Главная » Linux

The windows registry is stored in

Содержание
  1. What Is the Windows Registry and how to Edit it?
  2. What Is the Windows Registry Used For?
  3. How to access and edit the Windows Registry
  4. How to Backup the Windows Registry
  5. How to import (Restore) a Registry (REG) file
  6. Conclusion
  7. What Is the Windows Registry and how to Edit it?
  8. What Is the Windows Registry Used For?
  9. How to access and edit the Windows Registry
  10. How to Backup the Windows Registry
  11. How to import (Restore) a Registry (REG) file
  12. Conclusion
  13. Andrea Fortuna Just some random thoughts about the Meaning of Life, The Universe, and Everything
  14. Windows registry contains information that are helpful during a forensic analysis
  15. Recent opened Programs/Files/URLs
  16. Start>Run
  17. UserAssist
  18. Recent URLs
  19. Pagefile
  20. Windows Search
  21. Installed programs
  22. Mounted drives
  23. USB Storage
  24. Autorun
  25. RunOnce and RunOnceEx (only Win98/Me)
  26. RunServices and RunServicesOnce
  27. Command Processor Autorun
  28. Winlogon
  29. Services
  30. Debugging
  31. File extensions
  32. Windows Protect Storage

What Is the Windows Registry and how to Edit it?

The Windows Registry, also referred to as just the registry, is a database of configuration settings or information for the Microsoft Windows operating systems. In early Windows versions, configuration settings was stored in .ini files. The Windows Registry was the next evolutionary step in Windows configuration storage. However, many programs, especially portable programs still uses .ini (initialization) files to store configuration information.

What Is the Windows Registry Used For?

In short; the Windows registry is used for storing information and/or settings for software programs, hardware devices, Windows configurations and user preferences. In other words, it is almost like DNA for the Windows Operating System. It goes without saying that Windows will not function without it. So, it is a good idea to make a backup before changing anything.

Almost every time a new program or device driver is installed, new information may be added to the registry. For example; install location, uninstall information, configuration information, etc. As previously mentioned; not all programs use the registry for storing configuration information, some use ini files, while others use XML files.

How to access and edit the Windows Registry

To access and edit the Windows Registry we use a free utility shipped with every Windows version, called the Registry Editor or Regedit for short. To open the Registry Editor; on your keyboard, hold down the Windows key and then press R (Windows+R). This will open the Run dialog. In the Open textbox, type regedit and press Enter or click on the OK button. Furthermore, Regedit can also be run from the Command Prompt or executing the regedit.exe executable from the %Windows% directory.

Actually, the Windows Registry is the collective name for various database files located in the %SystemRoot%\System32\Config\ folder. In Windows XP through Windows 10, these are the SAM , SECURITY , SOFTWARE , SYSTEM , and DEFAULT registry files.

Regedit shows a visual representation of these files as values located within registry keys (folders) within registry hives.

Registry hives are like root folders, each representing certain configuration set. Windows Registry hives are named: HKEY_CLASSES_ROOT , HKEY_CURRENT_USER , HKEY_LOCAL_MACHINE , HKEY_USERS and HKEY_CURRENT_CONFIG . As a result, the registry is presented in a familiar hierarchical structure that makes it easy to find and edit stuff.

Editing a specific value is simple enough; go to the key containing the value you want to edit, and in the right panel double-click on the value to open the value edit dialog. You can also right-click on the value and choose Modify to open this dialog. In the Value textbox, type your the new value and press Enter on your keyboard.

To remove a key or value; right-click on the entry and choose Delete or to rename a entry; choose Rename from the same context menu. Because the Registry is not probed for changes every second, you may need to restart your computer for any changes to take effect.

How to Backup the Windows Registry

As previously mentioned, it is important to backup the Windows Registry before making any changes. To backup the entire registry; open the Registry Editor, in the left panel, right-click on Computer (at the very top) and choose Export. Choose a location to store the backup file, give it a name (like, Full Registry Backup.reg ) and press Save. The Windows Registry will be saved into that REG file.

Читайте также:  Есть ли whatsapp для windows mobile

To backup a specific key; follow the same instructions above, but drill down to the key you’re after and export that.

How to import (Restore) a Registry (REG) file

Restoring a Windows Registry Backup file (REG) file is pretty straight forward; Locate the REG (Backup) file on your computer and double-click it, answer Yes to import it. Remember: you may need to reboot your computer for the setting to take effect.

Conclusion

Hopefully this article gave you some insight into the Windows Registry. It is important to remember: Do not change anything you do not understand. You will render your computer useless if you break the Registry.

What Is the Windows Registry and how to Edit it?

The Windows Registry, also referred to as just the registry, is a database of configuration settings or information for the Microsoft Windows operating systems. In early Windows versions, configuration settings was stored in .ini files. The Windows Registry was the next evolutionary step in Windows configuration storage. However, many programs, especially portable programs still uses .ini (initialization) files to store configuration information.

