ShellSpells

Forensically Relevant Keys

All

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

One subkey per SID that has had a profile created on the machine. ProfileImagePath gives the profile folder (the quickest SID-to-username map), and on Windows 10/11 the LocalProfileLoadTimeLow/High and LocalProfileUnloadTimeLow/High value pairs form FILETIMEs for the last profile load and unload. A SID here with no matching local account points at a deleted user or a domain account that has logged on.

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer

.DEFAULT is the hive used by the LocalSystem account (S-1-5-18), not the template for new users (that is the Default profile's NTUSER.DAT on disk). Explorer artifacts such as RunMRU (commands typed into the Run dialog) normally live under each interactive user's HKU\<SID>\...\Explorer; anything found under .DEFAULT was written by code running as SYSTEM.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

Files recently opened or saved through the common Open/Save dialog, grouped by extension and stored as binary shell items ordered by MRUListEx. The neighbouring LastVisitedPidlMRU records which executable used the dialog and the folder it last browsed, so the two together tie a file to the program that touched it.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

TCP/IP stack configuration: Hostname and Domain on the key itself, and per-adapter IPAddress, DhcpIPAddress, DhcpServer and LeaseObtainedTime/LeaseTerminatesTime (Unix epoch seconds) under Interfaces\{adapter GUID}. Ties the host to the addresses seen in network logs.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

TimeZoneKeyName, Bias and ActiveTimeBias (minutes to add to local time to get UTC, stored as DWORDs that are negative for zones east of UTC). Read this first: every local timestamp found elsewhere on the disk has to be normalised with it.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Installed software: DisplayName, DisplayVersion, Publisher, InstallDate (a YYYYMMDD string, not always present), InstallLocation and UninstallString. 32-bit packages on 64-bit Windows land under SOFTWARE\Wow6432Node\...\Uninstall and per-user installs under HKCU\...\Uninstall, so check all three.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Documents recently opened by the user, grouped by extension, with each subkey ordered by its MRUListEx value; entries hold the file name in UTF-16 followed by a shell item. Mirrors the user's Recent Items folder.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

One subkey per USB mass-storage model (Disk&Ven_xxx&Prod_yyy&Rev_zzz) with a subkey per device holding FriendlyName. That subkey is named with the device serial number, or with a Windows-generated ID whose second character is '&' when the device reports no serial. Key last-write times give the most recent connection; pair with Enum\USB, MountedDevices and setupapi.dev.log for first-install times and drive letters.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Per-user WinINet configuration: ProxyEnable, ProxyServer, ProxyOverride and AutoConfigURL. A proxy or PAC URL pointing at an unexpected host is a common traffic-interception or exfiltration indicator.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Logon configuration: Shell, Userinit, DefaultUserName, DefaultDomainName and AutoAdminLogon (with DefaultPassword stored in cleartext when auto-logon is configured). The last user to log on is recorded separately under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI (LastLoggedOnUser, LastLoggedOnSAMUser).

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Autostart entries executed by Explorer at user logon: Run every time, RunOnce once (the value is deleted before the command runs). The HKLM keys apply to every user who logs on; none of these keys runs anything at boot while nobody is logged on. Covered in detail under Persistence Keys below.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

EnablePrefetcher (0 off, 1 application launch, 2 boot, 3 both) and EnableSuperfetch decide whether .pf files are written to %SystemRoot%\Prefetch. Check this before treating a missing Prefetch file as proof that a program never ran; server SKUs have it off by default.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Resolved paths for the well-known folders (Common Startup, Common Desktop, Common Documents, ...). Explorer reads the REG_EXPAND_SZ values under the sibling User Shell Folders key first and caches the expanded result here, so a mismatch between the two keys usually means something rewrote the redirectable copy.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

One subkey per classic log (Application, Security, System, plus logs registered by applications) with File (path of the .evtx), MaxSize and Retention. A log whose File was moved, whose MaxSize was shrunk, or whose subkey was removed is a tampering indicator. The event-tracing channels managed with wevtutil live under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Holds AppInit_DLLs (a list of DLLs that user32.dll loads into every process that links it) and LoadAppInit_DLLs (1 to enable), plus IconServiceLib. A non-empty AppInit_DLLs is a classic injection persistence, but Windows 8 and later ignore it when Secure Boot is on, so on such hosts a populated value is residue or a failed attempt. The 32-bit list lives under SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows.

HKEY_CURRENT_USER\Software\Microsoft\Office

Per-version, per-application settings: File MRU (recently opened documents with a FILETIME per entry, under <version>\<App>\File MRU or User MRU\<LiveId>\File MRU when the user is signed in to an account), Place MRU, and Security\Trusted Documents\TrustRecords, which lists every document for which the user clicked Enable Editing / Enable Content. The last one is a key artifact for macro-based initial access.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

CLSIDs of Browser Helper Objects loaded into Internet Explorer; resolve each under HKCR\CLSID\{GUID}\InprocServer32 to find the DLL on disk. A BHO whose DLL is unsigned or sits in a user-writable folder is a classic adware and banking-trojan foothold. The 32-bit list is under SOFTWARE\Wow6432Node\...\Browser Helper Objects.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks

One {GUID} subkey per scheduled task with Path (its name under the Task Scheduler tree), Author, Date, and Actions/Triggers binary blobs that survive even if the task XML under %SystemRoot%\System32\Tasks is deleted. TaskCache\Tree mirrors the folder hierarchy with an Id per task and an SD (security descriptor) value; deleting SD hides the task from schtasks and the GUI while it keeps running, a documented evasion technique.

HKLM\SYSTEM\CurrentControlSet\Services

One subkey per service and driver: ImagePath, Type, Start (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled), ObjectName (the account it runs as) and, for svchost-hosted services, Parameters\ServiceDll. Compare against sc query or Get-Service output: a key here that the Service Control Manager does not report is worth a look.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

One {GUID} subkey per network the host has joined: ProfileName, Description, NameType (6 wired, 23 VPN, 71 wireless), and DateCreated/DateLastConnected as 16-byte SYSTEMTIME blobs in local time. NetworkList\Signatures\Unmanaged\<hash> links a profile (ProfileGuid) to the gateway MAC (DefaultGatewayMac), which can place a laptop on a specific physical network.

HKU\<SID>\Software\Microsoft\Internet Explorer\TypedURLs

URLs typed into the Internet Explorer address bar as url1, url2, ... with url1 the most recent; the sibling TypedURLsTime key (Windows 8 and later) holds a FILETIME per entry.
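The following PowerShell is an added example and not ShellSpells' own code: it reads four of the keys listed above (ProfileList, USBSTOR, NetworkList\Profiles and the three Uninstall locations) on a live host and decodes the FILETIME pairs and SYSTEMTIME blobs into dates. It assumes an elevated session on Windows 10/11; the function names and output columns are this example's own choices, the key and value names are the documented ones above.

```powershell
# Added example, not part of ShellSpells: pull four of the artifacts above from a live host.
# Run from an elevated PowerShell on Windows 10/11; each function returns objects, so pipe
# them to Export-Csv for the case file.

function ConvertFrom-FileTimePair {
    # ProfileList stores FILETIMEs as two DWORDs; the provider hands DWORDs back as signed int32,
    # so reinterpret the bytes as uint32 before combining them.
    param($High, $Low)
    if ($null -eq $High -or $null -eq $Low) { return $null }
    $hi = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$High), 0)
    $lo = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$Low), 0)
    $ft = ([uint64]$hi -shl 32) -bor [uint64]$lo
    [DateTime]::FromFileTimeUtc([int64]$ft)
}

function ConvertFrom-SystemTimeBlob {
    # NetworkList dates are 16-byte SYSTEMTIME blobs: year, month, weekday, day, hour, min, sec, ms
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -lt 16) { return $null }
    $w = 0..7 | ForEach-Object { [BitConverter]::ToUInt16($Bytes, $_ * 2) }
    try { [DateTime]::new($w[0], $w[1], $w[3], $w[4], $w[5], $w[6], $w[7]) } catch { $null }
}

function Get-ProfileListInfo {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($k in Get-ChildItem $base) {
        $p = Get-ItemProperty $k.PSPath
        [pscustomobject]@{
            SID           = $k.PSChildName
            ProfilePath   = [Environment]::ExpandEnvironmentVariables([string]$p.ProfileImagePath)
            LastLoadUtc   = ConvertFrom-FileTimePair $p.LocalProfileLoadTimeHigh $p.LocalProfileLoadTimeLow
            LastUnloadUtc = ConvertFrom-FileTimePair $p.LocalProfileUnloadTimeHigh $p.LocalProfileUnloadTimeLow
        }
    }
}

function Get-UsbStorageHistory {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $base)) { return }
    foreach ($model in Get-ChildItem $base) {
        foreach ($inst in Get-ChildItem $model.PSPath) {
            $id = $inst.PSChildName
            [pscustomobject]@{
                Model         = $model.PSChildName
                InstanceId    = $id
                # '&' in the second position marks a Windows-generated ID: the device had no serial
                HasRealSerial = ($id.Length -gt 1 -and $id[1] -ne '&')
                FriendlyName  = (Get-ItemProperty $inst.PSPath).FriendlyName
            }
        }
    }
}

function Get-NetworkProfileHistory {
    $base  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
    $types = @{ 6 = 'wired'; 23 = 'vpn'; 71 = 'wireless' }
    foreach ($k in Get-ChildItem $base) {
        $p = Get-ItemProperty $k.PSPath
        [pscustomobject]@{
            ProfileName   = $p.ProfileName
            Type          = if ($types.ContainsKey([int]$p.NameType)) { $types[[int]$p.NameType] } else { $p.NameType }
            Created       = ConvertFrom-SystemTimeBlob $p.DateCreated
            LastConnected = ConvertFrom-SystemTimeBlob $p.DateLastConnected
            Guid          = $k.PSChildName
        }
    }
}

function Get-InstalledSoftware {
    # native 64-bit, WOW64-redirected 32-bit, and per-user installs all have to be checked
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($base in $keys) {
        if (-not (Test-Path $base)) { continue }
        foreach ($k in Get-ChildItem $base) {
            $p = Get-ItemProperty $k.PSPath
            if (-not $p.DisplayName) { continue }      # component stubs without a name
            [pscustomobject]@{
                Name        = $p.DisplayName
                Version     = $p.DisplayVersion
                InstallDate = $p.InstallDate           # YYYYMMDD string, absent for some installers
                Publisher   = $p.Publisher
                Source      = $base
            }
        }
    }
}

Get-ProfileListInfo       | Format-Table -AutoSize
Get-UsbStorageHistory     | Format-Table -AutoSize
Get-NetworkProfileHistory | Sort-Object LastConnected -Descending | Format-Table -AutoSize
Get-InstalledSoftware     | Sort-Object InstallDate -Descending | Format-Table -AutoSize
```

The SYSTEMTIME values come back in the machine's local time, so apply the TimeZoneInformation bias before lining them up with UTC log sources. Key last-write times (the most useful USBSTOR timestamp) are not exposed by the registry provider; use a hive parser or RegQueryInfoKey for those.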

Persistence Keys

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Programs in this key run each time the current user logs on, launched by Explorer after the shell starts; ignored in Safe Mode.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Same, but applied to every user who logs on to the machine. Both Run keys are processed at logon, not at boot: nothing here executes while no one is logged on.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Runs once at the next logon of the current user. The value is deleted before the command runs, so on a live system this key is usually empty; a value name prefixed with ! defers deletion until the command has finished.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Same, for the next logon of any user. Installers use it legitimately to finish setup after a reboot; malware uses it to run a payload and leave no entry behind afterwards.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Group Policy counterpart of the Run key (the "Run these programs at user logon" policy). Explorer processes it at logon for every user; values are numbered (1, 2, ...) with the command line as data. Often missed because it is not in the classic Run key.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Same policy location for the current user only; executed at that user's logon.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Userinit (normally C:\Windows\system32\userinit.exe, with a trailing comma) and Shell (normally explorer.exe) are comma-separated lists; anything appended runs in every interactive logon session as the logging-on user. On Windows XP/2003 the Notify subkeys additionally loaded DLLs into winlogon.exe itself.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Load and Run are values under this key, not subkeys (they are the registry mapping of the old win.ini [windows] load= and run= lines). Programs named in either value start at user logon. The HKCU copy is the one autostart tools usually check; the HKLM key is also where AppInit_DLLs lives (see above).

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

CLSIDs registered here are instantiated by Explorer and called before every ShellExecute, so the DLL behind each CLSID (HKCR\CLSID\{GUID}\InprocServer32) runs whenever the user opens a file, link or program from the shell. Any entry deserves a look.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Each subkey is a service or driver started by the Service Control Manager; ImagePath (or Parameters\ServiceDll for svchost-hosted services) and Start decide what runs and when, as SYSTEM unless ObjectName says otherwise. Malware either creates a new service or repoints ImagePath/ServiceDll of an existing one, so compare these values against a known-good baseline rather than only listing names.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

REG_EXPAND_SZ paths for the current user's special folders. Redirecting Startup to an attacker-controlled directory makes everything in it run at logon without touching any Run key.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Same for the machine-wide folders; Common Startup is the one that matters for persistence.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components

Each {GUID} subkey carries a StubPath command and a Version. At logon, before the shell starts, Windows compares Version against the copy under HKCU\Software\Microsoft\Active Setup\Installed Components\{GUID}; if the HKCU copy is missing or older, StubPath runs as that user and the version is recorded. A new or bumped entry therefore executes once for every user who logs on next, not only for newly created accounts.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

The WOW64-redirected view of the HKLM Run key, which 32-bit processes see as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Entries here execute at logon exactly like the native key and are missed by tools that query only the 64-bit view.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\ShellEx\ContextMenuHandlers

The * class applies to every file type; each subkey names a CLSID whose DLL Explorer loads when a file is right-clicked. Other classes (Directory, Folder, AllFilesystemObjects, Drive) have their own ShellEx\ContextMenuHandlers keys.

HKEY_CURRENT_USER\Software\Classes\*\ShellEx\ContextMenuHandlers

Same mechanism for the current user; writable without admin rights, which is why it is favoured for unprivileged persistence.

HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run

The per-user Run key addressed through HKEY_USERS. Use this form to check every loaded profile at once, or an offline NTUSER.DAT mounted with reg load; HKCU only ever shows the profile of the account running the query.

HKLM\BCD00000000

The Boot Configuration Data hive mounted at this key (the same data bcdedit shows): boot entries and options such as testsigning, nointegritychecks, safeboot and debug. A testsigning or nointegritychecks flag that nobody set deliberately points at unsigned-driver loading.

HKLM\SAM\SAM

The local account database (Domains\Account\Users\<RID> with F and V blobs holding last-logon time, password-last-set, logon count and the password hashes). The ACL on this subkey grants read access only to SYSTEM, so even an administrator reads it through a SYSTEM shell (psexec -s), reg save, or an offline copy of the SAM hive.
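As an added example (not from ShellSpells), the script below enumerates the Run/RunOnce/Policies Run keys for HKLM and every loaded user hive, plus the Winlogon Userinit/Shell lists, Active Setup StubPath values and the Services ImagePath/ServiceDll values, and flags entries that point to a user-writable directory, an unsigned or missing binary, or an unquoted path containing spaces. The user-writable directory list and the flag names are assumptions chosen for illustration; the key paths are the ones documented above.

```powershell
# Added example, not part of ShellSpells: walk the autostart locations above and flag entries
# whose executable sits in a user-writable directory, is not validly signed, or is referenced
# by an unquoted path containing spaces. Run elevated.

$RunSubkeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# assumption for illustration: directories a non-admin can write to; tune per environment
$UserWritable = @("$env:SystemDrive\Users\", "$env:ProgramData\", "$env:SystemRoot\Temp\")

function Get-ExecutableFromCommand {
    # Resolve the binary a command line will start. Unquoted paths are tried the way
    # CreateProcess tries them: one more space-separated token at a time.
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if (-not $c) { return '' }
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    $parts = $c -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        foreach ($try in $candidate, "$candidate.exe") {
            if (Test-Path -LiteralPath $try -PathType Leaf) { return $try }
        }
    }
    return $parts[0]
}

function Test-AutostartEntry {
    param([string]$Location, [string]$Name, [string]$Command)
    $flags = @()
    if (-not $Command.Trim()) { $flags += 'empty' }
    $exe = Get-ExecutableFromCommand $Command
    if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
        $found = Get-Command $exe -ErrorAction SilentlyContinue      # bare names resolve via PATH
        if ($found) { $exe = $found.Source }
    }
    if (-not $Command.Trim().StartsWith('"') -and $exe.Contains(' ')) { $flags += 'unquoted-path-with-spaces' }
    foreach ($d in $UserWritable) {
        if ($exe.StartsWith($d, 'OrdinalIgnoreCase')) { $flags += 'user-writable-location'; break }
    }
    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
        # catalog-signed OS binaries report Valid on Windows 10+; any other status is a lead, not a verdict
        $status = (Get-AuthenticodeSignature -LiteralPath $exe).Status
        if ($status -ne 'Valid') { $flags += "signature-$status" }
    } elseif ($exe) { $flags += 'binary-not-found' }
    [pscustomobject]@{ Location = $Location; Name = $Name; Command = $Command; Executable = $exe; Flags = ($flags -join ',') }
}

$null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue
$hives = @('HKLM:') + @(Get-ChildItem HKU:\ |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |      # loaded user hives, not *_Classes
    ForEach-Object { "HKU:\$($_.PSChildName)" })
$wlKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

$results = @(
    foreach ($hive in $hives) {
        foreach ($sub in $RunSubkeys) {
            $key = "$hive\$sub"
            if (-not (Test-Path $key)) { continue }
            foreach ($v in (Get-ItemProperty $key).PSObject.Properties) {
                if ($v.Name -like 'PS*') { continue }           # provider metadata, not registry values
                Test-AutostartEntry -Location $key -Name $v.Name -Command ([string]$v.Value)
            }
        }
    }
    # Winlogon: Userinit and Shell are comma-separated lists; anything beyond the default is a hook
    $wl = Get-ItemProperty $wlKey
    foreach ($name in 'Userinit', 'Shell') {
        foreach ($entry in (([string]$wl.$name) -split ',' | Where-Object { $_.Trim() })) {
            Test-AutostartEntry -Location $wlKey -Name $name -Command $entry
        }
    }
    # Active Setup: StubPath runs once per user at that user's next logon
    foreach ($k in Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components') {
        $stub = (Get-ItemProperty $k.PSPath).StubPath
        if ($stub) { Test-AutostartEntry -Location $k.PSPath -Name 'StubPath' -Command $stub }
    }
    # Services: for svchost-hosted services the ServiceDll is what actually runs
    foreach ($k in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $p = Get-ItemProperty $k.PSPath
        if (-not $p.ImagePath -or $p.Type -in 1, 2) { continue }     # skip drivers and keys without a binary
        $dll = (Get-ItemProperty "$($k.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        Test-AutostartEntry -Location $k.PSPath -Name $k.PSChildName -Command $(if ($dll) { $dll } else { $p.ImagePath })
    }
)

$results | Where-Object Flags | Sort-Object Flags | Format-Table Location, Name, Executable, Flags -AutoSize -Wrap
```

The output is a triage list, not a verdict: legitimate third-party agents often live under ProgramData and some vendors ship unsigned helpers. What the script does give you is every autostart reference resolved to the file that actually executes, which is the thing to hash and compare across hosts.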

Notes

Root Keys:

HKLM (local machine): the machine-wide hives SOFTWARE, SYSTEM, SAM, SECURITY. SYSTEM\CurrentControlSet is a link to the ControlSet00N selected by HKLM\SYSTEM\Select\Current; in an offline SYSTEM hive there is no link, so read Select\Current and follow it yourself.

HKCU (current user): a link to HKU\<SID of the calling account>, i.e. the NTUSER.DAT of whoever runs the query.

HKCR (classes root): a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes; the per-user half wins on conflict, which is what makes HKCU\Software\Classes useful for unprivileged hijacks.

HKU (users): one subkey per loaded user hive, plus .DEFAULT (LocalSystem) and the <SID>_Classes hives.

HKCC (current configuration): a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current.

Value Types:

REG_SZ (string)

REG_EXPAND_SZ (string with %VAR% references, expanded by the reader)

REG_MULTI_SZ (list of strings)

REG_DWORD (32-bit integer; tools that display it signed show large values as negatives)

REG_QWORD (64-bit integer, the common encoding for a FILETIME)

REG_BINARY (binary data; PIDLs, SYSTEMTIME blobs, security descriptors)


Last updated 1 year ago
