Windows Registry Analysis Β· Hive-Level Forensics

Windows Registry Forensics: Hive Analysis and User Attribution

Independent registry forensics on Windows 10, 11, and Server. We analyze every relevant hive β€” SYSTEM, SOFTWARE, SAM, SECURITY, NTUSER.DAT, UsrClass.dat β€” to reconstruct user activity, installed software, USB history, network connections, and program execution.

← Canonical HubThis page is part of the Windows Forensics cluster. Return to the hub for the full artifact index and cross-cluster context.

Quick Answer. The Windows registry is a hierarchical binary database that stores operating system configuration and per-user activity. Registry forensics parses each hive from its on-disk file (C:\Windows\System32\config\ for SYSTEM/SOFTWARE/SAM/SECURITY, C:\Users\<name>\NTUSER.DAT, and C:\Users\<name>\AppData\Local\Microsoft\Windows\UsrClass.dat), reads each key’s LastWrite timestamp, decodes typed values (REG_SZ, REG_BINARY, REG_DWORD, REG_QWORD), and reconstructs auto-run persistence, recently used files, USB device history, network profiles, typed URLs, mapped drives, ShellBag folder access, and program execution counters.

Registry hives and what they answer

Hive / fileLocationWhat it establishes
SYSTEM\System32\config\SYSTEMComputerName, CurrentControlSet, USBSTOR, MountedDevices, network interfaces, services
SOFTWARE\System32\config\SOFTWAREInstalled applications, Windows install date, Run/RunOnce, network profiles, default browser
SAM\System32\config\SAMLocal user accounts, RID, last logon, logon count, password change date, group memberships
SECURITY\System32\config\SECURITYLSA policy, cached secrets, audit policy
NTUSER.DATC:\Users\\NTUSER.DATPer-user UserAssist, RecentDocs, TypedPaths, RunMRU, Office MRU, network drives
UsrClass.datC:\Users\\AppData\Local\Microsoft\Windows\ShellBags (folder-view history), Windows 10/11 activity, Photos/Explorer state
Amcache.hve\Windows\AppCompat\Programs\Executed / present binaries with SHA-1, first-executed timestamp (see program execution page)

UserAssist and RecentDocs: what the user actually opened

UserAssist lives under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count. Each value name is ROT13-encoded and stores an execution count plus a FILETIME of the last run. GUID CEBFF5CD is executables launched via Explorer; F4E57C4B is shortcut launches. UserAssist is per-user and per-session, so it directly attributes execution to a specific human account.

RecentDocs under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs lists recently opened files by extension subkey and MRU order. Combined with LNK files in Recent\, RecentDocs proves that the user (not the system) opened a specific document.

ShellBags: proof a user browsed a folder

ShellBags live in UsrClass.dat under Local Settings\Software\Microsoft\Windows\Shell\Bags and BagMRU. Every time a user opens a folder in Explorer, Windows records its path, view type, and column layout. This survives even after the folder or its contents are deleted, and even for removable media that is no longer connected.

ShellBags is one of the strongest artifacts for “the user knew this folder existed and browsed into it” β€” decisive in trade-secret, evidence-tampering, and possession-based matters.

USB, mounted volumes, and drive letters (SYSTEM hive)

  • SYSTEM\CurrentControlSet\Enum\USBSTOR β€” vendor, product, revision, and unique serial for each USB storage device.
  • SYSTEM\CurrentControlSet\Enum\USB β€” the broader USB enumeration including phones (MTP), cameras, and non-storage devices.
  • SYSTEM\MountedDevices β€” maps drive letters and volume GUIDs to device signatures.
  • SOFTWARE\Microsoft\Windows Portable Devices\Devices β€” friendly name of the device as Windows displayed it.
  • Per-user NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 ties the volume GUID to a specific human account β€” the key attribution step in USB exfiltration cases.

See the USB Device Forensics page for the end-to-end analysis flow.

Persistence keys reviewed in every intrusion matter

  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run / RunOnce (all-user)
  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run (per-user)
  • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon β€” Shell, Userinit, Notify
  • SYSTEM\CurrentControlSet\Services β€” service persistence, ImagePath tampering
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
  • AppInit_DLLs, IFEO (Image File Execution Options) debugger hijacks

Transaction logs and hive integrity

Every hive has companion .LOG1 / .LOG2 transaction logs that must be replayed against the primary hive before analysis. Skipping this step produces stale keys and missed values. Our workflow applies transaction logs, computes a fresh hash, and preserves the original hive plus logs as evidence exhibits.

How Elite Digital Forensics helps

Elite Digital Forensics is an independent, defense-aligned Windows forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Windows Forensics hub for the full analytical framework we bring to every matter.

Related Windows forensics pages

Frequently asked questions

Does the registry prove a specific user did something?

Yes. NTUSER.DAT and UsrClass.dat are per-profile files loaded when that user logs in, so their contents attribute the recorded activity to that user account. This is why UserAssist, ShellBags, and MountPoints2 carry so much weight.

Are LastWrite timestamps reliable?

Yes, when interpreted correctly. LastWrite is set on the parent key, not individual values, so we anchor a specific value’s write time using surrounding artifacts (event logs, Prefetch, USN journal).

Can registry data be recovered after CCleaner or a similar tool?

Often yes. Older hive states are recoverable from Volume Shadow Copies, System Restore points, and hive transaction logs. Memory captures also contain live registry data.

What about the Windows 11 registry differences?

Windows 11 introduces additional keys (Recall/CoPilot on newer builds, packaged app state under UsrClass.dat), retains the same hive model, and continues to store UserAssist, ShellBags, MountPoints2, USBSTOR, and Run keys.

Ready to move on your windows registry matter?

Tell us about the computer, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.

Request Confidential Consultation Call (833) 292-3733

Primary sources and references

  1. Microsoft: Registry hive files. learn.microsoft.com
  2. Microsoft: Registry structure. learn.microsoft.com
  3. SANS: Windows Forensic Analysis Poster. www.sans.org

This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.

#RegistryForensics #NTUSER #Shellbags #UserAssist #WindowsForensics #DFIR #EliteDigitalForensics

Assistant Icon Elite Digital Forensics Assistant
πŸ‘‹ Live Chat Now!
Free Virtual Consultation 24/7
Chat Now!

By submitting this form, you consent to be contacted by email, text, or phone. Your information is kept secure and confidential. Reply Stop to opt out at anytime.Β 

IMPORTANT: Please remember to check your spam or junk folder