What Is the Windows Registry Used For?

In short; the Windows registry is used for storing information and/or settings for software programs, hardware devices, Windows configurations and user preferences. In other words, it is almost like DNA for the Windows Operating System. It goes without saying that Windows will not function without it. So, it is a good idea to make a backup before changing anything.

Almost every time a new program or device driver is installed, new information may be added to the registry. For example; install location, uninstall information, configuration information, etc. As previously mentioned; not all programs use the registry for storing configuration information, some use ini files, while others use XML files.

How to access and edit the Windows Registry

To access and edit the Windows Registry we use a free utility shipped with every Windows version, called the Registry Editor or Regedit for short. To open the Registry Editor; on your keyboard, hold down the Windows key and then press R (Windows+R). This will open the Run dialog. In the Open textbox, type regedit and press Enter or click on the OK button. Furthermore, Regedit can also be run from the Command Prompt or executing the regedit.exe executable from the %Windows% directory.

Actually, the Windows Registry is the collective name for various database files located in the %SystemRoot%\System32\Config\ folder. In Windows XP through Windows 10, these are the SAM , SECURITY , SOFTWARE , SYSTEM , and DEFAULT registry files.

Regedit shows a visual representation of these files as values located within registry keys (folders) within registry hives.

Registry hives are like root folders, each representing certain configuration set. Windows Registry hives are named: HKEY_CLASSES_ROOT , HKEY_CURRENT_USER , HKEY_LOCAL_MACHINE , HKEY_USERS and HKEY_CURRENT_CONFIG . As a result, the registry is presented in a familiar hierarchical structure that makes it easy to find and edit stuff.

Editing a specific value is simple enough; go to the key containing the value you want to edit, and in the right panel double-click on the value to open the value edit dialog. You can also right-click on the value and choose Modify to open this dialog. In the Value textbox, type your the new value and press Enter on your keyboard.

To remove a key or value; right-click on the entry and choose Delete or to rename a entry; choose Rename from the same context menu. Because the Registry is not probed for changes every second, you may need to restart your computer for any changes to take effect.

How to Backup the Windows Registry

As previously mentioned, it is important to backup the Windows Registry before making any changes. To backup the entire registry; open the Registry Editor, in the left panel, right-click on Computer (at the very top) and choose Export. Choose a location to store the backup file, give it a name (like, Full Registry Backup.reg ) and press Save. The Windows Registry will be saved into that REG file.

To backup a specific key; follow the same instructions above, but drill down to the key you’re after and export that.

Читайте также:  Раздача ключей для активации windows

How to import (Restore) a Registry (REG) file

Restoring a Windows Registry Backup file (REG) file is pretty straight forward; Locate the REG (Backup) file on your computer and double-click it, answer Yes to import it. Remember: you may need to reboot your computer for the setting to take effect.

Conclusion

Hopefully this article gave you some insight into the Windows Registry. It is important to remember: Do not change anything you do not understand. You will render your computer useless if you break the Registry.

Andrea Fortuna
Just some random thoughts about the Meaning of Life, The Universe, and Everything

Windows registry contains information that are helpful during a forensic analysis

Windows registry is an excellent source for evidential data, and knowing the type of information that could possible exist in the registry and location is critical during the forensic analysis process.

Let’s analyze the main keys…

Recent opened Programs/Files/URLs

MRU is the abbreviation for most-recently-used.

This key maintains a list of recently opened or saved files via Windows Explorer-style dialog boxes (Open/Save dialog box).
For instance, files (e.g. .txt, .pdf, htm, .jpg) that are recently opened or saved files from within a web browser are maintained.

Documents that are opened or saved via Microsoft Office programs are not maintained.

Whenever a new entry is added to OpenSaveMRU key, registry value is created or updated in

This key correlates to the previous OpenSaveMRU key to provide extra information: each binary registry value under this key contains a recently used program executable filename, and the folder path of a file to which the program has been used to open or save it.

The list of files recently opened directly from Windows Explorer are stored into

This key corresponds to %USERPROFILE%Recent (My Recent Documents) and contains local or network files that are recently opened and only the filename in binary form is stored.

Start>Run

The list of entries executed using the Start>Run command in mantained in this key:

If a file is executed via Run command, it will leaves traces in the previous two keys OpenSaveMRU and RecentDocs.

Deleting the subkeys in RunMRU does not remove the history list in Run command box immediately.

By using Windows “Recent Opened Documents” Clear List feature via Control Panel>Taskbar and Start Menu, an attacker can remove the Run command history list.

In fact, executing the Clear List function will remove the following registry keys and their subkeys:

UserAssist

This key contains two GUID subkeys: each subkey maintains a list of system objects such as program, shortcut, and control panel applets that a user has accessed.

