Blog
Practitioner notes on Windows registry forensics, hive parsing, and DFIR.
- Amcache.hve forensics: the RegRipper amcache plugin
What Amcache.hve records — SHA-1 hashes, PE metadata, first-seen times — where the hive lives, and how the RegRipper amcache plugin parses InventoryApplicationFile.
- AppCompatCache (Shimcache): the RegRipper appcompatcache plugin
What AppCompatCache records, why Shimcache is not proof of execution, the ControlSet gotcha, and how the RegRipper appcompatcache plugin parses it.
- AppInit_DLLs and AppCertDLLs: the RegRipper appinitdlls plugin
Two registry DLL-injection persistence vectors, why modern Windows neuters AppInit_DLLs, and how the RegRipper appinitdlls/appcertdlls plugins surface them.
- Application MRUs: Adobe, 7-Zip, WinRAR and MMC history in the registry
How individual applications keep their own recent-files history in the registry — Adobe Reader, 7-Zip, WinRAR, MMC — and why these MRUs catch file access RecentDocs misses.
- Detecting T1003.002: SAM credential-dumping activity
Why the SAM hive is a credential-access target, why dumping needs the SYSTEM bootkey, and how defenders detect and investigate SAM access — no offensive steps.
- Detecting T1112: Modify Registry, fileless storage and tampering
How ATT&CK T1112 abuses the registry to evade defenses and hide payloads, and how to detect tampering via LastWrite times, anomalous values and deleted-cell recovery.
- Detecting T1543.003: malicious Windows service persistence
How ATT&CK T1543.003 abuses SYSTEM\Services for persistence — new services, ServiceDll swaps, ImagePath changes — and how to detect them in the registry.
- Detecting T1546: event-triggered execution in the registry
The registry sub-techniques of ATT&CK T1546 — IFEO debuggers, AppInit DLLs, shims, netsh helpers, COM hijacks — their key paths, and how to detect each.
- Detecting T1547.001: registry Run-key persistence
Where ATT&CK T1547.001 Run-key persistence lives in the registry, what a clean baseline looks like, and how to hunt malicious autostart entries across HKCU and HKLM.
- Detecting T1562.001: defense tampering in the registry
The registry keys ATT&CK T1562.001 abuses to disable Defender, the Event Log, UAC and security tools — and how to detect this high-signal tampering.
- Detecting T1564.001: hidden registry keys and values
How adversaries hide registry artifacts with NULL-embedded key names and tool blind spots, why RegEdit misses them, and how a raw-hive parser surfaces them.
- Detecting T1574: hijack execution flow via the registry
How ATT&CK T1574 hijacks execution through the registry — COM CLSID overrides, DLL search order, App Paths, file-association handlers — and how to detect each.
- BAM and DAM: the RegRipper bam plugin for execution + attribution
Background Activity Moderator records the last run time of executables per user SID. How the bam/dam keys are laid out and how the RegRipper bam plugin parses them.
- The best Windows Registry forensics tools in 2026
A practitioner's roundup of the best Windows Registry forensics tools — RegRipper, Registry Explorer, RECmd, the EZ parsers, yarp/regipy, and browser-based options — by use case.
- Paired Bluetooth devices: the RegRipper bthport plugin
How BTHPORT records every Bluetooth device paired to a machine — MAC, friendly name, last-seen times — and how the RegRipper bthport plugin turns it into proximity evidence.
- Open/Save dialog history: the RegRipper comdlg32 plugin
How ComDlg32 OpenSavePidlMRU and LastVisitedPidlMRU record files opened and saved through Windows common dialogs, and how the RegRipper comdlg32 plugin parses the PIDLs.
- CurrentControlSet is a lie: control sets and the Select key
Why CurrentControlSet does not exist in an offline SYSTEM hive, how the Select key maps to ControlSet001/002, and how to resolve the right control set in analysis.
- Windows Defender forensics: exclusions and status in the registry
How the registry records Defender exclusions and disable settings, why attacker-added exclusions are a high-signal IOC, and how to read Defender's real protection state.
- FeatureUsage taskbar telemetry: the RegRipper featureusage plugin
How the Windows 10+ FeatureUsage keys count taskbar app launches and switches per user, what AppLaunch/AppSwitched mean, and how the RegRipper featureusage plugin reads them.
- File-association defaults and hijacks: the FileExts UserChoice key
How the FileExts UserChoice key records the per-user default handler for each file type, the UserChoice hash, and how to spot a hijacked file association.
