Old Registry Hives

Overview

Evidence: Old Registry Hives
Description: Dump Old Registry Hives in Upgraded Operating Systems
Category: Registry
Platform: Windows
Short Name: hivold
Is Parsed: No - Raw hive files are collected
Sent to Investigation Hub: Yes
Collect File(s): No

Background

When Windows is upgraded in place to a new version (a feature update, or an upgrade from an earlier release), Setup keeps the previous installation in the Windows.old folder on the system drive. This includes the registry hives of the previous installation, which are copied as-is rather than merged into the new registry.

Old registry hives are a historical snapshot of the system as it was at upgrade time: services, drivers and autostart entries in SYSTEM and SOFTWARE, local accounts in SAM, and installed applications. Keys and values that were later removed on the upgraded system may still be present in the old hive.

Data Collected

Field           Description                       Example
RegPath         Registry path                     \REGISTRY\MACHINE\SYSTEM
FilePath        Relative path in evidence         Registry/SYSTEM.old
FileSize        Size of the hive file in bytes    12582912
FileModified    Last modified timestamp           2023-10-15T14:30:00
FileAccessed    Last accessed timestamp           2023-10-15T15:45:00
FileCreated     Creation timestamp                2023-10-01T10:00:00
Hash            Hash of the hive file             SHA256:a1b2c3...

Collection Method

This collector gathers old registry hives from:

  • Windows.old\Windows\System32\config\* - Old system hives (SYSTEM, SOFTWARE, SAM, SECURITY, DEFAULT)

  • Transaction logs (.LOG, .LOG1, .LOG2) for each old hive. A hive copied while a write was in flight is "dirty": the primary and secondary sequence numbers in its base block differ, and the log records must be replayed before its contents can be trusted.

  • Old backup copies from Windows.old\Windows\System32\config\RegBack

The old hives are collected alongside the current hives by the Registry collector and are stored with a ".old" suffix so the two sets are not confused.
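The following is an added example, not the collector's own code. It walks a Windows.old root given as a parameter (so it also runs on an exported copy of the folder on any OS), emits the same fields as the Data Collected table, lists the transaction logs that belong to each hive, and reads the REGF base block to report whether the hive is dirty and whether its header checksum verifies. The mapping from file names to registry roots, the "Registry/RegBack" evidence sub-path, and the sample hive tree built by demo() are assumptions made for the example; 0-byte hives (common in RegBack) are reported with an error rather than skipped.

```python
"""Enumerate hives under Windows.old, describe them like the hivold evidence table,
and inspect each REGF base block for the sequence numbers that signal a dirty hive.
Added example for this page; it is not the collector's implementation."""
import hashlib
import struct
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed mapping of System32\config hive files to the roots they back.
# NTUSER.DAT / UsrClass.dat under Users\ are not covered by this example.
HIVE_ROOTS = {
    "SYSTEM": r"\REGISTRY\MACHINE\SYSTEM",
    "SOFTWARE": r"\REGISTRY\MACHINE\SOFTWARE",
    "SAM": r"\REGISTRY\MACHINE\SAM",
    "SECURITY": r"\REGISTRY\MACHINE\SECURITY",
    "DEFAULT": r"\REGISTRY\USER\.DEFAULT",
}
LOG_SUFFIXES = (".log", ".log1", ".log2")
FILETIME_EPOCH_DELTA = 116444736000000000  # 100 ns ticks from 1601-01-01 to 1970-01-01


def regf_checksum(base_block: bytes) -> int:
    """XOR of the first 508 bytes as little-endian dwords; the kernel maps the two
    reserved results 0 -> 1 and 0xFFFFFFFF -> 0xFFFFFFFE."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:0x1FC]):
        x ^= dword
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(x, x)


def parse_base_block(base_block: bytes) -> dict:
    """Read the triage-relevant fields of the 4 KiB REGF base block."""
    if len(base_block) < 0x200 or base_block[:4] != b"regf":
        raise ValueError("not a REGF hive (bad signature or truncated file)")
    primary_seq, secondary_seq = struct.unpack_from("<II", base_block, 0x04)
    (filetime,) = struct.unpack_from("<Q", base_block, 0x0C)
    (stored_checksum,) = struct.unpack_from("<I", base_block, 0x1FC)
    last_written = None
    if filetime >= FILETIME_EPOCH_DELTA:
        last_written = datetime.fromtimestamp((filetime - FILETIME_EPOCH_DELTA) / 1e7,
                                              tz=timezone.utc)
    return {
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        # Unequal sequence numbers: a write was in flight when the file was copied,
        # so the .LOG1/.LOG2 records must be applied before parsing the hive.
        "dirty": primary_seq != secondary_seq,
        "last_written": last_written,
        "checksum_ok": stored_checksum == regf_checksum(base_block),
    }


def _iso(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def describe_hive(path: Path, evidence_dir: str) -> dict:
    """One record with the same fields as the evidence table, plus base-block data."""
    st, sha = path.stat(), hashlib.sha256()
    with open(path, "rb") as f:
        head = f.read(0x1000)
        sha.update(head)
        for chunk in iter(lambda: f.read(1 << 20), b""):
            sha.update(chunk)
    rec = {
        "RegPath": HIVE_ROOTS[path.name.upper()],
        "FilePath": f"{evidence_dir}/{path.name}.old",  # ".old" suffix as in the evidence
        "FileSize": st.st_size,
        "FileModified": _iso(st.st_mtime),
        "FileAccessed": _iso(st.st_atime),
        "FileCreated": _iso(st.st_ctime),  # creation time on Windows only
        "Hash": "SHA256:" + sha.hexdigest(),
        "TransactionLogs": sorted(p.name for p in path.parent.iterdir()
                                  if p.name.lower().startswith(path.name.lower() + ".")
                                  and p.suffix.lower() in LOG_SUFFIXES),
    }
    try:
        rec.update(parse_base_block(head))
    except ValueError as exc:  # e.g. the 0-byte hives often found in RegBack
        rec["error"] = str(exc)
    return rec


def collect_old_hives(windows_old: Path) -> list:
    """Describe every hive in the two locations the collector reads."""
    config = windows_old / "Windows" / "System32" / "config"
    records = []
    for folder, evidence_dir in ((config, "Registry"), (config / "RegBack", "Registry/RegBack")):
        if folder.is_dir():
            for p in sorted(folder.iterdir()):
                if p.is_file() and p.name.upper() in HIVE_ROOTS:
                    records.append(describe_hive(p, evidence_dir))
    return records


def make_sample_hive(primary_seq: int, secondary_seq: int) -> bytes:
    """Constructed sample: a bare 4 KiB base block with a valid checksum and no hbins."""
    block = bytearray(0x1000)
    block[:4] = b"regf"
    struct.pack_into("<II", block, 0x04, primary_seq, secondary_seq)
    struct.pack_into("<Q", block, 0x0C, 133_000_000_000_000_000)  # a mid-2022 FILETIME
    struct.pack_into("<I", block, 0x1FC, regf_checksum(bytes(block)))
    return bytes(block)


def demo() -> list:
    """Build a constructed Windows.old tree in a temp dir and collect it."""
    with tempfile.TemporaryDirectory() as d:
        config = Path(d) / "Windows" / "System32" / "config"
        (config / "RegBack").mkdir(parents=True)
        (config / "SYSTEM").write_bytes(make_sample_hive(7, 7))      # clean hive
        (config / "SYSTEM.LOG1").write_bytes(b"\0" * 512)
        (config / "SOFTWARE").write_bytes(make_sample_hive(12, 11))  # dirty hive
        (config / "SOFTWARE.LOG1").write_bytes(b"\0" * 512)
        (config / "SOFTWARE.LOG2").write_bytes(b"\0" * 512)
        (config / "RegBack" / "SAM").write_bytes(b"")                # 0-byte backup copy
        return collect_old_hives(Path(d))


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

On a real system point collect_old_hives() at C:\Windows.old (running elevated, since the config folder is ACL-protected). A record whose dirty flag is set should be fed, together with its listed transaction logs, to a hive parser that replays logs; a record with checksum_ok false indicates a corrupted or partially copied base block and should not be treated as authoritative.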

Usage

Old registry hives provide the historical system state from before a Windows upgrade. Investigators use this data to:

  • Analyze the pre-upgrade system configuration

  • Recover artifacts that were deleted before or during the upgrade

  • Compare the current configuration with the previous one

  • Track changes across Windows upgrades

  • Investigate incidents that occurred before the upgrade

Known Limitations

  • Only present if the installation was upgraded in place; a clean install onto a formatted disk leaves no Windows.old, and only the most recent previous installation is kept

  • Windows.old is removed automatically about 10 days after a feature update on current Windows 10/11 builds, and users can delete it earlier with Disk Cleanup ("Previous Windows installation(s)"), Storage Sense, or by hand

  • Since Windows 10 version 1803 the scheduled registry backup no longer writes to RegBack by default, so the hive files there are frequently 0 bytes

  • Hives copied mid-transaction are dirty; parse them with a tool that replays the collected .LOG1/.LOG2 files, or recent changes will be missing

Notes

Old hives are marked with ".old" suffix in the evidence to distinguish them from current hives. They represent the system state before the most recent Windows upgrade.
