hacktricks/forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md

203 lines
11 KiB
Markdown
Raw Normal View History

2022-04-28 23:27:22 +00:00
# Interesting Windows Registry Keys
2022-04-28 16:01:33 +00:00
2022-05-01 13:25:53 +00:00
## Interesting Windows Registry Keys
2022-04-28 16:01:33 +00:00
<details>
2023-04-07 08:52:01 +00:00
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2022-09-09 11:57:02 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
2023-01-02 12:00:18 +00:00
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
2022-04-28 16:01:33 +00:00
</details>
2022-05-01 13:25:53 +00:00
## **Windows system info**
2022-04-28 16:01:33 +00:00
2022-05-01 13:25:53 +00:00
### Version
2021-05-13 22:59:50 +00:00
* **`Software\Microsoft\Windows NT\CurrentVersion`**: Windows version, Service Pack, Installation time and the registered owner
2022-05-01 13:25:53 +00:00
### Hostname
2021-05-13 22:59:50 +00:00
* **`System\ControlSet001\Control\ComputerName\ComputerName`**: Hostname
2022-05-01 13:25:53 +00:00
### Timezone
2021-05-13 22:59:50 +00:00
* **`System\ControlSet001\Control\TimeZoneInformation`**: TimeZone
2022-05-01 13:25:53 +00:00
### Last Access Time
2021-05-13 22:59:50 +00:00
* **`System\ControlSet001\Control\Filesystem`**: Last time access (by default it's disabled with `NtfsDisableLastAccessUpdate=1`, if `0`, then, it's enabled).
2021-05-13 22:59:50 +00:00
* To enable it: `fsutil behavior set disablelastaccess 0`
2022-05-01 13:25:53 +00:00
### Shutdown Time
2021-05-13 22:59:50 +00:00
* `System\ControlSet001\Control\Windows`: Shutdown time
* `System\ControlSet001\Control\Watchdog\Display`: Shutdown count (only XP)
2021-05-13 22:59:50 +00:00
2022-05-01 13:25:53 +00:00
### Network Information
2021-05-13 22:59:50 +00:00
* **`System\ControlSet001\Services\Tcpip\Parameters\Interfaces{GUID_INTERFACE}`**: Network interfaces
* **`Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged` & `Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed` & `Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache`**: First and last time a network connection was performed and connections through VPN
* **`Software\Microsoft\WZCSVC\Parameters\Interfaces{GUID}` (for XP) & `Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles`**: Network type (0x47-wireless, 0x06-cable, 0x17-3G) an category (0-Public, 1-Private/Home, 2-Domain/Work) and last connections
2021-05-13 22:59:50 +00:00
2022-05-01 13:25:53 +00:00
### Shared Folders
2021-05-13 22:59:50 +00:00
2022-04-05 22:24:52 +00:00
* **`System\ControlSet001\Services\lanmanserver\Shares\`**: Share folders and their configurations. If **Client Side Caching** (CSCFLAGS) is enabled, then, a copy of the shared files will be saved in the clients and server in `C:\Windows\CSC`
* CSCFlag=0 -> By default the user needs to indicate the files that he wants to cache
* CSCFlag=16 -> Automatic caching documents. “All files and programs that users open from the shared folder are automatically available offline” with the “optimize for performance" unticked.
2022-04-06 08:57:29 +00:00
* CSCFlag=32 -> Like the previous options by “optimize for performance” is ticked
* CSCFlag=48 -> Cache is disabled.
2021-05-18 23:29:06 +00:00
* CSCFlag=2048: This setting is only on Win 7 & 8 and is the default setting until you disable “Simple file sharing” or use the “advanced” sharing option. It also appears to be the default setting for the “Homegroup”
* CSCFlag=768 -> This setting was only seen on shared Print devices.
2021-05-13 22:59:50 +00:00
2022-05-01 13:25:53 +00:00
### AutoStart programs
2021-05-13 22:59:50 +00:00
2022-04-05 22:24:52 +00:00
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `Software\Microsoft\Windows\CurrentVersion\Runonce`
* `Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run`
2021-05-13 22:59:50 +00:00
* `Software\Microsoft\Windows\CurrentVersion\Run`
2022-05-01 13:25:53 +00:00
### Explorer Searches
2021-05-13 22:59:50 +00:00
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordwheelQuery`: What the user searched for using explorer/helper. The item with `MRU=0` is the last one.
