windows registry analysis
TRANSCRIPT
Windows 9x/ME, Windows CE, Windows NT/2000/XP/2003 and Windows 7/8 all store
configuration data in the registry. It is a central repository for configuration data, stored in a
hierarchical manner. The system, users, applications and hardware in Windows use the registry
to store their configuration, and it is constantly accessed for reference during their operation. The
registry was introduced to replace most of the text-based configuration files used in Windows 3.x and MS-
DOS, such as .ini files, autoexec.bat and config.sys. Because of the vast amount of information stored
in the Windows registry, it can be an excellent source of potential evidence. For
instance, the registry contains information on user accounts, typed URLs, network shares
and Run command history. The aspects discussed in this paper are based on the Windows XP (Service
Pack 2), Windows 7 and Windows 8 registries.
The registry is a database in Windows that contains important information about system hardware,
installed programs and settings, and profiles of each of the user accounts on your computer.
Windows continually refers to the information in the registry.
You should not normally need to make manual changes to the registry, because programs and applications
typically make all the necessary changes themselves. An incorrect change to your computer's
registry can render the computer inoperable, so manual edits are only warranted when a corrupt entry
has to be repaired.
We strongly recommend that you back up the registry before making any changes, and that you
only change values that you understand or have been instructed to change by a
source you trust. During an examination, work on a copy of the hive files rather than on the evidence itself.
Five root keys exist:
HKLM: HKEY_LOCAL_MACHINE (Computer-specific data)
HKU: HKEY_USERS (User-specific data)
HKCR: HKEY_CLASSES_ROOT (application settings, file associations, class registrations for COM
objects)
» Link to HKLM\Software\Classes
HKCC: HKEY_CURRENT_CONFIG (Current hardware conf.)
» Link to HKLM\System\CurrentControlSet\Hardware Profiles\Current
HKCU: HKEY_CURRENT_USER (Current user's data)
» Link to HKU\<SID of current user>
File locations:
HKLM\SAM %SYSTEMROOT%\System32\config\SAM
HKLM\Security %SYSTEMROOT%\System32\config\SECURITY
HKLM\Software %SYSTEMROOT%\System32\config\software
HKLM\System %SYSTEMROOT%\System32\config\system
HKLM\Hardware volatile: built at boot and held in memory only, not on disk
HKU\.Default %SYSTEMROOT%\System32\config\default
HKU\SID %USERPROFILE%\NTUSER.DAT
HKU\SID_Classes %USERPROFILE%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (Windows XP)
%USERPROFILE%\AppData\Local\Microsoft\Windows\UsrClass.dat (Windows Vista and later)
Registry files and their typical content:
NTUSER.DAT  Protected storage for the user, MRU lists, user preference settings.
DEFAULT     System settings set during the initial install of the operating system.
SAM         Security settings and user account management.
SECURITY    Security settings (LSA policy, cached domain credentials).
SOFTWARE    All installed programs on the system and their associated settings.
SYSTEM      System settings (control sets, services, drivers, mounted devices).
REGISTRY STRUCTURE
[Figure: logical view of the registry key structure (Windows 7)]
FORENSIC-RELATED REGISTRY KEYS
Time Zone Information
The TimeZoneInformation key is a critical reference for building a consistent timeline of evidence. The values within this key (Bias, ActiveTimeBias, StandardName, DaylightName, StandardStart and DaylightStart) give the time zone and daylight saving
time (DST) information needed to convert UTC timestamps to local time. Bias and ActiveTimeBias are in minutes and follow the convention UTC = local time + bias, so a zone east of UTC has a negative bias (stored as a two's-complement DWORD). DST does not affect UTC time, but it can play a significant role in determining local time.
HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation (Windows XP, 7 and 8)
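The following Python is an added example, not part of the original transcript, showing how an examiner decodes these values from an offline SYSTEM hive and applies them to a FILETIME. The value set is constructed sample data resembling US Eastern time; the SYSTEMTIME and FILETIME layouts and the bias sign convention are documented Windows formats.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample of the TimeZoneInformation values (assumed, US Eastern-like).
# Bias / ActiveTimeBias are REG_DWORD minutes with UTC = local + bias, so zones
# east of UTC store a negative bias as a two's-complement DWORD.
SAMPLE_TZI = {
    "Bias": 300,                     # standard time is UTC-5
    "ActiveTimeBias": 240,           # UTC-4: DST was active when the hive was last written
    "StandardName": "Eastern Standard Time",
    "DaylightName": "Eastern Daylight Time",
    # StandardStart / DaylightStart are REG_BINARY SYSTEMTIME structures (8 WORDs):
    # year, month, day-of-week, day, hour, minute, second, milliseconds.
    # year == 0 means a recurring rule: "day" is then the week of the month (5 = last).
    "StandardStart": struct.pack("<8H", 0, 11, 0, 1, 2, 0, 0, 0),  # 1st Sunday of Nov, 02:00
    "DaylightStart": struct.pack("<8H", 0, 3, 0, 2, 2, 0, 0, 0),   # 2nd Sunday of Mar, 02:00
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def signed_dword(value):
    """A REG_DWORD is read as unsigned; reinterpret it as a signed 32-bit integer."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value

def format_utc_offset(bias_minutes):
    """Render a registry bias in the familiar UTC+hh:mm form (the sign is inverted)."""
    bias = signed_dword(bias_minutes)
    sign = "-" if bias > 0 else "+"
    return "UTC%s%02d:%02d" % (sign, abs(bias) // 60, abs(bias) % 60)

def parse_systemtime(blob):
    """Decode a 16-byte SYSTEMTIME; year 0 marks a recurring transition rule."""
    year, month, dow, day, hour, minute, second, ms = struct.unpack("<8H", blob[:16])
    return {"year": year, "month": month, "day_of_week": dow, "day": day,
            "hour": hour, "minute": minute, "second": second, "ms": ms,
            "recurring": year == 0}

def filetime_to_utc(filetime):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def utc_to_local(utc_dt, bias_minutes):
    """Apply a registry bias: local = UTC - bias. Use ActiveTimeBias for the state at
    acquisition, or Bias / Bias + DaylightBias chosen from the transition rules for
    historical timestamps. Returns a naive local datetime."""
    return (utc_dt - timedelta(minutes=signed_dword(bias_minutes))).replace(tzinfo=None)

def describe(tzi):
    """Summarise the key the way it would appear in an examiner's report."""
    std = parse_systemtime(tzi["StandardStart"])
    dst = parse_systemtime(tzi["DaylightStart"])
    return {
        "standard": "%s (%s)" % (tzi["StandardName"], format_utc_offset(tzi["Bias"])),
        "active": format_utc_offset(tzi["ActiveTimeBias"]),
        "dst_starts": "month %d week %d" % (dst["month"], dst["day"]),
        "dst_ends": "month %d week %d" % (std["month"], std["day"]),
    }

if __name__ == "__main__":
    print(describe(SAMPLE_TZI))
    # 116444736000000000 is 1970-01-01 00:00 UTC as a FILETIME
    local = utc_to_local(filetime_to_utc(116444736000000000), SAMPLE_TZI["ActiveTimeBias"])
    print(local.isoformat())   # 1969-12-31T20:00:00
```

Note that ActiveTimeBias only tells you the offset in force when the hive was last written; a timestamp from the other half of the year must be shifted with the bias derived from the transition rules.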
Autorun Locations
Autorun locations are registry keys from which programs are launched automatically
at boot or at user logon, so they are the first place to look for persistence.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (Windows XP)
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices (Windows XP)
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce (Windows XP)
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
On 64-bit systems the Wow6432Node counterparts of the HKLM keys should be checked as well.
MRU Lists
MRU is the abbreviation for most-recently-used. A "Most Recently Used" list contains entries made as a result of specific actions performed by the user, and there are numerous MRU list locations throughout the Registry. These lists are maintained in case the user returns to the items in the future; essentially, their function is similar to that of the history and cookies in a web browser. Each list keeps its ordering in a separate value: MRUList (Windows XP, a string of letters, most recent first) or MRUListEx (Windows Vista and later, little-endian DWORD indexes terminated by 0xFFFFFFFF, most recent first). Only the most recent addition moves the key's Last Write time.
The OpenSaveMRU key is a typical example. It maintains a list of files recently opened or saved via Windows Explorer-style common dialog boxes (i.e. the Open
dialog box and the Save dialog box) (Microsoft, 2002). For instance, files (e.g. .txt, .pdf, .htm, .jpg) recently opened or saved from within a web browser (including IE and Firefox) are recorded. However, documents that are opened or saved via Microsoft Office programs, which use their own dialogs, are not.
The sub key * contains the full file paths of the 10 most recently opened/saved files. The other sub keys in OpenSaveMRU contain far more entries related to previously opened or saved files
(including the 10 most recent ones), grouped by file extension.
XP Search Files
This key contains recent search terms entered in the Windows XP default search (Search Assistant). Sub key 5603
contains search terms for finding folders and file names, while sub key 5604 contains search terms for finding words or phrases in a file.
All files and folders            HKCU\Software\Microsoft\Search Assistant\ACMru\5603
Internet Search Assistant        HKCU\Software\Microsoft\Search Assistant\ACMru\5001
Printers, computers and people   HKCU\Software\Microsoft\Search Assistant\ACMru\5647
A word or phrase in a file       HKCU\Software\Microsoft\Search Assistant\ACMru\5604
Windows Start Menu – Recent Docs
This key also maintains a list of files recently opened through Windows Explorer. It corresponds to %USERPROFILE%\Recent (My Recent Documents). The
key records recently opened local and network files; only the file name is stored, as a NUL-terminated UTF-16LE string at the start of each binary value, followed by the name of the corresponding .lnk shortcut. It has a similar grouping to the OpenSaveMRU key: opened files are organized by file extension under respective sub keys, and each sub key has its own MRUListEx value giving the order.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pdf (Windows 8)
Remote Desktop Information
The key listed below comes from a Microsoft support article about a Japanese Input Method Editor (IME) mapping problem. When you log on to a Windows Server 2003 Service Pack 1 (SP1)-based terminal server from a client computer running a Japanese version of Windows XP, the terminal server uses a Microsoft Global IME keyboard layout that differs from the client's. If the imjp81.ime registry entry contains a value, the client computer sends it to the
terminal server; however, the entry uses a default value of "null", and the client computer incorrectly assumes that "null" is a valid file name.
Warning: serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. To work around this problem, follow these steps on each client computer:
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client\IME Mapping Table\JPN
3. Right-click the imjp81.ime entry, and then click Modify.
4. Clear the Value data text box, and then click OK.
5. Exit Registry Editor.
HKLM\Software\Microsoft\Terminal Server Client\IME Mapping Table\JPN (Windows 7)
For forensic purposes the more useful Terminal Server Client keys are in NTUSER.DAT: HKCU\Software\Microsoft\Terminal Server Client\Default holds the MRU0..MRU9 list of hosts the user connected to with mstsc.exe, and HKCU\Software\Microsoft\Terminal Server Client\Servers\<hostname> holds a UsernameHint value with the account name that was used.
Run dialog box
This key maintains a list of entries (e.g. full file paths or commands like cmd, regedit,
compmgmt.msc) executed through Start > Run. Each entry is a REG_SZ value named with a single letter whose data ends in "\1". The MRUList value holds those
letters in the order in which the entries were added, most recent first. However, the most recently added entry does not necessarily imply the most
recently used command, as the suspect may have re-executed previous commands: Windows does not
modify the key's Last Write time or MRUList when the command already has an entry in the key.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
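The following Python is an added example, not part of the original transcript, that orders entries the way Windows does for both styles of list: MRUList keys such as RunMRU above, and MRUListEx keys such as RecentDocs (and OpenSavePidlMRU) from the Start Menu section. The key contents are constructed sample data; the RecentDocs values model only the leading UTF-16LE file name, not the complete shell item that follows it on a real system.

```python
import struct

# Constructed RunMRU key as read from NTUSER.DAT (sample data). Each command is a
# REG_SZ named with one letter and suffixed "\1"; MRUList lists the letters,
# most recently added first.
RUNMRU = {
    "a": "cmd\\1",
    "b": "regedit\\1",
    "c": "\\\\fileserver\\finance\\1",
    "MRUList": "cba",
}

def _recentdocs_entry(filename, lnk_name):
    # RecentDocs value data begins with the file name as a NUL-terminated UTF-16LE
    # string; on a real system a shell item carrying the .lnk name follows. Only the
    # name prefix (plus the .lnk name) is modelled here: an assumption for the example.
    return (filename.encode("utf-16-le") + b"\x00\x00"
            + lnk_name.encode("utf-16-le") + b"\x00\x00")

# Constructed RecentDocs\.pdf key: values are numbered strings and MRUListEx is
# REG_BINARY little-endian DWORD indexes, most recent first, ending with 0xFFFFFFFF.
RECENTDOCS_PDF = {
    "0": _recentdocs_entry("invoice.pdf", "invoice.lnk"),
    "1": _recentdocs_entry("report.pdf", "report.lnk"),
    "2": _recentdocs_entry("contract.pdf", "contract.lnk"),
    "MRUListEx": struct.pack("<4I", 1, 2, 0, 0xFFFFFFFF),
}

def decode_utf16z(blob):
    """Return the leading NUL-terminated UTF-16LE string of a binary value."""
    end = 0
    while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    return blob[:end].decode("utf-16-le", errors="replace")

def strip_runmru_suffix(data):
    """RunMRU data is 'command\\1'; remove the trailing \\1 marker only."""
    return data[:-2] if data.endswith("\\1") else data

def order_mrulist(key):
    """Windows XP style: MRUList is a string of letters, most recent first.
    Letters without a matching value (partially wiped keys) are skipped."""
    ordered = []
    for letter in key.get("MRUList", ""):
        if letter in key:
            ordered.append(strip_runmru_suffix(key[letter]))
    return ordered

def order_mrulistex(key, decoder=decode_utf16z):
    """Vista+ style: MRUListEx holds DWORD indexes into values named "0", "1", ...
    The list ends at the 0xFFFFFFFF sentinel; stale indexes are skipped."""
    blob = key.get("MRUListEx", b"")
    ordered = []
    for (index,) in struct.iter_unpack("<I", blob[:len(blob) - len(blob) % 4]):
        if index == 0xFFFFFFFF:
            break
        value = key.get(str(index))
        if value is not None:
            ordered.append(decoder(value))
    return ordered

if __name__ == "__main__":
    print("RunMRU     :", order_mrulist(RUNMRU))
    print("RecentDocs :", order_mrulistex(RECENTDOCS_PDF))
```

Because only the head of the list is trustworthy, report the position in MRUList/MRUListEx alongside each entry rather than assuming the key's Last Write time applies to all of them.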
Regedit - Last accessed key
The LastKey value under this key records the registry key that was selected when Registry Editor was last closed, which shows what the user was looking at or editing in regedit. (As Microsoft warns, using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system; use it at your own risk.)
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
Regedit - Favorites
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites
MS Paint - Recent Files
MS Paint lets you create and edit drawings and scanned photos. When you are writing text
it should display a toolbar with fonts, style and size; if it does not, the setting has
to be changed in the registry. For this, go to Start > Run, enter "regedit" and navigate to the registry path listed below. If
the sub key "\CurrentVersion\Applets\Paint\Text" is not present, create it.
Then create a DWORD value named "ShowTextTool" if it does not exist, and set its value data to "1" to enable the setting.
For the examiner the interesting part of the same Applets\Paint key is the list of previously used files, stored as File1, File2, ... values:
[Figure: MS Paint recent file list in Registry Editor]
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List (Windows 8)
Mapped Network Drives
The following key contains the drive mapping history (the MRU list of UNC paths entered in Map Network Drive); under HKEY_USERS it sits beneath the user's SID:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
Installed Application List
Each sub key of this key represents a program installed on the computer. All programs listed in Control Panel > Add/Remove Programs correspond to one of the listed sub keys; however,
there are other installed programs (e.g. device drivers, Windows patches) that are not listed in Add/Remove Programs. Each sub key usually contains two common registry values: DisplayName
(program name) and UninstallString (the file path of the application's uninstall component, which indirectly reveals the installation path). Other useful values may exist, including InstallDate, InstallSource and DisplayVersion. On 64-bit systems, 32-bit applications are listed under the Wow6432Node copy of the key, and per-user installs appear under the HKCU copy.
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall (32-bit applications on 64-bit Windows)
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall (per-user installs)
Command Processor
This key has a registry value named AutoRun, which can contain a command that is executed automatically each time cmd.exe is run. The HKLM copy requires
administrative privilege to modify; the HKCU copy can be set by the user, so malware can use it without elevation to load itself without the user's knowledge. A suspect could also covertly run a malicious program under the cover of cmd.exe by setting the AutoRun data to the executable's file path. Starting cmd.exe with the /D switch skips AutoRun, which is how an examiner should open a shell on a live suspect system.
HKCU\Software\Microsoft\Command Processor
HKLM\Software\Microsoft\Command Processor
WordPad - Recent Files
WordPad stores a list of recently accessed files in its Jump List and in the Registry under:
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List
Common Dialog – Last visited MRU
This key correlates with the OpenSaveMRU key to provide extra information. Whenever a new entry is added to OpenSaveMRU, a registry value is created or
updated in this key. Each binary value under this key contains the executable file name of a recently used program, and the folder path of a file that the program was used to open or save. If a file was saved, the folder path is the destination path; if a file was opened,
the folder path is the source path. A new value is only created in this key if no existing value contains the program's executable file name; if there is a
matching executable file name in an existing value, only the folder path section of that value is updated. The order of use is kept in MRUList (Windows XP) or MRUListEx (Windows Vista and later).
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU (Windows XP)
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU (Windows Vista and later)
Common Dialog – Open/Save MRU
This is the OpenSaveMRU key described under MRU Lists above: the sub key * holds the full paths of the 10 most recently opened or saved files, and the other sub keys group earlier entries by file extension (e.g. .pdf and .sys). On Windows Vista and later the key is named OpenSavePidlMRU, each entry is a binary shell item list (PIDL) rather than a plain string, and the ordering is kept in MRUListEx.
(Windows XP) HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
(.pdf files) HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\pdf
(.sys files) HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\sys
EXE to main window title cache (MUICache)
Whenever a program is launched through the shell, Explorer caches the application's friendly name (taken from the executable's version resource) under the executable's full path, so this key lists programs the user has run even after the executable has been deleted. It is useful for learning what is being run on a system, and gives an idea of what an unknown .exe is before you run it yourself.
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache (Windows XP)
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache (Windows 7/8, stored in UsrClass.dat)
PowerPoint - Recent Files
This registry key stores the file name and location of the Office PowerPoint documents that were used most recently. The version number in the path (15.0) is Office 2013; use 14.0 for Office 2010, 12.0 for Office 2007 and 11.0 for Office 2003.
HKCU\Software\Microsoft\Office\15.0\PowerPoint\File MRU
Word - Recent Files
This registry key stores the file name and location of the Microsoft Office Word documents
that were used most recently.
HKCU\Software\Microsoft\Office\15.0\Word\File MRU
UserAssist
This key contains two or more sub keys with globally unique identifier (GUID) names, and beneath each GUID is a sub key called Count. The Count
sub key contains recorded values that pertain to objects the user has launched through Explorer (the Start menu, desktop and shortcuts), such as Control Panel applets, shortcut files, programs, documents and media. Value names are obfuscated with ROT13, and each value's binary data holds a run counter and the time of last execution as a FILETIME (UTC): 16 bytes per value on Windows XP, 72 bytes on Windows 7 and later.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
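As an added example that is not from the original transcript, the following Python decodes a UserAssist Count sub key: it un-ROT13s the names, expands the known-folder GUID prefixes that Windows 7 substitutes for path roots, and parses both the XP and Windows 7 value layouts. The GUID constants are documented Windows values; the Count contents, run counts and timestamps are constructed sample data.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows 7/8 UserAssist GUID sub keys (documented values).
GUID_EXECUTABLES = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"   # programs launched directly
GUID_SHORTCUTS = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"     # launched through .lnk shortcuts

# Known-folder GUIDs that replace path prefixes in the value names (documented values).
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": "%SystemRoot%",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "%ProgramFiles%",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": "%ProgramFiles(x86)%",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(filetime):
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def decode_name(rot13_name):
    """Value names are ROT13-encoded; known-folder GUID prefixes are expanded."""
    name = codecs.decode(rot13_name, "rot_13")
    for guid, path in KNOWN_FOLDERS.items():
        if name.upper().startswith(guid):
            return path + name[len(guid):]
    return name

def parse_count_xp(blob):
    """Windows XP: 16 bytes = session ID, run counter, FILETIME of last run.
    The counter starts at 5, so the real run count is counter - 5."""
    session, counter, ft = struct.unpack("<IIQ", blob[:16])
    return {"runs": max(counter - 5, 0), "last_run": filetime_to_utc(ft) if ft else None}

def parse_count_win7(blob):
    """Windows 7/8: 72 bytes. Run count at offset 4, focus count at 8,
    focus time in ms at 12, last-run FILETIME at 60."""
    if len(blob) < 68:
        raise ValueError("UserAssist value too short for the Windows 7 layout")
    runs, focus_count, focus_ms = struct.unpack_from("<III", blob, 4)
    ft = struct.unpack_from("<Q", blob, 60)[0]
    return {"runs": runs, "focus_count": focus_count,
            "focus_time": timedelta(milliseconds=focus_ms),
            "last_run": filetime_to_utc(ft) if ft else None}

def _win7_value(runs, focus_count, focus_ms, filetime):
    # Builds a 72-byte Windows 7 value for the constructed sample below.
    blob = bytearray(72)
    struct.pack_into("<III", blob, 4, runs, focus_count, focus_ms)
    struct.pack_into("<Q", blob, 60, filetime)
    return bytes(blob)

# Constructed sample of one Count sub key (assumed data; FILETIME 130014720000000000
# is 2013-01-01 00:00:00 UTC).
SAMPLE_COUNT = {
    codecs.encode("{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\cmd.exe", "rot_13"):
        _win7_value(7, 3, 12000, 130014720000000000),
    codecs.encode("{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Notepad++\\notepad++.exe", "rot_13"):
        _win7_value(42, 40, 3600000, 130014720000000000 + 36000 * 10**7),
}

def report(count_key, parser=parse_count_win7):
    """Decode every value and sort by last execution, newest first."""
    rows = [dict(name=decode_name(n), **parser(d)) for n, d in count_key.items()]
    rows.sort(key=lambda r: r["last_run"] or FILETIME_EPOCH, reverse=True)
    return rows

if __name__ == "__main__":
    for row in report(SAMPLE_COUNT):
        print(row["last_run"], row["runs"], row["name"])
```

Values whose decoded name starts with UEME_ (for example UEME_CTLSESSION) are bookkeeping records rather than programs and can be filtered out of the report.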
Memory Management – paging
This key holds the Windows virtual memory (paging file) configuration. The paging file
(usually C:\pagefile.sys) may contain evidential information that could be removed once the suspect computer is shut down. The key contains a registry value called ClearPageFileAtShutdown which specifies whether Windows should wipe the paging file when the computer shuts down.
By default Windows does not clear the paging file; however, the suspect may set this value to 1 so that the paging file is cleared at shutdown (Microsoft, 2003). A forensic
investigator should therefore check this value (and capture the paging file and memory while the system is live) before shutting down a suspect computer during the evidence collection process.
HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management
Existing Services
This key contains the list of Windows services. Each sub key represents a service and holds that service's
information, such as its startup configuration (Start), executable image path (ImagePath) and, for svchost-hosted services, the DLL named in Parameters\ServiceDll. Some malware, like legitimate software such as Oracle 11g R2, installs itself as a service and so leaves a trace in this key.
HKLM\System\CurrentControlSet\Services\
HKLM\System\CurrentControlSet\Services\Oracle11\Preference
Image File Execution Options
This key allows an administrator to map an executable file name to a debugger, so that the named program is started under a different program. Modifying the key requires administrative privilege.
A suspect can exploit this feature to launch a completely different program under the cover of the initial program. First, the suspect creates a sub key named after the target, for example notepad.exe (or taskmgr.exe, compmgmt.msc or any benign-looking executable). Then, under the sub key notepad.exe, the suspect creates a new string (REG_SZ) value named Debugger and points it at the covert program (e.g. C:\Windows\system32\telnet.exe). When the suspect executes notepad.exe, the telnet client is launched instead of Notepad. If the suspect runs notepad.exe through Windows Run, for instance, the history list will only show notepad.exe; thus the suspect can use this technique to deceive the forensic examiner. The suspect could also redirect the initial program to a Trojan version that launches a backdoor whenever the initial program is run. Malware exploits this feature to load itself without the user's knowledge; the classic case is a Debugger value under sethc.exe or utilman.exe pointing at cmd.exe, which gives a SYSTEM shell from the logon screen. Any Debugger value under this key should therefore be reviewed.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
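An added example (not from the original talk) that triages the persistence locations covered in the Autorun Locations, Command Processor and Image File Execution Options sections from the text of a reg export (.reg) file, which is how these keys are usually carried off a live system. The .reg excerpt is constructed sample data, and the "user-writable path" heuristic is this example's own rule of thumb, not a Windows definition.

```python
import re

# Constructed excerpt of a "reg export" file (sample data only). Real exports are
# UTF-16LE with a BOM: open them with encoding="utf-16" before passing the text in.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Users\\bob\\AppData\\Roaming\\Updater\\svchost.exe\" -s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="C:\\Users\\bob\\AppData\\Local\\Temp\\helper.exe"
'''

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) for every value; REG_SZ data is unescaped,
    other types (dword:, hex:) are returned as the raw text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = None if m.group(1) else m.group(2)   # "[-KEY]" means the key is deleted
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        yield key, name, data

AUTORUN_KEYS = ("\\run", "\\runonce", "\\runonceex", "\\runservices", "\\runservicesonce",
                "\\policies\\explorer\\run", "\\windows nt\\currentversion\\windows")
# Heuristic (assumption for this example): launch paths an ordinary user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "%temp%", "%appdata%")

def triage(text):
    """Return (key, name, data, reason) for persistence entries to look at first."""
    findings = []
    for key, name, data in parse_reg(text):
        k, d = key.lower(), data.lower()
        if "image file execution options\\" in k and name.lower() == "debugger":
            findings.append((key, name, data, "IFEO Debugger: this target runs instead of the program"))
        elif k.endswith("\\command processor") and name.lower() == "autorun" and data:
            findings.append((key, name, data, "cmd.exe AutoRun: runs on every cmd.exe start"))
        elif k.endswith(AUTORUN_KEYS) and any(p in d for p in USER_WRITABLE):
            findings.append((key, name, data, "autorun from a user-writable path"))
    return findings

if __name__ == "__main__":
    for key, name, data, reason in triage(SAMPLE_REG):
        print("%-45s %s\n    %s\\%s = %s" % (reason, "", key, name, data))
```

The IFEO rule deliberately fires on every Debugger value rather than on known-bad targets: legitimate uses of that value on a workstation are rare enough that each one deserves a look.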
Last logged on user
This tells us who logged in last, and may give a pen-tester a user name to attack.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (DefaultUserName; Windows XP)
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI (LastLoggedOnUser; Windows Vista and later)
Wireless Network
A wireless network card picks up wireless access points within its range, which are identified by
their SSID (Service Set Identifier). When an individual connects to a network or hotspot, the SSID is logged by Windows XP as a preferred network connection.
HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces (Windows XP)
This key contains wireless network information for adapters using the Windows Wireless Zero Configuration
service. Under each adapter GUID sub key there are binary registry values named Static#0000, Static#0001, etc. (depending
on the number of listed SSIDs), which correspond to the respective entries in the Preferred Networks box of the Wireless
Network Connection configuration. Each value contains the SSID name in binary form. If the registry value ActiveSettings
contains an SSID name, it may signify the last connected SSID; however, the result was not consistent when tested.
If the suspect connected to wireless networks using a third-party program bundled with the network adapter
instead of Wireless Zero Configuration, no trace is left in this key. A forensic examiner can use this key together with the
network adapter GUID key under Tcpip\Parameters\Interfaces (below) to determine the last assigned IP address.
HKLM\Software\Microsoft\Windows\Wlansvc\Interfaces (Windows 7)
In addition to logging the name of the SSID, Windows also logs the network settings of that particular connection, such as the IP address, DHCP server, domain and subnet mask.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\
Below this key there are GUID sub keys, one per adapter, as mentioned above. It is also important to note that there are timestamps associated with some of the values in this key. One, for example,
is LeaseObtainedTime: the time at which the IP address was obtained from the DHCP server, stored as a Unix epoch value (seconds since 1970-01-01 UTC). If the computer is using vendor software to manage wireless connections, there may be additional locations where this information is stored, depending on the vendor.
LAN Computers
Windows XP implements a network browsing tool called My Network Places, which allows
computers to easily find other computers within a LAN (Local Area Network). A computer on a properly configured LAN records the computer names of the other computers on that network, together with the descriptions they advertise.
Even after the computer is no longer connected to the LAN, the list of devices seen from that system remains, including desktop computers, laptops and printers.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
USB Devices
Any time a device is connected to the Universal Serial Bus (USB), drivers are queried and
the device's information is stored in the Registry (thumb drives, cameras, etc.). The USBSTOR key contains sub keys that represent the device descriptor (vendor, product and revision, e.g. Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26)
of every USB storage device that has been connected to the system. Beneath each device descriptor is a sub key named with the device instance ID, which is the device's ser number.
The serial number is a unique value assigned by the manufacturer, much like
the MAC address of a network interface card, so a particular USB device can be identified as to whether or not it has been connected to other Windows systems. If the second character of the instance ID is "&", the device reported no serial number and Windows generated the ID itself, so it is not unique across machines. The USB key (as opposed to USBSTOR) records devices by vendor and product ID (VID_xxxx&PID_xxxx) and covers non-storage devices as well.
HKLM\System\ControlSet001\Enum\USBSTOR\
HKLM\System\ControlSet001\Enum\USB\
Mounted Devices
This key makes it possible to view each drive associated with the system. It stores the database of
mounted volumes maintained by the Mount Manager.
HKLM\SYSTEM\MountedDevices
The key contains a list of mounted devices with the associated persistent volume name and unique internal identifier of each device. It lists every volume that has been mounted and
assigned a drive letter (\DosDevices\E:), including USB storage devices and external DVD/CD-ROM drives, and every volume by GUID (\??\Volume{GUID}). For a USB device the value data is the device instance path as a Unicode string, which contains the USBSTOR descriptor and serial number and so ties the drive letter and volume GUID back to a specific device.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
The volume GUID is then used to identify the user who plugged in the device: the same {GUID} appears as a sub key of MountPoints2 in the NTUSER.DAT hive of each user who accessed the volume, and that sub key's Last Write time gives the last time the device was mounted by that user.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\....\Autorun\DefaultIcon
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\...\Autorun\DefaultLabel
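As an added example that is not from the original transcript, the following Python performs the USBSTOR / MountedDevices / MountPoints2 correlation described above on constructed hive data: the device descriptors, serials, volume GUIDs and user names are all made up for the example, while GUID_DEVINTERFACE_DISK is a documented Windows constant.

```python
import re

# GUID_DEVINTERFACE_DISK, which terminates MountedDevices device paths (documented value).
DISK_INTERFACE = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"

def _mounted_entry(descriptor, serial):
    # MountedDevices data for a USB disk is the device instance path as UTF-16LE.
    return ("_??_USBSTOR#%s#%s#%s" % (descriptor, serial, DISK_INTERFACE)).encode("utf-16-le")

# Constructed hive content (sample data, not from a real system).
USBSTOR = {   # SYSTEM\ControlSet001\Enum\USBSTOR\<device descriptor>\<instance id>
    "Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.26": ["4C530001230424110183&0"],
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": ["7&2a1b3c4d&0&_&0"],   # no hardware serial
}
MOUNTED_DEVICES = {   # SYSTEM\MountedDevices
    # fixed disk: 4-byte MBR signature + 8-byte partition offset, not a device path
    "\\DosDevices\\C:": bytes.fromhex("1234abcd" + "0010000000000000"),
    "\\DosDevices\\E:": _mounted_entry("Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.26",
                                       "4C530001230424110183&0"),
    "\\??\\Volume{9e7f0a6c-2f1d-4c7b-9f1e-0123456789ab}":
        _mounted_entry("Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.26", "4C530001230424110183&0"),
}
MOUNTPOINTS2 = {   # per-user NTUSER.DAT ...\Explorer\MountPoints2 sub key names
    "alice": ["{1c0ed4f3-aaaa-bbbb-cccc-000000000001}"],
    "bob": ["{9e7f0a6c-2f1d-4c7b-9f1e-0123456789ab}", "{1c0ed4f3-aaaa-bbbb-cccc-000000000001}"],
}

DESCRIPTOR_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$")

def parse_descriptor(name):
    """Split a USBSTOR descriptor key name into device type, vendor, product, revision."""
    m = DESCRIPTOR_RE.match(name)
    if not m:
        raise ValueError("not a USBSTOR device descriptor: " + name)
    return m.groupdict()

def has_hardware_serial(instance_id):
    """If the second character is '&', Windows generated the ID because the device
    reported no serial number, so it cannot be matched across machines."""
    return len(instance_id) > 1 and instance_id[1] != "&"

def _as_device_path(data):
    """Decode MountedDevices data as a device path, or None for signature/offset data."""
    if len(data) % 2:
        return None
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    return text if text.startswith("_??_") or text.startswith("\\??\\") else None

def usb_device_report(usbstor, mounted, mountpoints2):
    """Join USBSTOR instances with their MountedDevices drive letters / volume GUIDs
    and with the users whose MountPoints2 key references those volume GUIDs."""
    report = []
    for descriptor, instances in usbstor.items():
        info = parse_descriptor(descriptor)
        for serial in instances:
            letters, volumes = [], []
            for value_name, data in mounted.items():
                path = _as_device_path(data)
                if path and ("#%s#" % serial) in path and descriptor in path:
                    if value_name.startswith("\\DosDevices\\"):
                        letters.append(value_name.rsplit("\\", 1)[1])
                    elif value_name.startswith("\\??\\Volume"):
                        volumes.append(value_name[len("\\??\\"):])
            users = sorted(u for u, guids in mountpoints2.items()
                           if any(v[len("Volume"):] in guids for v in volumes))
            report.append({"vendor": info["vendor"], "product": info["product"],
                           "rev": info["rev"], "serial": serial,
                           "unique_serial": has_hardware_serial(serial),
                           "drive_letters": letters, "volume_guids": volumes, "users": users})
    return report

if __name__ == "__main__":
    for row in usb_device_report(USBSTOR, MOUNTED_DEVICES, MOUNTPOINTS2):
        print(row)
```

A drive letter entry only records the most recent device that held that letter, so an empty drive_letters list does not mean the device was never mounted; the volume GUID entry and the MountPoints2 sub key are the more durable links.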
Volume Serial Number
Here we discover the volume serial number of the file system partition on the USB device. Knowing both the volume serial number and the volume name, we can correlate the data with shortcut file (LNK) analysis and the RecentDocs key: a shortcut file (LNK) contains the
volume serial number and volume name, and the RecentDocs key in most cases contains the volume name when the USB device is opened via Explorer. The EMDMgmt key is populated by ReadyBoost when it evaluates a volume, so it exists only on Windows Vista and later; each sub key is named after the device instance path followed by the volume name and the volume serial number in decimal.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\EMDMgmt
Internet Explorer
Internet Explorer stores its data in one key, and three sub keys within it hold the
majority of the useful information.
HKCU\Software\Microsoft\Internet Explorer
The first sub key, Main, stores the user's settings in Internet Explorer. It contains
information like search bars, start page, form settings, etc. One value within this key is interesting and pertains to the next section on
Windows passwords. The value is called "FormSuggest PW Ask". If it is "yes", then it is
a good indicator that the Windows AutoComplete password feature is enabled. If the user has unchecked the box so that passwords are never remembered, this value is "no" and
the user's passwords are not saved. Saved passwords are kept under the IntelliForms key, which is discussed in the next section.
HKCU\Software\Microsoft\Internet Explorer\Main
The next location stores the URLs the user has typed into the address field of the web browser, as values url1, url2, ... with url1 the most recent; on Windows 8 the sibling key TypedURLsTime holds a matching FILETIME for each entry.
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
If the user clears the history within the Internet Options window, the TypedURLs key is deleted entirely and is not recreated until a URL is typed into the address field again.
Windows Passwords
As stated above, if "FormSuggest PW Ask" within the Internet Explorer\Main key
contains "yes" and the user tells the system to remember the password when prompted, then these Internet Explorer AutoComplete passwords are stored in the following key:
HKCU\Software\Microsoft\Internet Explorer\IntelliForms\SPW
If "FormSuggest PW Ask" contains "yes" and the user selects the AutoComplete option NOT to remember the password, the password is still logged in the Registry because the
OS needs to refer to it in order to know not to ask the user to remember it again. These passwords consist of Internet Explorer protected sites, MSN Explorer, AutoComplete and Outlook
passwords. Passwords stored in either of these keys are encrypted by the operating system, keyed to the user's logon credentials. On Windows XP with Internet Explorer 6 and earlier they are stored in the following key:
HKCU\Software\Microsoft\Protected Storage System Provider
From Internet Explorer 7 onwards the Protected Storage provider is no longer used: AutoComplete form data and passwords are stored DPAPI-encrypted under HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage1 (form data) and Storage2 (credentials, keyed by a hash of the site URL), and Internet Explorer 10 and later keep web credentials in the Windows Vault (Credential Manager).
MSN Messenger or Windows Live Messenger
Windows Messenger, MSN Messenger and Windows Live Messenger (the successor to MSN Messenger) generally use the following keys:
HKCU\Software\Microsoft\MessengerService
HKCU\Software\Microsoft\MSNMessenger
HKLM\Software\Microsoft\MessengerService
HKLM\Software\Microsoft\Messenger service\Session Manager\Apps\
Application Compatibility Cache
The Windows application compatibility database is used by Windows to identify possible compatibility problems with executables. The cache tracks each executable's full path, its file size (Windows XP only), the file's last
modified time and, on Windows XP, the last update time.
HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatibility (Windows XP, value AppCompatCache)
HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatCache (Windows 7/8, value AppCompatCache)
Any executable run on the Windows system may be found in this cache, so it can be used to identify systems on which specific malware was executed. In addition, based on the interpretation of
the time-based data, you may be able to determine the last time of execution or activity on the system. Two caveats: the cache is held in kernel memory and is only written to the registry value at shutdown, so a live query shows the state as of the last reboot; and on Windows 7 and later the timestamp recorded for an entry is the file's own last-modified time, not the time of execution.
Windows XP: at most 96 entries; the Last Update Time is updated when the file is executed.
Windows 7: at most 1024 entries; there is no Last Update Time on Windows 7 systems.
Shell Bags
ShellBags track the user's window viewing preferences for folders opened in Windows Explorer. They can be used to tell whether
activity occurred in a folder, even one on removable media or a network share that is no longer present, and in some cases you can see the files from a specific folder as well. BagMRU stores the folder hierarchy as shell items, with an MRUListEx ordering and a NodeSlot number per folder; Bags\<NodeSlot> stores the view settings for that folder.
NTUSER.DAT (Windows XP, 7 and 8; ShellNoRoam is Windows XP only):
HKCU\Software\Microsoft\Windows\Shell\BagMRU
HKCU\Software\Microsoft\Windows\Shell\Bags
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags
UsrClass.dat (Windows 7 and 8; appears under HKCU\Software\Classes or HKU\<SID>_Classes):
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Interpretation: these keys store information about which folders were most recently browsed by the user, and the Last Write time of each BagMRU sub key gives the last time that folder's entry was updated.
Network History
These keys identify the networks, wireless or wired, that the computer has been connected to. They also identify the domain/intranet name, the SSID and the gateway MAC address.
Network card details: HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards
Network list:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost (Windows 8)
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\NewNetworks
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Wireless
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles (one sub key per network, including Wi-Fi hotspots: ProfileName, NameType, Category, DateCreated, DateLastConnected)
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed (domain networks)
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged (all other networks: DefaultGatewayMac, DnsSuffix, FirstNetwork, ProfileGuid)
Interpretation:
Identifying the intranets and networks a computer has connected to is incredibly important.
Not only can we tell the intranet name, we can get the last time the network was connected to from the DateLastConnected value (a SYSTEMTIME in local time) and from the Last Write time of the profile key.
This will also list any networks that have been connected to via VPN.
The MAC address of the gateway recorded for an SSID can be looked up in wireless geolocation databases to place the computer physically.
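An added example (not from the original page) that joins Profiles with Signatures\Managed and Signatures\Unmanaged via ProfileGuid and decodes the SYSTEMTIME date values, producing the per-network history described above. The profile GUIDs, signature names, MAC addresses and times are constructed sample data; the NameType and Category encodings and the SYSTEMTIME layout are documented Windows values.

```python
import struct
from datetime import datetime

# NameType and Category encodings used under NetworkList\Profiles (documented values).
NAME_TYPE = {0x06: "wired", 0x17: "broadband", 0x47: "wireless"}
CATEGORY = {0: "public", 1: "private", 2: "domain"}

def systemtime_to_datetime(blob):
    """DateCreated / DateLastConnected are REG_BINARY SYSTEMTIME structures
    (8 little-endian WORDs) recorded in local time, not UTC."""
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", blob[:16])
    return datetime(year, month, day, hour, minute, second, ms * 1000)

def _systemtime(dt):
    # Builds the 16-byte SYSTEMTIME for the constructed sample (Sunday == 0).
    return struct.pack("<8H", dt.year, dt.month, (dt.weekday() + 1) % 7, dt.day,
                       dt.hour, dt.minute, dt.second, dt.microsecond // 1000)

# Constructed sample of the keys that have to be joined (sample data only).
PROFILES = {   # NetworkList\Profiles\{ProfileGuid}
    "{2A6C0B3E-0001-4C00-9B1D-0000000000A1}": {
        "ProfileName": "CoffeeShop-Guest", "Description": "CoffeeShop-Guest",
        "NameType": 0x47, "Category": 0,
        "DateCreated": _systemtime(datetime(2013, 5, 14, 9, 30, 0)),
        "DateLastConnected": _systemtime(datetime(2013, 6, 2, 18, 45, 12)),
    },
    "{2A6C0B3E-0002-4C00-9B1D-0000000000A2}": {
        "ProfileName": "corp.example", "Description": "corp.example",
        "NameType": 0x06, "Category": 2,
        "DateCreated": _systemtime(datetime(2012, 11, 1, 8, 0, 0)),
        "DateLastConnected": _systemtime(datetime(2013, 6, 3, 8, 2, 40)),
    },
}
UNMANAGED = {   # NetworkList\Signatures\Unmanaged\<signature>
    "010103000F0000F0080000000F0000F0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4": {
        "ProfileGuid": "{2A6C0B3E-0001-4C00-9B1D-0000000000A1}",
        "Description": "CoffeeShop-Guest", "DnsSuffix": "<none>",
        "FirstNetwork": "CoffeeShop-Guest",
        "DefaultGatewayMac": bytes.fromhex("00aabbccddee"),
    },
}
MANAGED = {   # NetworkList\Signatures\Managed\<signature>  (domain networks)
    "010103000F0000F0080000000F0000F05E6F7A8B9C0D1E2F30415263748596A7B8C9D0E1": {
        "ProfileGuid": "{2A6C0B3E-0002-4C00-9B1D-0000000000A2}",
        "Description": "corp.example", "DnsSuffix": "corp.example",
        "FirstNetwork": "corp.example",
        "DefaultGatewayMac": bytes.fromhex("001122334455"),
    },
}

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def network_history(profiles, signatures):
    """One row per profile, joined to its signature (gateway MAC, DNS suffix) through
    ProfileGuid, newest connection first. Profiles without a signature still appear."""
    by_guid = {sig["ProfileGuid"].upper(): sig for sig in signatures.values()}
    rows = []
    for guid, prof in profiles.items():
        sig = by_guid.get(guid.upper(), {})
        rows.append({
            "name": prof["ProfileName"],
            "type": NAME_TYPE.get(prof["NameType"], "unknown(0x%x)" % prof["NameType"]),
            "category": CATEGORY.get(prof["Category"], "unknown"),
            "created": systemtime_to_datetime(prof["DateCreated"]),
            "last_connected": systemtime_to_datetime(prof["DateLastConnected"]),
            "gateway_mac": mac_str(sig["DefaultGatewayMac"]) if "DefaultGatewayMac" in sig else None,
            "dns_suffix": sig.get("DnsSuffix"),
        })
    rows.sort(key=lambda r: r["last_connected"], reverse=True)
    return rows

if __name__ == "__main__":
    for row in network_history(PROFILES, {**MANAGED, **UNMANAGED}):
        print(row["last_connected"], row["type"], row["name"], row["gateway_mac"])
```

Because the dates are local time, convert them with the TimeZoneInformation bias of the machine before placing them on a UTC timeline alongside FILETIME-based artefacts.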
Shared files on the LAN or network
Each value under Shares describes one share exported by the local Server service (path, remark, permissions), and Shares\Security holds the share-level security descriptors.
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\Security
(On disk the control sets are numbered, e.g. ControlSet001; HKLM\SYSTEM\Select\Current says which one CurrentControlSet points to when you work on an offline hive.)
Thank you very much for your time.
Contact details:
Himanshu D. Patel