Sunday, May 19, 2019

Windows 10 Specific Registry Keys

The registry is a fascinating place. It is often described as the heart of the OS: the store for system and application configuration, and, for the examiner, a record of what was installed, opened, typed and shared.

Because of new features, user-experience changes and the update model, Windows 10 has moved some of these registry locations and added new ones.

The list below is taken from a wonderful source of registry information, the DFIR Training site's "WINDOWS FORENSICS REGISTRY LIST":
https://www.dfir.training/resources/downloads/windows-registry

The Windows 10 specific registry keys from that list follow, as artifact name, then hive and key path. A trailing "/ name" is the value name under that key; "\\" marks a per-user, per-package or per-version subkey whose name varies from system to system.

App Information
UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.Microsoftedge\Microsoft.MicrosoftEdge_20.10240.16384.0_neutral__8wekyb3d8bbwe\MicrosoftEdge\Capabilities\FileAssociations

App Install Date/Time
UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Families\Microsoft.Microsoftedge_8wekyb3d8bbwe\Microsoft.MicrosoftEdge_20.10240.16384.0_neutral__8wekyb3d8bbwe / InstallTime

Camera App
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg&ls=0&b=0

Common Dialog
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\.vhd

Cortana Search
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com/search?q=

Cortana Search
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.&input=2&FORM=WNSBOX&cc=US&setlang=en-US&sbts= / 0

Disk Class Filter Driver stdcfltn
SYSTEM\ControlSet001\services\stdcfltn

Edge Browser Favorites, Edge Favorites
UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites / Order

Edge History Days to Keep
UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetSettings\Url History / DaysToKeep

Edge Typed URLs
UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs

Edge Typed URLs Time
UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsTime

Edge Typed URLs Visit Count
UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsVisitCount

EFS Attribute in File Explorer Green Color
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Favorites
UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\

File Access Windows Apps
UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\\PersistedStorageItemTable\ManagedByApp

History - Days to Keep (IE)
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Url History / DaysToKeep

Identity
settings.dat\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\

Identity Live Account
NTUSER\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Identities\

IE/Edge Auto Passwd
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

If hidden from timeline view, key is present
HKCU\Software\Microsoft\Windows\CurrentVersion\ActivityDataModel\ActivityAccountFilter\

Links a ConnectedDevicePlatform PlatformDeviceId to the name, type, etc of the device
HKCU\Software\Microsoft\Windows\CurrentVersion\TaskFlow\DeviceCache

Live Account ID
NTUSER.DAT\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Identities\_LiveId

Live Account ID
NTUSER.DAT\SOFTWARE\Microsoft\IdentityCRL\UserExtendedProperties\\ / cid

Live Account ID
NTUSER.DAT\SOFTWARE\Microsoft\AuthCookies\Live\Default\CAW / Id

Office Word OneDrive Sync Roaming Identities
NTUSER.DAT\Software\Microsoft\Office\\Common\Roaming\Identities\Settings\1133\\ListItems\\

OneDrive App Info
NTUSER.DAT\SOFTWARE\Microsoft\OneDrive

OneDrive User ID and Login URL
NTUSER.DAT\SOFTWARE\Microsoft\AuthCookies\Live\Default\CAW

OneDrive User ID Associated with User
NTUSER.DAT\SOFTWARE\Microsoft\IdentityCRL\UserExtendedProperties\\ / cid

OneDrive User ID, Live ID
NTUSER.DAT\SOFTWARE\Microsoft\Office\\Common\Identity\Identities\_LiveId

OneNote User Information
Settings.dat\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\_LiveId

Password Face Enabled (Windows Hello face sign-in)
SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\FaceLogon\

Photos App Associated User
Settings.dat\LocalState\OD\

Place MRU
NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\User MRU\LiveId#>\Place MRU

Reading Locations
NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\Reading Locations

Recent Docs
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.&input=

RecentApps
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps

RecentDocs
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

RecentDocs
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.iso

RecentDocs
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.vhd

RecentDocs for .jpg
NTUSER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg

RecentDocs for .jpg
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg&ls=0&b=0

Recycle Bin Info
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\

Regedit Last Key Saved
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey

Register.com search
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts / .com

Roaming Identities (1125 PowerPoint, 1133 Word, 1141 Excel)
NTUSER.DAT\SOFTWARE\Microsoft\Office\15.0\Common\Roaming\Identities\\

Run subkey - Active
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run / OneDrive

Sharing MFU (data shared to e-mail, shared photos)
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharingMFU

Shell Bags
NTUSER.DAT\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop

Skype App Install
HKEY_CLASSES_ROOT\ActivatableClasses\Package\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c

Skype Assoc. Files 1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-skype

Skype Assoc. Files 2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.skype

Skype Assoc. Files 3
HKEY_CURRENT_USER\SOFTWARE\Classes\.skype

Skype Assoc. Files 4
HKEY_CLASSES_ROOT\.skype

Skype Install Path
HKEY_CURRENT_USER\SOFTWARE\Skype\Phone

Skype Installation
HKEY_CLASSES_ROOT\AppX(RandomValue)

Skype Language
HKEY_CURRENT_USER\SOFTWARE\Skype\Phone\UI\General

Skype Process Name
HKEY_LOCAL_MACHINE\SOFTWARE\IM Providers\Skype

Skype Update App ID
HKEY_CLASSES_ROOT\AppID\{27E6D007-EE3B-4FF7-8AE8-28EF0739124C}

Skype User List
HKEY_CURRENT_USER\SOFTWARE\Skype\Phone\Users\

Skype Version 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\(UID)\(UID)

Skype Version 2
HKEY_CLASSES_ROOT\Installer\Products\74A569CF9384AC046B81814F680F246C

TaskBar Application List
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband / FavoritesResolve

Trusted Documents
NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\Security\Trusted Documents\TrustRecords

Trusted Locations
NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\Security\Trusted Locations

TypedURLs (IE; the "TypedURLs Hyperlink" artifact is this same key, and the Edge equivalents are listed above under Edge Typed URLs)
NTUSER.DAT\SOFTWARE\Microsoft\Internet Explorer\TypedURLs

TypedURLsTime (IE; one 8-byte FILETIME per url<N> value)
NTUSER.DAT\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime

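The TypedURLs, TypedURLsTime and TypedURLsVisitCount keys only tell a story when read together: all three use the value names url1, url2, ... and url1 is the most recently typed entry. The script below is an added example (my code, not from the original post or the DFIR Training list). It parses a reg.exe export of those keys, joins the three by slot and decodes the 8-byte FILETIME stamps, keeping a slot whose time or count is missing rather than dropping it. The embedded export is constructed: its URLs, timestamps and counts are invented, the assumption that TypedURLsVisitCount holds REG_DWORD values is mine, and parse_reg_export, correlate_typed_urls and IE_BASE are names I chose.

```python
import re
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-ns ticks since 1601-01-01 00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw):
    """Decode a little-endian 8-byte FILETIME; all-zero means 'never' and gives None."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be 8 bytes, got %d" % len(raw))
    ticks = int.from_bytes(raw, "little")
    return None if ticks == 0 else _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def _unescape(s):
    """Undo .reg string escaping (reg.exe backslash-escapes backslash and double quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Minimal 'Windows Registry Editor Version 5.00' parser.

    Returns {key_path: {value_name: (reg_type, data)}} for REG_SZ ("..."), REG_DWORD
    (dword:) and REG_BINARY (hex:); other types and '@=' defaults are skipped.
    """
    # reg.exe wraps long hex values with a trailing ',\' and an indented
    # continuation line; re-join those before going line by line.
    text = re.sub(r",\\\r?\n[ \t]*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("REG_SZ", _unescape(data[1:-1]))
        elif data.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(data[6:], 16))
        elif data.startswith("hex:"):
            keys[current][name] = ("REG_BINARY", bytes.fromhex(data[4:].replace(",", "")))
    return keys


def correlate_typed_urls(keys, base):
    """Join url<N> across base\\TypedURLs, \\TypedURLsTime and \\TypedURLsVisitCount.

    Rows are sorted by slot (url1 is the most recently typed). A slot whose time or
    count is missing or malformed keeps None: the three keys are maintained separately
    and do drift apart, and dropping the row would hide the URL itself.
    """
    urls = keys.get(base + "\\TypedURLs", {})
    times = keys.get(base + "\\TypedURLsTime", {})
    counts = keys.get(base + "\\TypedURLsVisitCount", {})
    rows = []
    for name, (vtype, url) in urls.items():
        m = re.fullmatch(r"url(\d+)", name)
        if not m or vtype != "REG_SZ":
            continue
        t, c = times.get(name), counts.get(name)
        stamp = filetime_to_datetime(t[1]) if t and t[0] == "REG_BINARY" and len(t[1]) == 8 else None
        rows.append({
            "slot": int(m.group(1)),
            "url": url,
            "last_typed": stamp,
            "visits": c[1] if c and c[0] == "REG_DWORD" else None,
        })
    return sorted(rows, key=lambda r: r["slot"])


IE_BASE = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer"

# Constructed sample (not from a real system) in the shape that
#   reg export "HKCU\Software\Microsoft\Internet Explorer" ie.reg
# produces, cut down to the three keys. url1's FILETIME is 2019-05-19 12:00:00 UTC,
# wrapped the way reg.exe wraps values; url2 carries a zero FILETIME; url3 has no
# time or count entry at all. REG_DWORD for the visit count is an assumption.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="https://www.dfir.training/"
"url2"="https://docs.microsoft.com/en-us/windows/desktop/SysInfo/registry-hives"
"url3"="file:///C:/Users/analyst/Desktop/evidence.vhd"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLsTime]
"url1"=hex:00,a0,74,62,\
  3a,0e,d5,01
"url2"=hex:00,00,00,00,00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLsVisitCount]
"url1"=dword:00000007
"url2"=dword:00000001
'''


def sample_timeline():
    """Correlate the constructed sample; returns the joined rows."""
    return correlate_typed_urls(parse_reg_export(SAMPLE_REG), IE_BASE)


if __name__ == "__main__":
    for row in sample_timeline():
        when = row["last_typed"].isoformat() if row["last_typed"] else "n/a"
        print("url%-2d %-25s visits=%-4s %s" % (row["slot"], when, row["visits"], row["url"]))
```

On a live system, reg export "HKCU\Software\Microsoft\Internet Explorer" ie.reg writes a UTF-16 file; read it with open("ie.reg", encoding="utf-16") and hand the text to parse_reg_export. For an offline NTUSER.DAT, load it first (reg load HKU\evidence C:\case\NTUSER.DAT, as administrator), export from under HKU\evidence, and set base to the HKEY_USERS\evidence\... path the export then contains. For Edge, point base at the MicrosoftEdge key listed above under Edge Typed URLs (on a live system it sits under HKCU\Software\Classes\Local Settings\...).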
References:
Shavers, B. (2019, February 12). Windows Registry. DFIR Training. Retrieved from https://www.dfir.training/resources/downloads/windows-registry

Microsoft. Registry Hives (Windows applications). Retrieved from https://docs.microsoft.com/en-us/windows/desktop/SysInfo/registry-hives