2022-05-01 13:25:53 +00:00
### Typed Paths
2021-05-13 22:59:50 +00:00
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths`: Paths types in the explorer (only W10)
2021-05-13 22:59:50 +00:00
2022-05-01 13:25:53 +00:00
### Recent Docs
2021-05-13 22:59:50 +00:00
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`: Recent documents opened by the user
* `NTUSER.DAT\Software\Microsoft\Office{Version}{Excel|Word}\FileMRU`:Recent office docs. Versions:
* 14.0 Office 2010
* 12.0 Office 2007
* 11.0 Office 2003
* 10.0 Office X
* `NTUSER.DAT\Software\Microsoft\Office{Version}{Excel|Word} UserMRU\LiveID_###\FileMRU`: Recent office docs. Versions:
* 15.0 office 2013
* 16.0 Office 2016
2022-05-01 13:25:53 +00:00
### MRUs
2021-05-13 22:59:50 +00:00
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LasVisitedPidlMRU`
Indicates the path from where the executable was executed
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Op enSaveMRU` (XP)
2021-05-13 22:59:50 +00:00
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Op enSavePidlMRU`
Indicates files opened inside an opened Window
2022-05-01 13:25:53 +00:00
### Last Run Commands
2021-05-13 22:59:50 +00:00
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Policies\RunMR`
2022-05-01 13:25:53 +00:00
### User AssistKey
2021-05-13 22:59:50 +00:00
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count`
The GUID is the id of the application. Data saved:
* Last Run Time
* Run Count
* GUI application name (this contains the abs path and more information)
2021-05-13 22:59:50 +00:00
* Focus time and Focus name
2022-05-01 13:25:53 +00:00
## Shellbags
2021-05-13 22:59:50 +00:00
When you open a directory Windows saves data about how to visualize the directory in the registry. These entries are known as Shellbags.
Explorer Access:
2021-05-13 22:59:50 +00:00
* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags`
* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU`
Desktop Access:
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags`
2022-09-18 16:15:52 +00:00
To analyze the Shellbags you can use [**Shellbag Explorer**](https://ericzimmerman.github.io/#!index.md) and you will be able to find the\*\* MAC time of the folder **and also the** creation date and modified date of the shellbag which are related to the\*\* first time and the last time\*\* the folder was accessed.
2021-05-13 22:59:50 +00:00
Note 2 things from the following image:
2021-05-13 22:59:50 +00:00
1. We know the **name of the folders of the USB** that was inserted in **E:**
2. We know when the **shellbag was created and modified** and when the folder was created and accessed
![](<../../../.gitbook/assets/image (475).png>)
2022-05-01 13:25:53 +00:00
## USB information
2022-05-01 13:25:53 +00:00
### Device Info
The registry `HKLM\SYSTEM\ControlSet001\Enum\USBSTOR` monitors each USB device that has been connected to the PC.\
Within this registry it's possible to find:
* The manufacturer's name
* The product name and version
* The Device Class ID
* The volume name (in the following images the volume name is the highlighted subkey)
![](<../../../.gitbook/assets/image (477).png>)
![](<../../../.gitbook/assets/image (479) (1).png>)
Moreover, by checking the registry `HKLM\SYSTEM\ControlSet001\Enum\USB` and comparing the values of the sub-keys it's possible to find the VID value.
2022-09-02 15:27:38 +00:00
![](<../../../.gitbook/assets/image (478).png>)
With the previous information the registry `SOFTWARE\Microsoft\Windows Portable Devices\Devices` can be used to obtain the **`{GUID}`**:
![](<../../../.gitbook/assets/image (480).png>)
2022-05-01 13:25:53 +00:00
### User that used the device
Having the **{GUID}** of the device it's now possible to **check all the NTUDER.DAT hives of all the users**, searching for the GUID until you find it in one of them (`NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Mountpoints2`).
![](<../../../.gitbook/assets/image (481).png>)
2022-05-01 13:25:53 +00:00
### Last mounted
Checking the registry `System\MoutedDevices` it's possible to find out **which device was the last one mounted**. In the following image check how the last device mounted in `E:` is the Toshiba one (using the tool Registry Explorer).
![](<../../../.gitbook/assets/image (483) (1) (1).png>)
2022-05-01 13:25:53 +00:00
### Volume Serial Number
In `Software\Microsoft\Windows NT\CurrentVersion\EMDMgmt` you can find the volume serial number. **Knowing the volume name and the volume serial number you can correlate the information** from LNK files that uses that information.
Note that when a USB device is formatted:
* A new volume name is created
* A new volume serial number is created
* The physical serial number is kept
2022-05-01 13:25:53 +00:00
### Timestamps
In `System\ControlSet001\Enum\USBSTOR{VEN_PROD_VERSION}{USB serial}\Properties{83da6326-97a6-4088-9453-a1923f573b29}\` you can find the first and last time the device was connected:
* 0064 -- First connection
* 0066 -- Last connection
* 0067 -- Disconnection
![](<../../../.gitbook/assets/image (482).png>)
2022-04-28 16:01:33 +00:00
<details>
2023-04-07 08:52:01 +00:00
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2022-09-09 11:57:02 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
2023-01-02 12:00:18 +00:00
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
2022-04-28 16:01:33 +00:00
</details>