Registry values under these subkeys are weakly encrypted using ROT-13 algorithm which basically substitutes a character with another character 13 position away from it in the ASCII table.

Recent URLs

This key contains a listing of 25 recent URLs (or file path) that is typed in the Internet Explorer (IE) or Windows Explorer address bar: the key will only show links that are fully typed, automatically completed while typing, or links that are selected from the list of stored URLs in IE address bar.

Websites that are accessed via IE Favorites are not recorded, and if the user clears the URL history using Clear History via IE Internet Options menu, this key will be completely removed.

Pagefile

This key maintains the configuration of Windows virtual memory: the paging file (usually C:pagefile.sys) may contain evidential information that could be removed once the suspect computer is shutdown.

This key contains a registry value called ClearPagefileAtShutdown which specify whether Windows should clear off the paging file when the computer shutdowns (by default, windows will not clear the paging file).

During a forensic analysis you should check this value before shutting down a suspect computer!

This key contains recent search terms using Windows default search.

There may be up to four subkeys:

  • 5001: Contains list of terms used for the Internet Search Assistant
  • 5603: Contains the list of terms used for the Windows files and folders search
  • 5604: Contains list of terms used in the “word or phrase in a file” search
  • 5647: Contains list of terms used in the “for computers or people” search
Читайте также:  Не найдена панель управления nvidia windows 10 что делать

Installed programs

All programs listed in Control Panel>Add/Remove Programs correspond to one subkey into this key:

Subkeys usually contains these two common registry values:

  • DisplayName — program name
  • UninstallString — application Uninstall component’s file path, which indirectly refers to application installation path

Other possible useful registry values may exist, which include information on install date, install source and application version.

Mounted drives

The list of mounted devices, with associated persistent volume name and unique internal identifier for respective devices is contained into

This key lists any volume that is mounted and assigned a drive letter, including USB storage devices and external DVD/CDROM drives.

From the listed registry values, value’s name that starts with “DosDevices” and ends with the associated drive letter, contains information regarding that particular mounted device.

Similar informations are contained also in

which is located under the respective device GUID subkey and in the binary registry value named Data.

This key is a point of interest during a forensic analysis: the key records shares on remote systems such C$, Temp$, etc.

The existence of ProcDump indicates the dumping of credentials within lsass.exe address space. Sc.exe indicates the adding of persistence such as Run keys or services. The presence of .rar files may indicate data exfiltration.

The history of recent mapped network drives is store into

In addition, permanent subkey (unless manually removed from registry) regarding mapped network drive is also created in

and the subkey is named in the form of ##servername#sharedfolder.

USB Storage

contains addition information about list of mounted USB storage devices, including external memory cards.

When used in conjunction with two previous keys will provide evidential information.

Autorun

There are different keys related to automatic run of programs.

This first key usually contains programs or components paths that are automatically run during system startup without requiring user interaction: malware usually leaves trace in this key to be persistent whenever system reboots.

RunOnce and RunOnceEx (only Win98/Me)

These keys identifies programs that run only once, at startup and can be assigned to a specific user account or to the machine:

RunServices and RunServicesOnce

Can control automatic startup of services.
They can be assigned to a specific user account or to a computer:

Command Processor Autorun

This key contains command that is automatically executed each time cmd.exe is run:

Modification to this key requires administrative privilege.

Usually malware exploits this feature to load itself without user’s knowledge.

Winlogon

This key has a registry value named Shell with default data Explorer.exe.

Malware appends the malware executable file to the default value’s data to stay persistence across system reboots and logins (modification to this key requires administrative privilege).

Services

This key contains list of Windows services:

Each subkey represents a service and contains service’s information such as startup configuration and executable image path.

For more information about malware persistence techniques, please refer to my previous article:

Debugging

This key allows administrator to map an executable filename to a different debugger source, allowing user to debug a program using a different program:

Modification to this key requires administrative privilege.

This feature could be exploited to launch a completely different program under the cover of the initial program.

File extensions

This key contains instruction to execute any .exe extension file:

Normally, this key contains one default value with data “%1” %*, but if the value’s data is changed to something similar to somefilename.exe “%1” %* , investigator should suspect some other hidden program is invoked automatically when the actual .exe file is executed.

Malware normally modify this value to load itself covertly

This technique apply to other similar keys, including:

Windows Protect Storage

Protected Storage is a service used by Microsoft products to provide a secure area to store private information.

Information that could be stored in Protected Storage includes for example Internet Explorer AutoComplete strings and passwords, Microsoft Outlook and Outlook Express accounts’ passwords.

Windows Protected Storage is maintained under this key:

Registry Editor hides these registry keys from users viewing, including administrator.

There are tools that allow examiner to view the decrypted Protected Storage on a live system, such as Protected Storage PassView and PStoreView.

Оцените статью
© 2024 Советы по настройке компьютера