Sign In
In this module

The Windows Registry as a Forensic Source

Module 0 · Free
Operational Objective
The Windows Registry is the second most important forensic source after the filesystem — and the most misunderstood. Examiners routinely extract registry hives, run RegRipper or RECmd, and include the output in their reports without understanding the binary structure that produced it. When a registry key's "last write time" shows March 15, what exactly does that mean? It means any value under that key was modified on March 15 — but the examiner cannot determine which value changed, because the last write timestamp applies to the entire key, not to individual values. When a deleted registry key appears in a tool's output, how was it recovered? From hive slack space, from transaction logs, or from Volume Shadow Copies — and does the recovery method affect the data's reliability? When an examiner reports a UserAssist entry showing "42 executions of cmd.exe," do they understand that the count is ROT13-encoded in the value name and that the execution count field has known accuracy issues on certain Windows versions? This subsection establishes the registry architecture that generates forensic evidence, the hive file structure that determines what can and cannot be recovered, and the key forensic limitations that every registry analysis must account for.
Deliverable: Understanding of registry hive binary structure (hive bins, key cells, value cells, slack), the five forensically significant hive files and what each contains, the last write timestamp scope and limitations, transaction log recovery mechanics, and the specific registry locations that generate evidence for persistence, user activity, device history, and account forensics.
Estimated completion: 40 minutes
WINDOWS REGISTRY — FIVE FORENSIC HIVE FILES SYSTEM %SystemRoot%\System32\config Services (persistence) USBSTOR (device history) MountedDevices Network interfaces TimeZoneInformation ComputerName Shimcache (AppCompat) BAM/DAM (execution) Prefetch config Hardware · Services Boot · Devices + .LOG1, .LOG2 SOFTWARE %SystemRoot%\System32\config Installed programs NetworkList (Wi-Fi) Run/RunOnce (persistence) OS version, install date Classes (COM, file assoc) Policies (GPO settings) Amcache reference Machine-wide software configuration + .LOG1, .LOG2 SAM %SystemRoot%\System32\config User accounts (SIDs) Account creation time Last logon time Password change time Login count Account flags (enabled) Group membership Local accounts and groups + .LOG1, .LOG2 NTUSER.DAT %UserProfile% Run/RunOnce (user persist) UserAssist (GUI execution) TypedPaths (address bar) WordWheelQuery (search) RecentDocs (MRU lists) MountPoints2 (drives) ComDlg32 (dialogs) Per-user settings and activity + .LOG1, .LOG2 + ntuser.dat.LOG UsrClass.dat %LocalAppData%\Microsoft ShellBags (folder access) BagMRU (shell items) COM class registration File type handlers Per-user class data and ShellBags + .LOG1, .LOG2

Figure WF0.5 — The five forensically significant registry hive files. SYSTEM, SOFTWARE, and SAM are machine-wide (one copy per system). NTUSER.DAT and UsrClass.dat are per-user (one copy per user profile). Each hive has companion .LOG1 and .LOG2 transaction log files that enable recovery of recently deleted keys and values.

Hive files: where registry data lives on disk

The Windows Registry appears as a single unified tree when viewed through regedit.exe or the Registry Editor, but it is physically stored across multiple hive files on disk. Each hive file is a binary file containing a hierarchy of keys, values, and security descriptors. The hive files are loaded into memory at boot time (SYSTEM, SOFTWARE, SAM, SECURITY) or at user logon (NTUSER.DAT, UsrClass.dat), and the in-memory copy is the active registry. Changes to the registry are written to the in-memory copy and then flushed to disk periodically or at shutdown.

This architecture has two forensic implications. First, the on-disk hive file may be slightly behind the in-memory state — changes made since the last flush are in memory but not yet on disk. For live forensics, this means registry tools that read the hive file directly may miss very recent changes. For dead-box forensics (analyzing a disk image), this is not a concern because the system was shut down (or crashed), and the last flush captured the state.

Second, each hive file has companion transaction log files (.LOG1 and .LOG2) that record pending changes before they are committed to the main hive file. These transaction logs serve a dual forensic purpose: they ensure registry integrity after a crash (NTFS replays the transactions on next boot), and they preserve evidence of recent registry modifications that can be recovered even if the main hive file was subsequently modified. Registry Explorer can apply transaction logs to a hive to reconstruct its most recent state, and it can analyze the logs independently to identify recent modifications.

