A registry cheat sheet is only useful if it tells you three things at a glance: which hive, which key, and what the artifact actually proves. This one does, grouped the way an investigation thinks — execution, persistence, devices, network, accounts, user activity, system context. Every row links a full deep-dive, and you can run all of them at once against your own hives in the browser-based parser: drop a hive, every matching plugin runs, and the timeline merges the timestamped results.
Two rules before you read anything else. Resolve the system time zone first (SYSTEM, …\Control\TimeZoneInformation): every local timestamp below is meaningless without it. And on an offline SYSTEM hive there is no CurrentControlSet link; read Select\Current and substitute that control set (ControlSet001, etc.) wherever a key path below says CurrentControlSet.
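Both rules applied to raw hive values, as an added example that is not part of the original cheat sheet: it resolves the control set from Select\Current, decodes a 64-bit FILETIME the way BAM, UserAssist or USBSTOR store one, and applies the TimeZoneInformation bias. The sample bytes are constructed, laid out as a hive parser hands them back (REG_DWORD as 4 little-endian bytes, REG_BINARY as raw bytes).

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample values (not from a real system), in on-disk encoding.
SELECT_CURRENT = struct.pack("<I", 1)          # SYSTEM\Select\Current = 1
# ...\Control\TimeZoneInformation\ActiveTimeBias: signed DWORD, minutes.
# Windows semantics: UTC = local + bias, so 300 means UTC-5.
TZ_ACTIVE_TIME_BIAS = struct.pack("<i", 300)
# A BAM-style last-run value: FILETIME, 100 ns ticks since 1601-01-01 UTC.
BAM_LAST_RUN = struct.pack("<Q", 132967872000000000)

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def resolve_current_control_set(select_current: bytes) -> str:
    """Offline hives have no CurrentControlSet link; Select\\Current names it."""
    n = struct.unpack("<I", select_current)[0]
    return f"ControlSet{n:03d}"


def control_set_path(select_current: bytes, key_path: str) -> str:
    """Rewrite a ...\\CurrentControlSet\\... path for an offline SYSTEM hive."""
    return key_path.replace("CurrentControlSet",
                            resolve_current_control_set(select_current))


def filetime_to_utc(raw: bytes) -> datetime:
    """Decode a little-endian FILETIME (BAM, UserAssist, USBSTOR...) to UTC."""
    ticks = struct.unpack("<Q", raw)[0]
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def active_bias_minutes(raw: bytes) -> int:
    """ActiveTimeBias as stored when the hive was last written; DST in effect
    at artifact time may differ, so treat it as the bias, not the truth."""
    return struct.unpack("<i", raw)[0]


def utc_to_local(utc: datetime, bias_minutes: int) -> datetime:
    """Naive local wall-clock time for display beside local-time artifacts."""
    return (utc - timedelta(minutes=bias_minutes)).replace(tzinfo=None)


def local_to_utc(local_naive: datetime, bias_minutes: int) -> datetime:
    """Normalise a local-time artifact to UTC before merging a timeline."""
    return local_naive.replace(tzinfo=timezone.utc) + timedelta(minutes=bias_minutes)
```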
The hives, in one line
| Hive | On disk | Holds |
|---|---|---|
| NTUSER.DAT | C:\Users\<user>\NTUSER.DAT | per-user activity, persistence, devices |
| USRCLASS.DAT | …\AppData\Local\Microsoft\Windows\UsrClass.dat | ShellBags, MUICache (modern Windows) |
| SOFTWARE | %SystemRoot%\System32\config\SOFTWARE | installed software, machine persistence, networks |
| SYSTEM | %SystemRoot%\System32\config\SYSTEM | services, devices, time zone, control sets |
| SAM | %SystemRoot%\System32\config\SAM | local accounts |
| SECURITY | %SystemRoot%\System32\config\SECURITY | LSA secrets, audit policy |
| Amcache.hve | %SystemRoot%\AppCompat\Programs\Amcache.hve | file inventory + hashes |
Program execution
| Artifact | Hive | Key | What it tells you |
|---|---|---|---|
| UserAssist | NTUSER | …\Explorer\UserAssist | GUI launches: run count, focus time, last run |
| AppCompatCache / Shimcache | SYSTEM | …\Session Manager\AppCompatCache | path + last-modified; presence, not proof of execution |
| Amcache | Amcache.hve | Root\InventoryApplicationFile | file inventory with SHA-1 and first-seen times |
| BAM / DAM | SYSTEM | …\Services\bam\State\UserSettings\<SID> | last-run time per executable, per user |
| MUICache | USRCLASS | …\Shell\MuiCache | binaries the shell ran (friendly name; no time) |
| FeatureUsage | NTUSER | …\Explorer\FeatureUsage | taskbar app launch/switch counts |
| RecentApps | NTUSER | …\Explorer\RecentApps | per-user launch count + last-run time |
Persistence & autoruns
| Artifact | Hive | Key | What it tells you |
|---|---|---|---|
| Run / RunOnce | NTUSER + SOFTWARE | …\CurrentVersion\Run, RunOnce | commands run at logon/boot |
| Services | SYSTEM | …\Services\<name> | service/driver config, ImagePath, ServiceDll |
| Scheduled tasks | SOFTWARE | …\Schedule\TaskCache | tasks → GUIDs, DynamicInfo timestamps |
| Winlogon | SOFTWARE | …\Winlogon (Shell, Userinit) | logon-time execution hijacks |
| AppInit / AppCert DLLs | SOFTWARE / SYSTEM | …\Windows ; …\Session Manager\AppCertDlls | DLL-injection persistence |
| IFEO debugger | SOFTWARE | …\Image File Execution Options\<exe> | debugger-value execution hijack |
USB & devices
| Artifact | Hive | Key | What it tells you |
|---|---|---|---|
| USBSTOR | SYSTEM | …\Enum\USBSTOR | removable drives: vendor, serial, first/last connect |
| MountedDevices | SYSTEM | MountedDevices | drive letter ↔ volume GUID / disk signature |
| MountPoints2 | NTUSER | …\Explorer\MountPoints2 | volumes/shares per user (attribution) |
| Bluetooth | SYSTEM | …\Services\BTHPORT\Parameters\Devices | paired Bluetooth devices |
Network
| Artifact | Hive | Key | What it tells you |
|---|---|---|---|
| NetworkList | SOFTWARE | …\NetworkList\Profiles | networks joined, first/last connect, gateway MAC |
| TCP/IP interfaces | SYSTEM | …\Services\Tcpip\Parameters\Interfaces | per-NIC IP/DHCP, host identity |
| PuTTY / WinSCP | NTUSER | Software\SimonTatham\PuTTY, …\Martin Prikryl\WinSCP 2 | saved SSH/SFTP hosts; host keys = real connection |
Accounts
| Artifact | Hive | Key | What it tells you |
|---|---|---|---|
| SAM accounts | SAM | Domains\Account\Users\<RID> | local users, RIDs, login counts, flags |
| ProfileList | SOFTWARE | …\ProfileList\<SID> | SID → username/profile mapping |
| LSA secrets | SECURITY | Policy\Secrets | autologon, service-account presence (names/times) |
User activity
| Artifact | Hive | Key | What it tells you |
|---|---|---|---|
| RecentDocs | NTUSER | …\Explorer\RecentDocs | files opened via Explorer (MRU order) |
| Open/Save MRU | NTUSER | …\ComDlg32\OpenSavePidlMRU | files opened/saved through common dialogs |
| TypedPaths / TypedURLs | NTUSER | …\Explorer\TypedPaths ; …\Internet Explorer\TypedURLs | what the user typed into address bars |
| ShellBags | USRCLASS / NTUSER | …\Shell\BagMRU | folders browsed, incl. removable & network |
System context
| Artifact | Hive | Key | What it tells you |
|---|---|---|---|
| Time zone | SYSTEM | …\Control\TimeZoneInformation | the bias every other timestamp needs |
| Control sets / Select | SYSTEM | Select | which ControlSet was current |
| Installed software | SOFTWARE | …\Uninstall (+ Wow6432Node) | installed programs and install dates |
Where to go next
Want to skip the printout and just parse a hive? Drop it into Registry Parser — every artifact above is extracted in the browser, client-side, with nothing uploaded.