- Hive bins and cells: how a registry hive is allocated on disk
How registry hives store data in 4 KB hbins and variable cells, why the signed cell-size field marks free space, and how that makes deleted keys recoverable.
- Loading and mounting registry hives: from boot to RegLoadKey
Which hives Windows loads at boot, how user hives mount at logon, how RegLoadKey mounts arbitrary hives, and what that means for acquiring and analyzing the registry.
- Installed software and the Uninstall keys: the RegRipper uninstall plugin
How the SOFTWARE hive records installed programs, why you must read both Uninstall and WOW6432Node, what InstallDate vs LastWrite tells you, and how the RegRipper uninstall plugin reads them.
- Jump List forensics in the registry: the jumplistdata plugin
How the ProgramsCache value records taskbar and Start-menu Jump List data, how it complements the AutomaticDestinations files, and how the RegRipper jumplistdata plugin reads it.
- The Key Control Block: how the kernel caches the registry
How the Windows Configuration Manager turns on-disk hive cells into live keys via Key Control Blocks, the KCB hash table, and why none of it survives in a hive file.
- LSA Secrets in the SECURITY hive: the RegRipper lsasecrets plugin
What the names and timestamps of LSA secrets reveal to an investigator — autologon, service accounts, cached creds — and how the RegRipper lsasecrets plugin enumerates them.
- MountPoints2 and MountedDevices: the RegRipper mountpoints2 plugin
How MountPoints2 ties a USB volume to a specific user account, how MountedDevices maps drive letters to disk signatures, and how the RegRipper mountpoints2 plugin reads them.
- MUICache as an execution artifact: the RegRipper muicache plugin
What MUICache records when the shell runs a binary, why it survives deletion by path, its lack of timestamps, and how the RegRipper muicache plugin parses it.
- Network connection history: the RegRipper networklist plugin
How the SOFTWARE hive records every network the machine joined, the SYSTEMTIME first/last-connected blobs, gateway MACs, and how the RegRipper networklist plugin parses them.
- The nk record: how the registry stores a key (and its last-write time)
Inside the nk key-node cell — flags, the LastWritten FILETIME, parent and subkey/value-list offsets, and the key name — and why the nk timestamp matters in DFIR.
- Microsoft Office forensics in the registry: File MRU and Trust Records
How the registry records recently opened Office files with timestamps and which documents the user enabled macros for — a key artifact for malicious-document cases.
- PowerShell forensics in the registry: logging and execution policy
How the registry records PowerShell ScriptBlockLogging, module logging, transcription and execution policy — and why the logging posture decides what evidence you'll find.
- Mapping SIDs to users: the RegRipper profilelist plugin
How ProfileList ties every SID on the system to a username and profile path, the well-known SIDs, the .bak profile tell, and how the RegRipper profilelist plugin reads it.
- PuTTY and WinSCP saved sessions: the RegRipper putty plugin
How PuTTY and WinSCP store saved hosts, usernames, and SSH host keys in NTUSER.DAT, why SshHostKeys proves a real connection, and how the RegRipper putty/winscp plugins read them.
- RDP forensics in the registry: client history, Terminal Services and NLA
How the registry records outbound RDP connections (Terminal Server Client), inbound RDP configuration and NLA settings — and what each reveals about lateral movement and exposure.
- RecentApps execution history: the RegRipper recentapps plugin
How the Windows 10 RecentApps keys record per-user app launch counts and last-run FILETIMEs, the RecentItems document links, and how the RegRipper recentapps plugin parses them.
- RecentDocs and MRUListEx: the RegRipper recentdocs plugin
How RecentDocs tracks files a user opened, how the MRUListEx blob encodes recency order, and how the RegRipper recentdocs plugin decodes it for file-access timelines.
- The regf base block: inside the Windows registry hive header
The regf hive header field by field — signature, sequence numbers, root cell, checksum — and why a parser must validate the base block before trusting a hive.
- Investigating account compromise with the registry
How the SAM, ProfileList and LSA secrets reveal which local accounts exist, which were used, and whether autologon or rogue accounts were configured.
- Registry forensics for insider data theft
How USBSTOR, MountPoints2, ShellBags, RecentDocs and saved transfer sessions reconstruct what an insider accessed and copied — with per-user attribution.
- Tracing lateral movement through the registry
How RDP client history, saved SSH sessions, mapped drives and TypedPaths reveal which remote hosts a machine reached during lateral movement, and how to correlate them.
