Listen to this Post

Introduction:
The Windows Registry is far more than a system configuration database—it’s a silent witness to nearly every user and system action on a Windows machine. While many incident responders first turn to event logs, seasoned forensic analysts know that the Registry often holds the most granular, tamper-resistant evidence of executed programs, connected devices, user searches, and persistence mechanisms. This article transforms the Registry into a forensic timeline, revealing how to extract and correlate artifacts that answer critical DFIR questions.
Learning Objectives:
- Identify and locate the core Registry hives (SAM, SECURITY, SOFTWARE, SYSTEM, NTUSER.DAT, USRCLASS.DAT) both live and offline.
- Extract and analyze key execution artifacts (UserAssist, ShimCache, AmCache, BAM/DAM) to reconstruct program launches and last-run times.
- Leverage USBSTOR, ShellBags, and typed path artifacts to track device connections, folder navigation, and user search behavior.
You Should Know:
- Hive Mapping & Offline Acquisition – Where the Evidence Lives
Understanding where each hive resides is foundational. On a live system, hives are loaded in memory and locked, but on a disk image or offline drive, you can copy them directly. The SYSTEM hive (C:\Windows\System32\config\SYSTEM) holds system-wide settings, while SAM stores local user account hashes. NTUSER.DAT lives inside each user’s profile (C:\Users\\NTUSER.DAT), and USRCLASS.DAT is in AppData\Local\Microsoft\Windows\UsrClass.dat.
Step‑by‑step offline extraction (Windows):
- Boot from a live forensic USB or mount the suspect drive as read-only.
- Navigate to `C:\Windows\System32\config` and copy SYSTEM, SAM, SECURITY, SOFTWARE, COMPONENTS.
- Copy each user’s NTUSER.DAT from their profile folder and USRCLASS.DAT from AppData\Local\Microsoft\Windows.
- Use `reg.exe save` on a live system to avoid lock errors:
reg save HKLM\SYSTEM C:\forensics\SYSTEM.hive reg save HKLM\SAM C:\forensics\SAM.hive
Linux command to mount and access hives (using libregf tools):
sudo apt install libregf-tools regexport /mnt/evidence/Windows/System32/config/SOFTWARE > software.txt
2. Execution Artifacts – UserAssist, ShimCache, AmCache, BAM/DAM
No single artifact tells the whole execution story. UserAssist (under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist) tracks programs launched via Explorer, including GUI applications. ShimCache (AppCompatCache) records program execution for compatibility purposes and can survive deletion. AmCache (C:\Windows\appcompat\Programs\Amcache.hve) provides SHA1 hashes and full paths. BAM/DAM (HKLM\SYSTEM\CurrentControlSet\Services\bam and dam) logs last execution times for all users.
PowerShell command to decode UserAssist ROT13 encoding:
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\" | Select-Object -ExpandProperty | ForEach-Object {
if ($_ -match "[\x00-\x1f]") { $decoded = [System.Text.Encoding]::ASCII.GetString([System.Text.Encoding]::GetEncoding(1252).GetBytes($_)) }
Write-Output $decoded
}
Extracting ShimCache using RegRipper:
rip.exe -r SYSTEM.hive -p appcompatcache > shimcache.txt
AmCache analysis with AmcacheParser (Eric Zimmerman tools):
AmcacheParser.exe -f Amcache.hve -o amcache_output.csv
- User Activity Traces – RecentDocs, Office MRUs, TypedPaths, WordWheelQuery
These artifacts reconstruct what a user opened, searched, and typed. RecentDocs (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs) stores recently opened files with extension-based bins. TypedPaths (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths) captures paths manually entered into Explorer. WordWheelQuery (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery) logs search terms typed in File Explorer.
Step‑by‑step extraction using Registry Explorer:
1. Load NTUSER.DAT from the target user.
- Navigate to `RecentDocs` – export the binary data as CSV.
- Check `TypedPaths` – it’s a simple list of `url` values.
- Decode WordWheelQuery (stored as REG_BINARY) using a tool like `strings` or
recbin:strings -n 8 NTUSER.DAT | findstr /i "search"
-
ShellBags – Reconstructing Folder Navigation & Network Browsing
ShellBags record folder views, sizes, and even whether the user browsed network shares or FTP sites. They persist across system reinstalls if the user profile is preserved. Located under `HKCU\Software\Microsoft\Windows\Shell\BagMRU` andBags.
