Windows-Registry
Forensic Artifacts
Definition
The Windows Registry is a centralized hierarchical database that stores configuration settings for the operating system, software, hardware, and users. It is organized into **keys**, **subkeys**, and **values**, and it is where Windows keeps track of almost everything: boot configuration, installed software, user preferences, services, and more.

### **Root Keys**

| Root Key | Short Form | What It Stores |
|---|---|---|
| `HKEY_LOCAL_MACHINE` | `HKLM` | System-wide config: OS, hardware, services, drivers |
| `HKEY_CURRENT_USER` | `HKCU` | Current user's activity and preferences |
| `HKEY_USERS` | `HKU` | All loaded user profiles on the system |
| `HKEY_CLASSES_ROOT` | `HKCR` | File associations and COM object registration |
| `HKEY_CURRENT_CONFIG` | `HKCC` | Hardware profile at boot; rarely relevant in investigations |

`HKCU` is not a separate store: it is a link to the active user's subkey under `HKU`, which is named by that user's SID (`HKU\S-1-5-21-...`). Likewise `HKCR` is a merged view of `HKLM\SOFTWARE\Classes` and `HKCU\Software\Classes`, and `HKCC` points into `HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current`. When you work from offline hives there are no `HKCU`, `HKCR` or `HKCC` views at all, only the files that back them.

### **Registry Hive Files on Disk**

The registry is backed by physical files called **hive files**. These are what analysts collect and parse during triage.
**System hives** are located in `C:\Windows\System32\config\`.

| File | Maps To | Contains |
|---|---|---|
| `SYSTEM` | `HKLM\SYSTEM` | Services, drivers, boot config, timezone, network interfaces |
| `SOFTWARE` | `HKLM\SOFTWARE` | Installed apps, OS settings, autostart/Run key entries |
| `SAM` | `HKLM\SAM` | Local accounts and password hashes |
| `SECURITY` | `HKLM\SECURITY` | Security policy, LSA secrets, cached domain credentials |
| `DEFAULT` | `HKU\.DEFAULT` | Default profile applied before any user logs on |

**User hives** are unique per user account.

| File | Location | Contains |
|---|---|---|
| `NTUSER.DAT` | `C:\Users\<username>\` | Run keys, recent files, typed paths, software preferences |
| `UsrClass.dat` | `C:\Users\<username>\AppData\Local\Microsoft\Windows\` | Shell settings, file associations, Shellbags |

`NTUSER.DAT` and `UsrClass.dat` are the two hives that matter most when investigating what a specific user did on a machine.

Two collection caveats. First, every loaded hive is held open exclusively while Windows is running, so a plain file copy from a live system fails; use a raw-disk or Volume Shadow Copy based collector, or `reg save` for a single hive. Second, each hive has transaction logs beside it (`SYSTEM.LOG1`, `SYSTEM.LOG2`, `ntuser.dat.LOG1`, and so on) holding changes not yet flushed to the primary file. Collect the logs with the hive and let your parser replay them, or the most recent activity will be missing from your results.
Related Terms
Artifacts
Examples & Use Cases
**Persistence via Run key**: malware writes itself to `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, so it is launched at every logon of that user until someone finds and removes the entry. Lives inside `NTUSER.DAT`. The machine-wide equivalent, `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`, lives in `SOFTWARE` and fires for every user.

**Service installation**: a malicious service registered under `HKLM\SYSTEM\CurrentControlSet\Services\` with an unusual `ImagePath` pointing to a temp directory. High-fidelity persistence IOC visible in the `SYSTEM` hive. `CurrentControlSet` is itself a link that only exists on a live system; in an offline hive, read `ControlSet001` (or whichever set the `Select\Current` value names).

**Credential theft targeting SAM and SECURITY**: attackers use `reg save` to dump these hives offline, then extract local account hashes and LSA secrets without ever touching LSASS directly. They need the `SYSTEM` hive as well, because the boot key that protects the hashes and secrets is derived from it, so the three files are usually taken together and their export with `reg save` is a detection opportunity in its own right.
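As an added example (not code from this glossary page or from any tool it names), the following Python script does the offline version of the two persistence hunts above: it parses the text format that `reg export` produces, decodes `hex(2)` (REG_EXPAND_SZ) data, flags Run entries and service `ImagePath` values that point into temp, public or user-profile directories, and labels each hit with the hive file from the tables in the definition. The export embedded in the script is constructed for this example; the `Updater` entry and the `WinUpdSvc` service are invented, and the path heuristic is an assumed starting point rather than a complete allowlist.

```python
import re
from collections import namedtuple

# Constructed sample of what `reg export` writes. Key and value names are real Windows
# locations; the "Updater" Run entry and the WinUpdSvc service are invented stand-ins for
# persistence. REG_EXPAND_SZ is exported as hex(2): UTF-16LE bytes wrapped with backslashes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Type"=dword:00000020
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
  32,00,5c,00,73,00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,\
  65,00,78,00,65,00,20,00,2d,00,6b,00,20,00,6e,00,65,00,74,00,\
  73,00,76,00,63,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinUpdSvc]
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,\
  5c,00,54,00,65,00,6d,00,70,00,5c,00,75,00,70,00,64,00,2e,00,\
  65,00,78,00,65,00,00,00
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')          # "name"=data or @=data
_HEX_RE = re.compile(r'^hex(?:\(([0-9a-f]+)\))?:(.*)$', re.I)
SUSPICIOUS_DIRS = re.compile(r'\\temp\\|%temp%|%tmp%|\\users\\public\\|\\downloads\\', re.I)
Finding = namedtuple("Finding", "key name path hive reason")

def _unescape(s):  # .reg escapes backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def _logical_lines(text):
    """Stitch back hex data that reg.exe wraps with a trailing backslash."""
    lines, buf = [], ""
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            lines.append(buf + line)
            buf = ""
    return lines

def _decode_data(data):
    """Right-hand side of a value line -> (type, value)."""
    if data.startswith('"') and data.endswith('"'):
        return "REG_SZ", _unescape(data[1:-1])
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    m = _HEX_RE.match(data)
    if not m:
        return "UNKNOWN", data
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if (m.group(1) or "3") == "2":  # hex(2) is REG_EXPAND_SZ: UTF-16LE, NUL terminated
        return "REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\x00")
    return "REG_BINARY", raw        # bare hex: is REG_BINARY; other hex(n) kept as raw bytes

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: (type, value)}}."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        km, vm = _KEY_RE.match(line), _VAL_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
        elif vm and current is not None:
            name = "" if vm.group(1) is None else _unescape(vm.group(1))  # "" is (Default)
            keys[current][name] = _decode_data(vm.group(2))
    return keys

def hive_for(key_path):
    """Map a key path to the hive file from the tables above (None for the virtual roots)."""
    top, _, rest = key_path.partition("\\")
    top, head = top.upper(), rest.split("\\", 1)[0].upper()
    if top == "HKEY_LOCAL_MACHINE" and head in ("SYSTEM", "SOFTWARE", "SAM", "SECURITY"):
        return head
    if top == "HKEY_CURRENT_USER":  # HKCU links to HKU\<SID>; its Software\Classes is UsrClass.dat
        return "UsrClass.dat" if rest.upper().startswith("SOFTWARE\\CLASSES") else "NTUSER.DAT"
    if top == "HKEY_USERS":
        return "DEFAULT" if head == ".DEFAULT" else "UsrClass.dat" if head.endswith("_CLASSES") else "NTUSER.DAT"
    return None

def _program_path(cmd):  # program path out of a command line: the quoted part, else first token
    m = re.match(r'^\s*(?:"([^"]+)"|(\S+))', cmd)
    return (m.group(1) or m.group(2)) if m else cmd

def find_persistence(keys):
    """Flag Run entries and services whose binary lives somewhere it should not."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            for name, (_, val) in values.items():
                path = _program_path(str(val))
                if SUSPICIOUS_DIRS.search(path):
                    findings.append(Finding(key, name, path, hive_for(key), "Run entry in temp/public directory"))
        elif "\\currentcontrolset\\services\\" in k:
            for name, (_, val) in values.items():
                if name.lower() != "imagepath":
                    continue
                path = _program_path(str(val))
                # a service binary belongs under %SystemRoot% or Program Files, never a user profile
                if SUSPICIOUS_DIRS.search(path) or "\\users\\" in path.lower():
                    findings.append(Finding(key, name, path, hive_for(key), "service binary outside system dirs"))
    return findings

if __name__ == "__main__":
    print(*find_persistence(parse_reg(SAMPLE_REG)), sep="\n")
```

Run as a script it prints the two hits (`Updater` in `NTUSER.DAT`, `WinUpdSvc` in `SYSTEM`) and leaves OneDrive and Dhcp alone. To use it on a real export, read the file with `encoding="utf-16"` because `reg export` writes UTF-16LE with a BOM, then pass the text to `parse_reg`. The Run-key check deliberately does not flag `AppData`, since legitimate per-user applications install there, while the service check treats anything under `\Users\` as suspect because a service binary has no business in a profile.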