Windows Registry Analysis

The Windows Registry is a hierarchical database that stores Windows settings and software configuration. It holds information about system hardware, installed programs, user preferences, and other settings that Windows and applications rely on to function properly.

1. Navigating the Windows Registry

To explore the Windows Registry, you can use:

  • Registry Editor (regedit): Open by typing regedit in the Run dialog (press Win + R to open it). This tool allows you to view and edit registry keys and values.
  • PowerShell: Use PowerShell commands to query and modify the registry. For example, you can use Get-ItemProperty to view registry values.

2. Identifying Important Registry Keys

Key Sections

  • HKEY_CLASSES_ROOT (HKCR): Contains information about file associations and COM objects. It helps Windows know which program to use to open different file types.
  • HKEY_CURRENT_USER (HKCU): Stores settings specific to the currently logged-in user, such as desktop background, application preferences, and keyboard settings.
  • HKEY_LOCAL_MACHINE (HKLM): Contains system-wide settings and configurations that apply to all users on the computer, including installed software, drivers, and security settings.
  • HKEY_USERS (HKU): Stores user-specific information for all user accounts on the system. It includes settings for users who are not currently logged in.
  • HKEY_CURRENT_CONFIG (HKCC): Contains information about the current hardware configuration, such as display settings and printer settings. It helps Windows apply the correct settings based on the hardware in use.

Example Documentation

Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Description: Stores the list of programs that automatically start when Windows boots up. You can use this to manage startup applications.

Practical PowerShell Commands

You can interact with the Windows Registry using PowerShell. Here are some useful commands:

1. Viewing a Registry Key

To view the contents of a registry key, use the following command:

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

This command shows all the startup programs in the specified registry key.
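Because the Run keys are one of the first places both administrators and responders look when reviewing what starts with Windows, a single Get-ItemProperty call is usually extended into a small inventory. The script below is an added example, not code from the original page: it walks the common Run and RunOnce keys under HKLM and HKCU, strips the PSPath-style note properties PowerShell attaches to Get-ItemProperty output, resolves each command line to the executable it launches, and hashes that file so the output can be compared against a baseline or a known-good list. The key list and the helper function names are choices made for this example.

```powershell
# Added example (not from the original page): inventory Run/RunOnce autostart
# values, resolve each command line to its executable, and hash the file.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Get-ItemProperty adds provider note properties to every result; skip them so
# only real registry values are reported.
$noteProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-AutostartExecutable {
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') {
        # Quoted path: the executable is whatever sits inside the first quotes.
        $exe = $Matches[1]
    } else {
        # Unquoted path: take the first token; arguments follow after a space.
        # (An unquoted path that itself contains spaces is truncated here, which
        # is exactly why such entries deserve a manual look.)
        $exe = ($CommandLine -split '\s+')[0]
    }
    # Expand %SystemRoot%-style references so the file can be located on disk.
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-AutostartInventory {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($noteProps -contains $prop.Name) { continue }
            $exe  = Resolve-AutostartExecutable -CommandLine ([string]$prop.Value)
            $hash = $null
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            }
            [pscustomobject]@{
                Key         = $key
                ValueName   = $prop.Name
                CommandLine = $prop.Value
                Executable  = $exe
                FileExists  = [bool]$hash
                SHA256      = $hash
            }
        }
    }
}

# Entries whose executable cannot be found on disk sort first: they are either
# stale or point at a location that does not (yet) contain the expected file.
Get-AutostartInventory | Sort-Object FileExists, Key | Format-Table -AutoSize
```

Pipe Get-AutostartInventory to Export-Csv to keep a dated snapshot; diffing two snapshots is a quick way to spot a new autostart entry on a machine under review.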

2. Adding a New Value to a Registry Key

To add a new value to a registry key, use this command:

Set-ItemProperty -Path "HKCU:\Software\MyApp" -Name "NewSetting" -Value "MyValue"

This command creates a new setting called "NewSetting" with the value "MyValue" in the "MyApp" key under HKEY_CURRENT_USER.
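Set-ItemProperty by itself fails when the key does not exist yet, stores whatever type PowerShell infers from the value, and gives no indication of what was there before. The function below is an added example rather than code from the original page: it creates the key when needed, records the previous value to a log file before overwriting it, writes with an explicit registry data type, and reads the value back to confirm the write. The function name, the log file location under $env:TEMP, and the sample key and value names are assumptions for this example.

```powershell
# Added example (not from the original page): write a registry value with a
# backup record, an explicit type, and read-back verification.
function Set-RegistryValueSafely {
    param(
        [Parameter(Mandatory)] [string]$Path,     # e.g. HKCU:\Software\MyApp
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] $Value,
        [ValidateSet('String', 'ExpandString', 'DWord', 'QWord', 'Binary', 'MultiString')]
        [string]$Type = 'String',
        [string]$BackupFile = "$env:TEMP\registry-backup.log"   # assumed location
    )

    # Set-ItemProperty cannot create the key itself, so create it first.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    # Record the previous value so the change can be reverted or audited later.
    $old = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $previous = if ($null -ne $old) { $old.$Name } else { '<absent>' }
    "{0}`t{1}\{2}`tprevious={3}`tnew={4}" -f (Get-Date -Format o), $Path, $Name, $previous, $Value |
        Add-Content -Path $BackupFile

    # An explicit -Type avoids silently storing a number as REG_SZ.
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type

    # Read the value back rather than assuming the write succeeded.
    $actual = Get-ItemPropertyValue -Path $Path -Name $Name
    if ("$actual" -ne "$Value") {
        throw "Verification failed for $Path\$Name : read back '$actual'"
    }
    return $actual
}

# Sample calls (key and value names are illustrative).
Set-RegistryValueSafely -Path 'HKCU:\Software\MyApp' -Name 'NewSetting' -Value 'MyValue'
Set-RegistryValueSafely -Path 'HKCU:\Software\MyApp' -Name 'Retries' -Value 3 -Type DWord
```

Get-ItemPropertyValue requires Windows PowerShell 5.0 or later; on older versions read the value with Get-ItemProperty and select the property by name.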

3. Monitoring Registry Changes

To monitor changes to a registry subtree, register a WMI event subscription. The registry event classes live in the root\default namespace and require a Hive and a RootPath in the query (HKEY_CURRENT_USER is not supported as a hive; use HKEY_USERS with the user's SID instead):

$query = "SELECT * FROM RegistryTreeChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND RootPath='SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'"
Register-WmiEvent -Namespace 'root\default' -Query $query -SourceIdentifier "RegistryChange" -Action { Write-Host "Registry change detected!" }

This registers an event subscription that runs the action block whenever a change is detected in the monitored subtree (here the Run key and any subkeys beneath it). The subscription lasts for the current PowerShell session; remove it with Unregister-Event -SourceIdentifier "RegistryChange".
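A Write-Host message tells you that something changed but not what. The script below is an added example, not code from the original page: it watches the HKLM Run key with a RegistryKeyChangeEvent (which fires for any value change directly in that key), and on each event appends a timestamp, the key path, and a snapshot of the key's current values to a log file, so the change can be reconstructed afterwards. The log file location under $env:TEMP and the subscription identifier are assumptions for this example.

```powershell
# Added example (not from the original page): log every change to the HKLM Run
# key together with a snapshot of the key's values at that moment.
$logFile = "$env:TEMP\registry-watch.log"   # assumed location for this example

# WQL string literals need doubled backslashes; PowerShell leaves them untouched.
$query = "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' " +
         "AND KeyPath='SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'"

# -MessageData passes the log path into the action block as $Event.MessageData,
# which is the supported way to hand state to an event action.
Register-WmiEvent -Namespace 'root\default' -Query $query `
    -SourceIdentifier 'RunKeyWatch' -MessageData $logFile -Action {
    $e = $Event.SourceEventArgs.NewEvent          # the RegistryKeyChangeEvent instance
    $stamp = Get-Date -Format o
    # Capture the key as it looks now; PS* note properties are dropped from the dump.
    $snapshot = Get-ItemProperty -Path "HKLM:\$($e.KeyPath)" |
        Select-Object * -ExcludeProperty PS* | Out-String
    $record = "{0}`t{1}\{2} changed`n{3}" -f $stamp, $e.Hive, $e.KeyPath, $snapshot
    Add-Content -Path $Event.MessageData -Value $record
}

# Subscriptions live only in this session; list them and remove when finished.
Get-EventSubscriber
# Unregister-Event -SourceIdentifier 'RunKeyWatch'
```

Writing a test value to the Run key with Set-ItemProperty from a second elevated window should append a record to the log. Register-WmiEvent is a Windows PowerShell 5.1 cmdlet; on PowerShell 7 use Register-CimIndicationEvent with the same -Namespace, -Query, -SourceIdentifier, -MessageData and -Action parameters.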

Running the Commands

To run these commands, open PowerShell as an administrator. You can do this by searching for "PowerShell" in the Start menu, right-clicking on it, and selecting "Run as administrator." Once PowerShell is open, you can copy and paste the commands directly into the window and press Enter.

3. Analyzing Registry Hives and Transaction Logs

Registry hives (like SYSTEM, SOFTWARE, NTUSER.DAT) hold different parts of the registry. Analyzing these hives helps you understand system and user settings. Use tools like the Windows Event Viewer or Registry Explorer to track changes and monitor activities.
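Each hive is an ordinary file on disk, accompanied by transaction logs (.LOG1 and .LOG2) that receive writes before the hive itself is updated; an offline parser has to replay those logs to see the latest state, and a log newer than its hive is a sign that unflushed changes exist. The script below is an added example, not code from the original page: it lists the system hives under System32\config and the per-user NTUSER.DAT and UsrClass.dat files, reports their sizes, last-write times and whether a transaction log is newer than the hive, and then uses reg.exe save to take consistent copies of the locked system hives for offline analysis. The export directory under $env:TEMP and the function names are assumptions for this example; the export step needs an elevated prompt.

```powershell
# Added example (not from the original page): inventory hive files and their
# transaction logs, then copy the locked system hives for offline analysis.
$config = Join-Path $env:SystemRoot 'System32\config'
$hives = @(
    @{ Name = 'SYSTEM';   File = Join-Path $config 'SYSTEM' }
    @{ Name = 'SOFTWARE'; File = Join-Path $config 'SOFTWARE' }
    @{ Name = 'SAM';      File = Join-Path $config 'SAM' }
    @{ Name = 'SECURITY'; File = Join-Path $config 'SECURITY' }
    @{ Name = 'DEFAULT';  File = Join-Path $config 'DEFAULT' }
)
# Per-user hives: NTUSER.DAT in the profile root, UsrClass.dat under AppData\Local.
$profiles = Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue
foreach ($p in $profiles) {
    $hives += @{ Name = "NTUSER ($($p.Name))";   File = Join-Path $p.FullName 'NTUSER.DAT' }
    $hives += @{ Name = "UsrClass ($($p.Name))"; File = Join-Path $p.FullName 'AppData\Local\Microsoft\Windows\UsrClass.dat' }
}

function Get-HiveInventory {
    foreach ($h in $hives) {
        # Hive files and logs are hidden/system files, so -Force is needed to see them.
        $hiveFile = Get-Item -LiteralPath $h.File -Force -ErrorAction SilentlyContinue
        if (-not $hiveFile) { continue }
        $logs = foreach ($suffix in '.LOG1', '.LOG2') {
            Get-Item -LiteralPath ($h.File + $suffix) -Force -ErrorAction SilentlyContinue
        }
        $newestLog = $logs | Sort-Object LastWriteTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            Hive             = $h.Name
            Path             = $hiveFile.FullName
            HiveBytes        = $hiveFile.Length
            HiveWritten      = $hiveFile.LastWriteTime
            LogsPresent      = @($logs).Count
            # Heuristic: a log written after the hive still holds unflushed changes.
            LogNewerThanHive = ($null -ne $newestLog) -and ($newestLog.LastWriteTime -gt $hiveFile.LastWriteTime)
        }
    }
}

function Export-HiveCopies {
    param([string]$Destination = (Join-Path $env:TEMP 'hive-export'))   # assumed path
    New-Item -Path $Destination -ItemType Directory -Force | Out-Null
    # The live files are locked; reg.exe save writes a consistent copy instead.
    foreach ($name in 'SYSTEM', 'SOFTWARE', 'SAM', 'SECURITY') {
        & reg.exe save "HKLM\$name" (Join-Path $Destination $name) /y | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "reg save HKLM\$name failed (exit $LASTEXITCODE); run from an elevated prompt"
        }
    }
    Get-ChildItem -Path $Destination
}

Get-HiveInventory | Format-Table -AutoSize
Export-HiveCopies
```

The hives Windows currently has loaded, with their on-disk paths, are also recorded under HKLM\SYSTEM\CurrentControlSet\Control\hivelist, which is a useful cross-check when a profile lives somewhere other than the Users folder.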

Example PowerShell Command

To monitor registry changes under a hive, register a WMI event subscription in the root\default namespace; the query must name the Hive and the RootPath to watch:

$query = "SELECT * FROM RegistryTreeChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND RootPath='SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'"
Register-WmiEvent -Namespace 'root\default' -Query $query -Action { Write-Host "Registry change detected!" }

This registers an event subscription that notifies you when a change is detected anywhere in the monitored subtree; because no -SourceIdentifier is given, PowerShell assigns one, which Get-EventSubscriber will show when you need to remove the subscription.