Windows Registry¶
Windows registries¶
Windows Registries (class notes)¶
Configurations of a particular user (eg: which user was logged in when a pendrive was connected to)
- NTUSER.DAT registries specific to user
Eg: scenario ->
The Windows Registry is a collection of databases that contains the system's configuration data. This configuration data can be about the hardware, the software, or the user's information. It also includes data about the recently used files, programs used, or devices connected to the system.
Important terms :
- HKEY : Windows splits the Registry into categories with the prefix HKEY_. Windows 9x systems have six HKEY categories and Windows 2000 and later have five. Windows programmers refer to the “H” as the handle for the key.
- Key : Each HKey contains folders or values known as keys
- Subkey: Key inside another key
- Branch : Folders inside a key
- Hive: Specific branches
Registry File Locations¶
- No of files in the Registry depends on the Windows version
- In Windows 9x/Me, it uses only two files : User.dat and system.dat
- In Windows NT and later, there are 6 .dat files
| Filename and Location | Purpose of the file |
|---|---|
| Users\user-account\Ntuser.data | User-protected storage area contains list of most recently used files and desktop configuration settings mounted on HKEY_CURRENT_USER when a user logs in |
| Windows\system32\config\Default.dat | Contains computer system settings |
| Windows\system32\config\SAM.dat | Contains user account management and security settings |
| Windows\system32\config\Security.dat | Contains Computer’s security settings |
| Windows\system32\config\Software.dat | Contains installed programs’ settings and associated usernames and passwords |
| Windows\system32\config\system.dat | Contains additional computer system settings |
| Windows\system32\config\systemprofile | Contains additional NTUSER information |
Registry hives¶
The registry on any Windows system contains the following five root keys:
- HKEY_CURRENT_USER
- HKEY_USERS
- HKEY_LOCAL_MACHINE
- HKEY_CLASSES_ROOT
- HKEY_CURRENT_CONFIG
| HKEY | Function |
|---|---|
Finding passwords in SAM using RID/SID¶
On Windows systems, user passwords are not stored in plain text in the Security Account Manager (SAM) database. They are stored as NTLM password hashes and are linked to accounts via their SID (Security Identifier), which ends in a RID (Relative Identifier).
- SAM – Local database file:
C:\Windows\System32\Config\SAM - SID – Unique identifier for each account
Example:S-1-5-21-XXXXX-XXXXX-XXXXX-1001 - RID – Last part of the SID (e.g.,
1001) - NTLM Hash – Encrypted form of the password stored in SAM
How Password Hashes Relate to RID/SID
- Each user account has a SID.
- The RID (last part of SID) maps to a user entry in SAM.
- The SAM stores the LM/NTLM hashes under that RID.
- The hashes are encrypted with the system’s boot key (SYSKEY) from the SYSTEM hive