CTF Support

Windows Registry Analysis

Introduction

The Windows Registry stores configuration and activity data, including user behavior, persistence mechanisms, and system changes. In forensics challenges, analyzing registry hives can reveal malware persistence, executed programs, connected devices, and user accounts.

Tools

| Tool | Purpose |
|---|---|
| Registry Explorer | GUI registry browser for artifact timelines and bookmarkable keys |
| RECmd | Command-line companion to Registry Explorer with batch query support |
| RegRipper | Parses individual hives using plugins (e.g. runkeys, software, network) |
| python-registry | Parses registry hives from Python (useful for automation or CTFs) |

Common Registry Hives

| Hive | Location | Contains |
|---|---|---|
| SYSTEM | C:\Windows\System32\config\SYSTEM | Hardware, services, network configuration, and control sets |
| SOFTWARE | C:\Windows\System32\config\SOFTWARE | Installed applications, versioning, execution history |
| SAM | C:\Windows\System32\config\SAM | Local user accounts and password hashes |
| SECURITY | C:\Windows\System32\config\SECURITY | Security policy and audit configuration |
| NTUSER.DAT | C:\Users\<user>\NTUSER.DAT | Per-user settings, recent documents, Run keys |
| USRCLASS.DAT | C:\Users\<user>\AppData\Local\Microsoft\Windows\USRCLASS.DAT | User shellbags (folders visited, UI states) |

Persistence and Execution Artefacts

Attackers often modify registry keys to achieve persistence or command execution at startup.

Common locations to inspect:

| Registry Path | Purpose | Notes |
|---|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | User-level autoruns | Executes apps on logon |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Run | System-wide autoruns | Persists services |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit | Logon initialization chain | Check for appended malware |
| HKLM\SYSTEM\CurrentControlSet\Services\ | Service persistence | Lists drivers and rootkits |
| HKLM\SYSTEM\CurrentControlSet\Control\Lsa | Credential providers | Impersonation or injection points |
| HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp | Port proxy rules | Used for internal proxy pivoting |
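As an added example (not code from the original page or from any of the tools listed above), the checks from the table applied to already-extracted values: a pure-Python triage that flags a Userinit chain with appended entries, Run values launched from user-writable locations or through a script host, and any PortProxy rule. The input dictionary mimics the shape of an RECmd or python-registry export and is constructed here; the expected Userinit path, the user-writable directory pattern and the script-host list are assumptions you would tune to the case.

```python
import re
# Expected first Userinit entry on a clean system (assumption: default install path).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# Heuristics (assumptions): user-writable directories and script hosts in Run values.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|temp|programdata)\\", re.I)
SCRIPT_HOSTS = re.compile(r"\b(powershell|wscript|cscript|mshta|rundll32)(\.exe)?\b", re.I)
RUN_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run")
USERINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
PORTPROXY_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp"

def triage(hive_values):
    """Return (key, value_name, reason) tuples for entries that deserve a closer look.

    hive_values maps a key path to {value_name: data}, the shape a tool such as RECmd
    or python-registry can export (the sample below is constructed, not real output).
    """
    findings = []
    # Userinit is a comma-separated chain; the default is a single entry followed by a
    # trailing comma, so anything after that comma was appended and runs at every logon.
    userinit = hive_values.get(USERINIT_KEY, {}).get("Userinit", "")
    entries = [e.strip().lower() for e in userinit.split(",") if e.strip()]
    if entries and entries[0] != EXPECTED_USERINIT:
        findings.append((USERINIT_KEY, "Userinit", f"unexpected first entry: {entries[0]}"))
    for extra in entries[1:]:
        findings.append((USERINIT_KEY, "Userinit", f"appended entry: {extra}"))
    # Run keys: flag values launched from user-writable paths or through a script host.
    for key in RUN_KEYS:
        for name, data in hive_values.get(key, {}).items():
            if USER_WRITABLE.search(data):
                findings.append((key, name, "runs from user-writable path"))
            if SCRIPT_HOSTS.search(data):
                findings.append((key, name, "invokes script host"))
    # PortProxy: value name is the listen addr/port, data is the connect addr/port; any
    # rule on a workstation is worth recording.
    for name, data in hive_values.get(PORTPROXY_KEY, {}).items():
        findings.append((PORTPROXY_KEY, name, f"port proxy {name} -> {data}"))
    return findings

# Constructed sample export (not real data) with one benign and three suspect entries.
SAMPLE = {
    USERINIT_KEY: {"Userinit": r"C:\Windows\system32\userinit.exe,C:\Users\bob\AppData\Roaming\svc.exe,"},
    RUN_KEYS[0]: {"OneDrive": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
                  "Updater": r"powershell -w hidden -f C:\Users\bob\AppData\Local\Temp\u.ps1"},
    PORTPROXY_KEY: {"0.0.0.0/3389": "10.0.0.5/445"},
}

if __name__ == "__main__":
    for key, name, reason in triage(SAMPLE):
        print(f"{reason:35} {key}\\{name}")
```

With real hives, fill the dictionary from RECmd or python-registry output for the same key paths; the benign OneDrive entry is included to show that ordinary Program Files autoruns are not flagged.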