Skip to content

Windows Registry

Windows registries

Windows Registries (class notes)

Configurations of a particular user (eg: which user was logged in when a pendrive was connected to)

  • NTUSER.DAT registries specific to user

Eg: scenario ->

The Windows Registry is a collection of databases that contains the system's configuration data. This configuration data can be about the hardware, the software, or the user's information. It also includes data about the recently used files, programs used, or devices connected to the system.
Important terms :

  • HKEY : Windows splits the Registry into categories with the prefix HKEY_. Windows 9x systems have six HKEY categories and Windows 2000 and later have five. Windows programmers refer to the “H” as the handle for the key.
  • Key : Each HKey contains folders or values known as keys
  • Subkey: Key inside another key
  • Branch : Folders inside a key
  • Hive: Specific branches

Registry File Locations

  • No of files in the Registry depends on the Windows version
  • In Windows 9x/Me, it uses only two files : User.dat and system.dat
  • In Windows NT and later, there are 6 .dat files
Filename and Location Purpose of the file
Users\user-account\Ntuser.data User-protected storage area contains list of most recently used files and desktop configuration settings mounted on HKEY_CURRENT_USER when a user logs in
Windows\system32\config\Default.dat Contains computer system settings
Windows\system32\config\SAM.dat Contains user account management and security settings
Windows\system32\config\Security.dat Contains Computer’s security settings
Windows\system32\config\Software.dat Contains installed programs’ settings and associated usernames and passwords
Windows\system32\config\system.dat Contains additional computer system settings
Windows\system32\config\systemprofile Contains additional NTUSER information

Registry hives

The registry on any Windows system contains the following five root keys:

  1. HKEY_CURRENT_USER
  2. HKEY_USERS
  3. HKEY_LOCAL_MACHINE
  4. HKEY_CLASSES_ROOT
  5. HKEY_CURRENT_CONFIG
HKEY Function
Finding passwords in SAM using RID/SID

On Windows systems, user passwords are not stored in plain text in the Security Account Manager (SAM) database. They are stored as NTLM password hashes and are linked to accounts via their SID (Security Identifier), which ends in a RID (Relative Identifier).

  • SAM – Local database file: C:\Windows\System32\Config\SAM
  • SID – Unique identifier for each account
    Example: S-1-5-21-XXXXX-XXXXX-XXXXX-1001
  • RID – Last part of the SID (e.g., 1001)
  • NTLM Hash – Encrypted form of the password stored in SAM

How Password Hashes Relate to RID/SID

  1. Each user account has a SID.
  2. The RID (last part of SID) maps to a user entry in SAM.
  3. The SAM stores the LM/NTLM hashes under that RID.
  4. The hashes are encrypted with the system’s boot key (SYSKEY) from the SYSTEM hive