Interesting Windows Registry Keys
Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE). Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Located at `Software\Microsoft\Windows NT\CurrentVersion`, you'll find the Windows version, Service Pack, installation time, and the registered owner's name in a straightforward manner.
The hostname is found under `System\ControlSet001\Control\ComputerName\ComputerName`.
The system's time zone is stored in `System\ControlSet001\Control\TimeZoneInformation`.
By default, last access time tracking is turned off (`NtfsDisableLastAccessUpdate=1`). To enable it, use: `fsutil behavior set disablelastaccess 0`
The Windows version indicates the edition (e.g., Home, Pro) and its release (e.g., Windows 10, Windows 11), while Service Packs are updates that include fixes and, sometimes, new features.
Enabling last access time tracking allows you to see when files were last opened, which can be critical for forensic analysis or system monitoring.
The registry holds extensive data on network configurations, including types of networks (wireless, cable, 3G) and network categories (Public, Private/Home, Domain/Work), which are vital for understanding network security settings and permissions.
CSC enhances offline file access by caching copies of shared files. Different CSCFlags settings control how and what files are cached, affecting performance and user experience, especially in environments with intermittent connectivity.
Programs listed in various `Run` and `RunOnce` registry keys are automatically launched at startup, affecting system boot time and potentially being points of interest for identifying malware or unwanted software.
Shellbags not only store preferences for folder views but also provide forensic evidence of folder access even if the folder no longer exists. They are invaluable for investigations, revealing user activity that isn't obvious through other means.
The details stored in the registry about USB devices can help trace which devices were connected to a computer, potentially linking a device to sensitive file transfers or unauthorized access incidents.
The Volume Serial Number can be crucial for tracking the specific instance of a file system, useful in forensic scenarios where file origin needs to be established across different devices.
Shutdown time and count (the latter only for XP) are kept in `System\ControlSet001\Control\Windows` and `System\ControlSet001\Control\Watchdog\Display`.
For detailed network interface info, refer to `System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{GUID_INTERFACE}`.
First and last network connection times, including VPN connections, are logged under various paths in `Software\Microsoft\Windows NT\CurrentVersion\NetworkList`.
Shared folders and settings are under `System\ControlSet001\Services\lanmanserver\Shares`. The Client Side Caching (CSC) settings dictate offline file availability.
Paths like `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run` and similar entries under `Software\Microsoft\Windows\CurrentVersion` detail programs set to run at startup.
Explorer searches and typed paths are tracked in the registry under `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer` in the `WordWheelQuery` and `TypedPaths` subkeys, respectively.
Recent documents and Office files accessed are noted in `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs` and specific Office version paths.
MRU lists, indicating recent file paths and commands, are stored in various `ComDlg32` and `Explorer` subkeys under `NTUSER.DAT`.
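The MRU-ordered keys above (WordWheelQuery, the ComDlg32 and Explorer MRU subkeys) share one layout: numbered values hold the entries and an `MRUListEx` value holds the order, most recent first, as little-endian DWORD indices terminated by `0xFFFFFFFF`. The following is an added example, not code from HackTricks, that reconstructs that order from values as they would be read out of an offline hive; the search terms and the `MRUListEx` bytes are constructed sample data, and the decoder also handles a truncated or unterminated list and a slot that the list references but the key no longer holds.

```python
from __future__ import annotations
import struct

# Constructed sample of a WordWheelQuery key as read from NTUSER.DAT:
# values "0", "1", "2" hold UTF-16LE search terms, MRUListEx orders them.
SAMPLE_WORDWHEELQUERY = {
    "0": "quarterly report\0".encode("utf-16-le"),
    "1": "invoice\0".encode("utf-16-le"),
    "2": "vpn config\0".encode("utf-16-le"),
    # Order: slot 2 most recent, then 0, then 1; 0xFFFFFFFF terminates.
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}


def parse_mrulistex(raw: bytes) -> list[int]:
    """Return the slot indices in MRU order (most recent first).

    MRUListEx is a REG_BINARY run of little-endian DWORDs ending in
    0xFFFFFFFF. A truncated or unterminated list is parsed as far as it goes.
    """
    indices = []
    for offset in range(0, len(raw) - 3, 4):
        (idx,) = struct.unpack_from("<I", raw, offset)
        if idx == 0xFFFFFFFF:
            break
        indices.append(idx)
    return indices


def decode_utf16_value(raw: bytes) -> str:
    """Decode a UTF-16LE REG_BINARY/REG_SZ payload up to its first NUL."""
    even = raw[: len(raw) - (len(raw) % 2)]   # drop a dangling odd byte
    return even.decode("utf-16-le", errors="replace").split("\0", 1)[0]


def mru_entries(key_values: dict[str, bytes]) -> list[tuple[int, str | None]]:
    """Pair each MRU slot with its decoded string, most recent first.

    A slot referenced by MRUListEx but absent from the key (e.g. after
    partial deletion) is reported with None so the gap stays visible.
    """
    ordered = []
    for idx in parse_mrulistex(key_values.get("MRUListEx", b"")):
        raw = key_values.get(str(idx))
        ordered.append((idx, decode_utf16_value(raw) if raw is not None else None))
    return ordered


if __name__ == "__main__":
    for slot, term in mru_entries(SAMPLE_WORDWHEELQUERY):
        print(f"slot {slot}: {term}")
```

The same `parse_mrulistex` ordering applies to RecentDocs and the ComDlg32 MRU keys; only the per-slot payload decoding differs there (RecentDocs values carry a shell item after the UTF-16 name, so `decode_utf16_value` recovers the name but not the rest).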
The User Assist feature logs detailed application usage stats, including run count and last run time, at `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count`.
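Both the `ShutdownTime` value under `Control\Windows` and the last-run field of a UserAssist entry are Windows FILETIMEs (100 ns ticks since 1601-01-01 UTC), and UserAssist value names are ROT13-obfuscated program paths. The following is an added example, not HackTricks code, that decodes both artifacts from bytes as they would be read from an offline hive. The UserAssist layout it assumes is the Windows 7 and later 72-byte form (run count at offset 4, focus count at 8, focus time in milliseconds at 12, last-execution FILETIME at 60); the value name, counters and timestamp are constructed sample data.

```python
from __future__ import annotations
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample data (not taken from a real system).
SAMPLE_LAST_RUN = 133497936000000000          # FILETIME for 2024-01-15 12:00:00 UTC
SAMPLE_SHUTDOWN_TIME = struct.pack("<Q", SAMPLE_LAST_RUN)
SAMPLE_USERASSIST_NAME = r"P:\Jvaqbjf\Flfgrz32\abgrcnq.rkr"   # ROT13 of a notepad path
SAMPLE_USERASSIST_DATA = (
    struct.pack("<4I", 0, 5, 3, 120000)       # session id, run count, focus count, focus ms
    + bytes(44)                               # offsets 16-59: per-entry counters not decoded here
    + struct.pack("<Q", SAMPLE_LAST_RUN)      # offset 60: last execution FILETIME
    + bytes(4)                                # offset 68: padding
)


def filetime_to_datetime(filetime: int) -> datetime | None:
    """Convert a FILETIME to an aware UTC datetime; 0 means 'never set'."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_shutdown_time(raw: bytes) -> datetime | None:
    """ShutdownTime (Control\\Windows) is an 8-byte REG_BINARY FILETIME."""
    if len(raw) != 8:
        raise ValueError(f"ShutdownTime should be 8 bytes, got {len(raw)}")
    (ft,) = struct.unpack("<Q", raw)
    return filetime_to_datetime(ft)


def parse_userassist_entry(name: str, raw: bytes) -> dict:
    """Decode one value under UserAssist\\{GUID}\\Count (Win7+ layout assumed).

    The value name is the program path, ROT13-obfuscated; the data carries
    the counters and the last-execution FILETIME at the offsets noted above.
    """
    if len(raw) < 68:
        raise ValueError(f"UserAssist entry too short: {len(raw)} bytes")
    run_count, focus_count, focus_ms = struct.unpack_from("<3I", raw, 4)
    (last_ft,) = struct.unpack_from("<Q", raw, 60)
    return {
        "program": codecs.decode(name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_ft),
    }


if __name__ == "__main__":
    print("last shutdown:", parse_shutdown_time(SAMPLE_SHUTDOWN_TIME))
    entry = parse_userassist_entry(SAMPLE_USERASSIST_NAME, SAMPLE_USERASSIST_DATA)
    for field, value in entry.items():
        print(f"{field}: {value}")
```

Windows XP UserAssist entries use a shorter 16-byte layout (run count at offset 4, last run at offset 8) and start their run counter at 5; the parser above rejects those by length rather than misreading them.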
Shellbags, revealing folder access details, are stored in `USRCLASS.DAT` and `NTUSER.DAT` under `Software\Microsoft\Windows\Shell`. Use Shellbag Explorer for analysis.
`HKLM\SYSTEM\ControlSet001\Enum\USBSTOR` and `HKLM\SYSTEM\` contain rich details on connected USB devices, including manufacturer, product name, and connection timestamps.
The user associated with a specific USB device can be pinpointed by searching `NTUSER.DAT` hives for the device's `{GUID}`.
The last mounted device and its volume serial number can be traced through `System\MountedDevices` and `Software\Microsoft\Windows NT\CurrentVersion\EMDMgmt`, respectively.
This guide condenses the crucial paths and methods for accessing detailed system, network, and user activity information on Windows systems, aiming for clarity and usability.