Automate Windows Seven Registry Forensics Analysis Computer Science Essay


Abstract- The Windows registry contains valuable information for forensic analysis. The registry is a core part of Microsoft's Windows XP, Vista and 7 operating systems. It holds basic facts such as which operating system is installed and when, the time zone, and the registered owner, as well as more detailed data such as the software and hardware installed, the storage devices that have been attached, the services that run, and the history of recently used documents; together these let an analyst decide how to proceed with the examination of a system. Although the registry holds such valuable information, its complex structure makes it very difficult to search and analyse manually for evidence. Windows 7 has become a mainstream operating system, so forensic investigators will increasingly have to examine it. In this paper we present details of the Windows 7 registry, its use in forensic analysis, and a proposed tool (RegAnalyzer) that automates Windows 7 registry analysis so that the investigator can use its output for further investigation of the system.


The Windows Registry was introduced in Windows 3.1 as a store for OLE (object linking and embedding) settings and as a replacement for the .INI files used by earlier versions of Windows, which had no hierarchy and could not easily store binary values. Windows 95 and Windows NT 3.5 expanded the registry into the system's configuration database. Windows XP and Vista kept the same concept, but the registry grew considerably more complex as it evolved.

Windows is the operating system most home users and organisations run because of its ease of use. The launch of Windows 7, which is more robust and secure than its predecessors, has increased that share and made it the mainstream choice. Software used by attackers may leave tracks in the registry that can help the investigator, so a forensic analyst needs to know this operating system and its registry. Because of the registry's complex structure, however, extracting the required evidence is difficult and time consuming.

With this need in mind we propose a tool (RegAnalyzer) that automates Windows 7 registry analysis for the forensic investigator.

Related Work

Several researchers have shown that the Windows registry contains a wealth of information about the configuration and use of a computer [6, 7]. Windows 7 has a large impact on forensic examinations because of new features such as BitLocker encryption of USB devices, biometric authentication, and changes to the registry's structure and to the location of its files on disk [8].

Several books describe the structure of the Windows registry across versions, such as the Microsoft Windows Registry Guide (Honeycutt, 2005) and Windows XP Registry (Kokoreva, 2002). They cover the history, structure and purpose of the registry. The structural description has two parts: the logical structure, which covers the five root keys as shown by the standard registry editor, and the physical structure, which covers how and where the hive files are stored on disk and how they are loaded into memory.

Carvey said that "Knowing where to look within the registry, and how to interpret what you find, will go a long way towards giving you insight into activity that occurred on the system".

The SANS Institute has published information about the registry keys that record USB devices connected to a system.

The work above provides a good understanding of the Windows registry, its structure and its importance in computer forensics.

Windows Registry

The registry is a system-defined database in which applications and system components store and retrieve configuration data. The data stored in the registry varies according to the version of Microsoft Windows [1]. It is the central repository for the settings and configuration of the Windows system, its hardware and its users, arranged in a hierarchical structure.

It includes the following information, and much more:

Information about the system environment, such as the Windows installation directory and the location of the Program Files and Documents folders

Settings of third-party applications installed on the system

Hardware devices attached to the system

List of programs and device drivers that Windows loads and runs at system startup

Username and password of the account used for automatic logon to Windows (the password is stored in clear text when automatic logon is configured)

List of commands recently executed from the Run dialog, and recently opened documents

Thus the registry gives the forensic investigator a great deal of information about the suspect's machine. The following sections describe the structure of the registry and then the registry keys and values that are most useful in an investigation.

Registry structure

The registry is a hierarchical database that holds data critical to the operation of Windows and of the applications and services that run on it.


Figure 1: Windows 7 Registry

The data is structured as a tree. Each node in the tree is called a key; a key can contain subkeys and data entries called values. Every value has a name, a type and data. The registry supports three basic families of value data (strings, numbers and raw binary) and a number of variations of each. The individual types are explained below:

REG_BINARY: raw binary data of any length; the Registry Editor displays it as hexadecimal bytes (e.g. 8A 00 01). Many forensically interesting values are stored this way and need a format-specific parser.

REG_EXPAND_SZ: an expandable string that may contain environment variable references which are replaced by their values when the string is read; for example %ProgramFiles% expands to "C:\Program Files". When a hive is analysed offline, the expansion must use the variables of the examined system, not those of the analyst's workstation.

REG_SZ: a normal, human-readable string. Strings in hive files are stored as UTF-16LE and are normally NUL-terminated.

REG_MULTI_SZ: a list of strings. A NUL character terminates each string and a second NUL terminates the list.

All the types whose names end in '_SZ' are string types.

REG_DWORD: a 4-byte (32-bit) number, frequently used for flags and Boolean settings but also for counters, time offsets and timestamps (InstallDate, for example, is a REG_DWORD holding a Unix time). It exists in two byte orders: REG_DWORD_LITTLE_ENDIAN (identical to REG_DWORD), in which the least significant byte is stored first, and REG_DWORD_BIG_ENDIAN, in which the most significant byte is stored first. Intel architectures are little endian, so practically every value encountered is REG_DWORD.

REG_NONE: a value with no defined type.

REG_FULL_RESOURCE_DESCRIPTOR: a nested array describing the resource list used by a physical hardware device; Plug and Play uses values of this type. The Registry Editor can display but not create them. Example: HKLM\HARDWARE\DESCRIPTION\Description

REG_RESOURCE_LIST: a list of REG_FULL_RESOURCE_DESCRIPTOR entries.

REG_RESOURCE_REQUIREMENTS_LIST: a list of the resources a device requires.

REG_LINK: a symbolic link to another key, stored as a UTF-16LE key path. Users cannot create REG_LINK values with the Registry Editor; the system uses them internally, for example to make CurrentControlSet point at one of the ControlSet00x keys.

REG_QWORD: a quadruple-word (64-bit) number, the 64-bit counterpart of REG_DWORD. Unlike REG_DWORD it has only a little-endian form (REG_QWORD_LITTLE_ENDIAN is the same type code as REG_QWORD); there is no big-endian QWORD type.
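The value types listed above are what an offline hive parser hands the analyst as raw bytes. The following decoder, an added example and not code from the paper's RegAnalyzer, turns those bytes into Python objects by type: UTF-16LE strings, the NUL-separated REG_MULTI_SZ list, both DWORD byte orders, and REG_QWORD, while leaving REG_BINARY and the resource types as hex. The environment table used for REG_EXPAND_SZ is an assumption standing in for the examined system's variables, and every sample byte string is constructed.

```python
"""Decode registry value data by type.

Added example for this section, not code from the paper's RegAnalyzer.
Type codes are the ones defined in winnt.h. Registry strings are stored as
UTF-16LE; REG_MULTI_SZ is a run of NUL-terminated strings closed by one
more NUL; REG_DWORD is little endian unless the type is REG_DWORD_BIG_ENDIAN.
The environment table used for REG_EXPAND_SZ is an assumption standing in
for the examined system's environment; all sample bytes are constructed.
"""
import struct

REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD = 0, 1, 2, 3, 4
REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ = 5, 6, 7
REG_QWORD = 11

# Variables of the *examined* system (assumed here); never expand with the
# analyst's own environment when working on an offline hive.
EXAMINED_ENV = {"SystemRoot": r"C:\Windows", "ProgramFiles": r"C:\Program Files"}


def decode_sz(data: bytes) -> str:
    """UTF-16LE string, cut at the first NUL (the terminator is optional)."""
    return data.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def decode_multi_sz(data: bytes) -> list:
    """Split a REG_MULTI_SZ blob into its strings, dropping the terminators."""
    items = data.decode("utf-16-le", errors="replace").split("\x00")
    while items and items[-1] == "":
        items.pop()
    return items


def expand_sz(data: bytes, env: dict = EXAMINED_ENV) -> str:
    """Replace %NAME% references with the examined system's values."""
    text = decode_sz(data)
    for name, value in env.items():
        text = text.replace(f"%{name}%", value)
    return text


def decode_value(reg_type: int, data: bytes):
    """Return a Python object for the raw bytes of a value of the given type."""
    if reg_type in (REG_SZ, REG_LINK):
        return decode_sz(data)
    if reg_type == REG_EXPAND_SZ:
        return expand_sz(data)
    if reg_type == REG_MULTI_SZ:
        return decode_multi_sz(data)
    if reg_type == REG_DWORD:
        return struct.unpack("<I", data[:4])[0]
    if reg_type == REG_DWORD_BIG_ENDIAN:
        return struct.unpack(">I", data[:4])[0]
    if reg_type == REG_QWORD:
        return struct.unpack("<Q", data[:8])[0]
    # REG_BINARY, REG_NONE and the resource descriptor types need their own
    # parsers; show them as hex so nothing is silently misinterpreted.
    return data.hex()


if __name__ == "__main__":
    # Constructed sample: a REG_MULTI_SZ exactly as a hive stores it.
    sample = "cmd\x00regedit\x00\x00".encode("utf-16-le")
    print(decode_value(REG_MULTI_SZ, sample))
```

Decoding by the stored type rather than by how the Registry Editor displays a value matters in practice: a REG_DWORD shown as "0x00000001 (1)" in the editor is four raw bytes in the hive, and a REG_MULTI_SZ that looks like one string in a report may hide several entries after the first NUL.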

Windows 7 Registry Organization

There are five root keys in the Windows 7 registry, as shown in Figure 1. The root keys and their standard abbreviations are given in Table 1; the abbreviations are used throughout the paper.

Original Key name          Abbreviation
HKEY_CLASSES_ROOT          HKCR
HKEY_CURRENT_USER          HKCU
HKEY_LOCAL_MACHINE         HKLM
HKEY_USERS                 HKU
HKEY_CURRENT_CONFIG        HKCC

Table 1: Windows 7 root keys

The information contained in five root keys is given below:

HKEY_CLASSES_ROOT: HKCR holds the file extension associations (used to determine a file's type and the application that opens it) and the registrations of COM classes and other shell objects present on Windows 7. It is not a hive of its own but a merged view of HKLM\SOFTWARE\Classes and the current user's HKCU\Software\Classes.

HKEY_CURRENT_USER: HKCU contains the settings of the currently logged-on user, including the Volatile Environment key, per-user software settings, printer settings, network details and more.

HKEY_LOCAL_MACHINE: HKLM hive stores the hardware and software settings as well as the security settings for the system. [3] This machine specific information directly correlates to the machine the operating system is run on. It includes lists of the drives mounted, hardware present and the generic configuration of installed applications.

HKEY_USERS: HKU holds the profile settings of user accounts. Users are identified by SID (Security Identifier), so a user that is deleted and recreated with the same name gets a different SID and a different subkey. On a live system only the profiles of users currently logged on (plus .DEFAULT) are loaded here; the NTUSER.DAT files of other users must be loaded or parsed separately.

HKEY_CURRENT_CONFIG: HKCC holds the current hardware profile. It points to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current, which is itself a link to one of the numbered profile subkeys (0000, 0001, ...).

Of the five root keys, HKLM and HKU are the most important for forensic analysis, and they are the only two backed by hive files on disk; the other three are links into them. One exception within HKLM is the HARDWARE subkey, which is rebuilt in memory at every boot and has no file on disk.

HKCR is a merged view of HKLM\SOFTWARE\Classes and the current user's Classes subkey.

HKCC is a link to the subkey HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current.

HKCU is a link to the subkey HKU\SID, where SID is the unique identifier of the current user.

Figure 2 illustrates this relation among root keys with their links to subkeys.


Figure 2: Relation of root keys with their links to subkeys

Relation of Registry Hives with files on Hard Disk

On disk, the registry is stored as a number of files, each holding a part of the registry called a hive. A hive consists of one or more keys, subkeys and values. Each hive is supported by several files, distinguished by the extensions listed in Table 2:

Extension              Purpose
(none)                 A complete copy of the hive data.
.log, .log1, .log2     A transaction log of the changes made to the hive data. If the primary file was not written completely, the newest changes exist only in the log and must be replayed before the hive is analysed.
.sav                   A copy of the hive as it was at the end of Windows 7 setup; it remains unchanged as the system is used.

Table 2: Registry hive file extensions

The following table shows the location of the files supporting each hive. The system hives live under %SystemRoot%\System32\config; the per-user hives live in the user's profile.

Hive                       Files Location
HKLM\SAM                   %SystemRoot%\System32\config\SAM
HKLM\SECURITY              %SystemRoot%\System32\config\SECURITY
HKLM\SOFTWARE              %SystemRoot%\System32\config\SOFTWARE
HKLM\SYSTEM                %SystemRoot%\System32\config\SYSTEM
HKLM\COMPONENTS            %SystemRoot%\System32\config\COMPONENTS
HKLM\BCD00000000           \Boot\BCD on the boot partition
HKLM\HARDWARE              volatile, built at boot, no file on disk
HKU\.DEFAULT               %SystemRoot%\System32\config\DEFAULT
HKU\<SID>                  %UserProfile%\NTUSER.DAT
HKU\<SID>_Classes          %UserProfile%\AppData\Local\Microsoft\Windows\UsrClass.dat

Table 3: Location of registry hive files on Windows 7
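Before any of the hive files above is trusted, its header should be checked: the two sequence numbers tell whether the last write completed (if they differ, the .log1/.log2 files of Table 2 hold newer data), and the checksum tells whether the header itself is intact. The parser below is an added example, not code from the paper or from RegAnalyzer. It relies on the documented layout of the 4096-byte base block that starts every hive file (the "regf" signature, primary and secondary sequence numbers, LastWrite FILETIME, version, root cell offset, hive name, and an XOR checksum over the first 508 bytes); the sample base block it builds for demonstration is constructed and is not a real hive.

```python
"""Read a hive file's base block and decide whether its logs must be replayed.

Added example, not the paper's code. A registry hive file starts with a
4096-byte base block: "regf" signature, two sequence numbers, LastWrite
FILETIME, version, root cell offset, hive name and a checksum (XOR of the
first 508 bytes as little-endian DWORDs). Windows increments the primary
sequence number before a write and the secondary afterwards, so unequal
numbers mean the last write was not completed and the transaction logs hold
newer data. The sample base block built below is constructed.
"""
import struct

BASE_BLOCK_SIZE = 4096
# Fields from offset 0x00 through the 64-byte hive name at 0x30.
HEADER = struct.Struct("<4sIIQ" + "I" * 7 + "64s")


def base_block_checksum(block: bytes) -> int:
    """XOR of the 127 DWORDs before the stored checksum, with Windows' two
    special cases (0xFFFFFFFF becomes 0xFFFFFFFE, 0 becomes 1)."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:0x1FC]):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if csum == 0:
        return 1
    return csum


def parse_base_block(block: bytes) -> dict:
    if len(block) < BASE_BLOCK_SIZE:
        raise ValueError("hive file shorter than one base block")
    (sig, seq1, seq2, lastwrite, major, minor, ftype, fmt,
     root_off, bins_size, cluster, name) = HEADER.unpack_from(block, 0)
    if sig != b"regf":
        raise ValueError(f"bad signature {sig!r}")
    stored = struct.unpack_from("<I", block, 0x1FC)[0]
    return {
        "primary_seq": seq1,
        "secondary_seq": seq2,
        "dirty": seq1 != seq2,              # replay .log1/.log2 before trusting the file
        "lastwrite_filetime": lastwrite,
        "version": f"{major}.{minor}",
        "is_primary_file": ftype == 0,
        # Cell offsets are relative to the first hive bin, which follows the base block.
        "root_cell_file_offset": BASE_BLOCK_SIZE + root_off,
        "hive_bins_size": bins_size,
        "name": name.decode("utf-16-le", errors="replace").rstrip("\x00"),
        "checksum_ok": stored == base_block_checksum(block),
    }


def build_base_block(seq1: int, seq2: int, name: str, lastwrite: int = 0,
                     root_off: int = 0x20, bins_size: int = 0x1000) -> bytes:
    """Constructed sample base block for offline testing (not a real hive)."""
    hdr = HEADER.pack(b"regf", seq1, seq2, lastwrite, 1, 3, 0, 1, root_off, bins_size, 1,
                      name.encode("utf-16-le").ljust(64, b"\x00"))
    block = bytearray(hdr.ljust(BASE_BLOCK_SIZE, b"\x00"))
    struct.pack_into("<I", block, 0x1FC, base_block_checksum(bytes(block)))
    return bytes(block)


if __name__ == "__main__":
    print(parse_base_block(build_base_block(7, 6, "SYSTEM")))  # dirty: True
```

On a real image, read the first 4096 bytes of the hive file into parse_base_block; a dirty hive parsed without its logs yields keys and LastWrite times that are older than what the system actually had at shutdown.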

Forensic Analysis of Registry

LastWriteTime for registry keys

Just as files carry timestamps, every registry key has a 'LastWrite' time that records when the key was last modified. It is stored as a FILETIME, which, as the Microsoft Knowledge Base describes, counts 100-nanosecond intervals since 1 January 1601 UTC.

The LastWrite time of a key is updated when the key is created and whenever a value directly under it is added, changed or deleted, or a direct subkey is created or deleted. Changes deeper in the tree do not propagate upward.

Only keys carry this timestamp; individual values have none, so the time at which a particular value was written can only be inferred from the LastWrite time of its key, and only if nothing else under that key was written later.

A forensic analyst can use LastWrite times to build a timeline of events such as when a command was run or a USB drive was connected. Correlated with file system timestamps (modified, accessed and created), they act as a log of activity. LastWrite times are stored in UTC and must be converted to local time with the time zone information described below.

Information about Operating System

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName holds the name given to the machine.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion holds the operating system name, the install date (InstallDate, a REG_DWORD holding seconds since 1 January 1970 UTC), the digital product ID (derived from the product key), the service pack version, and so on. Knowing the exact version lets the analyst tailor the rest of the analysis to it.

Two other important values under this key are RegisteredOwner and RegisteredOrganization, because many applications such as Microsoft Office copy them into document properties (for example the Author field) when a document is created.

Registry keys have no LastAccess time, only LastWrite. If the LastWrite time of the CurrentVersion key equals the InstallDate value, RegisteredOwner and RegisteredOrganization have not been changed since installation. The converse does not hold: a later LastWrite time shows only that some value under the key changed, which also happens when a service pack or update is applied.


The time zone settings are stored in the following key:


This information is essential for establishing a timeline, because registry and NTFS timestamps are recorded in UTC. ActiveTimeBias is the offset in minutes that Windows adds to local time to obtain UTC (local time = UTC minus ActiveTimeBias). It is stored as a DWORD, so the negative bias of zones east of Greenwich appears as a large unsigned number (for example 0xFFFFFFC4 is -60).
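The three encodings met in this section (FILETIME LastWrite times, the Unix-epoch InstallDate and the signed-as-unsigned ActiveTimeBias) have to be brought to one clock before any comparison, including the install-date check on the CurrentVersion key described above. The helpers below are an added example, not code from the paper or RegAnalyzer; the FILETIME, InstallDate and bias values they are exercised with are constructed.

```python
"""Normalise the three timestamp encodings met in this section.

Added example, not the paper's code. Key LastWrite times are FILETIMEs
(100 ns ticks since 1601-01-01 UTC); the InstallDate value is a REG_DWORD
of seconds since 1970-01-01 UTC; ActiveTimeBias is a REG_DWORD of minutes
such that UTC = local time + bias, and negative biases (zones east of
Greenwich) appear as large unsigned values. Sample values are constructed.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    """FILETIME -> aware UTC datetime (sub-microsecond ticks are dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def utc_to_filetime(dt: datetime) -> int:
    """Aware datetime -> FILETIME, for comparing against raw registry values."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def installdate_to_utc(install_date: int) -> datetime:
    """InstallDate (Unix epoch seconds) -> aware UTC datetime."""
    return datetime.fromtimestamp(install_date, tz=timezone.utc)


def signed_dword(value: int) -> int:
    """Reinterpret an unsigned REG_DWORD as the signed value Windows meant."""
    return value - (1 << 32) if value >= (1 << 31) else value


def utc_to_local(dt_utc: datetime, active_time_bias: int) -> datetime:
    """Apply ActiveTimeBias (minutes, UTC = local + bias) to get the wall
    clock time the user saw; the bias may arrive as an unsigned DWORD."""
    bias = signed_dword(active_time_bias)
    return dt_utc.astimezone(timezone(timedelta(minutes=-bias)))


def owner_unchanged_since_install(currentversion_lastwrite: int, install_date: int,
                                  tolerance_s: int = 2) -> bool:
    """True if the CurrentVersion key was last written at installation, i.e.
    RegisteredOwner/RegisteredOrganization were not edited afterwards.
    A later LastWrite proves only that some value under the key changed."""
    delta = filetime_to_utc(currentversion_lastwrite) - installdate_to_utc(install_date)
    return abs(delta.total_seconds()) <= tolerance_s


if __name__ == "__main__":
    # Constructed: a LastWrite of 2010-03-15 12:00:00 UTC, viewed from a
    # zone with ActiveTimeBias 300 (UTC-5) and from one stored as 0xFFFFFFC4 (UTC+1).
    lw = 129131280000000000
    print(filetime_to_utc(lw), utc_to_local(filetime_to_utc(lw), 300),
          utc_to_local(filetime_to_utc(lw), 0xFFFFFFC4))
```

Keep the comparison in UTC and convert to local time only for presentation; converting each source separately with a guessed offset is the most common way registry timelines end up off by exactly one time zone.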

Network Interfaces

Information about network interfaces, or network interface cards (NICs), is kept in both the Software and System hives. In the Software hive the following key lists the network cards, one numbered subkey per adapter (here 10); each subkey holds the adapter's description and its ServiceName, the GUID under which the adapter's configuration is stored in the System hive:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\ CurrentVersion\NetworkCards\10


Figure 3: Initial OS information from registry

MAC Address

The Media Access Control (MAC) address of a NIC is burned into the card. When Windows needs an adapter's MAC address it first checks the registry, and only if no override is found there does it query the card itself. The value it looks for is NetworkAddress under the adapter's subkey of the network adapter class key: HKLM\SYSTEM\ControlSet00x\Control\Class\{4D36E972-E325-11CE-BFC1-


In this key, "000n" is the number of the adapter.

This lets the analyst check whether the user has changed, or "spoofed", the MAC address: if a NetworkAddress value is present, the address the system used on the network differs from the one burned into the card, and network logs (DHCP leases, switch tables) must be correlated against the registry value rather than the hardware address.

Auto starting programs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lists programs that start automatically when a user logs on to Windows; the per-user equivalent under HKCU applies to one account only. This location is very important because much malware uses it to start at every logon. Each value holds a name and the command line to run, and entries that point into user-writable locations such as %TEMP% or %AppData% deserve particular attention.

Recently Executed or Opened files


This key maintains the list of files recently opened or executed through Windows Explorer.

RUN Command history


This key maintains a list of entries (e.g. full file paths, or commands such as cmd, regedit or compmgmt.msc) run from Start > Run. The order of use is kept separately from the entries themselves, and because values carry no timestamp of their own, only the most recent entry can be dated, using the key's LastWrite time.
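Recovering the order of the Run history and deciding which entry the key's LastWrite time belongs to is a small parsing job that is easy to get wrong. The function below is an added example, not code from the paper or RegAnalyzer. It assumes the layout Explorer uses for this kind of history key: one REG_SZ value per entry named a, b, c and so on, each ending in the marker "\1", plus a REG_SZ value named MRUList whose letters give the most-recent-first order. The key contents it is run on are constructed.

```python
"""Recover Start > Run history in the order it was used.

Added example, not the paper's code. It assumes the layout Explorer uses
for this kind of history key: one REG_SZ value per entry named a, b, c ...,
each ending in the marker "\\1", plus a REG_SZ value MRUList whose letters
list the entries most-recent-first. Values carry no timestamps, so only the
entry at the head of MRUList can be tied to the key's LastWrite time.
The sample key contents are constructed.
"""


def strip_marker(raw: str) -> str:
    """Remove the trailing "\\1" Explorer appends to each stored command."""
    return raw[:-2] if raw.endswith("\\1") else raw


def ordered_history(values: dict) -> list:
    """Entries most-recent-first. Letters present as values but absent from
    MRUList are appended last, since their place in time is unknown
    (a hand-edited or partially damaged key)."""
    order = values.get("MRUList", "")
    seen = []
    for letter in order:
        if letter in values and letter not in seen:
            seen.append(letter)
    unlisted = sorted(k for k in values if len(k) == 1 and k not in seen)
    return [strip_marker(values[k]) for k in seen + unlisted]


def datable_entry(values: dict, key_lastwrite):
    """Only the most recent command is datable: writing it is what set the
    key's LastWrite time. Returns (command, lastwrite) or None."""
    order = values.get("MRUList", "")
    if order and order[0] in values:
        return strip_marker(values[order[0]]), key_lastwrite
    return None


if __name__ == "__main__":
    # Constructed key contents: MRUList "cab" means c was used last.
    sample = {"a": "regedit\\1", "b": "cmd\\1", "c": "compmgmt.msc\\1",
              "d": "notepad\\1", "MRUList": "cab"}
    print(ordered_history(sample))
    print(datable_entry(sample, 129131280000000000))
```

Report the older entries as "used before the LastWrite time" rather than attaching the key timestamp to all of them; the same reasoning applies to every MRU-style key in the user's hive.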

Protected Storage

HKCU\Software\Microsoft\Protected Storage System Provider

Windows Protected Storage is maintained under this key. Protected Storage is a service that Microsoft products used to store private information in a protected area. Information that may be found there includes MSN Explorer and Internet Explorer AutoComplete strings and passwords, Microsoft Outlook and Outlook Express account passwords, and the MSN Messenger password.

The Registry Editor hides these keys from all users, including administrators. Tools such as Protected Storage PassView and PStoreView can display the decrypted Protected Storage on a live system. Protected Storage has been deprecated since Windows Vista in favour of DPAPI and the Credential Manager, and Internet Explorer 7 and later no longer store AutoComplete data there, so on Windows 7 this key mostly holds legacy data migrated from older installations.

Information about USB devices

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR lists the USB mass storage devices that have been connected to the system, as Figure 5 illustrates. Each device class subkey is named from the device's vendor, product and revision strings, and its subkeys are the individual device instances, normally named after the device's serial number.

Information about driver

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum

The Enum subkey contains information about every driver, device or service that might be attached to the machine; for example, Enum contains entries for the ATAPI driver even on machines with no ATAPI interface. The system uses these keys to map devices and services to their drivers and configuration data. Enum also records external storage devices such as CD/DVD-ROM drives, USB drives and external hard disks. As storage becomes cheaper, most people use high-capacity external media, and if the forensic analyst establishes early in the examination that the suspect used external storage, the chance that the suspect discards or destroys it before it can be seized decreases.
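Turning the USBSTOR and Enum key names into a device inventory is mostly string parsing, with one trap: devices that report no serial number get an instance ID generated by Windows, and such a device cannot be matched to the same stick seen on another machine. The parser below is an added example, not code from the paper or RegAnalyzer. It relies on the naming scheme of the USBSTOR keys (<type>&Ven_<vendor>&Prod_<product>&Rev_<revision>, with instance subkeys of the form <serial>&<LUN>, and an "&" as the second character of Windows-generated instance IDs); the key names it is run on are constructed.

```python
"""Build a USB mass-storage inventory from USBSTOR key names.

Added example, not the paper's code. Under Enum\\USBSTOR each device class
key is named <type>&Ven_<vendor>&Prod_<product>&Rev_<revision> and each
subkey under it is one device instance: the device's USB serial number
followed by "&" and the LUN. When a device reports no serial number,
Windows generates an instance ID whose second character is "&", so such
devices cannot be told apart across systems. Key names below are constructed.
"""
import re
from typing import Iterable, List, Optional, Tuple

CLASS_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^&]*)$"
)


def parse_instance(class_key: str, instance_key: str,
                   last_write: Optional[int] = None) -> dict:
    """One device record from a class key, an instance subkey and the
    instance key's LastWrite FILETIME (None if not collected)."""
    m = CLASS_RE.match(class_key)
    if not m:
        raise ValueError(f"not a USBSTOR device class key: {class_key!r}")
    generated = len(instance_key) > 1 and instance_key[1] == "&"
    serial, _, lun = instance_key.rpartition("&")
    return {
        "type": m["type"],
        # USBSTOR stores spaces in vendor/product strings as underscores.
        "vendor": m["ven"].replace("_", " ").strip(),
        "product": m["prod"].replace("_", " ").strip(),
        "revision": m["rev"],
        "instance_id": instance_key,
        "serial": None if generated else serial,
        "unique_serial": not generated,
        "lun": lun,
        "last_write_filetime": last_write,
    }


def inventory(keys: Iterable[Tuple[str, str, Optional[int]]]) -> List[dict]:
    """(class_key, instance_key, lastwrite) triples -> device records, sorted
    so devices with a real serial (trackable across machines) come first."""
    records = [parse_instance(c, i, lw) for c, i, lw in keys]
    return sorted(records, key=lambda r: (not r["unique_serial"], r["vendor"], r["product"]))


if __name__ == "__main__":
    # Constructed key names: one device with a real serial, one without.
    sample = [
        ("Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP", "001CC0EC3450BB40C7A3D4A2&0", 129131280000000000),
        ("Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07", "7&1a2b3c4d&0&0", None),
    ]
    for rec in inventory(sample):
        print(rec["vendor"], rec["product"], rec["serial"], rec["unique_serial"])
```

The serial recovered here is the key that links the registry entry to the same device's traces elsewhere (mounted devices, setup logs, other machines); a record with unique_serial False should be reported as "a device of this model", not as a specific stick.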


Figure 4: Auto starting Programs


Figure 5: USB Device History

Proposed System

The complex structure of the Windows 7 registry and the lack of a single authoritative reference discourage forensic investigators from registry analysis. Yet, as shown above, the registry is a gold mine of evidence. This motivated us to design a tool for registry analysis.

RegAnalyzer analyses the registry of a live Windows system. The tool collects the following information:

Basic information about the Windows user, such as the username and environment settings

Details of the operating system, such as version, installed service pack and installation date

LastWrite times of registry keys, for building a timeline of events

Information about USB devices connected to the system

Internet history of the user's activities

Registry information of popular applications installed on the system, such as uTorrent, MS Office and Firefox

RegAnalyzer records the time at which each registry key was modified and computes a hash of each key it reads, so that the integrity of the collected data can be verified throughout the analysis. It logs the actions it performs and can generate a report documenting the analysis. Because it runs on a live system, its own execution also leaves traces in the registry, which the log allows the examiner to account for. RegAnalyzer is modular and can be extended with plug-ins; a simple GUI helps the user create them.

Architecture of RegAnalyzer


General Algorithm for processing registry values


Pseudo code for processing registry values


iTime = System Installation Time
cTime = Current System Time

Load plugin()
Read the key mentioned in the plugin
Get the Last Write Time (LWT) of the registry key
Calculate the hash of the key along with its LWT
If (LWT < iTime OR LWT > cTime)
    Mark the entry as suspicious in the report
Include the result of analysing the key in the report
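The pseudocode above leaves two things implicit: what the hash covers (it must be canonical, or re-reading the same key would give a different digest) and why a LastWrite time before the install time is only a prompt for review (imaged or OEM systems legitimately carry hives older than InstallDate). The following runnable version is an added example, not the paper's RegAnalyzer implementation. It models a plug-in as the list of key paths it wants examined and a hive as a dict from key path to (LastWrite FILETIME, values), which is the shape an offline hive parser would supply; the hive contents are constructed.

```python
"""Runnable version of the plug-in loop above.

Added example, not the paper's RegAnalyzer implementation. A plug-in is
modelled as the list of key paths it wants examined, and a hive as a dict
mapping a key path to (LastWrite FILETIME, {value name: (type, raw bytes)}),
as an offline hive parser would supply it. Times stay as raw FILETIME
integers so that the install-time and current-time comparisons need no
conversion. All sample data are constructed.
"""
import hashlib
from typing import Dict, List, Tuple

Values = Dict[str, Tuple[int, bytes]]
Hive = Dict[str, Tuple[int, Values]]


def key_hash(path: str, lastwrite: int, values: Values) -> str:
    """SHA-256 over a canonical serialisation of path, LastWrite and values.
    Names are lower-cased and sorted because the registry is case-insensitive
    and enumeration order is not guaranteed; lengths are encoded so that
    (name, data) boundaries cannot be shifted without changing the digest."""
    h = hashlib.sha256()
    h.update(path.lower().encode("utf-16-le") + b"\x00\x00")
    h.update(lastwrite.to_bytes(8, "little"))
    for name in sorted(values, key=str.lower):
        vtype, data = values[name]
        enc = name.lower().encode("utf-16-le")
        h.update(len(enc).to_bytes(4, "little") + enc)
        h.update(vtype.to_bytes(4, "little") + len(data).to_bytes(4, "little") + data)
    return h.hexdigest()


def analyse_key(hive: Hive, path: str, install_time: int, current_time: int) -> dict:
    """One report entry for one key named by a plug-in."""
    entry = hive.get(path)
    if entry is None:
        return {"key": path, "present": False}
    lastwrite, values = entry
    reasons = []
    if lastwrite < install_time:
        # Legitimate on OEM/imaged systems, whose hives predate InstallDate;
        # the flag asks for review rather than proving tampering.
        reasons.append("LastWrite precedes OS installation")
    if lastwrite > current_time:
        reasons.append("LastWrite is in the future (clock change or tampering)")
    return {
        "key": path,
        "present": True,
        "lastwrite": lastwrite,
        "hash": key_hash(path, lastwrite, values),
        "values": sorted(values),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def run_plugin(hive: Hive, plugin_keys: List[str],
               install_time: int, current_time: int) -> List[dict]:
    """Apply the loop above to every key a plug-in asks for."""
    return [analyse_key(hive, k, install_time, current_time) for k in plugin_keys]


if __name__ == "__main__":
    # Constructed hive: install time 2010-03-15 12:00 UTC, "now" ten days later.
    INSTALL = 129131280000000000
    NOW = INSTALL + 10 * 864000000000
    hive = {
        "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run":
            (INSTALL + 864000000000, {"Updater": (1, "u\x00".encode("utf-16-le"))}),
        "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR": (INSTALL - 864000000000, {}),
    }
    for row in run_plugin(hive, list(hive), INSTALL, NOW):
        print(row["key"], row["suspicious"], row["reasons"])
```

Storing the digest next to each report entry lets a second examiner re-read the same key later and confirm that neither the hive nor the report changed in between, which is the integrity property the paper asks of RegAnalyzer.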



Windows 7 is becoming the main operating system for home and business users. Most users are unaware of how the system works and therefore leave footprints of their activity on it, particularly in the registry. Analysing this information gives the forensic investigator an initial picture of the system environment and a direction for further analysis.

Microsoft does not document the registry comprehensively, and the large documents produced by other researchers are cumbersome to consult during an analysis. A tool that supplements traditional registry analysis therefore gives the investigator an edge, by hiding unrelated information and highlighting the important entries in the registry.