مسارات مهمة في (Registry) للتحليل الجنائي الرقمي - part (3)

[H4x0r]

Important Registry Paths for Forensic Analysis​

No.	Registry Path	Description
1	HKLM\SYSTEM\CurrentControlSet\Control\ComputerName	Computer name
2	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	Installed software
3	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs	Recent documents
4	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU	Recently opened/saved files
5	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU	Run history
6	HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters	Network configuration
7	HKCU\Software\Microsoft\Internet Explorer\TypedURLs	Typed URLs in Internet Explorer
8	HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Internet settings
9	HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings	Recently executed programs
10	HKCU\Software\Microsoft\Office	Microsoft Office usage
11	HKLM\SYSTEM\CurrentControlSet\Enum\USB	USB device history
12	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2	Mounted devices
13	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	Winlogon settings
14	HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation	Time zone information
15	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist	UserAssist data
16	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList	User profile paths
17	HKCU\Control Panel\Desktop	Desktop settings
18	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	User-specific folders
19	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy	Group policy settings
20	HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management	Memory management settings
21	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows	Windows folder paths
22	HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	User-specific policies
23	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles	Network profiles
24	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	File extension actions
25	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	System drivers
26	HKCU\Software\Microsoft\Search Assistant\ACMru	Search Assistant history
27	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug	Debugger settings
28	HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit	Last key viewed in Regedit
29	HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot	Safe boot options
30	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU	Folder settings
31	HKCU\Software\Microsoft\Terminal Server Client	Remote desktop connections
32	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib	Performance library
33	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Explorer advanced settings
34	HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers	Configured printers
35	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem	Messaging settings
36	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons	Hidden desktop icons
37	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix	Installed hotfixes
38	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers	Wallpaper history
39	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt	External device management
40	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability	System reliability data
41	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects	Visual effects settings
42	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization	Virtualization settings
43	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	Explorer CLSID data
44	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsUpdate	Windows Update settings
45	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify	Tray notifications
46	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW	Windows on Windows settings
47	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage	Start page settings
48	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE	Windows Preinstallation Environment
49	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband	Taskbar settings
50	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileGuid	User profile GUIDs
51	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions	Shell extensions
52	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo	Session information
53	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices	Multimedia devices
54	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable	Discardable post-setup data
55	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI	Logon UI settings
56	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2	Start page settings (alternate)
57	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	Windows Remote Management
58	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder	Menu order settings
59	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	Uninstalled software
60	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU	Stream MRU
61	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	Browser Helper Objects (BHOs)
62	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler	Shared task scheduler
63	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks	Shell execute hooks
64	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState	Shell state
65	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers	Shell icon overlay identifiers
66	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs	Recent documents (alternate)
67	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\Namespace	My Computer namespace
68	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel	Hidden desktop icons in new start panel
69	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons	Drive icons
70	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU	Last visited MRU
71	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	Recycle bin settings
72	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Advanced explorer settings
73	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler	Shared task scheduler (alternate)
74	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Shell folders
75	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	System shell folders
76	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs	Recent documents (alternate)
77	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs	System recent documents
78	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\Namespace	User-specific My Computer namespace
79	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu	Hidden desktop icons in classic start menu
80	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu	User-specific hidden desktop icons in classic start menu
81	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\Namespace	Control Panel namespace
82	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\Namespace	User-specific Control Panel namespace
83	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel	Control Panel settings
84	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	CLSID data
85	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	System CLSID data
86	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Advanced explorer settings (alternate)
87	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced	System advanced explorer settings
88	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer	User-specific explorer settings
89	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	System explorer settings
90	HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	Internet security zones
91	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	System internet security zones
92	HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	Internet zone map
93	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	System internet zone map
94	HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains	Internet zone map domains
95	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains	System internet zone map domains
96	HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	Internet zone map ranges
97	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	System internet zone map ranges
98	HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults	Internet protocol defaults
99	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults	System internet protocol defaults
100	HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Internet connections settings

