Windows Registry Forensics Cheat Sheet 2025

Save. This. Post. Our expert staff has compiled an up-to-date and comprehensive Windows Registry forensics cheat sheet, and it might be just what you need for your next investigation.

Jump to a section…
What Is a Windows Registry Forensics Cheat Sheet?
Core Windows Registry Hives and Their Forensic Value
Key Registry Artifacts by Forensic Purpose
Recommended Tools for Registry Analysis
Windows Forensics Investigation Tips

What Is a Windows Registry Forensics Cheat Sheet?

This document is an overview of key components of Windows Registry forensics, including:

  • Registry hives
  • Registry artifacts
  • Registry analysis tools
  • Registry forensics tips

If you’d like us to add something to our Windows forensics cheat sheet, please contact us.

Core Windows Registry Hives and Their Forensic Value

Each Windows registry hive is a file that stores config settings and system/user data, and these are essential sources in forensic investigations.

As DFIR expert Chris Ray explains, “Windows Registry is a key source of forensic data because of its function within the system. It’s used as a repository to store system and application settings, configurations, preferences, usage telemetry, and more.”

Breakdown of each hive:

NTUSER.DAT

Location: C:\Users\<username>\NTUSER.DAT
Loaded under: HKEY_USERS\<SID>
Forensic value: Tracks user-specific settings and activity.
Contains:
  • UserAssist: Tracks program execution for apps with GUI components or app/LNK files launched via the Windows UI.
  • RunMRU: Tracks program execution for commands run via Windows run dialog.
  • OpenSaveMRU: Tracks files opened/saved via Windows Open/Save dialog.
  • OfficeMRU: Tracks most recently used files for each Office app. Ex: Word, Excel, PowerPoint.
  • LastVisitedMRU: Tracks applications that have used the Windows Open/Save dialog, along with the last location opened for each app.
  • RecentDocs: Tracks recently accessed files and folders opened. Used to populate various “recent” tables in Windows.
  • WordWheelQuery: Tracks an ordered list of search strings put into Windows File Explorer search box.
  • TypedPaths: Tracks paths typed directly into the File Explorer path bar by a user.
  • ShellBags: Includes UNC path based data. Can show evidence of users opening folders.
  • MountPoints2: Tracks mounted USB and network shares.
  • User-specific installed apps: Tracks what apps have been installed for the user instead of system-wide.
  • User-specific Autorun entries: User-specific persistence in the Registry. Ex: Run/RunOnce keys.

UsrClass.dat

Location: C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat
Loaded under: HKEY_USERS\<SID>_Classes
Forensic value: Mainly stores user-specific shell settings and mappings.
Contains:
  • ShellBag: Tracks existence of folders and archive files. Includes UNC path-based data. Can show evidence of users opening folders.
  • MUICache: Tracks program execution for apps with a GUI component.

SAM (Security Account Manager)

Location: C:\Windows\System32\Config\SAM
Loaded under: HKEY_LOCAL_MACHINE\SAM
Forensic value: Contains details about local user accounts and groups.
Contains:
  • Local user account information: Ex: username, SID, creation date, last logon date, etc.
  • Local groups and their members: Ex: Figure out who is a local admin.
  • Local account password hashes: Used for offline password cracking.

SYSTEM

Location: C:\Windows\System32\Config\SYSTEM
Loaded under: HKEY_LOCAL_MACHINE\SYSTEM
Forensic value: Tracks system config and USB/device usage.
Contains:
  • ShimCache: Used to track app compatibility info. Can prove file existence and sometimes file execution.
  • Background/Desktop Activity Moderator (BAM/DAM): Tracks apps that run in the background or are used during various low-power scenarios.
  • Windows Services: Contains info on all installed Windows services, including system drivers.
  • MountedDevices: Used to map drive letters to attached devices.
  • Enum\USB and Enum\USBSTOR: Used to get a list of attached USB device history: vendor ID, product ID, serial number, first and last attached times.
  • TCP/IP Interfaces: Lists out network interface details. Ex. Assigned IP, DNS address, default gateway, and DHCP lease time.
  • System configuration details: Time zone, computer name, last shutdown time, network interfaces, and network history.

SOFTWARE

Location: C:\Windows\System32\Config\SOFTWARE
Loaded under: HKEY_LOCAL_MACHINE\SOFTWARE
Forensic value: Lists installed software, system settings, and global auto-run entries.
Contains:
  • System-wide installed applications: Contains info about apps currently installed system-wide.
  • NetworkList: Lists connected network names along with first and last connection times.
  • Scheduled Tasks: Tracks Windows Task definitions, commonly used for persistence and privilege escalation.
  • Profilelist: Provides a mapping of user SIDs to profile directory location.
  • OS Information: OS version, build numbers, product name, and install date.
  • System-wide Autorun entries: Persistence in the registry. Ex: Run/RunOnce keys.

SECURITY

Location: C:\Windows\System32\Config\SECURITY
Loaded under: HKEY_LOCAL_MACHINE\SECURITY
Forensic value: Contains security policies and auditing settings. Mainly used to understand what artifacts may not be available due to poor audit policies.
Contains:
  • Local audit policy config: Details the current audit settings of the system to help better understand what data may be found in the event log.
  • LSA secrets: Contains sensitive data such as cached domain credentials and service account passwords.

Amcache.hve

Location: C:\Windows\AppCompat\Programs\Amcache.hve
Loaded under: Not part of the Windows Registry.
Forensic value: Tracks executable metadata and run history, even for deleted files.
Contains:
  • Proof that files existed on disk, even after file deletion.
  • Insight into installed applications, along with how each app was installed.
  • SHA1 hashes for PE files and drivers, even after file deletion.
  • Stores comprehensive metadata for PE files and DLLs like file size, SHA1, and PE header info like CompanyName, FileVersion, etc.

Key Registry Artifacts by Forensic Purpose

The list below is an up-to-date reference for data artifacts in the Windows Registry.

That said, we don’t recommend investigators memorize these details: if you approach investigations data artifact first, you risk losing the forest for the trees. Instead, we suggest using higher-level computing concepts to guide your investigation: work at the information artifact level rather than the data artifact level.

DFIR experts like Brian Carrier recommend this approach because it makes investigations both easier and more comprehensive.

Program Execution Tracking

UserAssist
  Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
  Value: Tracks last run time, run count, and path for apps with GUI components; value names are ROT13-encoded.
ShimCache (AppCompatCache)
  Path: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
  Value: Can prove existence of files (even after deletion) and, in some scenarios, provide a high degree of confidence of execution.
AmCache
  Path: C:\Windows\AppCompat\Programs\Amcache.hve
  Value: Can prove existence of files (even after deletion) and, in some scenarios, provide a high degree of confidence of execution.
RunMRU
  Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
  Value: Commands typed into the Windows Run dialog.
MUICache
  Path: HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
  Value: Full path to executables with a GUI component and limited PE header info.
BAM/DAM
  Path: SYSTEM\CurrentControlSet\Services\{dam|bam}\State\UserSettings\{SID}
  Value: Full path to executable and last execution time.
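As an added example (not code from the original cheat sheet), the following Python decodes the two execution artifacts above that need byte-level parsing: a UserAssist value (ROT13-encoded name, 72-byte Windows 7+ data layout with the run count at offset 4 and the last-run FILETIME at offset 60) and a BAM/DAM UserSettings value (executable path as the value name, FILETIME at offset 0). The value names and bytes are constructed samples, and only the Python standard library is assumed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Convert a 64-bit FILETIME to an aware UTC datetime (None when zero)."""
    if ft == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """Inverse of filetime_to_dt; used here only to build constructed samples."""
    return int((dt - _FILETIME_EPOCH) / timedelta(microseconds=1)) * 10

def parse_userassist(value_name, data):
    """Decode one UserAssist Count value (Windows 7+ layout, 72 bytes):
    ROT13 value name, run count at offset 4, focus count at 8,
    focus time in ms at 12 and the last-execution FILETIME at offset 60."""
    if len(data) < 68:
        raise ValueError("UserAssist data too short for the Windows 7+ layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_run = struct.unpack_from("<Q", data, 60)[0]
    return {"path": codecs.decode(value_name, "rot_13"),
            "run_count": run_count, "focus_count": focus_count,
            "focus_time_ms": focus_ms, "last_run": filetime_to_dt(last_run)}

def parse_bam(value_name, data):
    """Decode one BAM/DAM UserSettings\\{SID} value: the value name is the
    NT device path of the executable and the data begins with the last-run
    FILETIME. Returns None for the bookkeeping values (Version, SequenceNumber)."""
    if not value_name.startswith("\\") or len(data) < 8:
        return None
    return {"path": value_name,
            "last_run": filetime_to_dt(struct.unpack_from("<Q", data, 0)[0])}

# Constructed sample entries (not taken from a real system).
SAMPLE_LAST_RUN = datetime(2024, 3, 15, 10, 0, tzinfo=timezone.utc)
SAMPLE_UA_NAME = r"P:\Hfref\nyvpr\Qbjaybnqf\frghc.rkr"   # ROT13 of a C:\Users path
SAMPLE_UA_DATA = (struct.pack("<IIII", 0, 5, 3, 12000) + b"\x00" * 44
                  + struct.pack("<Q", dt_to_filetime(SAMPLE_LAST_RUN)) + b"\x00" * 4)
SAMPLE_BAM_NAME = r"\Device\HarddiskVolume3\Windows\System32\notepad.exe"
SAMPLE_BAM_DATA = struct.pack("<Q", dt_to_filetime(SAMPLE_LAST_RUN)) + b"\x00" * 16
```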

USB and External Device History

USBSTOR
  Path: SYSTEM\CurrentControlSet\Enum\USBSTOR
  Value: Device vendor, model, serial number, and first/last connection times.
MountedDevices
  Path: SYSTEM\MountedDevices
  Value: Drive letter to device mapping.
MountPoints2
  Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
  Value: Records user-level mounted devices; can include mounted network shares.
Windows Portable Devices
  Path: SOFTWARE\Microsoft\Windows Portable Devices
  Value: Details about connected media devices.
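As an added example that is not part of the original post, this Python ties the USBSTOR and MountedDevices artifacts together: it splits a USBSTOR device subkey name into vendor, product and revision, decodes the UTF-16 `_??_USBSTOR#...` string that MountedDevices stores for a USB volume, and maps a drive letter back to the device serial. It also flags instance ids whose second character is `&`, which Windows assigns when a device reports no hardware serial (so the id is not unique across systems). All key names and values below are constructed samples.

```python
import re
import struct

# Constructed MountedDevices values (not from a real system): one USB volume
# (UTF-16LE device string) and one fixed disk (4-byte MBR signature + 8-byte offset).
SAMPLE_MOUNTED = {
    "\\DosDevices\\E:": ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00#"
                         "4C530001230405060708&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
                         ).encode("utf-16-le"),
    "\\DosDevices\\C:": struct.pack("<IQ", 0xA1B2C3D4, 0x100000),
}

_DEVICE_RE = re.compile(
    r"^Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$")

def parse_usbstor_device(subkey_name):
    """Split a USBSTOR device subkey name into vendor, product and revision."""
    m = _DEVICE_RE.match(subkey_name)
    return m.groupdict() if m else None

def serial_is_windows_generated(instance_id):
    """Devices without a hardware serial get a Windows-generated instance id
    whose second character is '&'; such ids cannot identify a specific device."""
    return len(instance_id) > 1 and instance_id[1] == "&"

def parse_mounted_device(data):
    """Decode a MountedDevices value; returns a dict for USBSTOR volumes and
    None for every other form (fixed disks, volume GUIDs)."""
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    if not text.startswith("_??_USBSTOR#"):
        return None
    parts = text[len("_??_"):].split("#")   # USBSTOR, device, instance id, {class GUID}
    if len(parts) != 4:
        return None
    info = parse_usbstor_device(parts[1]) or {}
    info["instance_id"] = parts[2]
    info["serial"] = parts[2].rsplit("&", 1)[0]   # strip the trailing "&0" suffix
    info["windows_generated_serial"] = serial_is_windows_generated(parts[2])
    return info

def map_drive_letters(mounted_devices):
    """Return {drive letter: device info} for every \\DosDevices\\X: USB volume."""
    out = {}
    for name, data in mounted_devices.items():
        info = parse_mounted_device(data)
        if name.startswith("\\DosDevices\\") and info:
            out[name[len("\\DosDevices\\"):]] = info
    return out
```

The serial recovered from MountedDevices can then be looked up under the USBSTOR device subkey to reach the first/last connection times listed above.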

User Activity

RecentDocs
  Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
  Value: Recently accessed files (file names only, not full paths), grouped by extension on a per-user basis.
OpenSaveMRU
  Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU
  Value: Recently accessed files (full paths) opened/saved via the Windows Open/Save dialog. Grouped by extension and recorded on a per-user basis.
ShellBags
  Path: NTUSER.DAT\Software\Microsoft\Windows\Shell
  Path: UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell
  Value: Folders that exist on the system (even after deletion) and evidence of users opening folders in certain scenarios.
TypedPaths
  Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
  Value: Tracks paths typed into the Explorer path bar on a per-user basis.
WordWheelQuery
  Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
  Value: Tracks an ordered list of search queries entered in the Explorer search box on a per-user basis.

Network + Remote Connections

RDP Connections MRU
  Path: NTUSER.DAT\Software\Microsoft\Terminal Server Client\Default
  Value: MRU list of endpoints recently connected to via Windows RDP.
RDP Connections
  Path: NTUSER.DAT\Software\Microsoft\Terminal Server Client\Servers
  Value: Subkeys contain hostnames of systems that have been RDP’ed to, along with the username used. Can contain more data than the Default key.
NetworkList Profiles
  Path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
  Value: Names of networks the system has connected to, as well as first and last connection times.
Network Interfaces
  Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
  Value: Info on all the system’s network interfaces: IP, DNS, default gateway, and DHCP lease info.

Persistence and Autostart

Run/RunOnce Keys
  Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
  Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Path: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  Path: SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Value: Programs that autostart when users log on.
Windows Services
  Path: SYSTEM\CurrentControlSet\Services
  Value: Kernel driver and service information. Commonly used for persistence.
Winlogon
  Path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Value: Alternative login shells or persistence mechanisms.
Scheduled Tasks
  Path: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache
  Value: Find persistence from scheduled tasks in the Registry.

Recommended Tools for Registry Analysis

“There are many tools out there that can be used to parse Registry data. Some are more feature-rich than others. Regardless of the tool, it’s key to understand the limitations of your tool to know when to fall back on other tools and to backup findings,” says Chris Ray.

Registry Explorer: GUI registry hive viewer with advanced search and plugin support.
RECmd: Command-line tool to get data out of Registry hives.
RLA: Command-line tool to replay transaction logs.
RegRipper3: Command-line tool for automated parsing of Registry hives.
Autopsy/Sleuth Kit: Full forensic suites with Registry parsing support.
Cyber Triage: Automates the parsing of Registry hives to pull out key forensic artifacts and applies scoring to bubble up entries of interest.

There are many other tools that can handle registry parsing aside from the notable ones mentioned above. The backbone of many of these tools is a Registry parsing library, which can also be used to script new and custom parsers.

If you’d like to see a list of the various parsers and which ones are used by several popular tools, check out our Guide to Registry Forensic Tools.

If you’d like to see how Cyber Triage’s automated analysis could speed up your Registry forensics, try it for free now.

Windows Forensics Investigation Tips

No Windows Registry forensics cheat sheet is complete without investigation tips.

Here are a few from our expert staff:

  • Ensure your analysis tool handles transaction logs when analyzing offline registry hives.
  • Consider looking at app-specific (MSIX) registry hives for forensic data. Changes made by MSIX-based applications will only be seen by those applications. As a result, analyzing only the traditional registry hives (live or offline) can lead to missing data.
  • Use registry key last-write times in a timeline to help find other sources of potential evidence.
  • Test your tools to understand their limitations. For example, regedit fails to show keys and value names if the name contains a null character. This results in subkeys being hidden from the UI. Other tools may also have similar issues.
  • Cross-reference multiple artifacts for consistency and deeper context.