\Users\<YourUserName> Or by typing: %userprofile% into File Explorer’s address bar, and then hitting enter. 9.1 Extract registry values from an NTUSER.dat file not currently loaded on HKCU Registry hives, such as NTUSER.DAT, are a bespoke file format, with a number of ways of viewing them Perhaps the cleanest is to use a third-party application such as: Ease of use: MiTeC’s Windows Registry Recovery Forensic analysis: Eric Zimmerman’s Regisrty Explorer If you don’t want third-party tools, you can mount a registry hive using regedit (requires local Administrator privileges) From Start Menu, find Registry Explorer/regedit In the left-hand tree pane select HKEY_USERS From the File menu, select Load hive… Select the file you want to mount [NTUSER.DAT] Give it a name [OLD] and you will now see the mounted hive under HKEY_USERS To unmount it, select the name you gave it [OLD], and from the File menu, select Unload hive To load a Hive Reg Load HKU\temp "C:\Path\to\NTUSER.dat" Export key: Reg Export HKU\temp\Path\to\Key "C:\Path\to\Save\Exported.reg" To Unload a Hive: Reg Unload HKU\temp Summary Today we talked about the five different Windows registry hives and the different types of entries that are stored in each. We showed how to edit the registry using both the GUI tool and command line/PowerShell commands. The familiarization should help you both understand and appreciate the power of manipulating the registry. Resources Microsoft, "Windows registry information for advanced users" Microsoft, 11 Sep 2017 Available: https://support.microsoft.com/en-us/help/256986/windows-registry-information-for-advanced-users Microsoft, "RegistryKey Class" Microsoft, 21 Nov 2017 Available: https://msdn.microsoft.com/en-us/library/microsoft.win32.registrykey(v=vs.110).aspx Microsoft, "RegistryKey.OpenRemoteBaseKey Method (RegistryHive, String)" Microsoft, 21 Nov 2017 Available: https://msdn.microsoft.com/en-us/library/8zha3xws(v=vs.110).aspx Microsoft, "Microsoft Reg Command options and syntax" Microsoft, 04 Nov 2017 Available: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg Microsoft, "Run and RunOnce Registry Keys" Microsoft, 31 May 2018, https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys Wikipedia Windows Registry Available: https://en.wikipedia.org/wiki/Windows_Registry#Structure Introduction to the Windows Registry Available: https://boot13.com/introduction-to-the-windows-registry/