Old Registry Hives

Overview

Evidence: Old Registry Hives Description: Dump old registry hives in upgraded operating systems Category: System Platform: windows Short Name: hivold Is Parsed: No Sent to Investigation Hub: Yes Collect File(s): Yes

Background

When Windows is upgraded to a new version, the old Windows installation is preserved in the Windows.old folder. This includes the old registry hives from the previous Windows installation.

Old registry hives can contain valuable historical information about system configuration, user activity, and installed applications from before the upgrade.

Data Collected

This collector gathers structured data about old registry hives.

Old Registry Hives Data

Field

Description

Example

RegPath

Registry path

\REGISTRY\MACHINE\SYSTEM

FilePath

Relative path in evidence

Registry/SYSTEM.old

FileSize

Size of the hive file in bytes

12582912

FileModified

Last modified timestamp

2023-10-15T14:30:00

FileAccessed

Last accessed timestamp

2023-10-15T15:45:00

FileCreated

Creation timestamp

2023-10-01T10:00:00

Hash

Hash of the hive file

SHA256:a1b2c3...

Collection Method

This collector gathers old registry hives from:

Windows.old\Windows\System32\config\* - Old system hives
Transaction logs (.log, .log1, .log2) for each old hive
Old backup copies from Windows.old\Windows\System32\config\RegBack

The old hives are collected alongside current hives by the Registry collector.

Forensic Value

Old registry hives provide historical system state from before a Windows upgrade. Investigators use this data to analyze pre-upgrade system configuration, recover deleted artifacts from before upgrade, compare current vs previous configuration, track changes across Windows upgrades, and investigate incidents that occurred before the upgrade.

PreviousOfficeMRU NextOneDrive Logs

Last updated 3 days ago

Was this helpful?