Expand for Deeper Context

The registry hive binary format is well-documented but complex. Each hive begins with a base block (4096 bytes) containing the hive signature ("regf"), the hive's internal filename, the last write timestamp, the major/minor version, and the root key cell offset. The remainder of the hive is organized into hive bins — 4096-byte-aligned allocation units, each beginning with an "hbin" signature.

Within each hive bin, data is stored in cells. Key cells (key nodes) contain the key name, the last write timestamp, the number of subkeys, the number of values, the parent key reference, the security descriptor reference, and the class name reference. Value cells contain the value name, the data type (REG_SZ, REG_BINARY, REG_DWORD, etc.), and the value data (or a reference to a data cell if the value is larger than a few bytes).

Deleted keys and values are represented by free cells — cells whose size field is positive (allocated cells have negative size fields). Free cells retain their original content until the space is reallocated to a new key or value. This is the mechanism behind deleted registry key recovery: tools like Registry Explorer scan free cells within hive bins for key and value structures that are marked as free but still contain parseable data. The recovery is analogous to MFT deleted file recovery — the metadata persists until the space is reused.

The five hive files an examiner needs

SYSTEM (%SystemRoot%\System32\config\SYSTEM) contains hardware configuration, service definitions, driver registrations, and device history. For forensic examiners, the critical subkeys are: CurrentControlSet\Services (every installed service — persistence mechanism), CurrentControlSet\Enum\USBSTOR (USB device history with device serial numbers), CurrentControlSet\Control\Session Manager\AppCompatCache (Shimcache), CurrentControlSet\Services\bam\State\UserSettings (BAM execution records), MountedDevices (volume mount history), and CurrentControlSet\Control\TimeZoneInformation (system timezone — essential for timestamp interpretation).

Determining the active ControlSet is itself a forensic step. SYSTEM contains multiple ControlSets (ControlSet001, ControlSet002, sometimes ControlSet003). The Select\Current value identifies which ControlSet was active at last boot. The Select\LastKnownGood value identifies the last successfully booted ControlSet. Tools like RECmd and Registry Explorer handle this automatically, but manual analysis requires checking Select\Current first.

SOFTWARE (%SystemRoot%\System32\config\SOFTWARE) contains machine-wide software configuration. Forensically significant subkeys include: Microsoft\Windows\CurrentVersion\Run and RunOnce (machine-wide autostart persistence), Microsoft\Windows\CurrentVersion\Uninstall (installed program inventory with install dates), Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles and Signatures (Wi-Fi network connection history with first/last connected timestamps and SSID), Microsoft\Windows NT\CurrentVersion (OS version, installation date, registered owner), and Classes (COM object registrations — used for COM hijack persistence).

SAM (%SystemRoot%\System32\config\SAM) contains local user account information. Each account record includes the username, the Security Identifier (SID), the account creation timestamp, the last logon timestamp, the last password change timestamp, the login count, and account flags (enabled/disabled, password required, locked out). SAM analysis is essential for account forensics: identifying accounts created during a compromise, detecting accounts that were enabled then disabled (indicating attacker cleanup), and establishing the timeline of account modifications.

NTUSER.DAT (%UserProfile%\NTUSER.DAT) contains per-user settings and activity records. This is the richest source of user activity evidence in the registry. Key forensic locations include: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist (GUI program execution with run count and last run time — values are ROT13 encoded), Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths (paths typed into Explorer's address bar), Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery (Windows search queries), Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs (most recently used documents by file type), Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU (files opened/saved via file dialogs), and Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 (mounted drive letters the user interacted with).

UsrClass.dat (%LocalAppData%\Microsoft\Windows\UsrClass.dat) contains per-user class registrations and — most importantly for forensics — the ShellBag data. ShellBags record every folder the user navigated to in Windows Explorer, including folders on network shares, removable media, and ZIP file contents. The ShellBag data is stored under Local Settings\Software\Microsoft\Windows\Shell\BagMRU and Bags keys. UsrClass.dat is often overlooked by examiners who focus on NTUSER.DAT, but for insider threat investigations where folder access history is critical evidence, it is one of the most valuable hive files.

