The first step to forensic analysis of the Registry is knowing where to find the files. The short answer is go look in \Windows\System32\config and \Users\<profile>\NTUSER.DAT. The long answer is… well… longer.
First thing to understand is that the Registry is complicated beast. Once processed, loaded into memory, and THEN presented to the user, it has five (5) root hives. According to legend, they are called “hives” because one of the original developers of Windows NT hated bees, so the developer responsible for the Registry snuck in as many bee references as he could. Three of those hives do not have corresponding files on disk, but rather are the Registry equivalent of a symlink that points to another part of the Registry. The HARDWARE hive is dynamically created as the system detects and interacts with the hardware. The two remaining hives are the most important to us and are comprised of several files that are combined to make the tree whole. The layout is like this:
| Registry hive | Source file or location |
| HKEY_CLASSES_ROOT | Merger of HKLM\SOFTWARE\Classes and HKCU\Software\Classes |
| HKEY_CURRENT_USER | ->HKU\<sid>\ |
| HKEY_LOCAL_MACHINE\BCD00000000 | \Boot\BCD |
| HKEY_LOCAL_MACHINE\HARDWARE | dynamically created |
| HKEY_LOCAL_MACHINE\SAM | %windir%\System32\config\SAM |
| HKEY_LOCAL_MACHINE\SECURITY | %windir%\System32\config\SECURITY |
| HKEY_LOCAL_MACHINE\SOFTWARE | %windir%\System32\config\SOFTWARE |
| HKEY_LOCAL_MACHINE\SYSTEM | %windir%\System32\config\SYSTEM |
| HKEY_USERS\.DEFAULT | %windir%\System32\config\DEFAULT |
| HKEY_USERS\S-1-5-18 | %windir%\System32\config\systemprofile\NTUSER.DAT |
| HKEY_USERS\S-1-5-19 | %windir%\ServiceProfiles\LocalService\NTUSER.DAT |
| HKEY_USERS\S-1-5-20 | %windir%\ServiceProfiles\NetworkService\NTUSER.DAT |
| HKEY_USERS\S-1-5-21-…-1000 | %userprofile%\NTUSER.DAT |
| HKEY_USERS\S-1-5-21-…-1000_Classes | %userprofile%\AppData\Local\Microsoft\Windows\UsrClass.dat |
| HKEY_CURRENT_CONFIG | ->HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\ |
Reading the contents of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist will help locate many of these files.
When you go track down these files on disk, you may find multiple files with the name of interest. The one with no extension is the important one. The uses for the others are as follows.
| Extension | Description |
| none | A complete copy of the hive data. |
| .alt | A backup copy of the critical HKEY_LOCAL_MACHINE\System hive. Only the System key has an .alt file. |
| .log | A transaction log of changes to the keys and value entries in the hive. There are frequently multiples of these. |
| .sav | A backup copy of a hive. |
Looking through the HKEY_USERS hive, you will find each points to a different NTUSER.DAT file. They are named from the Security Identifier (SID) of the various users on the system. This very helpful link of common SIDs will help you decipher them. The three short ones are:
| SID | Name | Description |
| S-1-5-18 | Local System | A service account that is used by the operating system. |
| S-1-5-19 | NT Authority | Local Service |
| S-1-5-20 | NT Authority | Network Service |
The SIDs for each user follow the will be something like S-1-5-21-3842413398-3921344924-2316618331-1000, where S-1-5-21- identifies this as a user, the middle three large numbers identify the domain this user belongs to or this computer if it is a local account, and the last number is a serial counter starting at 1000 that identifies the individual user. There are two first-level keys inside each user’s hive that are dynamically created (they exist only in memory and aren’t found in the file). They are Identities and Volatile Environment. If you are on a live system, that Volatile Environment key is a great shortcut to get to username, hostname, and some useful paths.