What’s in a name? That which we call a profile By any other name would still let us log in.   I recently ran across a case where I needed to prove which user was using which profile folder. Every once in a while, the profile folder name won’t actually be the same as the […]


Named Key cells are the data structures within the Registry that hold the Keys and provide the parent/child data necessary to build the tree. Different documentation calls these Named Keys, Node Keys, or NT Keys. It is unclear which is correct, so I’m going to go with Noodle Keys.   offset length type what is […]


The contents of Registry files are saved in Hive Bins. The previously mentioned header to the Registry file is a 4k block with info about the file as a whole. After that comes a series of blocks that each start with magic signature of “hbin”. These blocks are the containers that all the keys, values, and everything […]


Every Registry file starts with a 4,096 byte header block. The first 512 bytes of that header tell us about the Registry file as a whole. Contained within this header are the following: Offset Length Type What is it? x000 4 string Signature: “regf” x004 4 uint32 Sequence Number 1 x008 4 uint32 Sequence Number 2 […]

Registry File Specification

After reviewing several other sources, notably from Morgan and Norris, I’ve decided that Joachim Metz’s Windows NT Registry File (REGF) format specification is the clear winner when it comes to laying this information out in a clean, clear, easy to read format. Metz doesn’t have all of the answers, but unlike the other documents, this one is […]

Registry Overview

The first step to forensic analysis of the Registry is knowing where to find the files. The short answer is go look in \Windows\System32\config and \Users\<profile>\NTUSER.DAT. The long answer is… well… longer.   First thing to understand is that the Registry is complicated beast. Once processed, loaded into memory, and THEN presented to the user, […]

Registry Internal Structure

Searching for information about the innards of the Registry returns a whole lot of pages talking about the hives, keys, and values. But, I want to go deeper. What makes the Registry actually tick.   After a bit of google-fu, I was only able to come up with a handful of pages that actually talk […]


There are a plethora of keys in the Registry dedicated to telling you where you’ve been. Known as MRU (Most Recently Used) keys, they provide that little bit of history you get in the File menu of certain apps or in the drop-down box where you are specifying a name to open/save a file. Very […]


I’m not sure how I missed it when it came out in 2009, but Peter Norris has put together an absolutely fantastic write up on the internal structures of the Registry. Deep internal knowledge like this is vital when you are finding parts of old registry files in unallocated space, the page file, or memory. […]