Last write timestamps: scope and limitations

Every registry key has a last write timestamp — a 64-bit Windows FILETIME recording when the key was last modified. This timestamp updates when any value under the key is created, modified, or deleted, and when any subkey is created or deleted. Critically, the timestamp applies to the key, not to individual values. If a key contains 15 values and one value is modified, the key's last write timestamp updates — but there is no way to determine which of the 15 values was the one that changed.

This limitation affects forensic analysis directly. Consider the NTUSER.DAT key Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count. This key contains dozens of values, each representing a different program execution record. The key's last write timestamp tells you when the most recent UserAssist update occurred — not when a specific program was last executed. The individual program execution timestamps are stored within the value data, not in the key's last write timestamp. An examiner who cites the key's last write timestamp as the execution time for a specific program is making an incorrect claim.

The second limitation is that last write timestamps are writable. An application with write access to a registry key can modify the key's last write timestamp by simply writing any value under the key — the act of writing triggers the timestamp update to the current time. An attacker who wants to obscure when they modified a persistence key can write a benign value to the key afterward, updating the last write timestamp to a later time. The original modification time is not preserved.

Decision point

Your KAPE collection includes all five standard hive files (SYSTEM, SOFTWARE, SAM, SECURITY, NTUSER.DAT) but the collection operator forgot to include UsrClass.dat from the user's AppData\Local directory. You discover this gap during analysis. The evidence is from a live system that is still available for additional collection, but the system has been in use for 3 days since the initial collection.

Your options: (A) Collect UsrClass.dat now — it's better late than never. ShellBag data is still valuable even if 3 days old. (B) Collect UsrClass.dat now AND check for Volume Shadow Copies that contain a UsrClass.dat snapshot from closer to the incident date. The current UsrClass.dat may have been modified in the 3 days since the incident (new ShellBag entries added, potentially obscuring the investigation-relevant entries). A VSS snapshot from the incident date would contain the ShellBag state at that time.

The correct approach is B. Collect the current hive for completeness, but the VSS snapshot (if available) provides the ShellBag state closest to the incident — before 3 days of additional browsing activity added noise to the data.

Try It — Examine Registry Hive Last Write Timestamps

Open Registry Explorer (Eric Zimmerman's tool) and load the SYSTEM hive from a KAPE collection or from your analysis VM:

1. In Registry Explorer, go to File → Load Hive and select the SYSTEM file. 2. Navigate to ControlSet001\Services. Each service key has a "Last Write Timestamp" shown in the bottom panel. 3. Sort by Last Write Timestamp descending (click the column header). The most recently modified service keys appear at the top. 4. Look for services with very recent last write timestamps — particularly services you don't recognize. A service key modified during a compromise window is a persistence indicator. 5. Now navigate to ControlSet001\Enum\USBSTOR. Each subkey represents a USB device class. Expand a device class to see individual device entries with their serial numbers. The last write timestamp on the device key indicates the last time that USB device was connected.

Forensic exercise: Find the most recently connected USB storage device by examining USBSTOR last write timestamps. Cross-reference the device serial number with MountedDevices to determine which drive letter it was assigned. Then check the user's NTUSER.DAT MountPoints2 key to confirm the user interacted with that drive letter.

Transaction logs and deleted key recovery

Each hive file is accompanied by transaction log files (.LOG1, .LOG2, and sometimes additional .LOG files for NTUSER.DAT). These logs record registry modifications in a journaling format: before a change is committed to the main hive file, it is written to the transaction log. If the system crashes during a write, NTFS replays the transaction log on next boot to bring the hive to a consistent state.

For forensic examiners, transaction logs serve two purposes. First, they can contain modifications that haven't been flushed to the main hive — applying the logs reconstructs the hive's most recent state. Registry Explorer prompts to apply "dirty" pages from transaction logs when loading a hive. Always apply transaction logs unless you specifically need the pre-modification state.

