Windows Registry Forensics Cheat Sheet 2025

Save. This. Post. Our expert staff has compiled an up-to-date and comprehensive Windows Registry forensics cheat sheet, and it might be just what you need for your next investigation.


What Is a Windows Registry Forensics Cheat Sheet?

This document is an overview of key components of Windows Registry forensics, including:

  • Registry hives
  • Registry artifacts
  • Registry analysis tools
  • Registry forensics tips

If you’d like us to add something to our Windows forensics cheat sheet, please contact us.

Core Windows Registry Hives and Their Forensic Value

Each Windows registry hive is a file that stores config settings and system/user data, and these are essential sources in forensic investigations.

As DFIR expert Chris Ray explains, “Windows Registry is a key source of forensic data because of its function within the system. It’s used as a repository to store system and application settings, configurations, preferences, usage telemetry, and more.”

Breakdown of each: 

NTUSER.DAT

Location

C:\Users\<username>\NTUSER.DAT

Loaded under

HKEY_USERS\<SID>

Forensic value

Tracks user-specific settings and activity.

Contains

  • UserAssist: Tracks program execution (run count and last run time) for GUI applications and shortcuts (LNK files) launched through the Windows UI.
  • RunMRU: Tracks commands entered in the Windows Run dialog.
  • OpenSaveMRU: Tracks files opened/saved via the Windows Open/Save dialog.
  • OfficeMRU: Tracks most recently used files for each Office app, e.g. Word, Excel, PowerPoint.
  • LastVisitedMRU: Tracks applications that have used the Windows Open/Save dialog, along with the last location browsed by each app.
  • RecentDocs: Tracks recently opened files and folders. Used to populate the various “Recent” lists in Windows.
  • WordWheelQuery: Tracks an ordered list of search strings typed into the File Explorer search box.
  • TypedPaths: Tracks paths typed directly into the File Explorer address bar by the user.
  • ShellBags: Tracks folders the user has browsed, including UNC paths; can show evidence of a user opening a folder.
  • MountPoints2: Tracks USB volumes and network shares the user has mounted.
  • User-specific installed apps: Tracks apps installed for this user rather than system-wide.
  • User-specific autorun entries: Per-user persistence in the Registry, e.g. the Run/RunOnce keys.

UsrClass.dat

Location

C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat

Loaded under

HKEY_USERS\<SID>_Classes

Forensic value

Mainly stores user-specific shell settings and mappings.

Contains

  • ShellBags: Tracks the existence of folders and archive files, including UNC paths. Can show evidence of users opening folders.
  • MUICache: Tracks program execution for apps with a GUI component.

SAM (Security Account Manager)

Location

C:\Windows\System32\Config\SAM

Loaded under

HKEY_LOCAL_MACHINE\SAM

Forensic value

Contains details about local user accounts and groups.

Contains

  • Local user account information: username, RID, last logon time, password last set time, logon count, and account flags. The account creation time can be taken from the last-write time of the account’s key.
  • Local groups and their members: e.g. figure out who is a local admin.
  • Local account password hashes: Used for offline password cracking. They are stored encrypted, so decrypting them also requires the boot key from the SYSTEM hive.

SYSTEM

Location

C:\Windows\System32\Config\SYSTEM

Loaded under

HKEY_LOCAL_MACHINE\SYSTEM

Forensic value

Tracks system config and USB/device usage.

Contains

  • ShimCache (AppCompatCache): Application compatibility cache. Proves file existence and, on older Windows versions, sometimes execution; on Windows 10 and later it no longer indicates execution. The cache is written to the hive at shutdown, so the newest entries may exist only in memory.
  • Background/Desktop Activity Moderator (BAM/DAM): Tracks executables run per user SID, with last execution time, including apps running in the background or during low-power scenarios.
  • Windows Services: Contains info on all installed Windows services, including kernel drivers.
  • MountedDevices: Maps drive letters and volume GUIDs to attached devices.
  • Enum\USB and Enum\USBSTOR: Attached USB device history: vendor ID, product ID, serial number, first and last attached times.
  • TCP/IP Interfaces: Network interface details, e.g. assigned IP, DNS servers, default gateway, and DHCP lease times.
  • System configuration details: Time zone, computer name, last shutdown time, and the active control set (Select\Current).
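
The ShimCache entry above is the one most often misread, so here is a parser for the Windows 10 AppCompatCache value layout as an added example (not code from the original page or from any of the tools it lists). It assumes you have already exported the raw AppCompatCache value bytes from the SYSTEM hive (for example with RECmd or python-registry); the blob used here is constructed inline and the two paths in it are made up.

```python
"""Parse a Windows 10 AppCompatCache (ShimCache) value blob.

Added example. The real blob is the AppCompatCache value under
SYSTEM\ControlSet00N\Control\Session Manager\AppCompatCache; the data used
below is constructed for illustration, not taken from a real system.
"""
import struct
from datetime import datetime, timedelta, timezone

WIN10_ENTRY_SIGNATURE = b"10ts"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit Windows FILETIME (100 ns ticks since 1601) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_appcompatcache_win10(blob: bytes) -> list[dict]:
    """Return the entries of a Windows 10 style AppCompatCache value.

    Layout: the first DWORD is the header size (0x34 on current builds) and
    entries start at that offset. Each entry is
    '10ts' | 4 bytes unknown | DWORD entry size | WORD path length |
    UTF-16LE path | FILETIME last modified | DWORD data size | data.
    Entry order is insertion order, most recently inserted first; there is no
    execution flag in this format, so an entry proves presence, not execution.
    """
    if len(blob) < 4:
        raise ValueError("blob too short to hold an AppCompatCache header")
    offset = struct.unpack_from("<I", blob, 0)[0]
    entries = []
    while offset + 12 <= len(blob):
        if blob[offset:offset + 4] != WIN10_ENTRY_SIGNATURE:
            break  # stop at the first unrecognised record rather than misparse
        entry_size = struct.unpack_from("<I", blob, offset + 8)[0]
        pos = offset + 12
        path_len = struct.unpack_from("<H", blob, pos)[0]
        pos += 2
        path = blob[pos:pos + path_len].decode("utf-16-le")
        pos += path_len
        last_modified_ft = struct.unpack_from("<Q", blob, pos)[0]
        pos += 8
        data_size = struct.unpack_from("<I", blob, pos)[0]
        pos += 4
        entries.append({
            "index": len(entries),
            "path": path,
            "last_modified": filetime_to_datetime(last_modified_ft),
            "data": blob[pos:pos + data_size],
        })
        offset += 12 + entry_size
    return entries


def build_sample_entry(path: str, last_modified_ft: int, data: bytes = b"") -> bytes:
    """Build one Windows 10 entry; used only to construct sample input."""
    encoded = path.encode("utf-16-le")
    body = struct.pack("<H", len(encoded)) + encoded
    body += struct.pack("<Q", last_modified_ft)
    body += struct.pack("<I", len(data)) + data
    return WIN10_ENTRY_SIGNATURE + b"\x00" * 4 + struct.pack("<I", len(body)) + body


def sample_blob() -> bytes:
    """Constructed blob with a 0x34-byte header and two made-up entries."""
    header = struct.pack("<I", 0x34) + b"\x00" * 0x30
    return header + build_sample_entry(
        r"C:\Users\alice\Downloads\setup_update.exe", 133497882000000000
    ) + build_sample_entry(
        r"C:\Windows\System32\cmd.exe", 132000000000000000
    )


if __name__ == "__main__":
    for e in parse_appcompatcache_win10(sample_blob()):
        print(f'{e["index"]:>3}  {e["last_modified"]:%Y-%m-%d %H:%M:%S}  {e["path"]}')
```

The timestamp in each entry is the file’s last-modified time ($STANDARD_INFORMATION), not the time it was cached, so do not read it as an execution time.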

SOFTWARE

Location

C:\Windows\System32\Config\SOFTWARE

Loaded under

HKEY_LOCAL_MACHINE\SOFTWARE

Forensic value

Lists installed software, system settings, and global auto-run entries.

Contains

  • System-wide installed applications: Apps installed for all users (the Uninstall keys).
  • NetworkList: Names of networks the system has connected to, with first and last connection times.
  • Scheduled Tasks: Windows Task Scheduler task definitions (TaskCache), commonly used for persistence and privilege escalation.
  • ProfileList: Maps user SIDs to profile directory locations.
  • OS information: OS version, build number, product name, and install date.
  • System-wide autorun entries: Persistence in the Registry, e.g. the Run/RunOnce keys.

SECURITY

Location

C:\Windows\System32\Config\SECURITY

Loaded under

HKEY_LOCAL_MACHINE\SECURITY

Forensic value

Contains security policies and auditing settings. Mainly used to understand what artifacts may not be available due to poor audit policies.

Contains

  • Local audit policy config: The system’s audit settings, which tell you what to expect (and not expect) in the Security event log.
  • LSA secrets and cached credentials: Policy\Secrets holds sensitive data such as service account passwords; Cache holds cached domain logon credentials. Both are encrypted and need the boot key from the SYSTEM hive to decrypt.

Amcache.hve

Location

C:\Windows\AppCompat\Programs\Amcache.hve

Loaded under

Not loaded into the live Registry, but stored in registry hive format, so the same parsers apply.

Forensic value

Tracks metadata for executables, drivers and installed applications, even for files since deleted. An entry proves the file was present on the system; it does not by itself prove execution.

Contains

  • Proves files existed on disk even after deletion.
  • Provides insight into installed applications, along with how each was installed.
  • SHA1 hash for PE files and drivers (computed over the first 31,457,280 bytes of the file), available even after deletion.
  • Comprehensive metadata for PE files and DLLs: file size, SHA1, and PE version info such as CompanyName and FileVersion.

Key Registry Artifacts by Forensic Purpose

The list below is an up-to-date reference for data artifacts in the Windows Registry. Paths are given relative to the hive file. In an offline SYSTEM hive there is no CurrentControlSet link, so use the ControlSet00N subkey named by SYSTEM\Select\Current.

That said, we don’t recommend investigators memorize these details: if you approach investigations data artifact first, you risk missing the forest for the trees. Instead, we suggest letting higher-level computing concepts guide the investigation, working at the information artifact level (what happened: a program ran, a device was attached) rather than the data artifact level (which key records it).

DFIR experts like Brian Carrier recommend this approach because it makes investigations both easier and more comprehensive.

Program Execution Tracking

UserAssist
Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Value: Last run time, run count, focus count and path for programs launched through the Windows UI (GUI apps and shortcuts). Value names are ROT13-encoded, and known-folder GUIDs stand in for common path prefixes.

ShimCache (AppCompatCache)
Path: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Value: Full path and last-modified time of executables the system evaluated for compatibility. Proves the file existed (even after deletion); execution can be inferred only on older Windows versions that carry an execution flag. The cache is written at shutdown, so the newest entries may not yet be on disk.

Amcache
Path: C:\Windows\AppCompat\Programs\Amcache.hve
Value: Path, SHA1, size and PE metadata of executables present on the system. Proves existence (even after deletion); it does not prove execution.

RunMRU
Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Value: Commands typed into the Windows Run dialog, ordered by the MRUList value.

MUICache
Path: UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Value: Full path to executables with a GUI component, plus limited PE version info (FileDescription, CompanyName).

BAM/DAM
Path: SYSTEM\CurrentControlSet\Services\{bam|dam}\State\UserSettings\{SID} (on Windows 10 builds before 1809 there is no State subkey: Services\{bam|dam}\UserSettings\{SID})
Value: Full path to executable and last execution time, per user SID.

USB and External Device History

USBSTOR
Path: SYSTEM\CurrentControlSet\Enum\USBSTOR
Value: Device vendor, product and revision (from the subkey name), serial number (the instance ID; if its second character is “&”, Windows generated it because the device has no serial), and first/last connection times.

MountedDevices
Path: SYSTEM\MountedDevices
Value: Drive letter and volume GUID to device mapping.

MountPoints2
Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Value: Volumes mounted by this user, including network shares.

Windows Portable Devices
Path: SOFTWARE\Microsoft\Windows Portable Devices\Devices
Value: Friendly names and serial numbers of connected media devices (MTP devices such as phones and cameras).

User Activity

RecentDocs
Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Value: Recently accessed files (names only, no path), grouped by extension, per user.

OpenSaveMRU
Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
Value: Recently accessed files (full paths) opened/saved via the Windows Open/Save dialog. Grouped by extension and recorded per user.

ShellBags
Path: NTUSER.DAT\Software\Microsoft\Windows\Shell
Path: UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell
Value: Folders that exist on the system (even after deletion) and, in certain scenarios, evidence of users opening folders.

TypedPaths
Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
Value: Paths typed into the File Explorer address bar, per user.

WordWheelQuery
Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
Value: Ordered list of search queries typed into the File Explorer search box, per user.

Network + Remote Connections

RDP Connections MRU
Path: NTUSER.DAT\Software\Microsoft\Terminal Server Client\Default
Value: MRU list (MRU0, MRU1, …) of endpoints recently connected to with the Windows RDP client.

RDP Connections
Path: NTUSER.DAT\Software\Microsoft\Terminal Server Client\Servers
Value: Subkeys named after hosts that have been RDP’ed to, with the username used (UsernameHint). Can contain more entries than the Default key.

NetworkList Profiles
Path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
Value: Names of networks the system has connected to, with first and last connection times.

Network Interfaces
Path: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}
Value: Per-interface IP address, DNS servers, default gateway, and DHCP lease info.

Persistence and Autostart

Run/RunOnce Keys
Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Path: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Path: SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Value: Programs started automatically when a user logs on (NTUSER.DAT keys for that user, SOFTWARE keys for every user). RunOnce entries are deleted after they run.

Windows Services
Path: SYSTEM\CurrentControlSet\Services
Value: Kernel driver and service definitions (ImagePath, Start type, ServiceDll). Commonly used for persistence.

Winlogon
Path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: Alternative logon shells or persistence mechanisms; check the Shell and Userinit values.

Scheduled Tasks
Path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache
Value: Registered task definitions (the Tree and Tasks subkeys). Find persistence from scheduled tasks in the Registry.

Recommended Tools for Registry Analysis

“There are many tools out there that can be used to parse Registry data. Some are more feature-rich than others. Regardless of the tool, it’s key to understand the limitations of your tool to know when to fall back on other tools and to backup findings,” says Chris Ray.

  • Registry Explorer: GUI registry hive viewer with advanced search and plugin support.
  • RECmd: Command-line tool to get data out of Registry hives.
  • RLA: Command-line tool to replay transaction logs.
  • RegRipper3: Command-line tool for automated parsing of Registry hives.
  • Autopsy/Sleuth Kit: Full forensic suites with Registry parsing support.
  • Cyber Triage: Automates the parsing of Registry hives to pull out key forensic artifacts and applies scoring to bubble up entries of interest.

There are many other tools that can handle registry parsing aside from the notable ones mentioned above. The backbone of many of these tools is a Registry parsing library, which can also be used to script new and custom parsers.

If you’d like to see a list of the various parsers and which ones are used by several popular tools check out our Guide to Registry Forensic Tools.

If you’d like to see how Cyber Triage’s automated analysis could speed up your Registry forensics, try it for free now.

Windows Forensics Investigation Tips

No Windows Registry forensics cheat sheet is complete without investigation tips.

Here are a few from our expert staff:

  • Ensure your analysis tool handles transaction logs (the .LOG1/.LOG2 files stored beside each hive) when analyzing offline registry hives. A hive whose header sequence numbers do not match has uncommitted changes that exist only in the logs.
  • Consider looking at app-specific (MSIX) registry hives for forensic data. MSIX-packaged applications write to their own hives (Registry.dat, User.dat and UserClasses.dat under %LocalAppData%\Packages\<PackageFamilyName>\SystemAppData\Helium), and those changes are visible only to the packaged app. Analyzing only the traditional hives, live or offline, can therefore miss data.
  • Use registry key last-write times in a timeline to help find other sources of potential evidence. The timestamp belongs to the key, not to individual values, so any value change under the key updates it.
  • Test your tools to understand their limitations. For example, regedit fails to display keys and value names that contain a null character, so such subkeys are hidden from the UI. Other tools may have similar issues.
  • Cross-reference multiple artifacts for consistency and deeper context.
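
The first tip is easy to check by hand. The following added example (not code from the original page or from any of the tools it lists) parses the 512-byte base block at the start of a hive file, verifies the header checksum, and reports whether the primary and secondary sequence numbers disagree, which means the last write was never committed to the hive and the .LOG1/.LOG2 files must be replayed before analysis. The base block used for the demonstration is constructed inline; the hive name in it is made up.

```python
"""Inspect the regf base block of an offline hive and report whether its
transaction logs still need to be replayed.

Added example. Sample header is constructed inline, not from a real system.
"""
import struct
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
BASE_BLOCK_SIZE = 512


def regf_checksum(base_block: bytes) -> int:
    """XOR-32 of the 127 DWORDs preceding the checksum field at offset 0x1FC."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:0x1FC]):
        xor ^= dword
    if xor == 0xFFFFFFFF:  # reserved values defined by the hive format
        return 0xFFFFFFFE
    if xor == 0:
        return 1
    return xor


def parse_regf_header(base_block: bytes) -> dict:
    """Parse the base block fields that matter for triage."""
    if len(base_block) < BASE_BLOCK_SIZE:
        raise ValueError("base block must be at least 512 bytes")
    if base_block[:4] != b"regf":
        raise ValueError("not a registry hive: missing 'regf' signature")
    # offsets: seq1 @4, seq2 @8, last written FILETIME @12, major @20, minor @24
    seq1, seq2, ft, major, minor = struct.unpack_from("<IIQII", base_block, 4)
    name = base_block[0x30:0x30 + 64].decode("utf-16-le").split("\x00", 1)[0]
    stored_checksum = struct.unpack_from("<I", base_block, 0x1FC)[0]
    return {
        "hive_name": name,
        "primary_sequence": seq1,
        "secondary_sequence": seq2,
        "last_written": FILETIME_EPOCH + timedelta(microseconds=ft // 10),
        "version": f"{major}.{minor}",
        "checksum_ok": stored_checksum == regf_checksum(base_block),
        # Mismatched sequence numbers: the newest data lives only in the logs.
        "dirty": seq1 != seq2,
    }


def hive_needs_log_replay(hive_path: str) -> dict:
    """Read a hive from disk and say whether its .LOG1/.LOG2 must be applied."""
    path = Path(hive_path)
    with path.open("rb") as fh:
        info = parse_regf_header(fh.read(BASE_BLOCK_SIZE))
    logs = [path.with_name(path.name + ext) for ext in (".LOG1", ".LOG2")]
    info["log_files"] = [p.name for p in logs if p.exists()]
    info["needs_replay"] = info["dirty"] and bool(info["log_files"])
    return info


def sample_base_block(seq1: int, seq2: int,
                      name: str = r"\??\C:\Windows\System32\config\SYSTEM") -> bytes:
    """Constructed 512-byte base block (format 1.5) with a valid checksum."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = b"regf"
    struct.pack_into("<IIQII", block, 4, seq1, seq2, 133497882000000000, 1, 5)
    # file type (0 = primary), format (1), root cell offset, hive bins data size
    struct.pack_into("<IIII", block, 0x1C, 0, 1, 0x20, 0x1000)
    struct.pack_into("<I", block, 0x2C, 1)  # clustering factor
    encoded = name.encode("utf-16-le")[:64]  # the field holds at most 32 chars
    block[0x30:0x30 + len(encoded)] = encoded
    struct.pack_into("<I", block, 0x1FC, regf_checksum(bytes(block)))
    return bytes(block)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(hive_needs_log_replay(sys.argv[1]))
    else:
        for seqs in ((7, 7), (9, 8)):
            print(parse_regf_header(sample_base_block(*seqs)))
```

Run it as `python hivecheck.py C:\evidence\SYSTEM` against an exported hive; a result with dirty set to true and log files present means a tool that ignores the logs (or a RegRipper run without replaying them first with RLA) will show stale data.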