Windows Registry Hive

Question 1

Name the 2 type of hives.

Answer 1

• System Hive
• User Hive

Question 2

What is a hive

Answer 2

A binary file that contains a registry tree including:
- keys
- subkeys
- values

Question 3

Where do System and User hive relates to?

Answer 3

• System –> HKLM (HKEY_LOCAL_MACHINE)
• User –> HKU (HKEY_USERS)

Question 4

What is HKEY?

Answer 4

It stands for Handle to Key or HK.
The logical section, Root keys beginning with it.

Question 5

What is the supporting file for HKLM\SAM ?

Answer 5

sam, sam.log, sam.log1, sam.log2, blf.
(SAM = Security Account Manager)

Question 6

What is the supporting file for HKLM\SECURITY ?

Answer 6

security, security.log

Question 7

What is supporting file for HKLM\SOFTWARE ?

Answer 7

software, software.log, software.log1

Question 8

What is supporting file for HKLM\SYSTEM ?

Answer 8

system, system.log, system.log1

Question 9

What is the supporting file for HK_CURRENT_CONFIG ?

Answer 9

system, system.log, system.log1

Question 10

Where can the “system” hive files be found?

Answer 10

C:\Windows\System32\config

Question 11

Where can the “user” hive files be found?

Answer 11

HKU\.DEFAULT (C:\Windows\System32\config)
HKU\SID (C:\Users\john\NTUSER.DAT)
HKU\SID_CLASSES (C:\Users\john\AppData\Local\Microsoft\Windows\UsrClass.DAT)