Windows 10 Specific Registry Keys (tools)

admin 2019-9-2 446

Windows 10 Specific Registry Keys

The registry is a fascinating place.

It has been described as the heart of the OS, the place where configuration is stored.

Because of new features, user-experience changes, and updates, Windows 10 has changed and added to the locations of some of its registry keys.

The list below draws on a wonderful source of registry information, the DFIR Training site's "WINDOWS FORENSICS REGISTRY LIST":

https://www.dfir.training/resources/downloads/windows-registry

A list of Windows 10 specific registry keys follows. Each entry gives the artifact name, then the hive file and key path; where an entry ends in " / name", that name is the value or subkey of interest under the key.

App Information

UsrClass.dat\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.Microsoftedge\Microsoft.MicrosoftEdge_20.10240.16384.0_neutral__8wekyb3d8bbwe\MicrosoftEdge\Capabilities\FileAssociations

App Install Date/Time

UsrClass.dat\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Families\Microsoft.Microsoftedge_8wekyb3d8bbwe\Microsoft.MicrosoftEdge_20.10240.16384.0_neutral__8wekyb3d8bbwe / InstallTime

Camera App

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg&ls=0&b=0

Common Dialog

NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\.vhd

Cortana Search

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com/search?q=

Cortana Search

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.&input=2&FORM=WNSBOX&cc=US&setlang=en-US&sbts= / 0

Disk Class Filter Driver stdcfltn

SYSTEM\ControlSet001\services\stdcfltn

Edge Browser Favorites, Edge Favorites

UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\ / Order

Edge History Days to Keep

UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetSettings\Url History / DaysToKeep

Edge Typed URLs

UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs

Edge Typed URLs Time

UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsTime

Edge Typed URLs Visit Count

UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsVisitCount

EFS Attribute in File Explorer Green Color

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Favorites

UsrClass.dat\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\

File Access Windows Apps

UsrClass.dat\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\\PersistedStorageItemTable\ManagedByApp

History - Days to Keep

NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Url History / DaysToKeep

History days to keep

UsrClass.dat\SOFTWARE\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetSettings\Url History / DaysToKeep

Identity

settings.dat\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\

Identity Live Account

NTUSER\SOFTWARE\Microsoft\15.0\Common\Identity\Identities\

IE/Edge Auto Passwd

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

Present when an account is hidden from the Timeline view

HKCU\Software\Microsoft\Windows\CurrentVersion\ActivityDataModel\ActivityAccountFilter\

Links a ConnectedDevicePlatform PlatformDeviceId to the name, type, etc. of the device

HKCU\Software\Microsoft\Windows\CurrentVersion\TaskFlow\DeviceCache

Live Account ID

NTUSER.DAT\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Identities\_LiveId

Live Account ID

NTUSER.DAT\SOFTWARE\Microsoft\IdentityCRL\UserExtendedProperties\ / cid

Live Account ID

NTUSER.DAT\SOFTWARE\Microsoft\AuthCookies\Live\Default\CAW / Id

Office Word OneDrive Synch Roaming Identities

NTUSER.DAT\Software\Microsoft\Office\\Common\Roaming\Identities\Settings\1133\\ListItems\\

OneDrive App Info

NTUSER.DAT\SOFTWARE\Microsoft\OneDrive

OneDrive User ID and Login URL

NTUSER.DAT\SOFTWARE\Microsoft\AuthCookies\Live\Default\CAW

OneDrive User ID Associated with User

NTUSER.DAT\SOFTWARE\Microsoft\IdentityCRL\UserExtendedProperties\ / cid

OneDrive User ID, Live ID

NTUSER.DAT\SOFTWARE\Microsoft\Office\\Common\Identity\Identities\_LiveId

OneNote User Information

Settings.dat\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\_LiveId

Password Face Enabled

SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\FaceLogon\

Photos App Associated User

Settings.dat\LocalState\OD\

Place MRU

NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\User MRU\LiveId#>\Place MRU

Reading Locations

NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\Reading Locations

Recent Docs

NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.&input=

RecentApps

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps

RecentDocs

NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

RecentDocs

NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.iso

RecentDocs

NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.vhd

RecentDocs for .jpg

NTUSER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg

RecentDocs for .jpg

NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg&ls=0&b=0

Recycle Bin Info

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\

Regedit Last Key Saved

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey

Register.com search

NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts / .com

Roaming Identities (1125 PowerPoint, 1133 Word, 1141 Excel)

NTUSER.DAT\SOFTWARE\Microsoft\Office\15.0\Common\Roaming\Identities\\

Run subkey - Active

NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run / OneDrive

Shared data to: e-mail

NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharingMFU

Shared Photos

NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharingMFU

Shared photos

NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharingMFU

Sharing MFU

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\SharingMFU

Shell Bags

NTUSER.DAT\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop

Skype App Install

HKEY_CLASSES_ROOT\ActivatableClasses\Package\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c

Skype Assoc. Files 1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-skype

Skype Assoc. Files 2

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.skype

Skype Assoc. Files 3

HKEY_CURRENT_USER\SOFTWARE\Classes\.skype

Skype Assoc. Files 4

HKEY_CLASSES_ROOT\.skype

Skype Install Path

HKEY_CURRENT_USER\SOFTWARE\Skype\Phone

Skype Installation

HKEY_CLASSES_ROOT\AppX(RandomValue)

Skype Language

HKEY_CURRENT_USER\SOFTWARE\Skype\Phone\UI\General

Skype Process Name

HKEY_LOCAL_MACHINE\SOFTWARE\IM Providers\Skype

Skype Update App ID

HKEY_CLASSES_ROOT\AppID\{27E6D007-EE3B-4FF7-8AE8-28EF0739124C}

Skype User List

HKEY_CURRENT_USER\SOFTWARE\Skype\Phone\Users\

Skype Version 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\(UID)\(UID)

Skype Version 2

HKEY_CLASSES_ROOT\Installer\Products\74A569CF9384AC046B81814F680F246C

TaskBar Application List

NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband / FavoritesResolve

Trusted Documents

NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\Security\Trusted Documents\TrustRecords

Trusted Locations

NTUSER\SOFTWARE\Microsoft\Office\15.0\Word\Security\Trusted Locations

TypedURLs

UsrClass.dat\SOFTWARE\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs

TypedURLs

NTUSER.DAT\SOFTWARE\Microsoft\Internet Explorer\TypedURLs

TypedURLs Hyperlink

NTUSER.DAT\SOFTWARE\Microsoft\Internet Explorer\TypedURLs

TypedURLsTime

UsrClass.dat\SOFTWARE\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs

TypedURLsTime

NTUSER.DAT\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime

TypedURLsVisitCount

UsrClass.dat\SOFTWARE\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsVisitCount

References:

Shavers, B. (2019, February 12). Windows Registry. Retrieved from https://www.dfir.training/resources/downloads/windows-registry

Microsoft. Registry Hives - Windows applications. Retrieved from https://docs.microsoft.com/en-us/windows/desktop/SysInfo/registry-hives