Second, transaction logs can contain evidence of modifications that were subsequently overwritten in the main hive. If an attacker created a persistence key, then deleted it during cleanup, the creation may be recorded in the transaction log even though the main hive no longer contains the key. The recovery window is limited — transaction logs wrap as new transactions are recorded — but for recent modifications (within hours to days), transaction log analysis can reveal registry changes that are no longer visible in the main hive.

Deleted key recovery from hive slack is separate from transaction log recovery. When a key is deleted, its cell is marked as free but its content persists until the space is reallocated. Registry Explorer can recover deleted keys from slack space automatically (shown with a strikethrough or special icon in the key tree). The reliability of recovered data depends on how much time has passed since deletion and how much subsequent registry activity has occurred — high-churn hive files (SOFTWARE, NTUSER.DAT) reallocate deleted cells faster than low-churn files (SAM).

Expand for Deeper Context

Windows 10 introduced the RegBack feature, which created periodic backups of registry hives in %SystemRoot%\System32\config\RegBack. These backups were created by the Registry Backup scheduled task and could contain hive states from days or weeks prior — providing a forensic snapshot of the registry before a compromise. However, starting with Windows 10 version 1803 (April 2018 Update), Microsoft disabled the RegBack feature by default. The RegBack directory may still exist but contain zero-byte files. The examiner should check whether RegBack files have actual content (file size > 0) before relying on them.

For systems where RegBack is disabled, Volume Shadow Copies remain the primary source of historical registry states. If VSS is enabled and snapshots exist, the examiner can extract registry hives from previous snapshots to compare pre-compromise and post-compromise states. This comparison technique is covered in detail in WF8 (Volume Shadow Copies & Deleted Data Recovery).

The Amcache.hve file (%SystemRoot%\appcompat\Programs\Amcache.hve) is technically a registry hive but is covered in WF3 (Execution Artifacts) because its content is program execution evidence rather than configuration data. The SECURITY hive (%SystemRoot%\System32\config\SECURITY) contains security policy data and is rarely analyzed in standard forensic examinations — it is primarily relevant for advanced investigations involving security policy manipulation.

Compliance Myth: "Registry analysis requires specialized forensic tools that only certified examiners can use"

The myth: Registry forensics is a specialized discipline that requires expensive commercial tools (EnCase, FTK, X-Ways) and formal certification (GCFE, EnCE). Standard registry viewers like regedit cannot be used forensically, and the binary hive format is too complex for non-specialists.

The reality: Every tool needed for professional registry forensics is free. Registry Explorer (Eric Zimmerman) parses all hive types, applies transaction logs, recovers deleted keys, decodes encoded values, and exports to multiple formats. RECmd provides command-line batch processing of registry hives with hundreds of pre-built forensic plugins. AppCompatCacheParser, AmcacheParser, and SBECmd parse specialized registry artifacts. RegRipper provides automated forensic analysis with community-maintained plugins. The binary hive format is publicly documented (Windows Internals, Maxim Suhanov's research papers), and all major forensic tools parse it identically. The barrier to registry forensics is not tools or certification — it is knowledge: understanding which keys contain evidence, what the values mean, and how to interpret last write timestamps correctly. That knowledge is what this course provides.

Troubleshooting

"There are thousands of registry keys — how do I know which ones to examine?" You don't examine the entire registry. You examine the keys that are relevant to your investigation type. For persistence analysis: Services, Run/RunOnce, Scheduled Tasks, COM objects, WMI subscriptions. For user activity: UserAssist, TypedPaths, RecentDocs, ShellBags, WordWheelQuery, ComDlg32. For device history: USBSTOR, MountedDevices, MountPoints2. For account forensics: SAM accounts, group membership, logon timestamps. WF7 provides the complete forensic reference for each key. This subsection provides the architectural understanding to interpret what you find.

"The last write timestamp on a service key shows last week, but the incident was three months ago." The last write timestamp updates on any modification to the key or its values. If Windows Update modified a service's ImagePath or Start value last week, the last write timestamp reflects that — not the original service creation time. The original creation time is not explicitly recorded in the registry. You can sometimes infer it from the first $UsnJrnl entry for the hive file that coincides with the key's creation, from the service's executable file creation timestamp in the MFT, or from Event Log records of service installation (System Event ID 7045). Multi-artifact correlation is essential for registry timeline analysis.