Important Registry Paths for Offensive Security and Red Teaming​

No.	Registry Path	Description
1	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Programs that run on system startup
2	HKCU\Software\Microsoft\Windows\CurrentVersion\Run	Programs that run on user login
3	HKLM\SYSTEM\CurrentControlSet\Services	System services
4	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	Winlogon process customization
5	HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	User-specific startup programs
6	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	System-wide startup programs
7	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	Debugger settings for executables
8	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delayed loading of shell extensions
9	HKCU\Software\Microsoft\Office\<version>\Outlook\Security	Outlook security settings
10	HKLM\SYSTEM\CurrentControlSet\Control\Lsa	Local Security Authority settings
11	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	Installed software
12	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2	Mounted devices
13	HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot	Safe boot options
14	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU	Folder settings
15	HKCU\Software\Microsoft\Terminal Server Client	Remote desktop connections
16	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib	Performance library
17	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32	System drivers
18	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug	Debugger settings
19	HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit	Last key viewed in Regedit
20	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	Browser Helper Objects (BHOs)
21	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks	Shell execute hooks
22	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers	Shell icon overlay identifiers
23	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\Namespace	My Computer namespace
24	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons	Drive icons
25	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	Recycle bin settings
26	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler	Shared task scheduler
27	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	System shell folders
28	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs	System recent documents
29	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu	Hidden desktop icons in classic start menu
30	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\Namespace	Control Panel namespace
31	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel	Control Panel settings
32	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	System CLSID data
33	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced	System advanced explorer settings
34	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	System explorer settings
35	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	System internet security zones
36	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	System internet zone map
37	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains	System internet zone map domains
38	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	System internet zone map ranges
39	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults	System internet protocol defaults
40	HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Internet connections settings
41	HKLM\SYSTEM\CurrentControlSet\Control\ComputerName	Computer name
42	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU	Recently opened/saved files
43	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU	Run history
44	HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters	Network configuration
45	HKCU\Software\Microsoft\Internet Explorer\TypedURLs	Typed URLs in Internet Explorer
46	HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Internet settings
47	HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings	Recently executed programs
48	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs	Recent documents
49	HKLM\SYSTEM\CurrentControlSet\Enum\USB	USB device history
50	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList	User profile paths
51	HKCU\Control Panel\Desktop	Desktop settings
52	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	User-specific folders
53	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy	Group policy settings
54	HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management	Memory management settings
55	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows	Windows folder paths
56	HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	User-specific policies
57	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles	Network profiles
58	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	File extension actions
59	HKCU\Software\Microsoft\Search Assistant\ACMru	Search Assistant history
60	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState	Shell state
61	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs	Recent documents (alternate)
62	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel	Hidden desktop icons in new start panel
63	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU	Last visited MRU
64	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Advanced explorer settings
65	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Shell folders
66	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs	Recent documents (alternate)
67	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\Namespace	User-specific My Computer namespace
68	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu	User-specific hidden desktop icons in classic start menu
69	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\Namespace	User-specific Control Panel namespace
70	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	CLSID data
71	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Advanced explorer settings (alternate)
72	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer	User-specific explorer settings
73	HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	Internet security zones
74	HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	Internet zone map
75	HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains	Internet zone map domains
76	HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	Internet zone map ranges
77	HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults	Internet protocol defaults
78	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions	Shell extensions
79	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo	Session information
80	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices	Multimedia devices
81	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable	Discardable post-setup data
82	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI	Logon UI settings
83	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2	Start page settings (alternate)
84	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	Windows Remote Management
85	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder	Menu order settings
86	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU	Stream MRU
87	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler	Shared task scheduler
88	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState	Shell state
89	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs	Recent documents (alternate)
90	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel	Hidden desktop icons in new start panel
91	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU	Last visited MRU
92	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Advanced explorer settings
93	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Shell folders
94	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs	Recent documents (alternate)
95	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\Namespace	User-specific My Computer namespace
96	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu	User-specific hidden desktop icons in classic start menu
97	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\Namespace	User-specific Control Panel namespace
98	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	CLSID data
99	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Advanced explorer settings (alternate)
100	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer