Registry Location: HKCU
Key Location: \Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
Description:

Registry Location: HKCU
Key Location: \Software\Microsoft\Windows NT\CurrentVersion\Windows\load
Description: Replaces the use of the "load=" line in Win.ini

Registry Location: HKCU
Key Location: \Software\Microsoft\Windows NT\CurrentVersion\Windows\run
Description: Replaces the use of the "load=" line in Win.ini

Registry Location: HKLM
Key Location: \Software\Policies\Microsoft\Windows\System\Scripts\
Description: Points to scripts for various events (i.e., logon, logoff, shutdown, etc.); usually handled via GPOs, but can also be configured via local security policies

Registry Location: HKCU
Key Location: \Software\Policies\Microsoft\Windows\System\Scripts
Description:

Registry Location: HKCU
Key Location: \Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
Description: Can specify an alternate user shell

Registry Location: HKLM
Key Location: \Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
Description: Contains a list of approved shell extensions.

Registry Location: HKLM
Key Location: \Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Description: DLLs specified within this key are loaded whenever a Windows-based (GUI) application is launched.

Registry Location: HKLM
Key Location: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
Description: This entry can be subverted to load an alternate GINA, capable of capturing the user's login information in plain text (i.e., FakeGINA.DLL from NTSecurity.nu). This is loaded and used by WinLogon.exe.

Registry Location: HKLM
Key Location: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Description: Indicates executable files launched by Userinit.exe and expected at user shell startup.
Triage LHF module reports on this key
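As an added audit example (not part of the original reference or of the Triage module), the PowerShell below reads each location listed above and flags any value that differs from an assumed default-workstation baseline: empty load, run and AppInit_DLLs values, no GinaDLL or policy Shell value, and a Winlogon Shell of explorer.exe. The baseline values and the Get-AsepFindings function name are assumptions to tune against your own build.

```powershell
# Added example, not from the original page. Baseline expectations are assumptions
# for a default workstation; adjust Expect values to match your gold image.
$Checks = @(
    @{ Path='HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Value='load';         Expect='' },
    @{ Path='HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Value='run';          Expect='' },
    @{ Path='HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Value='AppInit_DLLs'; Expect='' },
    @{ Path='HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Value='GinaDLL';      Expect=$null },
    @{ Path='HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Value='Shell';        Expect='explorer.exe' },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Value='Shell';    Expect=$null }
)
# Keys where every subkey or value is itself an autostart entry: enumerate them for review.
$ListKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\Software\Policies\Microsoft\Windows\System\Scripts',
    'HKCU:\Software\Policies\Microsoft\Windows\System\Scripts',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
)

function Get-AsepFindings {
    foreach ($c in $Checks) {
        $item   = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.PSObject.Properties[$c.Value].Value } else { $null }
        # Expect=$null means the value should not exist at all (GinaDLL, policy Shell).
        $bad = if ($null -eq $c.Expect) { $null -ne $actual } else { "$actual".Trim() -ne $c.Expect }
        [pscustomobject]@{ Key=$c.Path; Value=$c.Value; Actual=$actual; Suspicious=$bad }
    }
    foreach ($k in $ListKeys) {
        if (-not (Test-Path $k)) { continue }
        $subs = (Get-ChildItem $k -ErrorAction SilentlyContinue).PSChildName
        $vals = (Get-ItemProperty $k -ErrorAction SilentlyContinue).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { "$($_.Name)=$($_.Value)" }
        # Enumerated entries are listed for the analyst rather than judged automatically.
        [pscustomobject]@{ Key=$k; Value='(enumerate)'; Actual=((@($subs) + @($vals)) -join '; '); Suspicious=$null }
    }
}

# On 64-bit hosts, also review the Wow6432Node counterpart of the HKLM Windows NT keys.
Get-AsepFindings | Format-Table -AutoSize -Wrap
```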