Using ShellBags Explorer (Zimmerman tool):
ShellBagsExplorer.exe -d "C:\Users\<username>\NTUSER.DAT" -o shellbags_output.csv
Manual recovery with reg query:
reg query "HKCU\Software\Microsoft\Windows\Shell\BagMRU" /s
Look for subkeys with numeric names – each represents a folder. The `0` subkey often contains the last visited folder.
- USB Forensics – USBSTOR, USB, and Portable Devices
USB device connection evidence is still a goldmine for exfiltration cases. The `USBSTOR` key (HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR) stores device serial numbers, vendor IDs, product strings, and first/last connection times. The `USB` key (HKLM\SYSTEM\CurrentControlSet\Enum\USB) tracks hub connections, and `Portable Devices` (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PortableDevices) logs MTP devices.
PowerShell script to extract USB history from SYSTEM hive:
$hive = "C:\forensics\SYSTEM.hive"
reg load HKLM\OfflineSystem $hive
Get-ChildItem "HKLM:\OfflineSystem\CurrentControlSet\Enum\USBSTOR" -Recurse | ForEach-Object {
$device = $_.PSPath
$friendly = (Get-ItemProperty $device).FriendlyName
$first = (Get-ItemProperty $device)."First Install Date"
Write-Output "$friendly - First installed: $first"
}
reg unload HKLM\OfflineSystem
- Persistence Mechanisms – Autoruns, Services, and Run Keys
Attackers love Registry persistence. CheckHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,RunOnce, and the same underHKCU. Also inspect `Services` (HKLM\SYSTEM\CurrentControlSet\Services) for malicious drivers or service DLLs.
Using Autoruns (Sysinternals) with Registry target:
autoruns.exe -a -r -c -h -s -v -vt -accepteula -o autoruns.csv
The `-r` flag limits output to Registry entries.
Manual reg query for common persistence locations:
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg query HKLM\SYSTEM\CurrentControlSet\Services /s /f "ImagePath" /t REG_EXPAND_SZ
- Tool Selection & Workflow – KAPE, RegRipper, and Registry Explorer
Efficient triage requires the right toolchain. KAPE (Kroll Artifact Parser and Extractor) can target Registry hives and run simultaneous modules. RegRipper is ideal for artifact-specific extraction. Registry Explorer (Zimmerman) handles transaction logs and unallocated space.
Step‑by‑step KAPE Registry triage:
1. Download KAPE and its modules (from kroll.com).
2. Run target acquisition:
kape.exe --tsource D:\ --tdest C:\case001 --target RegistryHives
3. Run extraction modules:
kape.exe --msource C:\case001 --mdest C:\case001\output --module RegistryExplorer,AmcacheParser,UsnJrnl
4. Review output CSV files in Timeline Explorer.
Why transaction logs matter: Registry transaction logs (.LOG1/.LOG2) and .REGTRANS-MS files can contain data that was never fully written to the hive. Registry Explorer automatically merges them.
What Undercode Say:
- Combine, don’t isolate: UserAssist shows GUI launches; ShimCache catches command-line executions; AmCache adds hash validation. Missing one can lead to false negatives.
- USBSTOR remains underutilized – many analysts stop at event ID 2003, but Registry USB artifacts survive log clearing and provide granular device details.
- ShellBags are a blue‑team blind spot – they reveal folder access even when the user deleted files or cleared recent documents. Pair with LNK files for stronger timelines.
- Toolchain automation (KAPE + RegRipper + Zimmerman tools) is the difference between a 2‑hour manual hunt and a 5‑minute automated extraction.
Prediction:
As EDRs and SIEMs grow better at detecting event log tampering, attackers will increasingly manipulate Registry artifacts to erase execution traces. However, the distributed nature of Registry hives (multiple per user, transaction logs, and backup copies) makes complete wiping nearly impossible. Future DFIR tools will incorporate machine learning to detect anomalous Registry modifications and automatically reconstruct deleted keys from transaction logs. Expect cloud‑based Registry analysis to become standard, where hives are parsed remotely without mounting, reducing evidence tampering risks. For blue teams, mastering Registry forensics will be as critical as memory analysis within two years.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Yildizokan Windows – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