"How do I handle registry hives from a live system vs a disk image?" On a live system, hives are locked by the OS — you cannot copy them directly. KAPE handles this using raw disk access to extract locked files. On a disk image, hives are regular files accessible at their standard paths. In both cases, always collect the companion .LOG1 and .LOG2 files alongside each hive — without transaction logs, the hive may be in an inconsistent state that causes parsing errors.

Operational Artifact — Registry Forensic Collection Checklist

System-wide hives (collect from all systems): SYSTEM + SYSTEM.LOG1 + SYSTEM.LOG2 (from %SystemRoot%\System32\config\), SOFTWARE + logs, SAM + logs, SECURITY + logs. Per-user hives (collect for target user accounts): NTUSER.DAT + logs (from %UserProfile%\), UsrClass.dat + logs (from %LocalAppData%\Microsoft\Windows\). Specialized hives: Amcache.hve + logs (from %SystemRoot%\appcompat\Programs\). Historical snapshots: RegBack directory files if present and non-zero (from %SystemRoot%\System32\config\RegBack\). Volume Shadow Copy registry hives if VSS enabled. KAPE target: Use the RegistryHives compound target, which collects all of the above automatically. Verification after collection: Confirm each hive file has non-zero size. Confirm .LOG files are present. Note: NTUSER.DAT and UsrClass.dat exist per user — collect for every user account relevant to the investigation, including administrator accounts that may have been used by the attacker. Document the user profile path to SID mapping from the SAM hive for attribution.

During a ransomware investigation, you examine the SYSTEM registry hive and find a service named "WindowsUpdateSvc" under ControlSet001\Services with ImagePath pointing to C:\Windows\Temp\svchost_update.exe. The service key's last write timestamp is 2026-03-29 10:14:22 UTC. The incident timeline indicates initial compromise on 2026-03-28 and ransomware deployment on 2026-03-30. A colleague argues this service was created on March 29 based on the last write timestamp. What is the correct forensic assessment?
The colleague is correct. The last write timestamp on a service key records when the service was created, so the service was installed on March 29. This fits the incident timeline between initial compromise and ransomware deployment.
The last write timestamp only proves that the key was last modified on March 29 — not that it was created then. The service could have been created earlier (e.g., March 28 during initial compromise) and then modified on March 29 (e.g., the attacker changed the Start type or ImagePath). To determine the actual creation time, corroborate with: System Event Log Event ID 7045 (service installation), the MFT creation timestamp for svchost_update.exe, and the USN Journal entry for the executable's creation. The last write timestamp alone is insufficient to establish creation time.
Registry timestamps are unreliable because they can be modified by any process with write access to the key. The attacker likely backdated the timestamp to obscure when the service was actually created. The examiner should ignore registry timestamps entirely and rely on Event Log timestamps instead.
The service key's last write timestamp is accurate for the service creation because Windows only writes to the Services key during service installation — it does not update the timestamp for subsequent service state changes like starting or stopping. March 29 is definitively the creation date.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You've built the foundations of artifact-level forensic analysis.

WF0 gave you the taxonomy, NTFS architecture, and the five-step methodology. WF1 took you inside the MFT at the binary level — every attribute, every timestamp, every edge case. From here, every artifact category gets the same raw-first treatment.

  • WF2–WF10: every major Windows artifact decoded at binary level — USN Journal, Prefetch, Amcache, Shimcache, ShellBags, LNK, Jump Lists, SRUM, Event Logs, and the Registry hives
  • INC-NE-2026-0915 (WF13) — Insider data exfiltration capstone. Work the complete investigation from USB history to OneDrive exfiltration evidence
  • INC-NE-2026-1022 (WF14) — Ransomware capstone. Three-host triage (FIN01 → IT03 → FS01) across the 72-hour attack chain
  • The lab pack — 25+ realistic evidence files in 10 formats, simulated KAPE triage pre-populated, both capstones deployable to your own VM
  • Anti-forensic detection methodology — defeat timestomping, log clearing, and Prefetch deletion with cross-artifact correlation
Unlock with Specialist — £25/mo See Full Syllabus

Cancel anytime

← Previous Next →