ACCESSDATA SUPPLEMENTAL APPENDIX

Registry Quick Find Chart

Important: At the time of this writing, most of the information contained
in this paper is not published by Microsoft and is based on personal
research. As such, please consider validating these results prior to
relying on them as the basis for any conclusions. Please keep in mind
that, as with all Windows artifact behavior, the information contained in
this paper is subject to change at any time. In addition to the conditions
stated below, there may be additional user actions that contribute to
these entries.

This appendix reviews common locations in the Windows and Windows
Internet-related registry hives where you can find data of forensic
interest:

• NTUSER.DAT Information
• SAM Information
• SECURITY Information
• SOFTWARE Information
• SYSTEM Information

Each entry gives the registry Location (a key path; " / name" or " - name"
after the path identifies a specific value within that key), a Description,
when the entry is updated, and the Windows (or application) version in
which it was observed.

Note: Under the Version column, an "XP" indicates that this information
is found in XP. A "V" references Vista, and a "7" references Windows 7 in
its first release. If no notation is made in the Version column, it means
this was found in XP, but not tested in other versions.

9-25-10 ©2010 AccessData Group, LLC. All Rights Reserved


NTUSER.DAT INFORMATION

All locations in this section are in the user's NTUSER.DAT hive.

Access 2007 MRU
  Location:     NTUSER.DAT\Software\Microsoft\Office\12.0\Access\Settings
  Description:  MRU list for MS Access database files (MRU1-MRU9).
  When updated: When the database is closed
  Version:      Office 2007

Access 2007 MRU Dates
  Location:     NTUSER.DAT\Software\Microsoft\Office\12.0\Access\Settings
  Description:  Tracks the date of last access associated with MRU1-MRU9
                (MRUDate1-MRUDate9).
  When updated: When the database is closed
  Version:      Office 2007

Access Recent Databases
  Location:     NTUSER.DAT\Software\Microsoft\Office\<version>\Common\Open Find\
                Microsoft Office Access\Settings\File New Database\File Name MRU
  Description:  Microsoft Access recent databases in the "value" value.
  When updated: Immediately
  Version:      Pre Office 2007

Adobe
  Location:     NTUSER.DAT\Software\Adobe\*
  Description:  Lists Adobe products such as Acrobat and FrameMaker.

AIM
  Location:     NTUSER.DAT\Software\America Online\AOL Instant Messenger (TM)\
                CurrentVersion\Users\<username>
  Description:  Lists IM contacts, file transfer information, etc.
  When updated: Immediately

AIM Away Messages
  Location:     NTUSER.DAT\Software\America Online\AOL Instant Messenger (TM)\
                CurrentVersion\Users\<screen name>\IAmGoneList
  Description:  Shows default and customized Away messages.
  When updated: Immediately

AIM File Transfers & Sharing
  Location:     NTUSER.DAT\Software\America Online\AOL Instant Messenger (TM)\
                CurrentVersion\Users\<screen name>\Xfer
  Description:  Shows settings for file transfers and sharing.
  When updated: Immediately

AIM Last User
  Location:     NTUSER.DAT\Software\America Online\AOL Instant Messenger (TM)\
                CurrentVersion\Login - Screen Name
  Description:  Shows the screen name of the last logged-in user.
  When updated: At login

AIM Profile Info
  Location:     NTUSER.DAT\Software\America Online\AOL Instant Messenger (TM)\
                CurrentVersion\Users\<screen name>\DirEntry
  Description:  Shows user profile information (optional).
  When updated: Immediately

AIM Recent Contacts
  Location:     NTUSER.DAT\Software\America Online\AOL Instant Messenger (TM)\
                CurrentVersion\Users\<username>\recent IM ScreenNames
  Description:  Shows a list of recently contacted buddies.
  When updated: When the application closes

AIM Registered Users
  Location:     NTUSER.DAT\Software\America Online\AOL Instant Messenger (TM)\
                CurrentVersion\Users
  Description:  Shows registered AIM users on the machine.
  When updated: At sign-on

AIM Saved Buddy List
  Location:     NTUSER.DAT\Software\America Online\AOL Instant Messenger (TM)\
                CurrentVersion\Users\<username>\Config Transport
  Description:  Shows the directory path of a saved Buddy List (a BLT file).
  When updated: Immediately

Application Information
  Location:     NTUSER.DAT\Software\<Application Name>
  Description:  This class of registry keys contains the information each
                application stores in the registry.
  When updated: N/A

Autorun USBs, CDs, DVDs
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                AutoplayHandlers / DisableAutoplay
  Description:  0=Enabled, 1=Disabled
  When updated: N/A
  Version:      XP, V

BitLocker To Go
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\
                FveAutoUnlock\<guid>
  Description:  Indicates the user selected the "remember" option for a USB
                drive so that the password does not have to be entered on
                this system.
  When updated: Upon selecting the option to recognize the drive on this
                machine
  Version:      7

CD Burning
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                CD Burning\Drives\Volume<guid>\Current Media
  Description:  May show the names of previously inserted CD/DVD volumes under
                the Disc Label value. Normally the volume name is removed on
                dismount.
  When updated: N/A
  Version:      V, 7

CD Burning
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                CD Burning\Current Media / Disc Label
  Description:  The Current Media subkey is created upon mounting the drive
                and removed on dismount.
  When updated: Upon mounting and dismounting
  Version:      XP

Chat Rooms
  Location:     NTUSER.DAT\Software\Yahoo\Pager\profiles\<screen name>\Chat
  Description:  Shows information for chat rooms visited or created.
  When updated: Immediately

Converted Wallpaper
  Location:     NTUSER.DAT\Control Panel\Desktop
  Description:  Identifies graphics that are converted to wallpaper, and the
                date and time of the conversion.
  When updated: Immediately
  Version:      XP, V, 7

Drives Mounted by User
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                MountPoints2\<guid>
  Description:  Track the GUID back to the matching MountedDevices GUID in
                the SYSTEM hive.
  When updated: Immediately
  Version:      XP, V, 7

EFS
  Location:     NTUSER.DAT\Software\Microsoft\Windows NT\CurrentVersion\EFS\
                CurrentKeys
  Description:  Lists the current user's certificate thumbprint. (Each user
                has a unique certificate thumbprint.) The same thumbprint is
                contained in the $EFS alternate data stream of every EFS file
                encrypted by the current user.
  When updated: N/A
  Version:      XP, V, 7

Excel 2007 Autosave Info
  Location:     NTUSER.DAT\Software\Microsoft\Office\12.0\Excel\Resiliency\
                DocumentRecovery\<id#>
  Description:  Saves info about currently opened Excel documents.
  When updated: When the document is opened and when saves are made
  Version:      Office 2007

Excel 2007 MRU
  Location:     NTUSER.DAT\Software\Microsoft\Office\12.0\Excel\File MRU
  Description:  MRU list for MS Excel spreadsheets (Item1-Item50).
                Note: The second bracketed number is a 64-bit date/time stamp
                (a Windows FILETIME written in hex) of when the document was
                opened.
  When updated: When the document is opened
  Version:      Office 2007

Excel Recent Spreadsheets
  Location:     NTUSER.DAT\Software\Microsoft\Office\<version>\Common\Open Find\
                Microsoft Office Excel\Settings\Save As\File Name MRU
  Description:  Microsoft Excel recent spreadsheets in the "value" value.
  When updated: Immediately
  Version:      Pre Office 2007

File Extension Associations
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                FileExts\.<ext>
  Description:  Lists file extension associations and files that have been
                opened with the Open With command.
  When updated: Immediately
  Version:      XP, V, 7

File Extensions - Program Association
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                FileExts
  Description:  Identifies the programs associated with file extensions.
  When updated: Immediately
  Version:      XP, V, 7

Folders - Stream MRUs
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                StreamMRU
  Description:  Info on stored folders.
  When updated: Immediately
  Version:      XP

FTP
  Location:     NTUSER.DAT\Software\Microsoft\FTP\Accounts\<address>
  Description:  Local FTP accounts.
  When updated: N/A
  Version:      XP, V, 7

Google Client History
  Location:     NTUSER.DAT\Software\Google\NavClient\1.1\History
  Description:  Contains a list of search terms with date and time stamps if
                the Google toolbar is installed in Internet Explorer.
  When updated: Immediately

ICQ
  Location:     NTUSER.DAT\Software\Mirabilis\ICQ\*
  Description:  Lists IM contacts, file transfer information, etc.
  When updated: N/A

ICQ Last User
  Location:     NTUSER.DAT\Software\Mirabilis\ICQ\Owners - LastOwner
  Description:  Shows the last logged-in user.
  When updated: At logon

ICQ Nickname
  Location:     NTUSER.DAT\Software\Mirabilis\ICQ\Owners\<UIN> - Name
  Description:  Nickname of the user (optional value).
  When updated: At logon

ICQ Registered Users
  Location:     NTUSER.DAT\Software\Mirabilis\ICQ\Owners\<UIN>
  Description:  The UIN subkey is named for the user.
  When updated: At logon

IE Auto Logon and Password
  Location:     NTUSER.DAT\Software\Microsoft\Protected Storage System Provider\
                <SID>\Internet Explorer\Internet Explorer - URL: StringData
  Description:  Stores IE auto logon IDs and passwords with date and time
                stamp.
  When updated: Immediately
  Version:      IE6 and below

IE Auto-Complete Passwords
  Location:     NTUSER.DAT\Software\Microsoft\Internet Explorer\IntelliForms
  Description:  Stores web page auto-complete passwords. These are encrypted
                values.
  When updated: Immediately
  Version:      IE6 and below

IE Auto-Complete Web Addresses
  Location:     NTUSER.DAT\Software\Microsoft\Protected Storage System Provider
  Description:  Lists web pages on which autocomplete was used.
  When updated: Immediately
  Version:      IE6 and below

IE Cleared Browser History On/Off
  Location:     NTUSER.DAT\Software\Microsoft\Internet Explorer\Privacy /
                ClearBrowserHistoryOnExit
  Description:  0=Off (default), 1=On. The Privacy subkey appears only after
                the user changes the setting for the first time.
  When updated: Upon changing the value in the GUI
  Version:      XP, V, 7

IE Default Download Directory
  Location:     NTUSER.DAT\Software\Microsoft\Internet Explorer
  Description:  Identifies the default download directory used by Internet
                Explorer.
  When updated: Immediately
  Version:      All

IE Favorites List
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                MenuOrder\Favorites\<favorites folder name>
  Description:  Lists favorites from the IE Favorites drop-down selector.
  When updated: N/A
  Version:      XP, V, 7

IE History Status
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\
                Internet Settings\5.0\Cache\Extensible Cache\<MSHist folder names>
  Description:  Mirrors the existing history folder storage that is hidden
                from the user in the history files.
  When updated: N/A
  Version:      XP, V, 7

IE IntelliForms
  Location:     NTUSER.DAT\Software\Microsoft\Internet Explorer\IntelliForms
  Description:  Encrypted user data in Storage1 and Storage2 (the information
                formerly kept by the Protected Storage System Provider).
  Version:      IE7 and above

IE Search Terms
  Location:     NTUSER.DAT\Software\Microsoft\Protected Storage System Provider\
                <SID>\Internet Explorer\Internet Explorer - q:StringIndex
  Description:  Stores IE search terms with date and time stamp.
  When updated: Immediately
  Version:      IE6 and below

IE Settings
  Location:     NTUSER.DAT\Software\Microsoft\Internet Explorer\Main
  Description:  Stores IE settings such as start page, save directory, home
                page, and download location.
  When updated: Immediately
  Version:      Through IE8

IE Typed URLs
  Location:     NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs
  Description:  Stores data entered into the URL address bar.
  When updated: When the application closes
  Version:      Through IE8

IE URL History - Days Saved
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\
                Internet Settings\URL History - DaysToKeep
  Description:  The number of days the system keeps URLs visited in IE. The
                default is 20 days.
  When updated: Immediately
  Version:      Through IE8

IE Web Form Data
  Location:     NTUSER.DAT\Software\Microsoft\Protected Storage System Provider\
                <SID>\Internet Explorer\Internet Explorer - q:StringIndex
  Description:  Stores form data entered within IE.
  When updated: Immediately
  Version:      IE6 and below

IM Contact List
  Location:     NTUSER.DAT\Software\Microsoft\MessengerService\ListCache\
                .NET Messenger Service
  Description:  Contains Contact, Allow, Block, and Reverse entries.
  When updated: At sign-off

IM File Sharing
  Location:     NTUSER.DAT\Software\Microsoft\MSNMessenger\FileSharing - Autoshare
  Description:  Shows whether file sharing is turned on.
  When updated: Immediately

IM File Transfers
  Location:     NTUSER.DAT\Software\Microsoft\Messenger Service - FtReceiveFolder
  Description:  Shows the location of the Received Files folder.
  When updated: Immediately

IM File Transfers
  Location:     NTUSER.DAT\Software\Microsoft\MSNMessenger - FTReceiveFolder
  Description:  Shows the location of the Received Files folder.
  When updated: Immediately

IM Last User
  Location:     NTUSER.DAT\Software\Microsoft\MessengerService\ListCache\
                .NET Messenger Service - IdentityName
  Description:  Screen name of the last logged-in user.
  When updated: At sign-off

IM Logging Enabled
  Location:     NTUSER.DAT\Software\Microsoft\MSN Messenger\PerPassportSettings\
                <##########> - MessageLoggingEnabled
  Description:  Shows whether message logging is turned on.
  When updated: Immediately

IM Message History
  Location:     NTUSER.DAT\Software\Microsoft\MSN Messenger\PerPassportSettings\
                <##########> - MessageLogPath
  Description:  Shows the location of message history files.
  When updated: Immediately

IM MSN Messenger
  Location:     NTUSER.DAT\Software\Microsoft\MessengerService\ListCache\
                .NET Messenger Service\*
  Description:  Contains IM groups, contacts, file transfer information, etc.
                for MSN Messenger.
  When updated: Most on sign-off; FTReceive is immediate.

IM Saved Contact List
  Location:     NTUSER.DAT\Software\Microsoft\Messenger Service - ContactListPath
  Description:  Shows the location of a saved Contact List (CTT) file.
  When updated: Immediately

IMV Usage
  Location:     NTUSER.DAT\Software\Yahoo\Pager\IMVironments (global value)
  Description:  Shows usage of IMVironments.
  When updated: Immediately

IMVs MRU List
  Location:     NTUSER.DAT\Software\Yahoo\Pager\profiles\<screen name>\
                IMVironments (user-specific value)
  Description:  Shows usage of IMVironments.
  When updated: Immediately

Jump List on Taskbar
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                Taskband / Favorites and FavoritesResolve
  Description:  Shows applications pinned to the taskbar. Retains removed
                applications.
  When updated: Upon pinning
  Version:      7

Kazaa
  Location:     NTUSER.DAT\Software\Kazaa\*
  Description:  Stores configuration, search, download, IM data, etc. for
                Kazaa.
  When updated: N/A

Map Network Drive MRU
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                Map Network Drive MRU
  Description:  Contains a most recently used list of mapped network drives.
  When updated: N/A
  Version:      XP, V, 7

Media Player Recent List
  Location:     NTUSER.DAT\Software\Microsoft\MediaPlayer\Player\RecentFileList
  Description:  Contains the user's most recently used list for Windows Media
                Player.
  When updated: Immediately

MRU - Last Visited
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                ComDlg32\
  Description:  Lists the application and filename of the most recent files
                opened in Windows.
  When updated: Immediately
  Version:      XP, V, 7

MRU - Open/Save
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                ComDlg32\OpenSaveMRU
  Description:  Lists the filename and path of the most recent files saved or
                copied to a specific location in Windows.
  When updated: Immediately
  Version:      XP, V, 7

MRU - Recent Documents
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                RecentDocs\
  Description:  Identifies the documents in the Recent Documents list
                available from the Windows Start menu.
  When updated: Immediately
  Version:      XP, V, 7

MRU - Run MRU
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                RunMRU
  Description:  Lists the most recent commands entered in the Windows Run box.
  When updated: Immediately
  Version:      XP, V, 7

MRUs - Common Dialog
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                ComDlg32
  Description:  Last Visited = application used; OpenSaveMRU = recent
                documents used with the Microsoft Save As dialog box.
  When updated: Immediately
  Version:      XP, V, 7

MUICache
  Location:     NTUSER.DAT\Software\Microsoft\Windows\Shell\MUICache
  Description:  Tracks the opening of executable files by the operating
                system.
                Note: In Windows 7, MUICache moved from NTUSER.DAT to the
                user's UsrClass.dat hive (Local Settings\Software\Microsoft\
                Windows\Shell\MuiCache, visible under HKCR\Local Settings).
  When updated: Immediately
  Version:      V

MUICache - XP
  Location:     NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\MUICache
  Description:  Tracks the opening of executable files by the operating
                system.
  When updated: Immediately
  Version:      XP

Network - Computer Description
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                ComputerDescriptions
  Description:  Network connections.
  When updated: N/A

Network - Mapped Network Drive MRU
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                Map Network Drive MRU
  Description:  Listed by drive letter.
  When updated: Immediately
  Version:      XP, V, 7

Network - Workgroup Crawler
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                WorkgroupCrawler\Shares
  Description:  Network shares crawled while connected.
  When updated: N/A

Outlook Account Passwords
  Location:     NTUSER.DAT\Software\Microsoft\Protected Storage System Provider\
                <SID>\Identification\INETCOMM Server Passwords
  Description:  Stores Outlook and Outlook Express account passwords.
  When updated: Immediately

Outlook Recent Attachments
  Location:     NTUSER.DAT\Software\Microsoft\Office\<version>\Common\Open Find\
                Microsoft Office Outlook\Settings\Save Attachment\File Name MRU
  Description:  Microsoft Outlook recently saved attachments.
  When updated: Immediately

Outlook Temporary Attachment Directory
  Location:     NTUSER.DAT\Software\Microsoft\Office\<version>\Outlook\Security
  Description:  Identifies the location where attachments are stored when
                they are opened from Outlook (OutlookSecureTempFolder value).
  When updated: Immediately

Paint MRU
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Applets\
                Paint\Recent File List
  Description:  MRU for MS Paint documents (File1-File9).
  When updated: Upon closing the application
  Version:      XP, V, 7

POP3 Passwords
  Location:     NTUSER.DAT\Software\Microsoft\Internet Account Manager\
                Accounts\0000000#
  Description:  Identifies the current user's POP3 passwords.
                Note: # is a digit identifying that particular account.
  When updated: Immediately
  Version:      XP

PowerPoint 2007 Autosave Info
  Location:     NTUSER.DAT\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\
                DocumentRecovery\<id#>
  Description:  Saves info about currently opened PowerPoint documents.
  When updated: When the document is opened and when saves are made
  Version:      Office 2007

PowerPoint 2007 MRU
  Location:     NTUSER.DAT\Software\Microsoft\Office\12.0\PowerPoint\File MRU
  Description:  MRU list for MS PowerPoint presentations (Item1-Item50).
                Note: The second bracketed number is a 64-bit date/time stamp
                (a Windows FILETIME written in hex) of when the document was
                opened.
  When updated: When the document is opened
  Version:      Office 2007

PowerPoint - Recent PPTs
  Location:     NTUSER.DAT\Software\Microsoft\Office\<version>\Common\Open Find\
                Microsoft Office PowerPoint\Settings\Save As\File Name MRU
  Description:  Microsoft PowerPoint recent documents.
  When updated: Unknown
  Version:      Pre Office 2007

Printer - Default
  Location:     NTUSER.DAT\Software\Microsoft\Windows NT\CurrentVersion\Windows
                (Device value)
  Description:  Identifies the current default printer.
  When updated: Immediately
  Version:      XP, V, 7

Printer - Default
  Location:     NTUSER.DAT\Printers
  Description:  Identifies the current default printer.
  When updated: On shutdown
  Version:      XP, V, 7

Publisher 2007 MRU
  Location:     NTUSER.DAT\Software\Microsoft\Office\12.0\Publisher\
                Recent File List
  Description:  MRU list for MS Publisher documents (File1-File9).
  When updated: When the document is opened
  Version:      Office 2007

Publisher - Recent Documents
  Location:     NTUSER.DAT\Software\Microsoft\Office\<version>\Common\Open Find\
                Microsoft Office Publisher\Settings\Save As\File Name MRU
  Description:  Microsoft Publisher recent documents.
  When updated: Unknown
  Version:      Pre Office 2007

Recycle Bin Info
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                BitBucket\Volume\<guid>
  Description:  Tracks recycle bin info by volume GUID (track the GUID back to
                MountedDevices in the SYSTEM hive): MaxCapacity in MB and
                NukeOnDelete, where 0=bin in use (default) and 1=bin bypassed
                (deleted files are not kept).
  When updated: N/A
  Version:      V, 7

Regedit - Favorites
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Applets\
                Regedit\Favorites
  Description:  Displays user-selected favorites in the Regedit utility.
  When updated: Immediately after entering
  Version:      XP, V, 7

Regedit - Last Key
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Applets\
                Regedit / LastKey
  Description:  Displays the last subkey Regedit was on when it was closed.
  When updated: Upon closing Regedit
  Version:      XP, V, 7

Run
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
  Description:  Lists programs that run automatically when the user logs on.
  When updated: N/A
  Version:      XP, V, 7

Screen Saver Enabled
  Location:     NTUSER.DAT\Control Panel\Desktop / ScreenSaveActive
  Description:  1=Active, 0=Disabled. The screen saver's path/name is in the
                SCRNSAVE.EXE value.
                Note: In Windows 7, ScreenSaveActive stays 1 whether the
                screen saver is enabled or not, but SCRNSAVE.EXE appears on
                enable and disappears on disable.
  When updated: Immediately
  Version:      XP, V, 7

Screen Saver Password Enabled
  Location:     NTUSER.DAT\Control Panel\Desktop / ScreenSaverIsSecure
  Description:  0=No password required, 1=Password required when the screen
                saver is active.
  When updated: Immediately
  Version:      XP, V, 7

Screen Saver Timeout
  Location:     NTUSER.DAT\Control Panel\Desktop / ScreenSaveTimeOut
  Description:  Length of time, in seconds, before the screen saver becomes
                active.
  When updated: Immediately
  Version:      XP, V, 7

Screen Savers and Wallpaper
  Location:     NTUSER.DAT\Control Panel\Desktop\
  Description:  Identifies the system's screen saver and wallpaper.
  When updated: Immediately
  Version:      XP, V, 7

ShellBags
  Location:     NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
  Description:  Pointers to link history and other file and folder
                information.
  When updated: N/A
  Version:      XP

Start Menu Program List
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                MenuOrder\Programs\<appname>
  Description:  Program listing drawn for the Start button.
  When updated: N/A
  Version:      XP

Start Searches Entered by User
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                WordWheelQuery
  Description:  In Windows 7, captures search terms entered by the user in
                the Start > Search box.
  When updated: After pressing Enter
  Version:      7

Start Searches Entered by User
  Location:     NTUSER.DAT\Software\Microsoft\Search Assistant\ACMru\<5###>
  Description:  Searches from the built-in search engine. 5001=Internet
                searches, 5603=Files and folders, 5604=Pictures and music,
                5647=Computers and people.
  When updated: Immediately
  Version:      XP

Startup Software
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
  Description:  Stores the applications launched automatically when this
                user logs on (this is a per-user hive, so the entries run at
                logon, not at boot). This key is a good place to look for
                trojans.
  When updated: N/A
  Version:      XP, V, 7

Startup Software
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Description:  Stores applications launched automatically, once, at this
                user's next logon; an entry is removed after it runs. This
                key is a good place to look for trojans.
  When updated: N/A
  Version:      XP, V, 7

Theme - Current Theme
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Themes
  Description:  Identifies the Desktop theme and wallpaper.
  When updated: Unknown
  Version:      XP, V, 7

Theme - Last Theme
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Themes\
                Last Theme
  Description:  Identifies the Desktop theme and wallpaper.
  When updated: Immediately
  Version:      XP, V

Typed Paths in Windows Explorer
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                TypedPaths
  Description:  Paths the user typed (or pasted) into the Windows Explorer
                address bar.
  When updated: Upon pressing <Enter>
  Version:      7

UserAssist
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                UserAssist\<guid>
  Description:  Application usage showing last access and number of launches
                of applications.
                Note: The GUID beginning 750 is used in Windows 2000, XP, and
                Vista.
  When updated: Immediately
  Version:      XP, V

UserAssist
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                UserAssist\<guid>
  Description:  Application usage showing last access and number of launches
                of applications.
                Note: The GUIDs change in Windows 7. The GUID beginning F4E
                holds launches made through shortcuts (.lnk files); the GUID
                beginning CEBF holds direct executable launches.
  When updated: Immediately
  Version:      7
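The two UserAssist entries above say what the key records (launch counts and last-run times) but not how to read it. The following Python is an example added here; it is not part of the AccessData chart. It uses the widely documented UserAssist format, which the chart does not state: value names under the <guid>\Count subkey are ROT13-obfuscated program paths, and the binary data is 16 bytes on 2000/XP/Vista (session id, run count that starts at 5, FILETIME) or 72 bytes on Windows 7 (run count at offset 4, focus count at 8, focus time in ms at 12, FILETIME of the last run at offset 60). The sample Count values are constructed, not taken from a real hive; the folder GUID in the Windows 7 sample is the known-folder id Windows 7 writes for the system directory.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime; 0 means unset."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the constructed samples."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def decode_userassist_entry(value_name: str, data: bytes) -> dict:
    """Decode one value of ...\\Explorer\\UserAssist\\<guid>\\Count."""
    name = codecs.decode(value_name, "rot13")  # value names are ROT13-obfuscated
    if len(data) == 16:  # 2000 / XP / Vista layout
        _session, count, ticks = struct.unpack("<IIQ", data)
        run_count = max(count - 5, 0)  # counter starts at 5 on the first launch
        focus_count = focus_ms = None
    elif len(data) == 72:  # Windows 7 layout
        _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        (ticks,) = struct.unpack_from("<Q", data, 60)
    else:
        raise ValueError(f"unexpected UserAssist value length {len(data)} for {name!r}")
    return {
        "name": name,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run_utc": filetime_to_datetime(ticks),
    }


def decode_userassist_count_key(values: dict) -> list:
    """Decode every value of a Count subkey (name -> raw bytes), most recent run first.
    Values with an unknown length (e.g. the 8-byte UEME_CTLSESSION record) are skipped."""
    entries = []
    for name, data in values.items():
        try:
            entries.append(decode_userassist_entry(name, data))
        except ValueError:
            continue
    entries.sort(key=lambda e: e["last_run_utc"] or FILETIME_EPOCH, reverse=True)
    return entries


def _win7_value(run_count: int, focus_count: int, focus_ms: int, last_run: datetime) -> bytes:
    """Build a 72-byte Windows 7 UserAssist value (constructed sample data)."""
    buf = bytearray(72)
    struct.pack_into("<IIII", buf, 0, 0, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", buf, 60, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 68, 0xFFFFFFFF)
    return bytes(buf)


# Constructed samples, not real hive data.  Names are stored ROT13-encoded as Windows does.
SAMPLE_WIN7_COUNT = {
    codecs.encode(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe", "rot13"):
        _win7_value(7, 3, 120000, datetime(2010, 9, 24, 17, 5, tzinfo=timezone.utc)),
    codecs.encode(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe", "rot13"):
        _win7_value(2, 2, 4000, datetime(2010, 9, 25, 9, 0, tzinfo=timezone.utc)),
}
SAMPLE_XP_COUNT = {
    codecs.encode(r"UEME_RUNPATH:C:\WINDOWS\system32\notepad.exe", "rot13"):
        struct.pack("<IIQ", 1, 5 + 3,
                    datetime_to_filetime(datetime(2010, 9, 20, 8, 15, tzinfo=timezone.utc))),
    codecs.encode("UEME_CTLSESSION", "rot13"): struct.pack("<II", 1, 0),  # skipped
}

if __name__ == "__main__":
    for label, sample in (("Windows 7", SAMPLE_WIN7_COUNT), ("XP", SAMPLE_XP_COUNT)):
        print(label)
        for e in decode_userassist_count_key(sample):
            print(f"  {e['last_run_utc']:%Y-%m-%d %H:%M:%S} UTC  runs={e['run_count']:<3} {e['name']}")
```

Against a real hive, pass the name/data pairs of the Count subkey as read by an offline hive parser; the GUID level is not needed, because the two layouts are told apart by their length.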
Windows Explorer Settings
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\
                Advanced
  Description:  Windows Explorer preferences.
  When updated: Immediately
  Version:      XP, V, 7

WinZip - Accessed Archives
  Location:     NTUSER.DAT\Software\Nico Mak Computing\WinZip\filemenu /
                filemenu##
  Description:  Paths of accessed Zip archives.
  When updated: Immediately
  Version:      11.1

WinZip - Extraction MRU
  Location:     NTUSER.DAT\Software\Nico Mak Computing\WinZip\Extract / extract#
  Description:  The paths to which Zip archives were extracted.
  When updated: Immediately
  Version:      11.1

WinZip - Location Extracted To
  Location:     NTUSER.DAT\Software\Nico Mak Computing\WinZip\Directories /
                ExtractTo
  Description:  Last location to which a Zip archive was extracted.
  When updated: Immediately
  Version:      11.1

WinZip - Registered User
  Location:     NTUSER.DAT\Software\Nico Mak Computing\WinZip\WinIni / Name 1
  Description:  Registered user for the installation.
  When updated: N/A
  Version:      11.1

WinZip - Temp File
  Location:     NTUSER.DAT\Software\Nico Mak Computing\WinZip\Directories /
                ZipTemp
  Description:  WinZip temporary file location.
  When updated: N/A
  Version:      11.1

WinZip - Zip Creation Location
  Location:     NTUSER.DAT\Software\Nico Mak Computing\WinZip\Directories /
                AddDir
  Description:  Last location from which a Zip file was created.
  When updated: Immediately
  Version:      11.1

WinZip - Zip Creation Location
  Location:     NTUSER.DAT\Software\Nico Mak Computing\WinZip\Directories /
                DefDir
  Description:  Last location to which a Zip file was created or from which
                one was opened.
  When updated: Immediately
  Version:      11.1

Word 2007 Autosave Info
  Location:     NTUSER.DAT\Software\Microsoft\Office\12.0\Word\Resiliency\
                DocumentRecovery\<id#>
  Description:  Saves info about currently opened Word documents.
  When updated: When the document is opened and when saves are made
  Version:      Office 2007

Word 2007 MRU
  Location:     NTUSER.DAT\Software\Microsoft\Office\12.0\Word\File MRU
  Description:  MRU list for MS Word documents (Item1-Item50).
                Note: The second bracketed number is a 64-bit date/time stamp
                (a Windows FILETIME written in hex) of when the document was
                opened.
  When updated: When the document is opened
  Version:      Office 2007
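The Excel 2007, PowerPoint 2007 and Word 2007 MRU entries above all note that the second bracketed number in each "Item N" value is a 64-bit timestamp of the last open. The Python below is an example added here, not part of the AccessData chart: it parses the Office 2007 item format `[F<8 hex flags>][T<16 hex FILETIME>]*<path>` and converts the FILETIME (100 ns ticks since 1601-01-01 UTC) to a UTC datetime, returning the items in MRU order. The sample File MRU dictionary is constructed, not read from a real hive, and the "Max Display" housekeeping value in it is included only to show that non-Item values are ignored.

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# One "Item N" string under ...\Office\12.0\<app>\File MRU looks like
#   [F00000000][T01CB5C1E8B7D4000]*C:\Users\analyst\Documents\quarterly.docx
# [F...] is a flags field; [T...] is the timestamp the chart describes, a
# Windows FILETIME written as 16 hex digits.
ITEM_RE = re.compile(
    r"^\[F(?P<flags>[0-9A-Fa-f]{8})\]\[T(?P<ticks>[0-9A-Fa-f]{16})\]\*(?P<path>.+)$"
)
ITEM_NAME_RE = re.compile(r"^Item\s*(\d+)$")


def filetime_to_datetime(ticks: int) -> datetime:
    """100 ns ticks since 1601-01-01 UTC -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build the constructed sample."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_mru_item(data: str) -> dict:
    """Split one Item string into path, flags and the UTC time it was last opened."""
    m = ITEM_RE.match(data)
    if not m:
        raise ValueError(f"not an Office 2007 File MRU item: {data!r}")
    return {
        "path": m.group("path"),
        "flags": int(m.group("flags"), 16),
        "opened_utc": filetime_to_datetime(int(m.group("ticks"), 16)),
    }


def parse_file_mru(values: dict) -> list:
    """values maps value name -> data for one File MRU key.  Returns the Item
    entries ordered by item number (Item 1 is the most recently opened);
    values that are not string Items are ignored."""
    entries = []
    for name, data in values.items():
        m = ITEM_NAME_RE.match(name)
        if not m or not isinstance(data, str):
            continue
        entry = parse_mru_item(data)
        entry["item"] = int(m.group(1))
        entries.append(entry)
    return sorted(entries, key=lambda e: e["item"])


def make_item(path: str, opened: datetime, flags: int = 0) -> str:
    """Build an Item string in the Office 2007 format (used for the sample below)."""
    return f"[F{flags:08X}][T{datetime_to_filetime(opened):016X}]*{path}"


# Constructed sample of a Word 2007 File MRU key; not real hive data.
SAMPLE_WORD_FILE_MRU = {
    "Max Display": 50,
    "Item 1": make_item(r"C:\Users\analyst\Documents\quarterly.docx",
                        datetime(2010, 9, 25, 14, 30, tzinfo=timezone.utc)),
    "Item 2": make_item(r"\\fileserver\shares\contracts\nda.docx",
                        datetime(2010, 9, 24, 11, 2, tzinfo=timezone.utc)),
    "Item 3": make_item(r"E:\notes.doc",
                        datetime(2010, 9, 1, 8, 0, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for e in parse_file_mru(SAMPLE_WORD_FILE_MRU):
        print(f"Item {e['item']:2d}  {e['opened_utc']:%Y-%m-%d %H:%M:%S} UTC  {e['path']}")
```

The same parser applies to the Excel and PowerPoint File MRU keys, since the item format is shared across the Office 2007 applications; note that the timestamp is UTC and should be converted with the machine's time zone from the SYSTEM hive before comparing it with local-time artifacts.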
Word - Recent Docs
  Location:     NTUSER.DAT\Software\Microsoft\Office\<version>\Common\Open Find\
                Microsoft Office Word\Settings\Save As\File Name MRU
  Description:  Microsoft Word recent documents in the "value" value.
  When updated: Unknown
  Version:      Pre Office 2007

Word - User Info
  Location:     NTUSER.DAT\Software\Microsoft\Office\<version>\Common\UserInfo
  Description:  Identifies the user information entered when installing
                Microsoft Office. Note that this information may be modified
                after installation.
  When updated: Unknown
  Version:      Pre Office 2007

WordPad MRU
  Location:     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Applets\
                Wordpad\Recent File List
  Description:  MRU for WordPad documents (File1-File9).
  When updated: When the document is closed
  Version:      XP, V, 7

Yahoo!
  Location:     NTUSER.DAT\Software\Yahoo\Pager\Profiles\*
  Description:  Stores IM contacts, file transfer information, etc. for Yahoo!.
  When updated: N/A

Yahoo! File Transfers
  Location:     NTUSER.DAT\Software\Yahoo\Pager\File Transfer (global value)
  Description:  Shows the number of transfers in and out.
  When updated: Immediately

Yahoo! File Transfers
  Location:     NTUSER.DAT\Software\Yahoo\Pager\profiles\<screen name>\
                FileTransfer (user-specific)
  Description:  Shows settings for file transfers.
  When updated: Immediately

Yahoo! Identities
  Location:     NTUSER.DAT\Software\Yahoo\Pager\profiles\<screen name> -
                All Identities, Selected Identities
  Description:  Shows alternate user identities.
  When updated: Unknown

Yahoo! Last User
  Location:     NTUSER.DAT\Software\Yahoo\Pager - Yahoo! User ID
  Description:  Last logged-in user.
  When updated: Immediately

Yahoo! Message Archiving
  Location:     NTUSER.DAT\Software\Yahoo\Pager\profiles\<screen name>\Archive
  Description:  Shows settings for message archiving.
  When updated: Immediately

Yahoo! Password
  Location:     NTUSER.DAT\Software\Yahoo\Pager - EOptions string
  Description:  Encrypted password.
  When updated: Immediately

Yahoo! Recent Contacts
  Location:     NTUSER.DAT\Software\Yahoo\Pager\profiles\<screen name>\
                IMVironments\Recent
  Description:  Shows recent contacts and which IMV was used.
  When updated: Immediately

Yahoo! Saved Password
  Location:     NTUSER.DAT\Software\Yahoo\Pager - Save Password
  Description:  Shows whether the password is saved.
  When updated: Immediately

Yahoo! Screen Names
  Location:     NTUSER.DAT\Software\Yahoo\Pager\profiles\<screen name>
  Description:  Shows registered screen names and identities.
  When updated: Immediately

Yserver
  Location:     NTUSER.DAT\Software\Yahoo\Yserver
  Description:  Points to a directory location for file transfer information.
  When updated: N/A
SAM INFORMATION

All locations in this section are in the SAM hive. The F and V values live
under each account's RID-named subkey (SAM\Domains\Account\Users\<RID>,
where <RID> is the RID as 8 hex digits, e.g. 000003E8 for RID 1000).

Account Expiration
  Location:     SAM\Domains\Account\Users\<RID> / F
  Description:  Bytes 33-40 store the account expiration. If no expiration
                is set, the field reads FF FF FF FF FF FF FF 7F.
  When updated: N/A
  Version:      XP, V, 7

Group Names - Custom
  Location:     SAM\Domains\Account\Aliases\Names
  Description:  List of custom groups by name.
  When updated: Immediately
  Version:      XP, V, 7

Group Names - Local
  Location:     SAM\Domains\Builtin\Aliases\Names
  Description:  List of local group names.
  When updated: Immediately
  Version:      XP, V, 7

Groups - Custom
  Location:     SAM\Domains\Account\Aliases\<RID>
  Description:  List of custom groups by RID.
  When updated: Immediately
  Version:      XP, V, 7

Groups - Local
  Location:     SAM\Domains\Builtin\Aliases\<RID>
  Description:  List of local groups by RID.
  When updated: Immediately
  Version:      XP, V, 7

Home Group
  Location:     SAM\Domains\Account\Users
  Description:  The HomeGroup user account appears both by RID and under
                Names.
  When updated: N/A
  Version:      7

Last Failed Login
  Location:     SAM\Domains\Account\Users\<RID> / F
  Description:  Bytes 41-48 store the last unsuccessful logon.
  When updated: N/A
  Version:      XP, V, 7

Last Logon Time
  Location:     SAM\Domains\Account\Users\<RID> / F
  Description:  Bytes 9-16 store the last logon time.
  When updated: N/A
  Version:      XP, V, 7

Last Time Password Changed
  Location:     SAM\Domains\Account\Users\<RID> / F
  Description:  Bytes 25-32 store the last time the password was changed.
  When updated: N/A
  Version:      XP, V, 7

Local Groups
  Location:     SAM\Domains\Builtin\Aliases\Names
  Description:  Lists local groups by name; each name subkey's default value
                carries the group's RID as its value type.
  When updated: N/A
  Version:      XP, V, 7

Local Users
  Location:     SAM\Domains\Account\Users\Names
  Description:  Lists local user accounts by name; each name subkey's default
                value carries the account's RID as its value type.
  When updated: N/A
  Version:      XP, V, 7

Machine SID
  Location:     SAM\Domains\Account / V
  Description:  The last twelve bytes of the V value hold the three
                sub-authorities of the machine SID (S-1-5-21-a-b-c), each a
                little-endian 32-bit integer.
  When updated: N/A
  Version:      XP, V, 7

Password Hint
  Location:     SAM\Domains\Account\Users\<RID> / UserPasswordHint
  Description:  Shows the logon password hint, if the user set one.
  Version:      V, 7

User Name and SID
  Location:     SAM\Domains\Account\Users\<RID> / V
  Description:  Contains the username (and the other account strings) in
                hex. Note: See "User Name and SID" in SOFTWARE Information.
                The account's SID is the machine SID followed by the RID;
                convert the three hex sub-authorities and the hex RID to
                decimal to obtain the S-1-5-21-...-<RID> form used for the
                Recycler and System Volume Information folder names.
  When updated: N/A
  Version:      XP, V, 7
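The SAM entries above give byte ranges in the F value and describe the machine SID and RID but leave the decoding to the reader. The Python below is an example added here, not part of the AccessData chart. It parses the four FILETIMEs at the offsets the chart lists (converted to 0-based offsets 8, 24, 32 and 40), treats 0 and the FF FF FF FF FF FF FF 7F sentinel as "not set", and builds the textual user SID from the machine SID in Account\V plus the RID key name. The RID (offset 0x30), account-control flags (0x38) and logon counters (0x40, 0x42) are not listed on the chart; they follow the F-value layout used by open-source SAM parsers. The machine SID is taken from the last 24 bytes of V, which is the complete binary SID whose final 12 bytes are the three sub-authorities the chart mentions. All sample values are constructed, not read from a real hive.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF  # FF FF FF FF FF FF FF 7F, the "no expiration" pattern


def filetime_to_datetime(ticks: int):
    """100 ns ticks since 1601-01-01 UTC -> datetime; 0 and the 'never' sentinel -> None."""
    if ticks == 0 or ticks >= NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


# 0-based offsets of the 8-byte FILETIMEs in F; the chart counts bytes from 1.
F_TIMESTAMPS = {
    "last_logon": 8,           # bytes 9-16
    "password_last_set": 24,   # bytes 25-32
    "account_expires": 32,     # bytes 33-40
    "last_failed_logon": 40,   # bytes 41-48
}

# Account-control bits in the 16-bit field at offset 0x38 (USER_ACCOUNT_* flags
# from MS-SAMR); not listed on the chart.
ACB_FLAGS = [
    (0x0001, "disabled"),
    (0x0004, "password_not_required"),
    (0x0010, "normal_account"),
    (0x0200, "password_never_expires"),
    (0x0400, "auto_locked"),
]


def parse_f_value(f: bytes) -> dict:
    """Parse SAM\\Domains\\Account\\Users\\<RID> / F (the fixed-size account record)."""
    if len(f) < 0x44:
        raise ValueError(f"F value too short: {len(f)} bytes")
    rec = {name: filetime_to_datetime(struct.unpack_from("<Q", f, off)[0])
           for name, off in F_TIMESTAMPS.items()}
    (rec["rid"],) = struct.unpack_from("<I", f, 0x30)
    (flags,) = struct.unpack_from("<H", f, 0x38)
    rec["flags"] = [label for bit, label in ACB_FLAGS if flags & bit]
    rec["bad_password_count"], rec["logon_count"] = struct.unpack_from("<HH", f, 0x40)
    return rec


def binary_sid_to_string(data: bytes) -> str:
    """Binary SID (revision, sub-authority count, 48-bit big-endian identifier
    authority, then 32-bit little-endian sub-authorities) -> 'S-1-5-21-...'."""
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", data, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def machine_sid_from_account_v(v: bytes) -> str:
    """Machine SID from SAM\\Domains\\Account / V: the value ends with the full
    24-byte binary SID, whose last 12 bytes are the three sub-authorities."""
    sid = binary_sid_to_string(v[-24:])
    if not sid.startswith("S-1-5-21-"):
        raise ValueError(f"unexpected machine SID {sid}")
    return sid


def user_sid(machine_sid: str, rid_key_name: str) -> str:
    """Users subkeys are named with the RID as 8 hex digits (000003E8 -> 1000); the
    account SID, as used in Recycler / System Volume Information folder names, is
    the machine SID followed by that RID in decimal."""
    return f"{machine_sid}-{int(rid_key_name, 16)}"


def _filetime(dt: datetime) -> int:
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def _build_sample_f() -> bytes:
    """Constructed 80-byte F value for RID 1000: normal account, password never
    expires, no expiration date, never a failed logon, 42 logons."""
    buf = bytearray(80)
    struct.pack_into("<Q", buf, 8, _filetime(datetime(2010, 9, 20, 8, 15, tzinfo=timezone.utc)))
    struct.pack_into("<Q", buf, 24, _filetime(datetime(2010, 1, 5, 12, 0, tzinfo=timezone.utc)))
    struct.pack_into("<Q", buf, 32, NEVER_EXPIRES)
    struct.pack_into("<I", buf, 0x30, 1000)
    struct.pack_into("<H", buf, 0x38, 0x0010 | 0x0200)
    struct.pack_into("<HH", buf, 0x40, 0, 42)
    return bytes(buf)


SAMPLE_F = _build_sample_f()
# Constructed tail of Account\V: filler followed by the binary SID S-1-5-21-a-b-c.
SAMPLE_ACCOUNT_V = (bytes(16) + bytes([1, 4]) + (5).to_bytes(6, "big")
                    + struct.pack("<IIII", 21, 1004336348, 1177238915, 682003330))

if __name__ == "__main__":
    machine = machine_sid_from_account_v(SAMPLE_ACCOUNT_V)
    rec = parse_f_value(SAMPLE_F)
    print("account SID:", user_sid(machine, "000003E8"))
    for k, v in rec.items():
        print(f"  {k:>20}: {v}")
```

The chart's "convert the last three hex numbers to decimal" step is what binary_sid_to_string does for the sub-authorities; the hex RID from the key name is converted the same way in user_sid.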
9-25-10
SECURITY INFORMATION
9-25-10

Information File Location Description When Updated Version

Passwords— SECURITY SECURITY\Policy\Secrets\ CurrVal holds the current N/A XP, 7


Cached DefaultPassword / CurrVal and administrative password and OldVal
Administrative OldVal holds the previous.
Passwords

Passwords— SECURITY SECURITY\Cache / NL$# Default stores up to 10 set in N/A XP


Cached SOFTWARE file.
©2010 AccessData Group, LLC. All Rights Reserved

Domain
Passwords

SOFTWARE INFORMATION

| Information | File | Location | Description | When Updated | Version |
|---|---|---|---|---|---|
| Auto Logon Set | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon / AutoAdminLogon | 1=allow auto logon; 0=disabled. The value won't exist unless the user set up autologon. | Immediately | XP, V |
| Auto Logon Set - Password | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon / DefaultPassword | If autologon is set, the password must be present in this value in the clear. | Immediately | XP, V |
| Class Identifiers | SOFTWARE | SOFTWARE\Classes\CLSID | Class identifier information: GUIDs of applications and processes. | N/A | XP, V, 7 |
| Group Memberships | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership | List of groups with which the user is associated. | Immediately | XP, V, 7 |
| Home Group | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\SharingPreferences\<sid> | | N/A | 7 |
| ICQ | SOFTWARE | SOFTWARE\Mirabilis\ICQ\Owner | Stores the User Identification Number (UIN). | At logon | |
| Indexed Folders | SOFTWARE | SOFTWARE\Microsoft\Windows Search\CrawlScopeManager\Windows\SystemIndex\WorkingSetRules\<#> | Reports the folders currently being indexed for the Search utility. | Upon adding a folder | V, 7 |
| Install Date | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion | Lists the date the operating system was installed. | N/A | XP, V, 7 |
| Installed Application List | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | List of installed applications, used for uninstall. | N/A | XP, V, 7 |
| Installed Application List | SOFTWARE | SOFTWARE\Wow6432Node\<appname> | List of installed 32-bit applications. | N/A | 7 |
| Installed Application List | SOFTWARE | SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SharedDLLs | List of executables for installed applications. | N/A | 7 |
| Installed Application List | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\<appname> | List of installed applications. | N/A | XP, V, 7 |
| Installed Internet Browsers | SOFTWARE | SOFTWARE\Clients\StartMenuInternet\<appname> | List of installed Internet browsers. | N/A | XP, V, 7 |
| Installed Internet Browsers - Default Browser | SOFTWARE | SOFTWARE\Clients\StartMenuInternet / default | Default installed Internet browser. | N/A | |
| Last Logged on User | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI | Displays the user name of the last logged-on user, the computer name, and the date/time of last logon in the key's last-modified time stamp. If the shutdown is normal, the subkey is modified to the logoff time. | N/A | V, 7 |
| Last User Logged In | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Lists the last user that logged in to the system. This can be a local or a domain account. | N/A | |
| Libraries | SOFTWARE | SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\<#> | | Upon creation | 7 |
| Logon Banner Message | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText | Contains the banner that appears at boot time. Users must click through the log-on banner to log on to the system. | N/A | |
| Logon Banner Message | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText | Contains user-defined data. | N/A | |
| Logon Banner Title | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption | Contains user-defined data. | N/A | |
| Logon Info—Default User and Domain Name | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Identifies the default user and the associated domain name. | N/A | |
| Logon Info—Legal Notices on Bootup | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Contains legal notices that appear at boot time. Users must click through the log-on banner to log on to the system. | N/A | |
| Network Cards | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\# | Lists installed network cards. The value can be matched to the GUID stored in the SYSTEM file at SYSTEM\ControlSet###\Services\tcpip\Parameters\Interfaces\<guid>. | N/A | XP, V, 7 |
| OS Version | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion | Identifies the currently installed OS version and service pack release. | N/A | XP, V, 7 |
| Password Hint XP | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\Hints\<username> | XP password hint storage location. | Immediately | XP |
| Passwords—Cached Logon Password Maximum | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Controls the maximum number of cached passwords stored in the SECURITY file. | N/A | XP |
| Printer Properties for Installed Printers | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\<printername> | Detailed printer information, including user-entered properties from Control Panel. | N/A | XP, V, 7 |
| Product ID | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion | Lists the Windows OS product key. | N/A | XP, V, 7 |
| Product Name | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion | Lists the name of the operating system. | N/A | XP, V, 7 |
| Profile List | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList | Contains the user security identifier for users with a profile on the system. | N/A | XP, V, 7 |
| ReadyBoost Attachments | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\<driveid> | List of attached USB devices for the ReadyBoost utility. | N/A | V, 7 |
| Recycle Bin Info - XP | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\<driveletter> | Windows XP Recycler info by drive letter: Max Capacity in MB, and NukeOnDelete (0=bin being used (default); 1=bin is being bypassed). | N/A | XP |
| Registered Organization | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion | Identifies the registered organization entered during installation. Note this information may be modified after installation. | N/A | XP, V, 7 |
| Registered Owner | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion | Identifies the registered owner entered during installation. Note this information may be modified after installation. | N/A | XP, V, 7 |
| Restore Point Information | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore | System Restore parameters. | N/A | XP |
| Restricted Access to Removable Media | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Lists allocated CD-ROMs and floppies that are set to 0 (restricted). | N/A | XP |
| Run | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Lists programs that run automatically when the system boots. | N/A | XP, V, 7 |
| Startup Location | SOFTWARE | SOFTWARE\Microsoft\Command Processor / AutoRun | AutoRun runs any application noted here whenever cmd.exe is run. | N/A | |
| Startup Location | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon / Userinit | Applications to start on bootup. | N/A | |
| Startup Software | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Stores the applications automatically launched at boot time. This key is a good place to look for trojans. | N/A | XP, V, 7 |
| Startup Software | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | Stores the applications automatically launched at boot time. This key is a good place to look for trojans. | N/A | XP, V, 7 |
| System Restore Info | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore | System Restore settings and info. | | V, 7 |
| Time Synchronization with Internet - Servers | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers | | N/A | XP, V, 7 |
| Turn off UAC Behavior | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin value | Turns off the prompt to Continue (the Cancel or Allow prompt) when running a program that needs elevated rights. 0 is off, 2 is on (default). | | V, 7 |
| UAC – On or Off | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA value | Identifies whether UAC is on or off. By default it is on: value 1. If off: value 0. | | V, 7 |
| USB ID linked to Volume Serial Number | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt | Tracks USB keys by identifier and by volume serial number. The date and time the device was tested for use as a cache is stored along with the USB size. | | V, 7 |
| User Account Control | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | UAC status: 1=Enabled; 0=Not Enabled. | Upon changing | V, 7 |
| User Name and SID | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ (Note: See “User Name and SID” in SAM Information on page 19.) | Contains the username and SID in hex. You must convert the last three hex numbers to decimal to determine the decimal version of the SID that is used in the Recycler and System Volume Information folder. | N/A | XP, V, 7 |
| WinZip Information | SOFTWARE | SOFTWARE\Nico Mak Computing | Contains WinZip information. | | XP, V, 7 |
| Wireless Vista, Windows 7 | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\<guid> | Each GUID is a connection. | N/A | V, 7 |
| Wireless Vista, Windows 7 | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed (or Unmanaged)\<guid> | Managed tracks hardwired connections; Unmanaged tracks wireless connections. | N/A | V, 7 |
| Wireless XP | SOFTWARE | SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{0E271E68-9033-4A25-9883-A020B191B3C1} / Static##### | SSIDs are located in the Static# values followed by 4 digits. | Immediately | XP |
| Wireless XP | SOFTWARE | SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\{0E271E68-9033-4A25-9883-A020B191B3C1} / # | SSIDs are located in the decimal number values. | N/A | XP |
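Decoding the binary SID named in the “User Name and SID” row above into its S-1-5-... decimal form, as an added example that is not part of the AccessData chart: it implements the full binary SID layout (revision, identifier authority, every sub-authority) rather than only the last three numbers, and the hex bytes it decodes are constructed, not taken from a real hive.

```python
"""Decode a REG_BINARY SID into the decimal S-1-... form used for folder names.

Added example, not part of the AccessData chart; the sample bytes below are
constructed, not taken from a real hive.
"""
import struct


def sid_from_bytes(raw: bytes) -> str:
    """Convert a binary SID to its string form.

    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit
    identifier authority (big-endian), then `count` little-endian 32-bit
    sub-authorities. The last sub-authority is the RID.
    """
    if len(raw) < 8:
        raise ValueError("SID blob is shorter than the 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-" + "-".join(str(part) for part in (revision, authority, *subs))


def sid_from_reg_hex(hex_text: str) -> str:
    """Accept the comma-separated hex that .reg exports use for REG_BINARY."""
    return sid_from_bytes(bytes.fromhex(hex_text.replace(",", "").replace(" ", "")))


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_from_bytes: encode an S-1-... string as the binary blob."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID string {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def rid(sid: str) -> int:
    """Relative identifier (last sub-authority), e.g. 500 for the built-in Administrator."""
    return int(sid.rsplit("-", 1)[1])


# Constructed sample: a ProfileList\<sid>\Sid value as a .reg export would show it.
SAMPLE_PROFILE_SID_HEX = (
    "01,05,00,00,00,00,00,05,15,00,00,00,"
    "d2,02,96,49,b1,68,de,3a,f7,76,e5,42,e9,03,00,00"
)

if __name__ == "__main__":
    sid = sid_from_reg_hex(SAMPLE_PROFILE_SID_HEX)
    # The decoded string is the per-user folder name under RECYCLER / $Recycle.Bin.
    print(sid, "RID", rid(sid))
    assert sid_from_bytes(sid_to_bytes(sid)) == sid
```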

SYSTEM INFORMATION

| Information | File | Location | Description | When Updated | Version |
|---|---|---|---|---|---|
| $MFT Zone Definition | SYSTEM | SYSTEM\ControlSet###\Control\FileSystem / NtfsMftZoneReservation | Values 1-4: 1=12.5%; 2=25%; 3=37.5%; 4=50%. These values are defined according to Microsoft; however, values of 0 are common defaults and may be the same as a 1. | N/A | XP, V, 7 |
| Automatic time zone adjustment | SYSTEM | SYSTEM\ControlSet###\Control\TimeZoneInformation\DynamicDaylightTimeDisabled value | 0=On (default); 1=Disabled. | | V, 7 |
| Clearing Page File at Shutdown | SYSTEM | SYSTEM\ControlSet###\Control\Session Manager\Memory Management / ClearPageFileAtShutdown | 0=Off (default); 1=On. | N/A | XP, V, 7 |
| Computer Name | SYSTEM | SYSTEM\ControlSet###\Control\ComputerName\ComputerName | Identifies the computer’s name defined in System Properties. | N/A | XP, V, 7 |
| Current Control Set | SYSTEM | SYSTEM\Select | Identifies which control set is current. | N/A | XP, V, 7 |
| Current Control Set | SYSTEM | SYSTEM\Select\Current | Contains information about the system’s configuration settings. | N/A | XP, V, 7 |
| Display | SYSTEM | SYSTEM\ControlSet###\Enum\Display | Monitor settings. | N/A | XP, V, 7 |
| DLLs Loaded at Bootup | SYSTEM | SYSTEM\ControlSet###\Control\Session Manager\KnownDLLs | Listing of DLL files implicitly loaded at startup. | | |
| Dynamic Disk | SYSTEM | SYSTEM\ControlSet###\Services\DMIO\Boot Info\Primary Disk Group | Identifies the most recent dynamic disk mounted in the system. | N/A | XP, V, 7 |
| Event Log Restrictions | SYSTEM | SYSTEM\ControlSet###\Services\EventLog\Application | Identifies who can read your event logs. A value of 1 restricts access; 0 permits access for guest and null users. | N/A | XP, V, 7 |
| Event Logs | SYSTEM | SYSTEM\ControlSet###\Services\Eventlog | Identifies the location of event logs. | N/A | XP, V, 7 |
| Firewall Enabled | SYSTEM | SYSTEM\ControlSet###\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile / EnableProfile | 0=Off; 1=On (default). | Immediately | XP, V, 7 |
| Floppy Disk Information | SYSTEM | SYSTEM\ControlSet###\Enum\FDC\<device> | Floppy disk controller info. | N/A | XP, V, 7 |
| Home Group | SYSTEM | SYSTEM\ControlSet###\services\HomeGroupProvider\ServiceData | | N/A | 7 |
| Human Interface Devices | SYSTEM | SYSTEM\ControlSet###\Enum\HID | Includes keyboards, mice, trackballs, etc. | N/A | XP, V, 7 |
| IDE Device Information | SYSTEM | SYSTEM\ControlSet###\Enum\IDE\<device> | HDD, CD, DVD, and other attached hardware. | N/A | XP, V, 7 |
| Last Accessed Date and Time setting | SYSTEM | SYSTEM\ControlSet###\Control\FileSystem\NtfsDisableLastAccessUpdate value | 0=On; 1=Disabled (default). | | XP, V, 7 |
| LPT Device Information | SYSTEM | SYSTEM\ControlSet###\Enum\LPTENUM\<device> | Parallel printer information for the LPT port. | N/A | XP, V, 7 |
| Memory Saved During Crash | SYSTEM | SYSTEM\ControlSet###\Control\CrashControl / DumpFile | Shows the path to the crash dump memory capture. | N/A | XP, V, 7 |
| Memory Saved During Crash Enabled | SYSTEM | SYSTEM\ControlSet###\Control\CrashControl / CrashDumpEnabled | 0=None; 1=Complete; 2=Kernel Memory Dump; 3=Small Memory Dump (64k). | N/A | XP, V, 7 |
| Mounted Devices | SYSTEM | SYSTEM\MountedDevices | Lists current and prior mounted devices that use a drive letter. | Immediately | XP, V, 7 |
| Mounted Devices | SYSTEM | SYSTEM\MountedDevices\ | Change: now using the USB ID and not ParentIDPrefix. | | |
| Network Cards | SYSTEM | SYSTEM\ControlSet###\Services\tcpip\Parameters\Interfaces\<guid> | GUID matches the network card GUIDs at Microsoft\Windows NT\CurrentVersion\NetworkCards\#. | N/A | XP, V, 7 |
| Number of Processors in System | SYSTEM | SYSTEM\ControlSet###\Control\Session Manager\Environment / NUMBER_OF_PROCESSORS | The value stored under this value name is the number of processors on the system. | N/A | XP, V, 7 |
| Pagefile | SYSTEM | SYSTEM\ControlSet###\Control\Session Manager\Memory Management | Contains the page file settings such as location, size, set to wipe, etc. | View updates immediately; however, not effective until reboot. | XP, V, 7 |
| PCI Bus Device Information | SYSTEM | SYSTEM\ControlSet###\Enum\PCI | PCI bus device information. | N/A | XP, V, 7 |
| PDA Information | SYSTEM | SYSTEM\ControlSet###\Enum\USB | Contains PDA information. | N/A | |
| Prefetch | SYSTEM | SYSTEM\ControlSet###\Control\Session Manager\Memory Management\PrefetchParameters / EnablePrefetcher | 0=Prefetch disabled; 1=Applications only; 2=Boot only; 3=Application and boot prefetcher. | N/A | XP, V, 7 |
| Printer Information | SYSTEM | SYSTEM\ControlSet###\Control\Print\Environments\WindowsNTx86\Drivers\Version… | Contains information about the current printer. | Immediately | XP, V, 7 |
| Printers—Currently Defined | SYSTEM | SYSTEM\ControlSet###\Control\Print\Printers | Lists all printers that are configured on the current system. | Immediately | XP, V, 7 |
| Remote Desktop | SYSTEM | SYSTEM\ControlSet###\Control\Terminal Server / fDenyTSConnections | fDenyTSConnections=1: Remote Desktop off; fDenyTSConnections=0: Remote Desktop on. | Immediately upon change | XP, V |
| SCSI Device Information | SYSTEM | SYSTEM\ControlSet###\Enum\SCSI | SCSI device settings; includes VHD device info. | N/A | XP, V, 7 |
| Serial Port Device Information | SYSTEM | SYSTEM\ControlSet###\Enum\SERENUM | Serial port device settings. | N/A | XP, V, 7 |
| Services | SYSTEM | SYSTEM\ControlSet###\Services | List of services. | N/A | XP, V, 7 |
| Shared Folders | SYSTEM | SYSTEM\ControlSet###\Services\lanmanserver\Shares / <shared folder name> | List of shared folders on the system. | Immediately | XP |
| Shutdown Time | SYSTEM | SYSTEM\ControlSet###\Control\Windows | Lists the system shutdown time. | N/A | XP, V, 7. Note: removed in the Vista first release and returned in the service pack. |
| Startup Location | SYSTEM | SYSTEM\ControlSet###\Control\Session Manager\BootExecute | Software startup location. Note: this has not been tested in Windows 7. | N/A | XP, V, 7 |
| Storage - Volumes and Removable Media | SYSTEM | SYSTEM\ControlSet###\Control\Enum\Volume\<guid> | Stores information on storage media, including beginning volume offset and size. | Immediately | XP, V, 7 |
| Storage - Volumes and Removable Media | SYSTEM | SYSTEM\ControlSet###\Control\Enum\RemovableMedia\<guid> | Stores information on removable media. | Immediately | XP, V, 7 |
| Storage Device Information | SYSTEM | SYSTEM\ControlSet###\Enum\STORAGE | HDD info including partition sizes. | N/A | XP, V, 7 |
| TCP\IP Data | SYSTEM | SYSTEM\ControlSet###\Services\TCPIP\Parameters | Lists the current system’s domain and hostname data. | N/A | XP, V, 7 |
| TCP\IP Settings of a Network Adapter | SYSTEM | SYSTEM\ControlSet###\Services\<adapter>\Parameters\TCPIP | Lists the current system’s IP address and gateway information. | Immediately | XP, V, 7 |
| Time Synchronization with Internet - Enabled | SYSTEM | SYSTEM\ControlSet###\Services\W32Time\Parameters / Type | NoSync=Disabled; NTP=Enabled. | Immediately | XP, V, 7 |
| Time Synchronization with Internet - Type | SYSTEM | SYSTEM\ControlSet###\Services\W32Time\Parameters / NtpServer | Shows the current time provider (or, if disabled, the last time provider): NTP is time.windows.com (Microsoft default) or time.nist.gov. | Immediately | XP, V, 7 |
| Time Zone | SYSTEM | SYSTEM\ControlSet001 (or 002)\Control\TimeZoneInformation\StandardName | Identifies the time zone entered during installation. Note this information may be modified after installation. | Immediately | XP, V, 7 |
| USB Devices | SYSTEM | SYSTEM\Enum\USBSTOR | Lists the system’s USB devices. | Immediately | XP, V, 7 |
| USB Tracking | SYSTEM | SYSTEM\ControlSet###\Enum\USBSTOR | Change: now using the USB ID and not ParentIDPrefix. | | V, 7 |
| Write Block USB Devices | SYSTEM | SYSTEM\ControlSet###\Control\StorageDevicePolicies / WriteProtect | 0=Disabled; 1=Enabled. Note: this began with Windows XP Service Pack 2. | N/A | XP SP2, V, 7 |