Registry Overview

The first step to forensic analysis of the Registry is knowing where to find the files. The short answer is go look in \Windows\System32\config and \Users\<profile>\NTUSER.DAT. The long answer is… well… longer.


First thing to understand is that the Registry is complicated beast. Once processed, loaded into memory, and THEN presented to the user, it has five (5) root hives. According to legend, they are called “hives” because one of the original developers of Windows NT hated bees, so the developer responsible for the Registry snuck in as many bee references as he could. Three of those hives do not have corresponding files on disk, but rather are the Registry equivalent of a symlink that points to another part of the Registry. The HARDWARE hive is dynamically created as the system detects and interacts with the hardware. The two remaining hives are the most important to us and are comprised of several files that are combined to make the tree whole. The layout is like this:

Registry hive Source file or location
HKEY_CLASSES_ROOT Merger of HKLM\SOFTWARE\Classes and HKCU\Software\Classes
HKEY_LOCAL_MACHINE\SAM %windir%\System32\config\SAM
HKEY_USERS\.DEFAULT %windir%\System32\config\DEFAULT
HKEY_USERS\S-1-5-18 %windir%\System32\config\systemprofile\NTUSER.DAT
HKEY_USERS\S-1-5-19 %windir%\ServiceProfiles\LocalService\NTUSER.DAT
HKEY_USERS\S-1-5-20 %windir%\ServiceProfiles\NetworkService\NTUSER.DAT
HKEY_USERS\S-1-5-21-…-1000 %userprofile%\NTUSER.DAT
HKEY_USERS\S-1-5-21-…-1000_Classes %userprofile%\AppData\Local\Microsoft\Windows\UsrClass.dat
HKEY_CURRENT_CONFIG ->HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\


Reading the contents of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist will help locate many of these files.


When you go track down these files on disk, you may find multiple files with the name of interest. The one with no extension is the important one. The uses for the others are as follows.

Extension Description
none A complete copy of the hive data.
.alt A backup copy of the critical HKEY_LOCAL_MACHINE\System hive. Only the System key has an .alt file.
.log A transaction log of changes to the keys and value entries in the hive. There are frequently multiples of these.
.sav A backup copy of a hive.


Looking through the HKEY_USERS hive, you will find each points to a different NTUSER.DAT file. They are named from the Security Identifier (SID) of the various users on the system. This very helpful link of common SIDs  will help you decipher them. The three short ones are:

SID Name Description
S-1-5-18 Local System A service account that is used by the operating system.
S-1-5-19 NT Authority Local Service
S-1-5-20 NT Authority Network Service


The SIDs for each user follow the will be something like S-1-5-21-3842413398-3921344924-2316618331-1000, where S-1-5-21- identifies this as a user, the middle three large numbers identify the domain this user belongs to or this computer if it is a local account, and the last number is a serial counter starting at 1000 that identifies the individual user. There are two first-level keys inside each user’s hive that are dynamically created (they exist only in memory and aren’t found in the file). They are Identities and Volatile Environment. If you are on a live system, that Volatile Environment key is a great shortcut to get to username, hostname, and some useful paths.