Windows Registry: Files, Interface & Settings
Questions and Answers

How do Security Policies impact system time zone settings compared to user configurations?

  • Security policies and user configurations merge to create a hybrid setting.
  • Either a user or a security policy can configure time zone settings. (correct)
  • Security policies dictate time zone settings, overriding user preferences entirely.
  • User configurations are always prioritized, with Security Policies only applying default settings if no user preference is specified.

What is the primary role of the Security Accounts Manager (SAM) in user account management?

  • Assigning temporary passwords for user authentication.
  • Controlling user access permissions to specific files.
  • Storing user account names and unique Relative Identifiers (RIDs). (correct)
  • Managing user group memberships exclusively.

Which component of a Security Identifier (SID) ensures its uniqueness across different systems?

  • The Relative Identifier (RID) component.
  • The combination of the Issuing Authority, Machine Identifier, and RID components. (correct)
  • The Machine Identifier component.
  • The Issuing Authority component.

In Windows systems, which registry file contains user-specific settings, such as desktop appearance and application preferences?

  • NTUSER.DAT (correct)

How does the SAM file correlate user account names with their respective security privileges and access rights?

  • Through the use of a unique Security Identifier (SID) that links to a user's profile. (correct)

Which of the following best describes the primary function of the Windows Registry?

  • To serve as a central hierarchical database for system and application configuration settings. (correct)

What specific type of information is stored within the 'Classes' subkey under the Software registry hive?

  • File extension associations. (correct)

How does the Windows Registry persist data between system boot sessions?

  • It stores data in hive files on the hard drive. (correct)

Where in the registry can you typically find detailed information about the specific version of the operating system?

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion (correct)

A forensic investigator is examining a Windows system and needs to determine if Daylight Saving Time (DST) was ever enabled on the system. Which Registry key provides the most direct evidence of this?

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation (correct)

What is the primary purpose of the NTUSER.DAT file in the context of Windows registry?

  • Maintains user-specific settings and activity data. (correct)

Which of the following artifacts, found within NTUSER.DAT, would provide insights into a user's web browsing habits?

  • Typed URLs. (correct)

An analyst is reviewing a system infected with malware. The malware created a Run key to automatically execute upon system startup. In which Registry hive is this Run key most likely located?

  • SOFTWARE (correct); the machine-wide key is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, while a per-user Run key lives in that user's NTUSER.DAT

In Registry Viewer, what is the primary function of the Hex Viewer?

  • To show the raw binary data of selected Registry values. (correct)

If a user frequently uses a particular search engine, where would evidence of this activity most likely be found within their NTUSER.DAT file?

  • In the internet search queries and form data. (correct)

Which registry component stores the list of recently accessed files, documents, or applications by a user?

  • MRUs (correct)

In the context of Windows Registry analysis, what is the significance of Most Recently Used (MRU) lists?

  • They maintain a record of the files and programs accessed by a user. (correct)

A security analyst suspects that a user's machine has been compromised. The analyst wants to check the user's recently typed URLs. Where would this information be found within the Registry?

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs (correct)

After imaging a suspect's computer, you load the Registry files into Registry Viewer. However, the timestamps for various keys appear incorrect. What is the most likely cause of this discrepancy?

  • The time zone settings in Registry Viewer are not correctly configured. (correct)

In a post-Windows 8 system, how many Control Sets are typically present in the SYSTEM hive of the Windows Registry?

  • One (correct)


Flashcards

Time Zone Settings

Time zone settings on a system, configurable by users or security policies.

SAM File

Security Accounts Manager file; stores user account names and unique Relative ID (RID).

Security Identifier (SID)

Unique identifier for a user account, composed of the Issuing Authority, the Machine Identifier, and the Relative Identifier (RID).

Software Registry Key

Stores information about software installed on the computer, per-user settings, and file extension associations.


OS Version Path

Location in the registry where OS version information can be found.


NTUSER.DAT

Per-user hive file that records a large part of what a specific user did on the computer.


Most Recently Used (MRUs)

Stored in NTUSER.DAT, these lists contain typed URLs, search queries, recent documents, etc.


OS Information

Operating System information is stored in SOFTWARE\Microsoft\Windows NT\CurrentVersion


RID

Relative ID; a unique number given to each User.


Classes Subkey

Stores file extension associations.


What is the Registry?

A central, hierarchical database that stores configuration information for the system, users, applications, and hardware devices.


DOS Registry files

Autoexec.bat (user configurations) and Config.sys (hardware settings).


Windows XP-10 Registry Files

SAM, Software, System, Security, and NTUSER.DAT.


MRUs

Most Recently Used files.


Registry Purpose

Store per-computer and per-user settings.


Computer Registry Files

SAM, SOFTWARE, SYSTEM, and SECURITY.


User Registry File

NTUSER.DAT


Value Pane

Displays the values associated with a selected key.


Key Tree Pane

Contains the key tree, allowing navigation of the registry structure.


Time Zone Registry Key

CurrentControlSet\Control\TimeZoneInformation in the System registry hive.


Study Notes

Module Objectives

  • Describes registry files, viewer interface, key features, basic reporting, time zone settings, user SIDs, OS versions, and user artifacts

What is the Registry?

  • Microsoft describes it as a central hierarchical database used to store information necessary to configure the system for users, applications, and hardware devices
  • The registry is system-wide storage for computer and user settings
  • Every key carries a LastWrite timestamp, so the registry also serves as a log of when settings were changed
  • The logical registry (HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER and so on) exists only while Windows is running; it is assembled at boot from hive files on disk
  • Changes are flushed back to those hive files, which is why the data survives a shutdown and can be examined offline from a disk image

Registry History

  • DOS used two files, Autoexec.bat for user configurations, and Config.sys for hardware settings
  • Windows 3.x used .ini files
  • Windows 9x used System.dat and User.dat
  • Windows NT/XP through Windows 10 use the SAM, SYSTEM, SOFTWARE and SECURITY hives plus a per-user NTUSER.DAT (and a per-user UsrClass.dat for class registrations)

Benefits of the Registry

  • Records MRUs, Typed URLs, System users
  • Stores information about installed devices, system time settings, registered user information
  • Stores password hashes (in SAM) and LSA secrets such as cached credentials (in SECURITY), plus internet search queries and form data (in NTUSER.DAT)
  • Records the date and time each key was last updated (the key's LastWrite timestamp)
  • Useful for identifying network and wireless settings and connections

Registry Files - Computer

  • The SAM file stores Local User Account information
  • The SOFTWARE file tracks installed applications and their settings
  • The SYSTEM file contains system-specific settings, hardware configurations, and drivers
  • The SECURITY file manages security policies, user rights, and access control
  • The files are in %SystemRoot%\System32\config (normally C:\Windows\System32\config)

Registry Files - User

  • NTUSER.DAT contains user-specific settings and data for each user profile; it is a hidden file at \Users\<username>\NTUSER.DAT and is locked while that user is logged on, so it is normally taken from an image

Registry Viewer

  • Registry hive files can be exported from the Imager tool (FTK Imager) and added to Registry Viewer (RV); because live hives are locked, they are exported from a forensic image rather than copied from a running system

Registry Viewer Interface

  • The Interface displays the menu bar, toolbar, key tree pane, properties pane, value pane, and status bar
  • Displays hives, keys/subkeys, values, and a hex viewer for values

Adding Keys to Reports

  • Keys selected in Registry Viewer can be added to reports

Generating a Report

  • Reports can be generated by pressing Ctrl+G
  • Report options include reduce excess data output, show key properties only, show DWORD values as timestamps, and view the report when created

Reloading A Report

  • Reload reports by pressing (CTRL + L)

System - Select Key

  • Before Windows 8 the SYSTEM hive normally holds two control sets, ControlSet001 and ControlSet002
  • Windows 8 and later normally hold a single control set, ControlSet001
  • CurrentControlSet is only a symbolic link in the live registry; in an offline hive read SYSTEM\Select, whose Current value gives the number of the control set in use (LastKnownGood names the fallback), and open that ControlSet00N

System - Time Zone Settings

  • Settings are under ControlSet00N\Control\TimeZoneInformation (CurrentControlSet on a live system): Bias, StandardBias, DaylightBias and ActiveTimeBias are signed minutes with UTC = local time + bias, and DynamicDaylightTimeDisabled records whether automatic DST adjustment is switched off
  • The important question is whether the system observed DST at all, because that changes how every local-time artifact is converted to UTC across the year; ActiveTimeBias only shows the offset in force when the key was last written, not what was in effect at the time of seizure
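As an added worked example (not part of the original notes, and not Registry Viewer's own code), the following Python resolves Select\Current to the ControlSet00N subkey and decodes TimeZoneInformation the way an examiner must when reading an offline SYSTEM hive. The key and value names are the real ones; the byte values, the time zone and the function names are constructed for the example. Note that the DWORD biases must be read as signed integers (DaylightBias is usually -60, stored as 0xFFFFFFC4), and that the DST flag the summary reports describes the moment the key was last written, nothing more.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample values (not from a real system) as Registry Viewer shows them
# in an offline SYSTEM hive. REG_DWORD data is little-endian; the time-zone bias
# values are SIGNED minutes, and Windows defines UTC = local time + bias.
SELECT_KEY = {                              # SYSTEM\Select
    "Current":       b"\x01\x00\x00\x00",   # 1 -> ControlSet001 is the live one
    "Default":       b"\x01\x00\x00\x00",
    "Failed":        b"\x00\x00\x00\x00",
    "LastKnownGood": b"\x02\x00\x00\x00",
}
TIME_ZONE_INFORMATION = {                   # ControlSet001\Control\TimeZoneInformation
    "Bias":            b"\x2c\x01\x00\x00", # 300  -> standard time is UTC-5
    "StandardBias":    b"\x00\x00\x00\x00", # 0
    "DaylightBias":    b"\xc4\xff\xff\xff", # -60  (0xFFFFFFC4 read as signed)
    "ActiveTimeBias":  b"\xf0\x00\x00\x00", # 240  -> UTC-4 was in force at last write
    "DynamicDaylightTimeDisabled": b"\x00\x00\x00\x00",  # 0 = DST adjustment enabled
    "TimeZoneKeyName": "Eastern Standard Time".encode("utf-16-le") + b"\x00\x00",
}


def dword(raw: bytes, signed: bool = False) -> int:
    """Decode a 4-byte little-endian REG_DWORD, optionally as a signed value."""
    return struct.unpack("<i" if signed else "<I", raw[:4])[0]


def current_control_set(select_values: dict) -> str:
    """Resolve the ControlSet00N that CurrentControlSet points to on a live system."""
    return "ControlSet%03d" % dword(select_values["Current"])


def time_zone_summary(tzi: dict) -> dict:
    """Summarise TimeZoneInformation as UTC offsets (minutes east of UTC)."""
    bias = dword(tzi["Bias"], signed=True)
    standard = dword(tzi["StandardBias"], signed=True)
    daylight = dword(tzi["DaylightBias"], signed=True)
    active = dword(tzi["ActiveTimeBias"], signed=True)
    # DynamicDaylightTimeDisabled appeared with Vista; treat absence as "DST enabled".
    dst_disabled = dword(tzi.get("DynamicDaylightTimeDisabled", b"\x00\x00\x00\x00")) != 0
    name = tzi["TimeZoneKeyName"].decode("utf-16-le").rstrip("\x00")
    return {
        "time_zone": name,
        "standard_utc_offset_min": -(bias + standard),
        "daylight_utc_offset_min": -(bias + daylight),
        "active_utc_offset_min": -active,
        "dst_observed": not dst_disabled,
        # True only says DST was in force when the key was last written,
        # not that it was in force at seizure or at the time of any given event.
        "dst_in_effect_at_last_write": active == bias + daylight,
    }


def utc_to_local(utc_iso: str, tzi: dict) -> str:
    """Convert a UTC timestamp (ISO 8601) to local time using ActiveTimeBias.

    local = UTC - bias. Correct only for events that happened under the same
    offset; for events across a DST transition use the standard/daylight offsets.
    """
    active = dword(tzi["ActiveTimeBias"], signed=True)
    utc_time = datetime.fromisoformat(utc_iso).replace(tzinfo=timezone.utc)
    return utc_time.astimezone(timezone(timedelta(minutes=-active))).isoformat()


if __name__ == "__main__":
    print(current_control_set(SELECT_KEY))
    print(time_zone_summary(TIME_ZONE_INFORMATION))
    print(utc_to_local("2024-07-01T12:00:00", TIME_ZONE_INFORMATION))
```

Feed `time_zone_summary` the values from the control set that `current_control_set` names, not from a ControlSet002 left over from an earlier boot, and record both offsets in the report so any local-time artifact can be converted whichever side of a DST switch it falls on.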

Security Accounts Manager

  • When a User account is created, the User account name is created in the SAM file
  • Each User is given a unique RID number

SAM - Security Identifier

  • SIDs are unique and take the form S-1-5-21-<machine identifier>-<RID>
  • Composed of the Issuing Authority (5, NT Authority), the Machine ID (three 32-bit sub-authorities generated at install time) and the Relative Identifier (RID)

SAM - User Information

  • User information can be found under SAM\SAM\Domains\Account\Users; each account's subkey is named by its RID in hexadecimal (000001F4 is RID 500, the built-in Administrator; 000003E8 is RID 1000, the first user-created account), and the Names subkey maps account names to RIDs
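The SID structure described in the two sections above, as an added example in Python (not from the original notes or from any forensic tool): it decodes the binary SID layout Windows uses on disk and in memory (revision byte, sub-authority count, 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities), splits the result into machine identifier and RID, and maps the hexadecimal subkey names under SAM\Domains\Account\Users back to decimal RIDs. The machine identifier values are constructed; the RID conventions (500 Administrator, 501 Guest, 1000 and up for created accounts) are real.

```python
import struct

# Constructed sample: the binary form of S-1-5-21-1004336348-1177238915-682003330-1000.
# The three large sub-authorities are the machine identifier (made up for this example);
# the last sub-authority is the RID.
SAMPLE_SID = (
    b"\x01"                          # revision
    b"\x05"                          # five sub-authorities follow
    b"\x00\x00\x00\x00\x00\x05"      # identifier authority 5 = NT Authority (big-endian)
    b"\x15\x00\x00\x00"              # 21 (little-endian DWORD)
    b"\xdc\xf4\xdc\x3b"              # 1004336348  machine identifier, part 1
    b"\x83\x3d\x2b\x46"              # 1177238915  part 2
    b"\x82\x8b\xa6\x28"              # 682003330   part 3
    b"\xe8\x03\x00\x00"              # 1000        RID of the first user-created account
)

WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}


def parse_sid(raw: bytes) -> str:
    """Decode a binary SID into its S-R-I-S... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) < 8 + 4 * count:
        raise ValueError("not a valid binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def split_sid(sid: str):
    """Return (machine/domain SID, RID) for an account SID such as S-1-5-21-...-1000."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def rid_from_users_subkey(name: str) -> int:
    """Users subkeys under SAM\\Domains\\Account are named by RID in hex, e.g. 000003E8."""
    return int(name, 16)


def describe_rid(rid: int) -> str:
    """Classify a RID by the conventions Windows uses for local accounts."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "user-created account" if rid >= 1000 else "built-in/reserved"


if __name__ == "__main__":
    sid = parse_sid(SAMPLE_SID)
    machine, rid = split_sid(sid)
    print(sid, machine, rid, describe_rid(rid))
    print(rid_from_users_subkey("000003E8"), rid_from_users_subkey("000001F4"))
```

Because the machine identifier is fixed at install time, every local account SID on a box shares the same prefix; a profile folder under \Users whose ProfileList SID carries a different prefix belongs to a domain or other machine, and a RID of 500 with a renamed account name is still the built-in Administrator.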

Software

  • Stores information about software installed on the computer
  • Stores machine-wide application and Windows settings that apply to all users (per-user settings live in each user's NTUSER.DAT)
  • Stores file extension associations in the Classes subkey
  • Registered owner and operating system information are stored in Microsoft\Windows NT\CurrentVersion

Software - OS Version

  • Tracks the version of the operating system under Microsoft\Windows NT\CurrentVersion (ProductName, CurrentBuild, and InstallDate stored as a DWORD Unix timestamp)
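Both the report option "show DWORD values as timestamps" above and the InstallDate value here come down to two conversions an examiner does constantly. This added Python example (not from the original notes or from Registry Viewer) performs both on constructed values: a REG_DWORD holding seconds since 1970 (the InstallDate convention) and a 64-bit FILETIME of 100-nanosecond ticks since 1601 (the convention for key LastWrite times). The value names under CurrentVersion are real; the values and the FILETIME are made up. Caveat: on Windows 10 a feature update rewrites InstallDate, so it dates the last feature update rather than the original installation.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample values (not from a real system) from the SOFTWARE hive key
# Microsoft\Windows NT\CurrentVersion, plus that key's LastWrite time as Registry
# Viewer reports it. InstallDate is a REG_DWORD of seconds since 1970-01-01 UTC;
# LastWrite times are 64-bit FILETIMEs, 100-nanosecond ticks since 1601-01-01 UTC.
CURRENT_VERSION = {
    "ProductName":     "Windows 10 Pro",
    "CurrentBuild":    "19045",
    "DisplayVersion":  "22H2",
    "RegisteredOwner": "analyst",
    "InstallDate":     b"\x80\x61\x5a\x66",   # 0x665A6180 = 1717199232, little-endian
}
CURRENT_VERSION_LAST_WRITE = 133616736000000000   # FILETIME, as shown by the viewer

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def dword_to_datetime(raw: bytes) -> datetime:
    """Decode a little-endian REG_DWORD that holds a Unix timestamp (seconds, UTC)."""
    seconds = int.from_bytes(raw[:4], "little")
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601) to an aware UTC datetime."""
    # Python datetimes resolve to microseconds, so drop the sub-microsecond digit.
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def os_version_summary(values: dict, last_write: int) -> dict:
    """Pull the version facts an examiner records from CurrentVersion, all in UTC."""
    return {
        "product": "%s (build %s, %s)" % (values["ProductName"], values["CurrentBuild"],
                                          values.get("DisplayVersion", "n/a")),
        "registered_owner": values.get("RegisteredOwner", ""),
        "install_date_utc": dword_to_datetime(values["InstallDate"]).isoformat(),
        "key_last_write_utc": filetime_to_datetime(last_write).isoformat(),
    }


if __name__ == "__main__":
    for k, v in os_version_summary(CURRENT_VERSION, CURRENT_VERSION_LAST_WRITE).items():
        print("%-20s %s" % (k, v))
```

Keep every converted timestamp in UTC in the report and apply the offsets from TimeZoneInformation only at the end; this is exactly the mistake behind "wrong-looking" timestamps when Registry Viewer's time zone setting does not match the evidence.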

NTUSER

  • Stores user activity: MRU lists, typed URLs, internet search queries, form data
  • Keeps track of recent documents and the Internet Explorer start page
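The MRU and TypedURLs artifacts above only tell a coherent story when read in the right order, and that order is not the order the viewer lists the values in. This added Python example (not from the original notes or from Registry Viewer) works on constructed values from two real NTUSER.DAT keys: RecentDocs, where MRUListEx is a list of little-endian DWORD indices, most recent first, terminated by 0xFFFFFFFF, and each numbered value begins with the file name in NUL-terminated UTF-16LE; and TypedURLs, where url1 is the most recent entry and url10 must sort after url9, not after url1. The file names, URLs and the stand-in bytes after each file name are made up.

```python
import re
import struct


def _recent_docs_entry(name: str) -> bytes:
    # Constructed value data: real entries carry a shell item naming the .lnk
    # after the file name; a stand-in blob is enough here since only the name
    # is decoded.
    return (name.encode("utf-16-le") + b"\x00\x00"
            + b"\x14\x00" + (name + ".lnk").encode("ascii") + b"\x00")


# Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs (constructed sample)
RECENT_DOCS = {
    "0": _recent_docs_entry("budget.xlsx"),
    "1": _recent_docs_entry("notes.txt"),
    "2": _recent_docs_entry("invoice.docm"),
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),   # opened: 2, then 0, then 1
}
# Software\Microsoft\Internet Explorer\TypedURLs (constructed sample)
TYPED_URLS = {
    "url1":  "http://intranet/",
    "url10": "http://example.com/a",   # lexical order would wrongly put this second
    "url2":  "http://example.org/",
}


def parse_mrulistex(raw: bytes) -> list:
    """Return MRU indices most-recent first, stopping at the 0xFFFFFFFF terminator."""
    count = len(raw) // 4
    order = []
    for idx in struct.unpack("<%dI" % count, raw[:count * 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def utf16_cstring(data: bytes) -> str:
    """Decode the NUL-terminated UTF-16LE string at the start of data."""
    for off in range(0, len(data) - 1, 2):      # step by code unit, not by byte
        if data[off:off + 2] == b"\x00\x00":
            return data[:off].decode("utf-16-le")
    return data.decode("utf-16-le", errors="replace")


def recent_docs_in_order(values: dict) -> list:
    """File names from RecentDocs ordered by MRUListEx (most recent first)."""
    names = []
    for idx in parse_mrulistex(values["MRUListEx"]):
        data = values.get(str(idx))
        if data is not None:            # a dangling index means the value was deleted
            names.append(utf16_cstring(data))
    return names


def typed_urls_in_order(values: dict) -> list:
    """TypedURLs ordered by numeric suffix, so url10 follows url9 rather than url1."""
    numbered = []
    for name, url in values.items():
        m = re.fullmatch(r"url(\d+)", name)
        if m:
            numbered.append((int(m.group(1)), url))
    return [url for _, url in sorted(numbered)]


if __name__ == "__main__":
    print(recent_docs_in_order(RECENT_DOCS))
    print(typed_urls_in_order(TYPED_URLS))
```

The same MRUListEx layout is used by the per-extension subkeys under RecentDocs (for example RecentDocs\.docm), so the function applies unchanged there; only the key's LastWrite time dates the most recent entry, the individual values carry no timestamps of their own.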

Description

Explore the Windows Registry as a central database for system configuration. Learn about its files, viewer interface, and key features. Understand how it stores user and system settings, including time zones and OS versions.