- A registry persistence triage workflow for malware
A prioritized checklist for the registry autostart surface — Run keys, services, tasks, Winlogon, IFEO, AppInit — with the anomaly signals that separate malware from noise.
- Registry forensics in a ransomware investigation
Which Windows Registry artifacts answer how ransomware entered, executed, persisted and disabled defenses — and the order to work them across SYSTEM, SOFTWARE and NTUSER.
- Building a USB exfiltration timeline from the registry
How to chain USBSTOR, MountedDevices, MountPoints2 and ShellBags into a USB-device timeline — which device, when, which user, and what they browsed.
- Why parsing a registry hive safely is hard: the attack surface
A defensive look at why loading untrusted registry hives is dangerous — the bug classes a struct-based on-disk format invites, and the robustness rules every parser needs.
- Big-data records: how the registry stores values larger than 16 KB
How registry values too big for one cell are split across db big-data records and segment cells, and why a parser that ignores them silently truncates data.
- Registry forensics by investigation: artifact playbooks
Investigation-led playbooks for Windows Registry forensics — which artifacts answer ransomware, insider theft, USB exfiltration, lateral movement, persistence and account-compromise cases.
- Stable, volatile and linked: the Windows registry hive layout
How Windows assembles the registry from on-disk and volatile hives, how HKEY_* handles map onto them, and why volatile keys never appear in a dead-box image.
- Registry key last write time, explained
What the registry's per-key LastWrite timestamp means, what updates it, what it can't tell you, and the mistakes analysts make reading it.
- MITRE ATT&CK and the Windows Registry: a detection map
A map of the MITRE ATT&CK techniques that live in the Windows Registry — Run keys, services, IFEO, SAM dumping, defense tampering — with the keys to watch and how to detect each.
- Registry transaction logs: recovering a dirty hive
How the sequence numbers and .LOG1/.LOG2 files let Windows recover an unflushed hive, why forensic tools must replay them, and why you must always grab the logs.
- Registry value types on disk: REG_SZ, REG_DWORD and the parsing traps
How each REG_* value type is stored at the byte level, why registry strings are not always NUL-terminated, and why the stored type cannot be trusted to match the data.
- RegRipper plugins: the registry artifact reference
A reference to the RegRipper plugins that matter in DFIR — what each one parses, the registry keys behind it, and deep-dives on UserAssist, Shimcache, Amcache, BAM, USBSTOR and more.
- RegRipper vs Registry Explorer vs RECmd: an honest comparison
How RegRipper, Registry Explorer and RECmd compare on interface, automation, transaction-log handling and recovery — and where a browser-based parser fits in.
- Local accounts from the SAM hive: the RegRipper samparse plugin
How the SAM hive stores local users in the F and V binary values — login counts, password-set times, account flags, RIDs — and how the RegRipper samparse plugin decodes them.
- Windows services as persistence: the RegRipper services plugin
How the SYSTEM hive stores every service, what Start/Type/ImagePath/ServiceDll mean, and how the RegRipper services plugin surfaces persistence and service hijacks.
- The sk record: how the registry stores key security descriptors
Inside the sk security cell — the shared, reference-counted security descriptors that hold each registry key's ACL, and what they reveal in an investigation.
- Subkey lists: the lf, lh, li and ri cells that index the registry
How registry keys index their children with lf, lh, li and ri cells, the name-hash optimization, and why a parser must walk index roots recursively.
- Proof of Sysinternals use: the EulaAccepted registry trail
How Sysinternals tools like PsExec leave an EulaAccepted value in the registry, what that proves about hands-on-keyboard activity, and the caveats for investigators.
- Scheduled tasks in the registry: the RegRipper taskcache plugin
How TaskCache maps scheduled tasks to GUIDs and DynamicInfo timestamps, why the Tree-vs-Tasks split exposes hidden tasks, and how the RegRipper taskcache plugin parses it.
- Host network identity: the RegRipper tcpip and network interfaces plugins
How the SYSTEM hive stores the hostname, per-interface DHCP/static IP config, DHCP server and lease times, and how the RegRipper tcpip plugin reconstructs the host's network identity.
- System timezone and Bias: the RegRipper timezone plugin
Why TimeZoneInformation is the first key you read in any case, how Bias/ActiveTimeBias convert local time to UTC, and how the RegRipper timezone plugin parses it.
- The transactional registry: KTM and TxR explained
How the Kernel Transaction Manager gives the registry atomic multi-key commits via the transacted APIs, why it stayed niche, and how it differs from crash-recovery logs.
