National Cyber Warfare Foundation (NCWF)

Digital Forensics: Registry Analysis for Beginners, Part 2 System Information and Basic Persistence


2026-01-29 14:38:39
milo
Red Team (CNA)
The most important Windows Registry locations used to quickly understand a system’s identity, configuration, networks, and persistence mechanisms.

Welcome back, aspiring digital investigators!





In this second chapter of our beginner-friendly Windows Registry series, we are going to walk through the parts of the registry that reveal essential details about a system. This includes information about the operating system version, the active control set, the machine’s name, its time zone, the networks it interacted with, programs set to run automatically, services installed on the machine, and the system accounts stored in the SAM hive. These areas give you the ability to perform a quick triage of a Windows device without waiting for heavier ingestion tools to process everything. With just the hives in front of you, you can already build a surprisingly clear picture of the system you are investigating.





Before we begin exploring the keys themselves, let’s settle on the tools we will rely on.





Tools





Investigators have many registry tools available today, both free and commercial. For our purposes, we will focus on two widely trusted tools that complement each other: Registry Explorer and RegRipper.





Registry Explorer





Registry Explorer comes from Eric Zimmerman's collection of forensic tools, a suite that has become a staple in digital forensics labs and classrooms around the world. This program lets you explore registry hives in a structured way, while also reconstructing information from the transaction logs (the .LOG1 and .LOG2 files that sit next to each hive). This matters because Windows writes changes to those logs before committing them to the hive itself, so a tool that reads only the hive file may miss modifications that are still waiting inside the logs. Registry Explorer replays the logs against the hive so you see the complete state of the registry as it existed on disk, and it warns you when a hive is "dirty" (has log entries that have not yet been committed).





registry explorer for registry forensics




At first glance the interface can feel busy, but it becomes intuitive once you start navigating the keys you are looking for. Zimmerman included a helpful system of bookmarks that point to commonly important locations inside different hives. If you load the SYSTEM hive, for example, you will see bookmarks specifically built for that hive. The same applies for SOFTWARE and NTUSER.DAT. If you launch the tool with administrator rights on your own machine, you can even inspect your live system’s hives, though this is mainly for training rather than evidence collection.





RegRipper





RegRipper is one of the earliest and most established command-line tools for registry analysis. It uses small plug-ins to pull out meaningful values from the registry quickly, which makes it excellent for triage or automation. It is widely used in forensic labs because of its speed and its ability to provide focused summaries rather than raw browsing.





regripper for registry forensics




However, RegRipper does not merge or interpret the transaction logs the way Registry Explorer does. That means if the hive still has uncommitted changes in its .LOG1/.LOG2 files, the data RegRipper outputs may not reflect the true last state of the system. For this reason, analysts often first open the hives in Registry Explorer, allow the tool to apply the transaction logs, save the updated ("clean") hive, and only then run RegRipper against that copy. This workflow gives speed without sacrificing accuracy.
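To decide whether a hive needs its transaction logs replayed before you run RegRipper, you can read the hive's own base block rather than guessing. The first 512 bytes of every hive file carry a "regf" signature, two sequence numbers (the primary is incremented before a write and the secondary after it, so a mismatch means uncommitted log data), the last-written FILETIME, and a checksum. The script below is an added example written for this article, not part of Registry Explorer, RegRipper or the original post; the header it builds is constructed for illustration and is not a real SYSTEM hive.

```python
import struct
import sys
from datetime import datetime, timedelta, timezone

REGF_BASE_BLOCK = 512            # fields and checksum live in the first 512 bytes of a hive
UNIX_EPOCH_AS_FILETIME = 116444736000000000


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def regf_checksum(base_block: bytes) -> int:
    """XOR-32 over the first 508 bytes, with the two special cases Windows applies."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        xor ^= dword
    if xor == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if xor == 0:
        return 1
    return xor


def parse_regf_header(data: bytes) -> dict:
    """Decode the base block of an offline hive and report whether it is dirty."""
    if len(data) < REGF_BASE_BLOCK or data[:4] != b"regf":
        raise ValueError("not a REGF hive: bad signature or truncated base block")
    primary_seq, secondary_seq, last_written = struct.unpack_from("<IIQ", data, 4)
    major, minor, file_type = struct.unpack_from("<III", data, 20)
    root_cell, hbins_size = struct.unpack_from("<II", data, 36)
    embedded_name = data[48:112].decode("utf-16-le", "replace").split("\x00", 1)[0]
    stored_checksum = struct.unpack_from("<I", data, 508)[0]
    return {
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        # Unequal sequence numbers: changes still live only in .LOG1/.LOG2
        "dirty": primary_seq != secondary_seq,
        "last_written_utc": filetime_to_datetime(last_written),
        "format_version": f"{major}.{minor}",
        "file_type": file_type,             # 0 = primary hive file
        "root_cell_offset": root_cell,      # relative to the first hbin at file offset 0x1000
        "hbins_size": hbins_size,
        "embedded_name": embedded_name,     # tail of the hive's own path, UTF-16LE
        "checksum_ok": stored_checksum == regf_checksum(data),
    }


def is_dirty(data: bytes) -> bool:
    return parse_regf_header(data)["dirty"]


def build_sample_hive_header(primary_seq: int, secondary_seq: int) -> bytes:
    """Constructed base block for illustration only; not taken from a real system."""
    hdr = bytearray(REGF_BASE_BLOCK)
    hdr[0:4] = b"regf"
    written = UNIX_EPOCH_AS_FILETIME + 1609459200 * 10_000_000   # 2021-01-01 00:00:00 UTC
    struct.pack_into("<IIQ", hdr, 4, primary_seq, secondary_seq, written)
    struct.pack_into("<IIII", hdr, 20, 1, 5, 0, 1)   # major 1, minor 5, primary file, format 1
    struct.pack_into("<II", hdr, 36, 0x20, 0x1000)   # root cell offset, size of all hbins
    hdr[48:112] = "System32\\config\\SYSTEM".encode("utf-16-le").ljust(64, b"\x00")
    struct.pack_into("<I", hdr, 508, regf_checksum(hdr))
    return bytes(hdr)


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # python regf_check.py SYSTEM
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read(REGF_BASE_BLOCK)
    else:                                      # no path given: use the constructed header
        blob = build_sample_hive_header(primary_seq=42, secondary_seq=41)
    info = parse_regf_header(blob)
    for key, value in info.items():
        print(f"{key:>18}: {value}")
    if info["dirty"]:
        print("hive is dirty: replay .LOG1/.LOG2 (for example in Registry Explorer) before RegRipper")
```

Run it against an exported SYSTEM, SOFTWARE, SAM or NTUSER.DAT file; a dirty result or a failed checksum is your cue to let Registry Explorer apply the logs and save a clean copy first.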





Exploring the Registry





Now the real journey begins. The Windows Registry contains countless locations filled with forensic artifacts, but for beginners, focusing on the core system information helps build confidence and analytical structure. As you go through each area, make notes of the full paths of keys you want to remember. Over time, you will memorize many of them, but for now, feel free to come back to this article when needed.





Current OS Version





The operating system version gives you valuable context about the machine you are analyzing. Different versions of Windows store artifacts in slightly different places, support different features, and have distinct vulnerabilities that may be relevant to your case.





You can locate this information by opening:





SOFTWARE\Microsoft\Windows NT\CurrentVersion




registry forensics finding the os version




Here you will find values such as ProductName, EditionID, CurrentBuild and CurrentVersion. In our example, the machine reports Windows 8.1 Pro with a Professional edition. One caveat for newer systems: Windows 11 still writes "Windows 10 ..." into ProductName, so rely on CurrentBuild (22000 and above is Windows 11) together with DisplayVersion or ReleaseId rather than on the product name alone. The InstallDate value in the same key, a Unix timestamp, tells you when this installation was set up.





Current Control Set





In simple terms, the Current Control Set represents the version of the system configuration that Windows successfully used to start the machine. Windows stores multiple control sets, each containing configuration data governing how the system boots and which services load. These are named ControlSet001, ControlSet002, and so on. Only one of them is active at a time, and the active one is known as the CurrentControlSet. When analysts examine it, they are essentially looking at how the system was set up during its most recent working boot, which services were allowed to run, which drivers were loaded, and what the system trusted enough to start automatically.





You can view the available sets here:





SYSTEM\ControlSet001
SYSTEM\ControlSet002




registry forensics finding the controlset




To find which one is actually in use, inspect:





SYSTEM\Select\Current




registry forensics finding the current  controlset




If the value is 1, it indicates that ControlSet001 is active. Default shows the set Windows will use at the next boot, LastKnownGood identifies the configuration the system relied on during the last successful boot, and Failed records a set that did not boot (0 if none). These details become helpful when an attacker tries to modify startup behavior, service loading, or driver configuration. One practical point for offline analysis: CurrentControlSet is a symbolic link that exists only in the live registry. In an exported SYSTEM hive you will not find it, so wherever a path below says CurrentControlSet, substitute the ControlSet00X named by Select\Current (Registry Explorer's bookmarks already do this for you).





Computer Name





Sometimes you simply need to confirm the machine’s name. This may be relevant when correlating events across logs, identifying which system communicated on the network, or linking physical and virtual devices.





You can find the computer name here:





SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName




registry forensics finding the computer name




In our case, the machine identifies itself as WIN8. This detail usually appears in the final report under basic system information.





Time Zone Information





Time accuracy matters in forensics. If you don’t know the system’s time zone, you cannot reliably reconstruct the sequence of events. Timestamps that appear inconsistent or impossible often become perfectly logical once the correct time zone is factored in.





The time zone data is stored here. The values to note are TimeZoneKeyName, StandardName, Bias and ActiveTimeBias. The bias values are minutes to add to local time to obtain UTC, so US Eastern standard time is 300 while Central European time is -60; because REG_DWORD is unsigned, a negative bias shows up as a large number such as 0xFFFFFFC4. ActiveTimeBias is the offset that was in force when the hive was last updated, which is the one to use when converting artifacts recorded in local time:





SYSTEM\CurrentControlSet\Control\TimeZoneInformation




registry forensics finding the timezone information
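The following is an added example, not code from the original article, showing how to interpret those values in Python and how to move timestamps between local time and UTC. Registry key LastWrite times and FILETIME values are already UTC; the conversion matters for artifacts Windows records in local time, such as the NetworkList connection dates covered later. The two sample value sets are constructed to illustrate the signed-DWORD issue and are not from a real system.

```python
from datetime import datetime, timedelta, timezone


def signed_dword(value: int) -> int:
    """REG_DWORD is unsigned on disk; the Bias fields are signed 32-bit minutes."""
    return value - (1 << 32) if value & 0x80000000 else value


def parse_timezone_information(values: dict) -> dict:
    """Interpret the values under SYSTEM\\ControlSet00X\\Control\\TimeZoneInformation."""
    bias = signed_dword(values["Bias"])               # standard-time offset: UTC = local + Bias
    active = signed_dword(values["ActiveTimeBias"])   # offset in force at the last hive update
    return {
        "key_name": values.get("TimeZoneKeyName", ""),
        "standard_name": values.get("StandardName", ""),
        "bias_min": bias,
        "active_bias_min": active,
        "dst_in_effect": active != bias,              # DaylightBias has been applied
        # Python's tzinfo offset is local minus UTC, the opposite sign of the registry bias
        "local_tz": timezone(timedelta(minutes=-active)),
    }


def _as_datetime(value):
    """Accept ISO-8601 strings (as exported by most tools) as well as datetime objects."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def local_to_utc(local_naive, active_bias_min: int) -> datetime:
    """For artifacts stored in local time: add the bias to get UTC."""
    return (_as_datetime(local_naive) + timedelta(minutes=active_bias_min)).replace(tzinfo=timezone.utc)


def utc_to_local(utc_dt, active_bias_min: int) -> datetime:
    """For UTC artifacts (key LastWrite, FILETIME): show them as the machine's clock did."""
    dt = _as_datetime(utc_dt)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone(timedelta(minutes=-active_bias_min)))


def filetime_to_utc(ft: int) -> datetime:
    """FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


# Constructed sample value sets: a US Eastern machine in winter, a Central European one in summer.
SAMPLE_EASTERN_WINTER = {"TimeZoneKeyName": "Eastern Standard Time", "Bias": 300,
                         "ActiveTimeBias": 300, "DaylightBias": 0xFFFFFFC4}
SAMPLE_CET_SUMMER = {"TimeZoneKeyName": "W. Europe Standard Time", "Bias": 0xFFFFFFC4,
                     "ActiveTimeBias": 0xFFFFFF88, "DaylightBias": 0xFFFFFFC4}

if __name__ == "__main__":
    for sample in (SAMPLE_EASTERN_WINTER, SAMPLE_CET_SUMMER):
        tz = parse_timezone_information(sample)
        print(f'{tz["key_name"]}: ActiveTimeBias {tz["active_bias_min"]} min, DST {tz["dst_in_effect"]}')
        print("  local 2024-07-01 12:00 ->", local_to_utc("2024-07-01T12:00:00", tz["active_bias_min"]))
        print("  UTC 2024-01-15 03:00   ->", utc_to_local("2024-01-15T03:00:00", tz["active_bias_min"]))
```

Feed the function the raw DWORDs exactly as Registry Explorer shows them; the sign handling is the part people get wrong, and a reversed sign silently shifts every local-time artifact by twice the offset.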




Network Interfaces and Past Networks





Network artifacts are extremely valuable because they reveal where the machine connected, what interfaces existed on the device, and details such as IP addresses, gateways, DHCP leases, and more. These details can help identify whether a system was connected to an attacker-controlled network, whether it accessed internal infrastructure, or whether it interacted with unknown or suspicious networks.





The first location you can explore is:





SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces




registry forensics finding the information on network interfaces




This section lists every network interface Windows knows about, including wireless interfaces, ethernet adapters, and virtual adapters. Each subkey is named by the adapter's GUID and holds values such as EnableDHCP, DhcpIPAddress, DhcpSubnetMask, DhcpServer, DhcpDefaultGateway and DhcpNameServer, plus LeaseObtainedTime and LeaseTerminatesTime, which are Unix epoch timestamps in UTC. Statically configured adapters use IPAddress, SubnetMask and DefaultGateway instead.





More historical network information is available here, in particular under the Profiles subkey, where each network the machine has joined gets its own GUID-named entry with ProfileName, Description, NameType (0x06 wired, 0x17 VPN, 0x47 wireless), Category (0 public, 1 private, 2 domain), Managed, and two 16-byte SYSTEMTIME values, DateCreated and DateLastConnected, which are recorded in the machine's local time:





SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList




registry forensics finding information on historical network connections




And here:





SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed




registry forensics finding information on historical network connections




The Signatures entries complement the profiles: each one carries a ProfileGuid pointing back to the Profiles entry, along with Description, DnsSuffix, FirstNetwork and DefaultGatewayMac, the MAC address of the gateway seen on that network, which is often the most reliable way to tie a profile to a specific physical location. Together these keys allow you to rebuild a list of previously connected networks, even if the suspect cleaned the system logs.
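As an added example (not part of the original article, and not output of any of the tools above), the following Python joins NetworkList\Profiles with the Signatures entries through ProfileGuid and decodes the two timestamp formats involved: the SYSTEMTIME blobs of the profiles (local time) and the Unix epoch lease times of the Tcpip Interfaces key (UTC). The GUIDs, network names, MAC address and times are constructed for illustration; the Interfaces GUIDs are adapter GUIDs and do not correspond to profile GUIDs, so the script deliberately does not join the two.

```python
import struct
from datetime import datetime, timezone

NAME_TYPES = {0x06: "wired", 0x17: "VPN", 0x47: "wireless", 0xF3: "mobile broadband"}
CATEGORIES = {0: "public", 1: "private", 2: "domain"}


def decode_systemtime(blob: bytes) -> datetime:
    """16-byte SYSTEMTIME (DateCreated/DateLastConnected); stored in LOCAL time, returned naive."""
    year, month, _weekday, day, hour, minute, second, millis = struct.unpack("<8H", blob)
    return datetime(year, month, day, hour, minute, second, millis * 1000)


def decode_unix(ts: int) -> datetime:
    """LeaseObtainedTime/LeaseTerminatesTime are Unix epoch seconds (UTC)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def mac_string(blob: bytes) -> str:
    return ":".join(f"{b:02X}" for b in blob)


def network_history(profiles: dict, signatures: dict) -> list:
    """Join NetworkList\\Profiles with Signatures\\{Managed,Unmanaged} on ProfileGuid."""
    by_guid = {sig["ProfileGuid"]: sig for sig in signatures.values() if "ProfileGuid" in sig}
    rows = []
    for guid, prof in profiles.items():
        sig = by_guid.get(guid, {})
        name_type = prof.get("NameType", 0)
        rows.append({
            "guid": guid,
            "name": prof.get("ProfileName"),
            "type": NAME_TYPES.get(name_type, f"unknown(0x{name_type:X})"),
            "category": CATEGORIES.get(prof.get("Category"), "unknown"),
            "managed": bool(prof.get("Managed", 0)),
            "created_local": decode_systemtime(prof["DateCreated"]),
            "last_connected_local": decode_systemtime(prof["DateLastConnected"]),
            "gateway_mac": mac_string(sig["DefaultGatewayMac"]) if "DefaultGatewayMac" in sig else None,
            "dns_suffix": sig.get("DnsSuffix"),
        })
    return sorted(rows, key=lambda r: r["last_connected_local"], reverse=True)


def interface_leases(interfaces: dict) -> list:
    """Tcpip\\Parameters\\Interfaces\\{GUID}: last known address and lease per adapter."""
    rows = []
    for guid, iface in interfaces.items():
        if not iface.get("DhcpIPAddress") and not iface.get("IPAddress"):
            continue  # adapter exists but was never given an address
        rows.append({
            "guid": guid,
            "dhcp": bool(iface.get("EnableDHCP", 0)),
            "ip": iface.get("DhcpIPAddress") or iface["IPAddress"][0],
            "gateway": (iface.get("DhcpDefaultGateway") or iface.get("DefaultGateway") or [None])[0],
            "dhcp_server": iface.get("DhcpServer"),
            "lease_obtained_utc": decode_unix(iface["LeaseObtainedTime"]) if "LeaseObtainedTime" in iface else None,
            "lease_expires_utc": decode_unix(iface["LeaseTerminatesTime"]) if "LeaseTerminatesTime" in iface else None,
        })
    return rows


# Constructed sample data (invented GUIDs, names, MAC and times) in the shape the keys have on disk.
GUID_CAFE = "{11111111-1111-1111-1111-111111111111}"
GUID_CORP = "{22222222-2222-2222-2222-222222222222}"
SAMPLE_PROFILES = {
    GUID_CAFE: {"ProfileName": "CoffeeShop_Free", "NameType": 0x47, "Category": 0, "Managed": 0,
                "DateCreated": struct.pack("<8H", 2024, 3, 5, 15, 9, 42, 17, 250),      # Fri 2024-03-15
                "DateLastConnected": struct.pack("<8H", 2024, 3, 5, 15, 11, 5, 3, 0)},
    GUID_CORP: {"ProfileName": "corp.example", "NameType": 0x06, "Category": 2, "Managed": 1,
                "DateCreated": struct.pack("<8H", 2023, 11, 5, 3, 8, 0, 0, 0),
                "DateLastConnected": struct.pack("<8H", 2024, 3, 1, 4, 14, 17, 30, 0)},
}
SAMPLE_SIGNATURES = {
    "unmanaged-signature-1": {"ProfileGuid": GUID_CAFE, "Description": "CoffeeShop_Free",
                              "DnsSuffix": "<none>", "FirstNetwork": "CoffeeShop_Free",
                              "DefaultGatewayMac": bytes.fromhex("001A2B3C4D5E")},
    "managed-signature-1": {"ProfileGuid": GUID_CORP, "Description": "corp.example",
                            "DnsSuffix": "corp.example", "FirstNetwork": "corp.example",
                            "DefaultGatewayMac": bytes.fromhex("00505600A1B2")},
}
SAMPLE_INTERFACES = {
    "{33333333-3333-3333-3333-333333333333}": {"EnableDHCP": 1, "DhcpIPAddress": "192.168.1.37",
        "DhcpServer": "192.168.1.1", "DhcpDefaultGateway": ["192.168.1.1"],
        "LeaseObtainedTime": 1710495737, "LeaseTerminatesTime": 1710582137},
    "{44444444-4444-4444-4444-444444444444}": {"EnableDHCP": 1},   # adapter never configured
}

if __name__ == "__main__":
    for row in network_history(SAMPLE_PROFILES, SAMPLE_SIGNATURES):
        print(f'{row["last_connected_local"]} (local)  {row["name"]:<16} {row["type"]:<9} '
              f'{row["category"]:<8} gw {row["gateway_mac"]}  dns {row["dns_suffix"]}')
    for lease in interface_leases(SAMPLE_INTERFACES):
        print(f'{lease["guid"]} {lease["ip"]} via {lease["gateway"]} lease {lease["lease_obtained_utc"]} (UTC)')
```

Because the profile dates are local time and the lease times are UTC, apply the ActiveTimeBias from TimeZoneInformation to one side before lining them up on a timeline.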





Autostart





Autostart entries define programs that are launched automatically when Windows boots or when a user logs in. Attackers rely on autostart locations for persistence because it allows malware to run silently in the background.





There are system-wide autostart keys, stored in the SOFTWARE hive (on 64-bit Windows, check the WOW6432Node mirror of the same paths as well, for example SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run):





SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run




registry forensics finding autorun run and runonce system-wide entries




And there are user-specific autostarts inside the NTUSER.DAT hive:





NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce




registry forensics finding autorun run and runonce user entries




Run entries under the SOFTWARE hive start programs at every user logon, while those in NTUSER.DAT apply only to that user. RunOnce entries run a single time: Windows deletes the value before launching the command, so by the time you examine the hive the entry has usually gone and its absence proves nothing. Two name prefixes change that behavior and are worth knowing: a leading "!" defers deletion until the command has finished, and a leading "*" makes the entry run even in Safe Mode. Attackers may use either key depending on whether they want persistence or a one-time action. Because these locations are so common in intrusions, they should always be reviewed carefully.





Services





Windows services run in the background and often start automatically when the system boots. Many legitimate services exist, but attackers frequently create their own malicious services because this persistence technique is reliable.





You can review services here:





SYSTEM\CurrentControlSet\Services




registry forensics finding services




Each service has its own subkey. The Start value tells you when it loads: 0 (boot) and 1 (system) are used by drivers, 2 is automatic, 3 is manual, and 4 is disabled. The Type value distinguishes drivers (0x1 kernel, 0x2 file system) from user-mode services (0x10 own process, 0x20 shared process), ImagePath is the binary that runs, and ObjectName is the account it runs as. For services hosted in svchost.exe, the ImagePath is always the same system binary and the real code is the DLL named by ServiceDll under the service's Parameters subkey, so check that path too. A suspicious service that loads at boot or automatically may be part of an attacker's persistence chain; unusual paths, unquoted paths containing spaces, and a ServiceDll outside the Windows directory are the classic signs.
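Both the Run/RunOnce review and the services review come down to the same question, "what starts without anyone asking, and from where?", so the following added example (written for this article; not code from the original post or from any of the tools named above) triages both with one set of heuristics. It resolves the real ControlSet subkey from Select\Current for offline hives, decodes Start and Type, extracts the executable from a command line, decodes a PowerShell -EncodedCommand argument, and flags user-writable paths, LOLBin launchers, misplaced system binary names, svchost-hosted DLLs outside the Windows directory, and unquoted service paths. The Run entries and services at the bottom are constructed sample data with invented names and paths.

```python
import base64
import re

LOLBINS = {"rundll32", "regsvr32", "mshta", "wscript", "cscript", "powershell", "pwsh",
           "cmd", "msiexec", "certutil", "bitsadmin", "msbuild", "installutil"}
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services", "explorer"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads|\$Recycle\.Bin)\\", re.I)
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}
SERVICE_TYPES = {0x1: "kernel driver", 0x2: "file system driver", 0x10: "own process", 0x20: "shared process"}


def control_set_path(select_current: int) -> str:
    """An exported SYSTEM hive has no CurrentControlSet link; Select\\Current names the real subkey."""
    return f"SYSTEM\\ControlSet{select_current:03d}"


def in_windows_dir(path: str) -> bool:
    p = path.lower()   # heuristic: accepts expanded and unexpanded %SystemRoot% forms
    return any(m in p for m in ("%systemroot%", "%windir%", "\\windows\\", "\\system32\\"))


def executable_of(command: str) -> str:
    """First token of a Windows command line, honouring a leading quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def decode_encoded_powershell(command: str):
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None if absent/invalid."""
    match = re.search(r"-(?:enc(?:odedcommand)?|ec|e)\s+([A-Za-z0-9+/=]+)", command, re.I)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_autostart(location: str, name: str, command: str) -> dict:
    flags, exe = [], executable_of(command)
    base = exe.rsplit("\\", 1)[-1].lower().removesuffix(".exe")
    if base in LOLBINS:
        flags.append(f"LOLBin launcher: {base}")
    if base in SYSTEM_NAMES and not in_windows_dir(exe):
        flags.append("system binary name outside the Windows directory")
    if USER_WRITABLE.search(command):
        flags.append("executes from user-writable location")
    decoded = decode_encoded_powershell(command)
    if decoded is not None:
        flags.append(f"encoded PowerShell: {decoded!r}")
    if "runonce" in location.lower() and name.startswith(("!", "*")):
        flags.append("RunOnce prefix: '!' defers deletion until the command finishes, '*' also runs in Safe Mode")
    return {"location": location, "name": name, "command": command, "flags": flags}


def triage_service(name: str, values: dict) -> dict:
    flags, start = [], values.get("Start")
    image, dll = values.get("ImagePath", ""), values.get("ServiceDll")   # ServiceDll comes from Parameters
    if start in (0, 1, 2):                      # only services that load without user action
        if USER_WRITABLE.search(image):
            flags.append("auto-start binary in user-writable location")
        if dll and not in_windows_dir(dll):
            flags.append("svchost-hosted ServiceDll outside the Windows directory")
        unquoted = re.match(r'([^"]*?\.exe)', image, re.I)   # no match when the path is quoted
        if unquoted and " " in unquoted.group(1):
            flags.append("unquoted service path containing spaces")
    return {"name": name, "start": START_TYPES.get(start, f"unknown({start})"),
            "type": SERVICE_TYPES.get(values.get("Type", 0) & 0x3F, hex(values.get("Type", 0))),
            "image": image, "dll": dll, "account": values.get("ObjectName"), "flags": flags}


def triage_autostarts(entries: dict) -> list:
    results = [triage_autostart(loc, n, cmd) for loc, vals in entries.items() for n, cmd in vals.items()]
    return [r for r in results if r["flags"]]


def triage_services(select_current: int, services: dict) -> list:
    base, findings = control_set_path(select_current) + "\\Services\\", []
    for name, values in services.items():
        result = triage_service(name, values)
        if result["flags"]:
            findings.append({**result, "key": base + name})
    return findings


# Constructed sample data; every name and path here is invented for illustration.
SAMPLE_RUN_ENTRIES = {
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run": {
        "SecurityHealth": "%windir%\\system32\\SecurityHealthSystray.exe",
        "OneDriveUpdate": "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe -s"},
    "NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce": {
        "!cleanup": "powershell.exe -nop -w hidden -enc SQBFAFgA"},          # SQBFAFgA decodes to IEX
}
SAMPLE_SERVICES = {
    "Tcpip": {"Type": 0x1, "Start": 1, "ImagePath": "System32\\drivers\\tcpip.sys"},
    "wuauserv": {"Type": 0x20, "Start": 3, "ImagePath": "%SystemRoot%\\system32\\svchost.exe -k netsvcs -p",
                 "ServiceDll": "%SystemRoot%\\system32\\wuaueng.dll", "ObjectName": "LocalSystem"},
    "UpdSvc": {"Type": 0x10, "Start": 2, "ImagePath": "C:\\ProgramData\\Update Service\\updsvc.exe",
               "ObjectName": "LocalSystem"},
    "SysHelper": {"Type": 0x20, "Start": 2, "ImagePath": "%SystemRoot%\\System32\\svchost.exe -k netsvcs",
                  "ServiceDll": "C:\\Users\\Public\\syshelper.dll", "ObjectName": "LocalSystem"},
}

if __name__ == "__main__":
    for hit in triage_autostarts(SAMPLE_RUN_ENTRIES) + triage_services(1, SAMPLE_SERVICES):
        print(hit.get("key") or f'{hit["location"]}\\{hit["name"]}', "->", "; ".join(hit["flags"]))
```

The heuristics are deliberately simple and produce leads, not verdicts: a legitimate installer in ProgramData will trip the user-writable rule, and a Run entry that passes every check can still be malicious. Feed it the values you export from Registry Explorer (or the RegRipper soft_run, user_run and services plugins) and review each hit by hand.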





System Accounts





Local accounts stored in the SAM hive can reveal whether an attacker created new accounts, modified existing ones, or attempted to hide their presence. Hidden users, for example, do not appear on the lock screen but are still present in the SAM database and can be used for remote access; the usual way to hide one is a value named after the account, set to 0, under SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList, so compare the SAM's account list against that key.





You can examine accounts here:





SAM\Domains\Account\Users




registry forensics finding local user accounts




This hive contains a large amount of structured information, so you will need to expand it manually. Under Users, each account is a subkey named by its RID in hexadecimal (000001F4 is RID 500, the built-in Administrator; accounts created later start at 000003E8, RID 1000), and the Names subkey maps user names back to those RIDs. Each RID subkey holds two binary values: F, with the last logon, password-last-set and last-failed-logon FILETIMEs, the RID, the account control flags (disabled, password not required, password never expires), and the logon and failed-logon counters; and V, with the user name, full name and comment. Registry Explorer decodes both for you, and RegRipper's samparse plugin prints the same fields. As we demonstrated in previous articles discussing Sliver and AnyDesk persistence, attackers frequently create hidden accounts by editing the registry to maintain access. The SAM hive helps expose these accounts.
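To show what sits inside those F and V values, here is an added example (written for this article; not code from the original post, Registry Explorer or RegRipper) that parses the documented fixed offsets of F and the offset/length table of V, decodes the account control flags, and applies a few first-pass checks: a renamed RID 500, a name ending in "$", an entry in SpecialAccounts\UserList, the password-not-required flag, and an account with a password set but no recorded logon. The three accounts at the bottom are constructed from those same layouts for illustration and are not a real SAM.

```python
import struct
from datetime import datetime, timedelta, timezone

V_BASE = 0xCC                      # string data in V is addressed relative to this offset
NEVER = 0x7FFFFFFFFFFFFFFF         # FILETIME meaning "never" (account expiry)
ACB_FLAGS = {
    0x0001: "disabled", 0x0002: "home directory required", 0x0004: "password not required",
    0x0008: "temporary duplicate", 0x0010: "normal account", 0x0020: "MNS logon",
    0x0040: "interdomain trust", 0x0080: "workstation trust", 0x0100: "server trust",
    0x0200: "password never expires", 0x0400: "auto-locked",
}


def filetime(ft: int):
    if ft in (0, NEVER):
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_f(f: bytes) -> dict:
    """Fixed-offset fields of the F value; all timestamps are FILETIME in UTC."""
    return {
        "last_logon": filetime(struct.unpack_from("<Q", f, 0x08)[0]),
        "password_last_set": filetime(struct.unpack_from("<Q", f, 0x18)[0]),
        "account_expires": filetime(struct.unpack_from("<Q", f, 0x20)[0]),
        "last_failed_logon": filetime(struct.unpack_from("<Q", f, 0x28)[0]),
        "rid": struct.unpack_from("<I", f, 0x30)[0],
        "acb": struct.unpack_from("<H", f, 0x38)[0],
        "failed_logons": struct.unpack_from("<H", f, 0x40)[0],
        "logon_count": struct.unpack_from("<H", f, 0x42)[0],
    }


def v_string(v: bytes, slot: int) -> str:
    """Each V header slot is (offset, length); the string is UTF-16LE at V_BASE + offset."""
    offset, length = struct.unpack_from("<II", v, slot)
    return v[V_BASE + offset:V_BASE + offset + length].decode("utf-16-le")


def parse_v(v: bytes) -> dict:
    return {"username": v_string(v, 0x0C), "full_name": v_string(v, 0x18), "comment": v_string(v, 0x24)}


def account_findings(user: dict, hidden_userlist: dict) -> list:
    findings = []
    if user["rid"] == 500 and user["username"].lower() != "administrator":
        findings.append("built-in Administrator (RID 500) has been renamed")
    if user["username"].endswith("$"):
        findings.append("name ends in '$', a common convention for accounts meant to go unnoticed")
    if hidden_userlist.get(user["username"]) == 0:
        findings.append("hidden from the logon screen via SpecialAccounts\\UserList")
    if user["acb"] & 0x0004:
        findings.append("password not required")
    if user["rid"] >= 1000 and user["last_logon"] is None and user["password_last_set"]:
        findings.append("password set but no successful logon recorded")
    return findings


def parse_users(users_key: dict, hidden_userlist: dict = None) -> list:
    """users_key maps RID subkey names (hex, e.g. '000001F4') to their F and V values."""
    hidden_userlist = hidden_userlist or {}
    out = []
    for subkey, values in users_key.items():
        user = {"subkey": subkey, "rid_from_name": int(subkey, 16)}
        user.update(parse_f(values["F"]))
        user.update(parse_v(values["V"]))
        user["flags"] = [text for bit, text in ACB_FLAGS.items() if user["acb"] & bit]
        user["findings"] = account_findings(user, hidden_userlist)
        out.append(user)
    return sorted(out, key=lambda u: u["rid"])


def _ft(unix_seconds: int) -> int:
    return 116444736000000000 + unix_seconds * 10_000_000


def build_sample_f(rid, acb, last_logon, pw_set, logon_count, failed=0) -> bytes:
    """Constructed F value carrying only the fields parsed above; not from a real SAM."""
    f = bytearray(0x50)
    struct.pack_into("<Q", f, 0x08, last_logon)
    struct.pack_into("<Q", f, 0x18, pw_set)
    struct.pack_into("<Q", f, 0x20, NEVER)
    struct.pack_into("<I", f, 0x30, rid)
    struct.pack_into("<H", f, 0x38, acb)
    struct.pack_into("<HH", f, 0x40, failed, logon_count)
    return bytes(f)


def build_sample_v(username, full_name="", comment="") -> bytes:
    """Constructed V value: header slots point at UTF-16LE strings appended after V_BASE."""
    header, data = bytearray(V_BASE), b""
    for slot, text in ((0x0C, username), (0x18, full_name), (0x24, comment)):
        encoded = text.encode("utf-16-le")
        struct.pack_into("<II", header, slot, len(data), len(encoded))
        data += encoded
    return bytes(header) + data


SAMPLE_USERS = {   # invented accounts: disabled built-in admin, a normal user, a hidden extra account
    "000001F4": {"F": build_sample_f(500, 0x0211, _ft(1709900000), _ft(1700000000), 42),
                 "V": build_sample_v("Administrator", "", "Built-in account for administering the computer")},
    "000003E9": {"F": build_sample_f(1001, 0x0210, _ft(1710400000), _ft(1705000000), 137, failed=2),
                 "V": build_sample_v("bob", "Bob Example")},
    "000003EA": {"F": build_sample_f(1002, 0x0214, 0, _ft(1710450000), 0),
                 "V": build_sample_v("support$")},
}
SAMPLE_USERLIST = {"support$": 0}   # SOFTWARE\...\Winlogon\SpecialAccounts\UserList, constructed

if __name__ == "__main__":
    for u in parse_users(SAMPLE_USERS, SAMPLE_USERLIST):
        print(f'{u["rid"]:>5} {u["username"]:<14} logons={u["logon_count"]:<4} last={u["last_logon"]} '
              f'pwset={u["password_last_set"]} [{", ".join(u["flags"])}]')
        for finding in u["findings"]:
            print("       !", finding)
```

The password-last-set time is often the closest thing you get to an account creation time in the SAM; pair it with the LastWrite time of the RID subkey and with Security event 4720 if the event logs survived.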





Summary





We covered the foundational system information that every beginner forensic analyst should be comfortable retrieving. Understanding the operating system version, the control sets, the machine’s time settings, its networks, autostart entries, services, and accounts gives you a clear snapshot of the system in front of you. In the next part of our series, we will examine evidence of execution, USB devices that were connected to the system, folder and share usage, and records of files opened by users. These artifacts will help you piece together activity on the machine and trace what happened before, during, and after an incident.



Source: HackersArise
Source Link: https://hackers-arise.com/digital-forensics-registry-analysis-for-beginners-part-2-system-information-and-basic-persistence/





Copyright 2012 through 2026 - National Cyber Warfare Foundation - All rights reserved worldwide.