Registry

Question 1

What is a registry?

Answer 1

A central hierarchical database used in Windows.

Question 2

How is registry data stored?

Answer 2

5 top level root keys.

Question 3

What is the HKCU?

Answer 3

HKEY_CURRENT_USER

Question 4

What does the HKCU contain?

Answer 4

User information and configuration.

Question 5

What is HKU?

Answer 5

HKEY_USERS

Question 6

What does the HKU contain?

Answer 6

Contains all actively loaded user profiles.

Question 7

What is the HKCR?

Answer 7

HKEY_CLASSES_ROOT

Question 8

What is the HKLM?

Answer 8

HKEY_LOCAL_MACHINE

Question 9

What is the HKCC?

Answer 9

HKEY_CURRENT_CONFIG

Question 10

What is contained in the HKCR?

Answer 10

Maps explorer files -> programs.

Question 11

What is contained in the HKLM?

Answer 11

Computer config for any user.

Question 12

What is contained in the HKCC?

Answer 12

Hardware profile used at startup.

Question 13

What are Registry Hives?

Answer 13

How registry is represented on the file system.

Question 14

Where are the system registry hives?

Answer 14

C:\Windows\System32\Config\

Question 15

What is contained in the system registry hives?

Answer 15

DEFAULT
SAM
SECURITY
SOFTWARE
SYSTEM

Question 16

Where are the user registry hives?

Answer 16

C:\Users<username>\NTUSER.dat

and

C:\Users<username>\AppData\Local\Microsoft\Windows\UsrClass.dat

Question 17

DEFAULT hive

Answer 17

Template for new user hives.

Question 18

SAM

Answer 18

Store windows user passwords

Question 19

SECURITY

Answer 19

Info about the domain that the machine is attached to.

Question 20

SOFTWARE

Answer 20

Software and Windows settings. Good place to check for Malware.

Question 21

SYSTEM

Answer 21

System config. Currently mounted drives.

Question 22

NTUSER.dat

Answer 22

User settings. Program execution or file/folder usage.

Question 23

UsrClass.dat

Answer 23

More NTUSER stuff.

Question 24

LOG1/LOG2

Answer 24

Rewind logs.

Question 25

What are the differences between hives and top level keys?

Answer 25

Keys are data inside of the hives. Hives are how registries are represented on the file system.

Question 26

What is the most valuable registry key?

Answer 26

HKEY_LOCAL_MACHINE

Question 27

What is an ASEP?

Answer 27

Autostart extension points.

Question 28

What is contained in ASEPs?

Answer 28

What to start on the computer at bootup?

Question 29

What is Run vs RunOnce?

Answer 29

Run runs every time the user logs on. RunOnce runs one time, then is deleted.

Question 30

What is the difference between targets and modules in KAPE?

Answer 30

Targets - Collection points Modules - what to do with the data.

Question 31

Where is OS Version stored?

Answer 31

SOFTWARE\MicrosoftWindows NT\CurrentVersion

Question 32

Where are autostart programs stored?

Answer 32

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\(Run/RunOnce) or SOFTWARE\Microsoft\Windows\CurrentVersion\(Run/RunOnce) SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Question 33

Where are SAM/User information?

Answer 33

SAM\Domains\Account\Users

Question 34

Recent files?

Answer 34

NTUSER.DAT\Software\Microsoft\Windows \CurrentVersion\Explorer\RecentDocs

Question 35

Address/Search Bars location?

Answer 35

NTUSER.DAT (TypedPaths/WordWheelQuery)

Question 36

External USB/Device identification?

Answer 36

USBSTOR or USB

Question 37

USB First/Last Times

Answer 37

USBSerial\Properties

Question 38

Evidence of Execution

Answer 38

NTUSER.DAT\Software\...\UserAssist\{GUID}\Count

Question 39

What two root keys are most valuable?

Answer 39

HKLM and HKCU

Question 40

What tool can build a clean hive from dirty hive?

Answer 40

Registry Explorer

Question 41

Where are RunOnce ASEPs held?

Answer 41

HKCU and HKLM in CurrentVersion\RunOnce