- TypedPaths and TypedURLs: the RegRipper typedpaths plugin
What a user typed into the Explorer and IE address bars, the parallel TypedURLsTime FILETIMEs, and how the RegRipper typedpaths/typedurls plugins parse this intent evidence.
- USB device history: the RegRipper usbstor plugin
How USBSTOR records every removable drive ever attached — vendor, serial, first/last connect — and how the RegRipper usbstor plugin parses it for USB forensics.
- The vk record: how the registry stores a value
Inside the vk value cell — name flags, data type, the inline small-data optimization, and the indirection to data cells and big-data records that hold the value.
- What is NTUSER.DAT? The per-user Windows registry hive explained
What the NTUSER.DAT file is, where it lives, how it maps to HKEY_CURRENT_USER, what forensic evidence it holds, and how to open and read it safely.
- What is the Windows Registry? A forensic investigator's primer
What the Windows Registry is, how keys, values and root keys fit together, where it lives on disk, and why it's one of the richest evidence sources in DFIR.
- What is UsrClass.dat? The per-user hive analysts forget
What the UsrClass.dat hive is, where it lives, how it maps to HKCU\Software\Classes, and why forgetting it means missing ShellBags and MUICache on modern Windows.
- Windows FILETIME timestamps, explained
What the 64-bit Windows FILETIME is, how to convert it to a date, the 1601 epoch gotcha, where it appears in the registry, and how it differs from SYSTEMTIME.
- Windows Registry Forensics Cheat Sheet
A practical Windows Registry forensics cheat sheet: the key artifacts by category — hive, registry path, and what each tells you — with deep-dives for every entry.
- A short history of the Windows Registry, and why it still matters
From scattered INI files to the binary regf hive: how the Windows Registry came to be, how it grew across decades, and why that history shapes every parser.
- Windows Registry internals: a field guide to the regf format
How the Windows Registry actually works on disk and in the kernel — the regf format, hive layout, cell types, transaction logs and the parsing surface — with deep-dives on each.
- Winlogon Shell and Userinit persistence: the RegRipper winlogon plugin
How attackers persist via the Winlogon Shell, Userinit, and Notify values, what the clean baseline looks like, and how the RegRipper winlogon plugin surfaces tampering.
- Explorer search history: the RegRipper wordwheelquery plugin
How WordWheelQuery records the terms a user typed into the Windows search box, how MRUListEx orders them, and what this reveals about user intent.
- WSL forensics: finding Linux distributions in the registry
How the Lxss registry key records installed WSL distributions and their rootfs paths, why WSL is a forensic blind spot, and how to pivot from the registry to the distro filesystem.
- Recovering deleted registry keys and surviving log replay
Unallocated cell recovery, transaction log replay, VSS diffs, and the workflow that catches the registry-edit-and-revert pattern attackers use to clean up.
- The regf hive file format, in practice
What a regf hive actually looks like on disk, why parsing it correctly is harder than people assume, and the tools that get the edges right.
- The Windows registry keys that pay back the time in DFIR
A short list of registry locations that earn their keep in incident response — what they actually tell you, where the misreads happen, and which hive to grab first.
- Persistence via Run keys and the IFEO debugger trick
Every Run/RunOnce variant worth knowing, the IFEO debugger trick, service hijacks, and a detection workflow that catches the boring patterns first.
- ShellBags forensics: the messy artifact that closes cases
What ShellBags actually record, the lazy-write problem that traps analysts, and which tools parse the structure versus which ones drop records.
- UserAssist forensics: decoding the ROT13 program-launch history
UserAssist records which programs a user launched, how many times, and when. How to decode the ROT13 value names, the GUIDs that matter, and the edge cases that mislead analysts.
- NTUSER.DAT vs SOFTWARE vs SYSTEM: which hive answers which question
A working map of which Windows registry hive holds which artifact, when each one matters, and the confusions that cost investigators time on the call.
- How this Registry Parser actually parses your hives (and why nothing gets uploaded)
The technical approach behind a client-side Windows registry hive parser: hivex compiled to WebAssembly, a pure-JS fallback, and what 'never uploaded' really means for chain of custody.
- RegRipper parity: which 143 plugins are in, what's still missing
A practitioner's look at the RegRipper plugins this parser implements (~143 across NTUSER, SOFTWARE, SYSTEM, SAM, SECURITY, USRCLASS, Amcache) and the long tail still planned.