Registry of Interests Flashcards
What is HKLM\System\CurrentControlSet?
It is an alias to HKLM\System\ControlSet001 and ControlSet002.
The ControlSet is dynamically generated during the boot process.
The CurrentControlSet cannot be found in the registry when loading the hive files.
How can you verify which ControlSet was last used, without the CurrentControlSet alias key?
HKLM\System\Select
Where can the Time Zone Information be found in the registry?
HKLM\System\CurrentControlSet\Control\TimeZoneInformation
Where in the registry is more system information available?
HKLM\Software\Microsoft\Windows NT\CurrentVersion
Where can the Last Shutdown time be found in the registry?
HKLM\System\CurrentControlSet\Control\Windows\
ShutdownTime contains the timestamp as a 64-bit hex value.
This can be decoded with the tool DCode v4.0.
Where can traces of installed programs be found?
- HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
- HKLU\Software\
Where can the pagefile settings be found in the registry?
HKLM\System\CurrentControlSet\Control\Session Manager\MemoryManagement
Where can you find which devices are mounted on the system?
HKLM\System\MountedDevices
Two types of data:
- short = used for IDE/SCSI drives
- long = used for USB removable drives
What is USBSTOR and where is it located?
When a USB storage device is plugged into a computer, Windows assigns it a unique identifier called a device instance ID. This ID is stored in the USBSTOR registry key along with other information about the device.
HKLM\System\CurrentControlSet\Enum\USBSTOR
Where can the First insert date be found in the USBSTOR?
The USBSTOR stores the dates in different keys called:
- 0064 = First insertion date
- 0065 = Insertion date
- 0066 = Last insertion date
- 0067 = Last removal date
Where else can information about USB timestamps be found in the registry?
HKLM\System\CurrentControlSet\Enum\USB
USBSTOR: manufacturer, product, iSerial number
USB: iSerial number, vendor ID, product ID
Where can the Assigned IP addresses be found on the system?
HKLM\System\CurrentControlSet\Service\TCPip\parameters\interfaces
Where can the Assigned IP addresses be found on the system?
HKLM\System\Microsoft\WindowsNT\CurrentVersion\Networklist\Profiles
Where can User traces be found in the registry?
What are User Shell Folders? And where are they located?
User Shell Folders holds all the default user folders, such as Documents, Downloads, etc.
The location of these User Shell Folders can be changed to another disk or an encrypted disk.
Highest = HKCU User Shell Folders
= HKCU Shell Folder (default)
= HKLM User Shell Folders
Lowest = HKLM Shell Folder (default)
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Where can the MRU list for the UserAssist be found?
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Where can the MRU list for the RecentDocs be found?
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Where can the MRU list for the MS Office recently opened files be found?
HKCU\Software\Microsoft\Office\14.0\Word\File
Where can the MRU list for the TypedURLs be found?
HKCU\Software\Microsoft\Microsoft\Internet Explorer\TypedURLs
Where can the MRU list for the TypedURLsTime be found?
HKCU\Software\Microsoft\InternetExplorer\TypedURLsTime
Where can the MRU list for the OpenSaveMRU be found?
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
Where can the MRU list for the CIDSizeMRU be found?
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
Where can the MRU list for the LastVisitedPidMRU be found?
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Where can the MRU list for the Search Assistants MRU be found?
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
Where can the MRU list for the Encrypted Storage be found?
HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2