HKLM\SYSTEM - ComputerName
HKLM\SOFTWARE - CurrentVersion
HKLM\SECURITY - Policy
HKLM\SOFTWARE - ProfileList
HKLM\SAM - Users
HKLM\SYSTEM - TimeZoneInformation
HKLM\SYSTEM - Select
HKLM\SYSTEM - Interfaces
HKLM\SOFTWARE - NetworkList
HKLM\SYSTEM - LanmanServer\Shares
HKLM\SYSTEM - FirewallPolicy
HKLM\SOFTWARE & NTUSER - App Paths
HKLM\SOFTWARE & NTUSER - Uninstall
ComputerName
| Hive | Description | Location |
| --- | --- | --- |
| HKLM\SYSTEM | Name of the computer. | File: %SystemRoot%\System32\config\SYSTEM<br>Registry key: HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName |
CurrentVersion
| Hive | Description | Location |
| --- | --- | --- |
| HKLM\SOFTWARE | Version and Service Pack number of the Windows operating system. | File: %SystemRoot%\System32\config\SOFTWARE<br>Registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion (ProductName value) |
Security - Policy
| Hive | Description | Location |
| --- | --- | --- |
| HKLM\SECURITY | Basic information on the system:<br>- Computer name and SID.<br>- Computer's domain and domain SID (for domain-joined hosts). | File: %SystemRoot%\System32\config\SECURITY<br>Registry keys under HKLM\SECURITY\Policy:<br>- PolAcDmN: computer name<br>- PolAcDmS: computer SID<br>- PolDnDDN: computer's domain name<br>- PolPrDmS: computer's domain SID |
ProfileList
| Hive | Description | Location |
| --- | --- | --- |
| HKLM\SOFTWARE | SID to user profile folder correspondence for both local and domain accounts that have interactively logged on to the system. Each account is referenced by a dedicated subkey under ProfileList, named after the user SID. The user profile folder is referenced in the ProfileImagePath value under the per-user subkey, and can be used to determine the account username. The last write timestamp of each subkey indicates when the associated user last logged on to the system. | File: %SystemRoot%\System32\config\SOFTWARE<br>Registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList |
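The two artifacts above are most useful together: the computer SID from PolAcDmS and the domain SID from PolPrDmS tell you which ProfileList entries belong to local accounts and which to domain accounts, and the subkey last-write FILETIME gives the last logon. The following is an added example, not code from the original page; all hive values in it are constructed sample data (a real run would read them with an offline hive parser or the Windows registry API), and the helper names are the author's own.

```python
"""Added example: correlate the computer/domain SIDs stored under
HKLM\\SECURITY\\Policy with the ProfileList subkeys of the SOFTWARE hive.
All registry data below is constructed, not read from a real system."""
import struct
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_sid(raw: bytes) -> str:
    """Decode a binary SID (the format of PolAcDmS / PolPrDmS): one byte of
    revision, one byte sub-authority count, a 48-bit big-endian identifier
    authority, then little-endian 32-bit sub-authorities."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def filetime_to_datetime(filetime: int) -> datetime:
    """A FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def classify_profiles(computer_sid: str, domain_sid, profiles: dict) -> list:
    """profiles maps each ProfileList subkey name (the account SID) to its
    ProfileImagePath value and the subkey's last-write FILETIME."""
    rows = []
    for sid, entry in profiles.items():
        prefix, _, _rid = sid.rpartition("-")
        if prefix == computer_sid:
            kind = "local"
        elif domain_sid is not None and prefix == domain_sid:
            kind = "domain"
        else:
            kind = "well-known"  # e.g. S-1-5-18/19/20 service accounts
        rows.append({
            "sid": sid,
            "kind": kind,
            # Username is the last component of the profile folder; Windows
            # appends ".DOMAIN" or ".000" to the folder name on collisions.
            "username": entry["ProfileImagePath"].rstrip("\\").rsplit("\\", 1)[-1],
            "last_logon": filetime_to_datetime(entry["last_write"]),
        })
    return rows


# Constructed HKLM\SECURITY\Policy values (binary SIDs).
POL_AC_DM_S = bytes([1, 4]) + (5).to_bytes(6, "big") + struct.pack("<4I", 21, 1000, 2000, 3000)
POL_PR_DM_S = bytes([1, 4]) + (5).to_bytes(6, "big") + struct.pack("<4I", 21, 4000, 5000, 6000)

# Constructed ProfileList subkeys; 132000000000000000 is 2019-04-17 18:40:00 UTC.
PROFILE_LIST = {
    "S-1-5-18": {"ProfileImagePath": "%systemroot%\\system32\\config\\systemprofile",
                 "last_write": 132000000000000000},
    "S-1-5-21-1000-2000-3000-1001": {"ProfileImagePath": "C:\\Users\\alice",
                                     "last_write": 132000000000000000},
    "S-1-5-21-4000-5000-6000-1105": {"ProfileImagePath": "C:\\Users\\bob.CORP",
                                     "last_write": 132000000000000000},
}


def build_report() -> list:
    return classify_profiles(decode_sid(POL_AC_DM_S), decode_sid(POL_PR_DM_S), PROFILE_LIST)


if __name__ == "__main__":
    for row in build_report():
        print("%-30s %-10s %-15s %s" % (row["sid"], row["kind"], row["username"],
                                        row["last_logon"].isoformat()))
```

The "well-known" bucket catches the built-in service profiles (S-1-5-18, S-1-5-19, S-1-5-20) that always appear in ProfileList; an interactive account whose prefix matches neither SID is worth a second look, as it may come from a previous domain join or a forest trust.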
SAM - Local users
| Hive | Description | Location |
| --- | --- | --- |
| HKLM\SAM | Local users and groups definition. The SAM database contains the local users' attributes (username, RID, last password change, group memberships), as well as their LM and NTLM hashes. The SysKey, also referred to as the BootKey, stored in the HKLM\SYSTEM registry hive is necessary to decrypt the secrets in the SAM database. Impacket's secretsdump.py Python script can be used to extract the credentials from the HKLM\SAM (and HKLM\SECURITY) hives: secretsdump.py -sam <SAM> -system <SYSTEM> [-security <SECURITY>] LOCAL | File: %SystemRoot%\System32\config\SAM<br>Registry key: SAM\Domains\Account\Users |
TimeZoneInformation
| Hive | Description | Location |
| --- | --- | --- |
| HKLM\SYSTEM | System time zone information. | File: %SystemRoot%\System32\config\SYSTEM<br>Registry key: HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation |
Select
| Hive | Description | Location |
| --- | --- | --- |
| HKLM\SYSTEM | ControlSet information for the CurrentControlSet, ControlSet001, ControlSet002, … registry keys:<br>- Which ControlSet the CurrentControlSet key points to.<br>- Which ControlSet is the last known good one. | File: %SystemRoot%\System32\config\SYSTEM<br>Registry key: HKLM\SYSTEM\Select |
Network interfaces (Interfaces)
| Hive | Description | Location |
| --- | --- | --- |
| HKLM\SYSTEM | Basic information about network interfaces (interface name, associated IP address, default gateway, DHCP lease and, where applicable, domain). Additional network information is available in the NetworkList registry key. | File: %SystemRoot%\System32\config\SYSTEM<br>Registry keys: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\* |
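The Select key matters in practice because an offline SYSTEM hive has no CurrentControlSet link: the Current value must be read first and substituted into every CurrentControlSet path, including the Interfaces one above. The example below is added here and is not code from the original page. The value names it reads under each interface subkey (EnableDHCP, DhcpIPAddress, IPAddress, DefaultGateway, DhcpDefaultGateway, Domain, DhcpDomain, LeaseObtainedTime, LeaseTerminatesTime) are the ones Windows writes there; the hive contents and interface GUIDs are constructed, and the function names are the author's.

```python
"""Added example: resolve CurrentControlSet from Select and summarise the
TCP/IP interface subkeys of an offline SYSTEM hive (constructed data)."""
from datetime import datetime, timezone


def resolve_control_set(select_values: dict, which: str = "Current") -> str:
    """Select\\Current (DWORD) numbers the live control set, e.g. 1 means
    ControlSet001; Select\\LastKnownGood names the fallback the same way."""
    return "ControlSet%03d" % select_values[which]


def summarize_interface(guid: str, values: dict) -> dict:
    """DHCP leases and static settings live in different values: the Dhcp*
    values are REG_SZ / REG_MULTI_SZ written by the client, while IPAddress
    and DefaultGateway are REG_MULTI_SZ static settings."""
    dhcp = values.get("EnableDHCP", 0) == 1
    if dhcp:
        ip = values.get("DhcpIPAddress")
        gateway = values.get("DhcpDefaultGateway", [None])[0]
        domain = values.get("DhcpDomain")
    else:
        ip = values.get("IPAddress", [None])[0]
        gateway = values.get("DefaultGateway", [None])[0]
        domain = values.get("Domain")

    def lease_time(name):
        # Lease timestamps are DWORD Unix epoch seconds (UTC).
        t = values.get(name)
        return datetime.fromtimestamp(t, tz=timezone.utc) if t else None

    return {
        "interface": guid,
        "dhcp": dhcp,
        "ip": ip or None,
        "gateway": gateway or None,
        "domain": domain or None,
        "lease_obtained": lease_time("LeaseObtainedTime"),
        "lease_expires": lease_time("LeaseTerminatesTime"),
    }


# Constructed SYSTEM hive: ControlSet001 is current, ControlSet002 is the
# last known good copy. 1700000000 is 2023-11-14 22:13:20 UTC.
INTERFACES_SUBPATH = "Services\\Tcpip\\Parameters\\Interfaces"
SYSTEM_HIVE = {
    "Select": {"Current": 1, "Default": 1, "Failed": 0, "LastKnownGood": 2},
    "ControlSet001": {INTERFACES_SUBPATH: {
        "{11111111-2222-3333-4444-555555555555}": {
            "EnableDHCP": 1, "DhcpIPAddress": "10.0.0.23",
            "DhcpDefaultGateway": ["10.0.0.1"], "DhcpDomain": "corp.example",
            "LeaseObtainedTime": 1700000000, "LeaseTerminatesTime": 1700086400},
        "{22222222-3333-4444-5555-666666666666}": {
            "EnableDHCP": 0, "IPAddress": ["192.168.56.10"],
            "DefaultGateway": [""], "Domain": ""},
    }},
    "ControlSet002": {INTERFACES_SUBPATH: {}},
}


def summarize_system_hive(hive: dict) -> list:
    control_set = resolve_control_set(hive["Select"])
    interfaces = hive[control_set][INTERFACES_SUBPATH]
    return [summarize_interface(g, v) for g, v in sorted(interfaces.items())]


if __name__ == "__main__":
    print("CurrentControlSet ->", resolve_control_set(SYSTEM_HIVE["Select"]))
    for row in summarize_system_hive(SYSTEM_HIVE):
        print(row)
```

Comparing the summary for the current set against LastKnownGood can show a network configuration that changed shortly before the image was taken.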
Network interfaces (NetworkList)
| Hive | Description | Location |
| --- | --- | --- |
| HKLM\SOFTWARE | Basic network historical information (network name and type, first and last connection, etc.). | File: %SystemRoot%\System32\config\SOFTWARE<br>Registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\ |
LanmanServer\Shares
| Hive | Description | Location |
| --- | --- | --- |
| HKLM\SYSTEM | Network SMB shares hosted by the system. Each network share is associated with a REG_MULTI_SZ value, named after the share name. The share name is also defined in the ShareName field of the registry value's data, and the share path on disk in the Path field of the registry value's data. | File: %SystemRoot%\System32\config\SYSTEM<br>Registry key: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares |
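Reading these values from a raw hive means decoding REG_MULTI_SZ yourself and then splitting the Field=Value lines the page describes. The example below is added here and is not code from the original page: the share data is constructed, but it is encoded exactly as the hive stores it (UTF-16LE strings separated by NUL and terminated by a double NUL), and the field names (ShareName, Path, Remark, Type, MaxUses, Permissions, CSCFlags) are the ones Windows writes.

```python
"""Added example: decode LanmanServer\\Shares REG_MULTI_SZ data and parse
the Field=Value lines of each share (constructed sample data)."""


def decode_multi_sz(raw: bytes) -> list:
    """REG_MULTI_SZ holds UTF-16LE strings, each NUL-terminated, with an
    extra NUL ending the list. Splitting on NUL and dropping empty strings
    copes with both terminators and with a truncated final NUL."""
    return [s for s in raw.decode("utf-16-le", errors="replace").split("\x00") if s]


def parse_share(value_name: str, lines: list) -> dict:
    fields = {}
    for line in lines:
        key, sep, val = line.partition("=")
        if sep:
            fields[key] = val
    share_name = fields.get("ShareName", value_name)
    return {
        "name": share_name,
        "path": fields.get("Path", ""),
        "remark": fields.get("Remark", ""),
        "type": int(fields.get("Type", "0")),
        "max_uses": int(fields.get("MaxUses", "0")),
        # Names ending in '$' are hidden from share browsing.
        "hidden": share_name.endswith("$"),
        # The value name and ShareName normally agree; a mismatch is odd
        # enough to deserve a note in the triage report.
        "name_matches_value": share_name == value_name,
    }


def list_shares(shares_key: dict) -> list:
    """shares_key maps each value name to its raw REG_MULTI_SZ bytes."""
    return [parse_share(name, decode_multi_sz(data)) for name, data in shares_key.items()]


def encode_multi_sz(strings: list) -> bytes:
    """Used only to build the constructed sample in the on-disk encoding."""
    return ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")


# Constructed Shares key: one visible share and one hidden share.
SHARES_KEY = {
    "Data": encode_multi_sz([
        "CSCFlags=0", "MaxUses=4294967295", "Path=D:\\Shared\\Data",
        "Permissions=0", "Remark=Team files", "ShareName=Data", "Type=0"]),
    "Tools$": encode_multi_sz([
        "CSCFlags=0", "MaxUses=4294967295", "Path=C:\\Tools",
        "Permissions=0", "Remark=", "ShareName=Tools$", "Type=0"]),
}


if __name__ == "__main__":
    for share in list_shares(SHARES_KEY):
        print("%-10s %-20s hidden=%s" % (share["name"], share["path"], share["hidden"]))
```

Type 0 is a disk share; the other values are documented with the NetShareAdd API (print queues, IPC, and the special flag for administrative shares).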
FirewallPolicy
| Hive | Description | Location |
| --- | --- | --- |
| HKLM\SYSTEM | Windows local firewall profiles (Public, Private, and Domain) status and configured rules. | File: %SystemRoot%\System32\config\SYSTEM<br>Registry key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\* |
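Two things under FirewallPolicy are worth pulling out during triage: whether each profile has the firewall enabled (the EnableFirewall DWORD under DomainProfile, StandardProfile and PublicProfile), and which rules are active inbound allows. The rules are stored as pipe-delimited strings under FirewallPolicy\FirewallRules. The example below is added here and is not code from the original page; the rule strings and profile values are constructed, but follow the v2.x|Key=Value|...| format Windows uses, and the function names are the author's.

```python
"""Added example: parse FirewallPolicy profile flags and FirewallRules
strings, then list the active inbound Allow rules (constructed data)."""

PROFILES = ("DomainProfile", "StandardProfile", "PublicProfile")


def parse_rule(rule: str) -> dict:
    """Rule strings look like 'v2.31|Action=Allow|Active=TRUE|Dir=In|...|'.
    Keys that may repeat (Profile, LPort, RPort, LA4, RA4, ...) are kept
    as lists; the leading version tag is stored under 'version'."""
    parts = [p for p in rule.split("|") if p]
    parsed = {"version": parts[0]}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        if sep:
            parsed.setdefault(key, []).append(val)
    return parsed


def profile_status(firewall_policy: dict) -> dict:
    """True when the profile's firewall is on. A missing EnableFirewall
    value means the default (enabled), so only an explicit 0 counts as off."""
    return {p: firewall_policy.get(p, {}).get("EnableFirewall", 1) == 1 for p in PROFILES}


def active_inbound_allows(firewall_policy: dict) -> list:
    """Rules with no Profile field apply to every profile."""
    found = []
    for value_name, rule in firewall_policy.get("FirewallRules", {}).items():
        r = parse_rule(rule)
        if r.get("Action") == ["Allow"] and r.get("Active") == ["TRUE"] and r.get("Dir") == ["In"]:
            found.append({
                "value": value_name,
                "name": r.get("Name", [""])[0],
                "protocol": r.get("Protocol", [""])[0],
                "local_ports": r.get("LPort", []),
                "app": r.get("App", [""])[0],
                "profiles": r.get("Profile", ["(all)"]),
            })
    return found


# Constructed FirewallPolicy subtree: public profile firewall switched off,
# one active inbound allow, one disabled rule, one outbound block.
FIREWALL_POLICY = {
    "DomainProfile": {"EnableFirewall": 1},
    "StandardProfile": {"EnableFirewall": 1},
    "PublicProfile": {"EnableFirewall": 0},
    "FirewallRules": {
        "{00000000-0000-0000-0000-000000000001}":
            "v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389"
            "|Profile=Private|Profile=Domain|App=%SystemRoot%\\System32\\svchost.exe"
            "|Name=Remote Desktop (TCP-In)|Desc=Inbound rule for Remote Desktop|",
        "{00000000-0000-0000-0000-000000000002}":
            "v2.31|Action=Allow|Active=FALSE|Dir=In|Protocol=17|LPort=5000|Name=Disabled test rule|",
        "{00000000-0000-0000-0000-000000000003}":
            "v2.31|Action=Block|Active=TRUE|Dir=Out|Protocol=6|RPort=25|Name=Block SMTP out|",
    },
}


if __name__ == "__main__":
    print("profiles:", profile_status(FIREWALL_POLICY))
    for rule in active_inbound_allows(FIREWALL_POLICY):
        print(rule)
```

Rules added by local administrators or software installers show up here beside the built-in ones, so diffing this list against a known-good baseline is a quick way to spot an unexpected listener being allowed through.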
Installed applications (App Paths)
| Hive | Description | Location |
| --- | --- | --- |
| HKLM\SOFTWARE and NTUSER | Applications installed on the system, on a system-wide or per-user basis. The entries are mainly used by the Windows operating system for two purposes:<br>- Mapping an application file name to the full path of its executable.<br>- Prepending directories to the PATH environment variable on a per-application and per-process basis.<br>Applications installed system-wide have their information written in the HKLM\SOFTWARE registry hive, while applications installed per user have their information written in the user's NTUSER hive. For each installed application the following notable information is available:<br>- File name and full file path of the application executable.<br>- Timestamp of installation. | For system-wide applications:<br>File: %SystemRoot%\System32\config\SOFTWARE<br>Registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths<br>For per-user applications:<br>File: %SystemDrive%\Users\<USERNAME>\NTUSER.dat<br>Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths |
Installed applications (Uninstall)
| Hive | Description | Location |
| --- | --- | --- |
| HKLM\SOFTWARE and NTUSER | Applications installed on the system, on a system-wide or per-user basis, as displayed in the "Add or remove programs" page of the Windows Control Panel / Settings. Applications installed system-wide have their information written in the HKLM\SOFTWARE registry hive, while applications installed per user have their information written in the user's NTUSER hive. Each application's installation data is defined in a dedicated subkey under Uninstall, identified by the application name. For each installed application the following notable information is available:<br>- The application name.<br>- The application installation location, display icon (often based directly on the application's main executable, thus giving the full path of the application's main program), and full path of the uninstaller.<br>- The date of the installation. The last write timestamp of the registry key can also be an indicator of when the application was installed (with better precision).<br>- The size of the application.<br>- Various metadata on the application (provided by the application installer itself): version, publisher, … | For system-wide applications:<br>File: %SystemRoot%\System32\config\SOFTWARE<br>Registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall<br>For per-user applications:<br>File: %SystemDrive%\Users\<USERNAME>\NTUSER.dat<br>Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall |
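Turning Uninstall subkeys into an installed-software timeline mostly comes down to three details the description above mentions: InstallDate is a YYYYMMDD string with no time of day (and installers sometimes leave it empty or malformed), the subkey's last-write FILETIME carries the precision InstallDate lacks, and DisplayIcon usually points at the main executable with an icon index appended after a comma. The example below is added here and is not code from the original page; the subkeys are constructed, the value names (DisplayName, DisplayVersion, Publisher, InstallLocation, InstallDate, DisplayIcon, UninstallString, EstimatedSize) are the ones installers write, and the function names are the author's.

```python
"""Added example: normalise Uninstall subkeys into a timeline, reconciling
InstallDate with the subkey last-write time and recovering the main
executable path from DisplayIcon (constructed sample data)."""
from datetime import date, datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """A FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def parse_install_date(value):
    """InstallDate is normally YYYYMMDD; return None for empty or malformed
    strings instead of guessing."""
    if not value or len(value) != 8 or not value.isdigit():
        return None
    try:
        return date(int(value[:4]), int(value[4:6]), int(value[6:]))
    except ValueError:
        return None


def exe_from_display_icon(display_icon):
    """'C:\\dir\\app.exe,0' -> 'C:\\dir\\app.exe'; quotes are stripped and a
    comma that is not followed by an integer index is left in the path."""
    if not display_icon:
        return None
    path, sep, index = display_icon.rpartition(",")
    if sep and index.strip().lstrip("-").isdigit():
        display_icon = path
    return display_icon.strip().strip('"') or None


def parse_uninstall_entry(subkey: str, values: dict, last_write: int) -> dict:
    install_date = parse_install_date(values.get("InstallDate"))
    key_written = filetime_to_datetime(last_write)
    return {
        "subkey": subkey,
        "name": values.get("DisplayName", subkey),
        "version": values.get("DisplayVersion"),
        "publisher": values.get("Publisher"),
        "install_location": values.get("InstallLocation"),
        "main_exe": exe_from_display_icon(values.get("DisplayIcon")),
        "uninstaller": values.get("UninstallString"),
        "install_date": install_date,
        "key_last_write": key_written,
        # A key rewritten long after InstallDate points at an update,
        # repair or reinstall rather than the original installation.
        "dates_agree": install_date is None or install_date == key_written.date(),
        "size_kb": values.get("EstimatedSize"),  # DWORD, kilobytes
    }


def parse_uninstall_key(uninstall_key: dict) -> list:
    """uninstall_key maps subkey name -> (values dict, last-write FILETIME)."""
    return [parse_uninstall_entry(name, vals, lw) for name, (vals, lw) in uninstall_key.items()]


# Constructed Uninstall subkeys; 133392567000000000 is 2023-09-15 13:05:00 UTC.
UNINSTALL_KEY = {
    "ExampleApp": ({"DisplayName": "Example App", "DisplayVersion": "4.2.0",
                    "Publisher": "Example Corp", "InstallDate": "20230915",
                    "InstallLocation": "C:\\Program Files\\ExampleApp\\",
                    "DisplayIcon": "C:\\Program Files\\ExampleApp\\app.exe,0",
                    "UninstallString": "\"C:\\Program Files\\ExampleApp\\unins000.exe\"",
                    "EstimatedSize": 51200}, 133392567000000000),
    "{0F0F0F0F-0000-0000-0000-000000000001}": ({"DisplayName": "Other Tool", "InstallDate": "",
                    "DisplayIcon": "\"C:\\Program Files\\Other\\other.exe\""}, 133392567000000000),
    "LegacyUtil": ({"DisplayName": "Legacy Util", "InstallDate": "20230101",
                    "DisplayIcon": "C:\\Tools\\legacy.exe,-101"}, 133392567000000000),
}


if __name__ == "__main__":
    for entry in parse_uninstall_key(UNINSTALL_KEY):
        print("%-15s installed=%s key_written=%s exe=%s agree=%s" % (
            entry["name"], entry["install_date"], entry["key_last_write"].isoformat(),
            entry["main_exe"], entry["dates_agree"]))
```

The same parser applies unchanged to the per-user Uninstall key in NTUSER.dat; only the hive it is read from differs.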