What is the Windows Registry?
The Windows Registry holds the configuration settings and information for the software, hardware and security of a Windows operating system.
The Registry is automatically updated in the background whilst the system operates and most users would be unaware of its existence within hidden system folders.
System settings can be changed through the normal Windows user interface as a standard user. It is also possible to access the Windows Registry directly using the Registry Editor application that is built into Windows by default. Parts of the Registry can be exported from this application by right-clicking any key within it and selecting Export.
What Files Form the Windows Registry?
The Registry is made up of different areas that are normally referred to as ‘hives’ and have the prefix ‘HKEY’. On disk, each database is a file located within the System32/Config/ directory on a Windows NTFS based system; the files are named SOFTWARE, SYSTEM, SECURITY, SAM and DEFAULT. The NTUSER.DAT file is located within each user profile folder.
The SAM file relates to HKEY_LOCAL_MACHINE\SAM, the SECURITY file relates to HKEY_LOCAL_MACHINE\SECURITY, SOFTWARE to HKEY_LOCAL_MACHINE\SOFTWARE, SYSTEM to HKEY_LOCAL_MACHINE\SYSTEM and DEFAULT to HKEY_USERS\.DEFAULT. The NTUSER.DAT file relates to the hive HKEY_CURRENT_USER.
The registry is made up of different keys that contain values. Those values are normally made up of the following types:
Binary – REG_BINARY – Displayed in hexadecimal format within the registry;
DWORD – REG_DWORD – Displayed as a 4 byte long number;
String Value – REG_SZ – A text string;
QWORD – REG_QWORD – Displayed as a binary value.
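The following Python is an added example, not code from the original page or from Athena Forensics: it parses the text of a key exported from Registry Editor, decodes the four value types listed above, and maps a key path back to the hive file that backs it. The `dword:`, `hex:` and `hex(b):` prefixes are Registry Editor's export syntax rather than something this page describes; the function names and the sample key are constructed for illustration.

```python
import re

HIVE_FILES = {  # hive file -> registry path it backs, as listed in the text
    "SAM": r"HKEY_LOCAL_MACHINE\SAM", "SECURITY": r"HKEY_LOCAL_MACHINE\SECURITY",
    "SOFTWARE": r"HKEY_LOCAL_MACHINE\SOFTWARE", "SYSTEM": r"HKEY_LOCAL_MACHINE\SYSTEM",
    "DEFAULT": r"HKEY_USERS\.DEFAULT", "NTUSER.DAT": "HKEY_CURRENT_USER",
}
UNESCAPE = re.compile(r"\\(.)")  # exported strings escape backslash and quote

def source_hive(key_path):
    """Name the hive file behind a key path, or None if it is not listed above."""
    key = key_path.upper()
    return next((f for f, root in HIVE_FILES.items()
                 if key == root or key.startswith(root + "\\")), None)

def decode_value(raw):
    """Decode the right-hand side of an exported value into (type, value)."""
    if raw.startswith('"'):                    # quoted text
        return "REG_SZ", UNESCAPE.sub(r"\1", raw[1:-1])
    if raw.startswith("dword:"):               # 8 hex digits = 4-byte number
        return "REG_DWORD", int(raw[6:], 16)
    kind, _, body = raw.partition(":")
    data = bytes.fromhex(body.replace(",", ""))
    if kind == "hex(b)":                       # 8 bytes, little-endian
        return "REG_QWORD", int.from_bytes(data, "little")
    return ("REG_BINARY" if kind == "hex" else kind), data

def parse_reg(text):
    """Parse Registry Editor export text into {key: {name: (type, value)}}."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join continued hex lines
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'(?:@|"((?:[^"\\]|\\.)*)")=(.+)$', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif m and current is not None:
            name = "(Default)" if m.group(1) is None else UNESCAPE.sub(r"\1", m.group(1))
            current[name] = decode_value(m.group(2))
    return keys

# Constructed sample export; key and value names are made up for illustration.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleApp]
"InstallPath"="C:\\Program Files\\ExampleApp"
"RunCount"=dword:0000002a
"Blob"=hex:de,ad,be,\
  ef
"LastRun"=hex(b):00,80,3e,d5,de,b1,9d,01
'''
```

Files exported by Registry Editor in this format are UTF-16 encoded, so read a real export with `open(path, encoding="utf-16")` before passing its text to `parse_reg`.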
About Athena Forensics
For information on our digital forensic services or if you require any advice or assistance please contact a member of our team on 0330 123 4448 or via email on firstname.lastname@example.org, further details are available on our contact us page.
Our client’s confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensic investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.