What is a Registry Hive?

A registry hive is a logical group of keys, subkeys, and values in the registry whose supporting files are loaded into memory when the operating system (OS) starts, or a user logs in to a computer.

Confused when answering the question, “What is a registry hive?” Think of it this way. When someone else logs into your computer, it creates a new registry hive for that user and a separate file for his/her user profile. That registry hive is called the “user profile hive.” It contains specific registry information about that user’s application settings, desktop setup, environment, network connections, and printers.

A registry hive is crucial in digital forensics as it can limit the investigation’s scope on a system. Instead of going through all the user profile hives, law enforcement agents can zoom in on the profile the suspect owns.

Other interesting terms…

• What is a File Attribute?
• What is Slack Space?

Read More about a “Registry Hive”

A registry hive keeps the files in a computer organized, allowing the system to run optimally.

What Are the Formats Used by Files in a Registry Hive?

Registry files can take one of two formats—standard and latest. How do they differ?

• Standard format: The only format supported by Windows 2000, although newer versions of the OS support it for backward compatibility.

• Latest format: The format supported by Windows XP and succeeding versions.

What do these formats tell you about a suspicious file in digital forensics? Simply put, the format a file uses tells you if it was created using an old (i.e., Windows 2000) or a new OS (i.e., Windows XP onward).

How Can You Tell If a File Belongs to a Registry Hive?

First off, you should know that you can’t delete a registry hive. So if a malware creates a registry entry, you can only delete the main malware file (usually an .exe file). But how do you know if a registry key (e.g., HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE) is a registry hive? Here are some telltale signs:

• Most of a registry hive’s supporting files are in the %SystemRoot%\System32\Config directory.
• It doesn’t have a filename extension, which means it is a complete copy of the registry hive.
• It uses the .alt filename extension, which means it is a backup copy of the critical HKEY_LOCAL_MACHINE\System registry hive. It should never be deleted.
• It uses the .log filename extension, which means it is a transaction log of all changes made to the keys and value entries in a registry hive.
• It uses the .sav filename extension, which means it is a backup copy of a registry hive.

Digital forensic experts can use a registry hive to look for evidence. It can tell you what pages the computer user recently visited. It also logs information on the last documents opened, connected USB devices, and other artifacts pertinent to the case.

What Are the Registry Hives You Will See on Almost All Windows Computers?

Collecting digital evidence can be tedious if you don’t know where to look. Here’s a list of the registry hives present in almost all Windows systems.

• HKEY_CURRENT_CONFIG: Supported by the System, System.alt, System.log, and System.sav files.

• HKEY_CURRENT_USER: Supported by the Ntuser.dat and Ntuser.dat.log files.

• HKEY_LOCAL_MACHINE\SAM: Supported by the Sam, Sam.log, and Sam.sav files.

• HKEY_LOCAL_MACHINE\Security: Supported by the Security, Security.log, and Security.sav files.

• HKEY_LOCAL_MACHINE\Software: Supported by the Software, Software.log, and Software.sav files.

• HKEY_LOCAL_MACHINE\System: Supported by the System, System.alt, System.log, and System.sav files.

• HKEY_USERS\.DEFAULT: Supported by the Default, Default.log, and Default.sav files.

In digital forensics, these registry hives can tell investigators:

• HKEY_CURRENT_CONFIG: Acts as a pointer or shortcut to a registry key containing information about the computer’s hardware profile.

• HKEY_CURRENT_USER: Contains the computer settings the current user prefers (e.g., what software he/she typically uses).

• HKEY_LOCAL_MACHINE\SAM: Contains local user account and local group membership information, including passwords. It also tells you what privileges are granted (e.g., what files they can access) to each user and group in the Active Directory.

• HKEY_LOCAL_MACHINE\Security: Contains local system security policy settings that control which domains are trusted to authenticate login attempts, which users are allowed to access the system, on what channels users are permitted to access the system, which privileges are assigned to a user, how users are audited, and login information for cached domain and service logins.

• HKEY_LOCAL_MACHINE\Software: Contains most of the configuration information for the software installed on the computer and the OS.

• HKEY_LOCAL_MACHINE\System: Contains the same information as HKEY_LOCAL_MACHINE\Software.

• HKEY_USERS\.DEFAULT: Contains the registry settings used as the default for the currently logged-in user. If that user doesn’t have an existing profile, the C:\Users\Default\ntuser registry hive will get called.

Knowing what the registry hives contain, you can discern that threat actors who gain access to them can steal personally identifiable information (PII), including account login credentials, that could lead to a data breach.