Windows Registry

Gunters' site

Quod non est in actis non est in mundo

Folder/predefined key

Description

HKEY_CURRENT_USER

Contains the root of the configuration information for the user who is currently logged on. The user's folders, screen colors, and Control Panel settings are stored here. This information is associated with the user's profile. This key is sometimes abbreviated as "HKCU."

HKEY_USERS

Contains all the actively loaded user profiles on the computer. HKEY_CURRENT_USER is a subkey of HKEY_USERS. HKEY_USERS is sometimes abbreviated as "HKU."

HKEY_LOCAL_MACHINE

Contains configuration information particular to the computer (for any user). This key is sometimes abbreviated as "HKLM."

HKEY_CLASSES_ROOT

Is a subkey of HKEY_LOCAL_MACHINE\Software. The information that is stored here makes sure that the correct program opens when you open a file by using Windows Explorer. This key is sometimes abbreviated as "HKCR."

Starting with Windows 2000, this information is stored under both the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER keys. The HKEY_LOCAL_MACHINE\Software\Classes key contains default settings that can apply to all users on the local computer. The HKEY_CURRENT_USER\Software\Classes key contains settings that override the default settings and apply only to the interactive user. The HKEY_CLASSES_ROOT key provides a view of the registry that merges the information from these two sources. HKEY_CLASSES_ROOT also provides this merged view for programs that are designed for earlier versions of Windows.

To change the settings for the interactive user, changes must be made under HKEY_CURRENT_USER\Software\Classes instead of under HKEY_CLASSES_ROOT. To change the default settings, changes must be made under HKEY_LOCAL_MACHINE\Software\Classes. If you write keys to a key under HKEY_CLASSES_ROOT, the system stores the information under HKEY_LOCAL_MACHINE\Software\Classes. If you write values to a key under HKEY_CLASSES_ROOT, and the key already exists under HKEY_CURRENT_USER\Software\Classes, the system will store the information there instead of under HKEY_LOCAL_MACHINE\Software\Classes.

HKEY_CURRENT_CONFIG

Contains information about the hardware profile that is used by the local computer at system startup.

Registry Path

File Path

HKEY_LOCAL_MACHINE\System

%WINDIR%\system32\config\System

HKEY_LOCAL_MACHINE\SAM

%WINDIR%\system32\config\Sam

HKEY_LOCAL_MACHINE\Security

%WINDIR%\system32\config\Security

HKEY_LOCAL_MACHINE\Software

%WINDIR%\system32\config\Software

HKEY_LOCAL_MACHINE\Hardware

Volatile hive

HKEY_LOCAL_MACHINE\System\Clone

Volatile hive

HKEY_USERS\User SID

User profile (NTUSER.DAT) in "Documents and Settings\User" (changed to "Users\User" on Vista and later)

HKEY_USERS\Default

%WINDIR%\system32\config\default

What

Windows install date

The install date is stored in the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate as UNIX time (a 32-bit value containing the number of seconds since 1/1/1970 UTC).

Or, at a command prompt, run "systeminfo" and read the "Original Install Date" line.

Windows start (boot) time

See also https://en.wikipedia.org/wiki/Uptime

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power

Or at a command prompt (CMD):       systeminfo | find /i "Boot Time"

Start up locations

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Windows shutdown time

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Control\Windows (value ShutdownTime, an 8-byte little-endian FILETIME: 100-nanosecond intervals since 1/1/1601 UTC; on a live system CurrentControlSet is a link to the active ControlSet00x)
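The three timestamps above (install date, last boot, last shutdown) read and converted in one go. This is an added example, not code from the original page; it assumes a live system (so CurrentControlSet resolves to the active ControlSet00x) and an elevated PowerShell session. InstallDate comes back from the registry provider as a signed 32-bit integer, which is fine for any date before 2038.

```powershell
# Added example: decode the install, boot and shutdown timestamps the page lists.
# Run elevated on the live system; CurrentControlSet links to the active ControlSet00x.

# 1. InstallDate: REG_DWORD holding UNIX time (seconds since 1970-01-01 UTC).
$nt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$installEpoch = (Get-ItemProperty -Path $nt -Name InstallDate).InstallDate
$installUtc   = [DateTimeOffset]::FromUnixTimeSeconds($installEpoch).UtcDateTime
"Install date : $installUtc  (raw $installEpoch)"

# 2. Last boot: the same figure "systeminfo | find /i "Boot Time"" prints.
$bootUtc = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime.ToUniversalTime()
"Last boot    : $bootUtc"

# 3. ShutdownTime: REG_BINARY, 8-byte little-endian FILETIME
#    (100-ns intervals since 1601-01-01 UTC) under Control\Windows.
$win = 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'
[byte[]]$raw = (Get-ItemProperty -Path $win -Name ShutdownTime).ShutdownTime
$ticks       = [BitConverter]::ToInt64($raw, 0)
$shutdownUtc = [DateTime]::FromFileTimeUtc($ticks)
"Last shutdown: $shutdownUtc"

# Sanity check: a recorded shutdown later than the current boot means the
# value is stale or the clock was changed, so flag it instead of trusting it.
if ($shutdownUtc -gt $bootUtc) {
    Write-Warning "ShutdownTime ($shutdownUtc) is later than the last boot ($bootUtc); check the clock."
}
```

The conversion helpers are worth remembering on their own: UNIX time is seconds since 1970, FILETIME is 100-nanosecond ticks since 1601, and [DateTime]::FromFileTimeUtc handles the latter without any manual epoch arithmetic.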

USB Devices

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Enum\USBSTOR

User passwords are stored as hashes in the SAM hive, either as LM hashes or as NT (NTLM) hashes; LM hash storage is disabled by default from Windows Vista onward. The hive file is %SystemRoot%\system32\config\SAM and is mounted at HKLM\SAM. The hashes are further encrypted with a key derived from the SYSTEM hive (the boot key), so offline extraction needs both the SAM and the SYSTEM files.

Wireless Networks

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces (Windows XP, Wireless Zero Configuration; on Vista and later the profiles live under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles)

LAN Computers

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions   (Win XP)

Mounted Devices

HKLM\SYSTEM\MountedDevices
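An added example (not from the original page) that ties the USB Devices and Mounted Devices entries above together: it walks Enum\USBSTOR, where each device-class key (Disk&Ven_...&Prod_...&Rev_...) has one subkey per device instance named after the device serial number, and looks each serial up in MountedDevices, whose values for USB volumes are UTF-16 strings of the form _??_USBSTOR#<class>#<serial>#{guid}. A serial whose second character is "&" was generated by Windows because the device reported none, so it does not uniquely identify hardware. Assumes a live system; the registry provider does not expose key last-write times, so the usual "last plugged in" timestamp needs RegQueryInfoKey or an offline hive parser.

```powershell
# Added example: USB mass-storage history from Enum\USBSTOR, cross-referenced
# with MountedDevices to recover the drive letter / volume GUID it was mounted as.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$mounted = Get-ItemProperty -Path 'HKLM:\SYSTEM\MountedDevices'

# Decode every MountedDevices value as UTF-16. USB volumes carry a string like
# "_??_USBSTOR#Disk&Ven_X&Prod_Y&Rev_Z#<serial>&0#{guid}"; fixed disks carry a
# binary signature+offset that simply never matches a serial below.
$mountEntries = foreach ($p in $mounted.PSObject.Properties) {
    if ($p.Value -is [byte[]]) {
        [pscustomobject]@{
            Name = $p.Name                                   # \DosDevices\E: or \??\Volume{...}
            Text = [Text.Encoding]::Unicode.GetString($p.Value)
        }
    }
}

$devices = foreach ($class in Get-ChildItem -Path $usbstor) {
    foreach ($inst in Get-ChildItem -Path $class.PSPath) {
        $serial = $inst.PSChildName
        $props  = Get-ItemProperty -Path $inst.PSPath
        $mounts = ($mountEntries | Where-Object { $_.Text -like "*#$serial#*" } |
                   Select-Object -ExpandProperty Name) -join ', '
        [pscustomobject]@{
            DeviceClass  = $class.PSChildName
            Serial       = $serial
            FriendlyName = $props.FriendlyName
            # '&' as the second character means Windows made the ID up (no real serial)
            GeneratedId  = ($serial.Length -gt 1 -and $serial[1] -eq '&')
            MountedAs    = $mounts
        }
    }
}

$devices | Sort-Object DeviceClass, Serial | Format-Table -AutoSize -Wrap
```

Devices that never got a drive letter (or whose letter has since been reused) show an empty MountedAs column; the USBSTOR entry alone still proves the device was connected at some point.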

Windows Search

HKCU\Software\Microsoft\Search Assistant\ACMru (Windows XP; Windows 7 and later record Explorer search terms under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery)

Installed programs

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (32-bit programs on 64-bit Windows appear under HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall)

Mapped network drives

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

RunServices and RunServicesOnce (Windows 9x/ME only; not used by NT-based Windows)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

Winlogon

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (check the Shell and Userinit values; anything other than explorer.exe and %SystemRoot%\system32\userinit.exe, runs at every logon)

List of common autorun locations:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

(ProfilePath)\Start Menu\Programs\Startup
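An added example, not code from the original page, that dumps the autorun locations in the list above together with the Winlogon Shell/Userinit values and the Startup folders. It is read-only and assumes a live system. Two additions beyond the page's list, both labelled in the code: the WOW6432Node Run key, which 64-bit Windows uses for 32-bit programs, and a simple "trusted path" heuristic that flags any entry whose image lives outside %SystemRoot% or the Program Files directories, or does not exist on disk at all.

```powershell
# Added example: enumerate autorun entries and flag the ones worth a second look.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',  # addition: 32-bit apps on 64-bit Windows
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'        # its "Run" and "Load" values
)
$psMeta    = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider metadata, not registry values
$trustDirs = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-ImagePath([string]$Command) {
    # "C:\path with spaces\x.exe" /arg -> C:\path with spaces\x.exe ; C:\p\x.exe /arg -> C:\p\x.exe
    $Command = $Command.Trim()
    $image = if ($Command -match '^"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    [Environment]::ExpandEnvironmentVariables($image)
}

function Test-TrustedPath([string]$Path) {
    # Heuristic (added here, not a Windows rule): image sits under a directory only admins can write to.
    foreach ($d in $trustDirs) {
        if ($Path.StartsWith("$d\", [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $psMeta) { continue }
        if ($key -like '*\Windows NT\CurrentVersion\Windows' -and $p.Name -notin 'Run', 'Load') { continue }
        $cmd = [string]$p.Value
        if (-not $cmd.Trim()) { continue }
        $image = Get-ImagePath $cmd
        [pscustomobject]@{
            Source  = $key
            Name    = $p.Name
            Command = $cmd
            OnDisk  = Test-Path -LiteralPath $image   # bare names resolved via PATH at run time show False here
            Trusted = Test-TrustedPath $image
        }
    }
})

# Startup folders: every file here runs at logon for that user / for all users.
foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
    foreach ($f in Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{
            Source = $dir; Name = $f.Name; Command = $f.FullName
            OnDisk = $true; Trusted = $false       # user-writable location, never trusted by path
        }
    }
}

# Winlogon: Shell should be explorer.exe, Userinit the system userinit.exe (stored with a trailing comma).
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.Shell -ne 'explorer.exe') { Write-Warning "Winlogon Shell is '$($wl.Shell)'" }
if (([string]$wl.Userinit).TrimEnd(',') -ne "$env:SystemRoot\system32\userinit.exe") {
    Write-Warning "Winlogon Userinit is '$($wl.Userinit)'"
}

$findings | Sort-Object Trusted, OnDisk | Format-Table -AutoSize -Wrap
```

Entries with Trusted = False or OnDisk = False come out first. A missing image is itself interesting: either leftover from an uninstalled program or a placeholder an attacker can fill later (a common persistence trick when the path is user-writable).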

WRITE BLOCK ALL USB DEVICES

HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies

USB mass-storage devices can be write-blocked to prevent someone from attaching a device to a live system and copying off files or intellectual property (it does not stop malware being read and run from the device, since reads still work). Create the StorageDevicePolicies subkey under Control if it does not exist and, inside it, a DWORD value named WriteProtect set to 1. Neither the key nor the value exists by default; an administrator can create them. The setting is applied when a device is mounted, so devices already attached must be reconnected, and anyone with administrative rights can set it back to 0.

DISABLE USB DRIVES

HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR

USB mass-storage devices can be prevented from operating when attached to a live system by changing the Start value of the USBSTOR driver from 3 (SERVICE_DEMAND_START: load the driver when a device appears) to 4 (SERVICE_DISABLED). Only the USB storage class driver is affected; other USB device classes (keyboards, mice, MTP phones, network adapters) keep working, and an administrator can set the value back to 3.
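Both USB controls above applied and verified from PowerShell, as an added example that is not part of the original page. It assumes an elevated session on a live system; the key names, value names and numbers are the ones the page gives, and both changes are reversible (WriteProtect = 0, Start = 3).

```powershell
# Added example: write-block or disable USB mass storage, then read back the state.
$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$usbstor   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-UsbWriteProtect {
    param([bool]$Enabled)
    # StorageDevicePolicies is a subkey and WriteProtect a DWORD inside it;
    # neither exists by default, so create the key before the value.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name WriteProtect -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null      # $true -> 1, $false -> 0
}

function Set-UsbStorageEnabled {
    param([bool]$Enabled)
    # Start = 3 (SERVICE_DEMAND_START) loads usbstor.sys when a device arrives;
    # Start = 4 (SERVICE_DISABLED) never loads it, so new sticks do not mount.
    $start = if ($Enabled) { 3 } else { 4 }
    Set-ItemProperty -Path $usbstor -Name Start -Value $start -Type DWord
}

function Get-UsbPolicyState {
    $wp = (Get-ItemProperty -Path $policyKey -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect
    [pscustomobject]@{
        WriteProtect = if ($null -eq $wp) { 'not set (writes allowed)' } else { $wp }
        UsbStorStart = (Get-ItemProperty -Path $usbstor -Name Start).Start
        UsbStorMeans = switch ((Get-ItemProperty -Path $usbstor -Name Start).Start) {
                           3 { 'demand start (enabled)' } 4 { 'disabled' } default { 'other' } }
    }
}

# Example run: block writes but keep reads, then show the resulting state.
# Reconnect already-attached devices for WriteProtect to take effect on them.
Set-UsbWriteProtect -Enabled $true
Get-UsbPolicyState

# To block mass storage entirely instead:  Set-UsbStorageEnabled -Enabled $false
# To undo either change:                    Set-UsbWriteProtect -Enabled $false ; Set-UsbStorageEnabled -Enabled $true
```

Because both settings live under HKLM, they are a control against ordinary users, not against someone who already has administrative rights on the machine; for that population the registry values are evidence to monitor, not a barrier.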

Recent files

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Typed URLS

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

IP Addresses

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces (one subkey per adapter GUID, with IPAddress/DhcpIPAddress, SubnetMask and DefaultGateway values)