Windows Registry
Folder/predefined key | Description |
--- | --- |
HKEY_CURRENT_USER | Contains the root of the configuration information for the user who is currently logged on. The user's folders, screen colors, and Control Panel settings are stored here. This information is associated with the user's profile. This key is sometimes abbreviated as "HKCU." |
HKEY_USERS | Contains all the actively loaded user profiles on the computer. HKEY_CURRENT_USER is a subkey of HKEY_USERS. HKEY_USERS is sometimes abbreviated as "HKU." |
HKEY_LOCAL_MACHINE | Contains configuration information particular to the computer (for any user). This key is sometimes abbreviated as "HKLM." |
HKEY_CLASSES_ROOT | Is a subkey of HKEY_LOCAL_MACHINE\Software. The information that is stored here makes sure that the correct program opens when you open a file by using Windows Explorer. This key is sometimes abbreviated as "HKCR." Starting with Windows 2000, this information is stored under both the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER keys. The HKEY_LOCAL_MACHINE\Software\Classes key contains default settings that can apply to all users on the local computer. The HKEY_CURRENT_USER\Software\Classes key contains settings that override the default settings and apply only to the interactive user. The HKEY_CLASSES_ROOT key provides a view of the registry that merges the information from these two sources. HKEY_CLASSES_ROOT also provides this merged view for programs that are designed for earlier versions of Windows. To change the settings for the interactive user, changes must be made under HKEY_CURRENT_USER\Software\Classes instead of under HKEY_CLASSES_ROOT. To change the default settings, changes must be made under HKEY_LOCAL_MACHINE\Software\Classes. If you write keys to a key under HKEY_CLASSES_ROOT, the system stores the information under HKEY_LOCAL_MACHINE\Software\Classes. If you write values to a key under HKEY_CLASSES_ROOT, and the key already exists under HKEY_CURRENT_USER\Software\Classes, the system will store the information there instead of under HKEY_LOCAL_MACHINE\Software\Classes. |
HKEY_CURRENT_CONFIG | Contains information about the hardware profile that is used by the local computer at system startup. |
Registry Path | File Path |
--- | --- |
HKEY_LOCAL_MACHINE\System | %WINDIR%\system32\config\System |
HKEY_LOCAL_MACHINE\SAM | %WINDIR%\system32\config\Sam |
HKEY_LOCAL_MACHINE\Security | %WINDIR%\system32\config\Security |
HKEY_LOCAL_MACHINE\Software | %WINDIR%\system32\config\Software |
HKEY_LOCAL_MACHINE\Hardware | Volatile hive |
HKEY_LOCAL_MACHINE\System\Clone | Volatile hive |
HKEY_USERS\User SID | User profile (NTUSER.DAT) under "Documents and Settings\User" (changed to "Users\User" on Vista) |
HKEY_USERS\Default | %WINDIR%\system32\config\default |
What | Where |
--- | --- |
Windows install date | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate, stored as UNIX time (a 32-bit value holding the number of seconds since 1/1/1970). Alternatively, run "systeminfo" in a command prompt. |
Windows boot time | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power. Alternatively, in a command prompt (CMD): systeminfo \| find /i "Boot Time" |
Startup locations | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run |
Windows shutdown time | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Control\Windows |
USB Devices | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Enum\USBSTOR |
User passwords (SAM) | Stored in hashed form (LM hash or NTLM hash) in the SAM hive, %SystemRoot%\system32\config\SAM, which is mounted at HKLM\SAM. |
Wireless Networks | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces |
LAN Computers | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions (Win XP) |
Mounted Devices | HKLM\SYSTEM\MountedDevices |
Windows Search | HKCU\Software\Microsoft\Search Assistant\ACMru |
Installed programs | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall |
Mapped network drives | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU |
RunServices and RunServicesOnce | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices; HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices; HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce; HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce |
Winlogon | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon |
Common autorun locations | HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce; HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run; HKLM\Software\Microsoft\Windows\CurrentVersion\Run; HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run; HKCU\Software\Microsoft\Windows\CurrentVersion\Run; HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce; (ProfilePath)\Start Menu\Programs\Startup |
Write-block all USB devices | HKLM\SYSTEM\CurrentControlSet\Control. USB storage devices can be write-blocked to prevent someone from attaching a device to a live system and performing a malicious act such as uploading a virus or downloading files and intellectual property. Under this key, the "StorageDevicePolicies" subkey holds a "WriteProtect" DWORD value; setting it to 1 (00000001) turns on USB write protection. If the subkey or the value does not exist, the system administrator or the user can create them. |
Disable USB drives | HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR. USB storage devices can be prevented from operating when attached to a live system by changing the "Start" value in this key from 0x00000003 (driver enabled) to 0x00000004 (driver disabled). |
Recent files | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs |
Typed URLs | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs |
IP Addresses | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces |
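
The following PowerShell script is an added example, not part of the original page: a read-only audit that reads the install date and converts it from UNIX time, checks the USB write-protect and USBSTOR Start values against the hardened settings described above, and enumerates the Run/RunOnce autorun locations listed in the table. It assumes it is run in an elevated PowerShell session on the host being examined; the function names are the author's own.

```powershell
# Added audit example (not from the original page). Read-only: reports values, changes nothing.

function Get-InstallDate {
    # InstallDate is a 32-bit UNIX timestamp: seconds since 1970-01-01 UTC
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $secs = (Get-ItemProperty -Path $key -Name InstallDate).InstallDate
    [DateTimeOffset]::FromUnixTimeSeconds($secs).UtcDateTime
}

function Test-UsbPolicy {
    # Hardened state per the table: WriteProtect = 1 under StorageDevicePolicies
    # and USBSTOR Start = 4 (disabled); Start = 3 is the default (enabled).
    $wp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies' `
                           -Name WriteProtect -ErrorAction SilentlyContinue
    $usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                                -Name Start -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UsbWriteProtected = ($null -ne $wp -and $wp.WriteProtect -eq 1)
        UsbStorStart      = $usbstor.Start
        UsbStorDisabled   = ($usbstor.Start -eq 4)
    }
}

function Get-AutorunEntries {
    # Run/RunOnce locations from the table. HKCU: covers only the current
    # user; load other users' NTUSER.DAT hives under HKU\<SID> for the rest.
    $locations = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run'
    )
    foreach ($loc in $locations) {
        $props = Get-ItemProperty -Path $loc -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, ... metadata; skip them
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Location = $loc; Name = $p.Name; Command = $p.Value }
        }
    }
}

"Install date (UTC): $(Get-InstallDate)"
Test-UsbPolicy
Get-AutorunEntries | Format-Table -AutoSize
```

Compare the autorun output against a known-good baseline of the same host; an entry pointing at a user-writable path or an unsigned binary is the usual starting point for an investigation.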