Registry Hives

Overview

  • Evidence: Registry Hives

  • Description: Dump Registry Hives

  • Category: Registry

  • Platform: Windows

  • Short Name: hiv

  • Is Parsed: No - Raw hive files are collected

  • Sent to Investigation Hub: Yes

  • Collect File(s): No

Background

The Windows Registry is a hierarchical database that stores configuration settings and options for the operating system, hardware, installed applications, and user preferences. The registry is stored in several files called hives, each containing a specific branch of the registry tree.

Registry hives are critical system files that Windows loads at boot time and keeps open while the system is running. Each hive file may have associated transaction log files (.log, .log1, .log2) that help maintain consistency during registry writes.

Data Collected

| Field | Description | Example |
| --- | --- | --- |
| RegPath | Registry path being collected | \REGISTRY\MACHINE\SYSTEM |
| FilePath | Relative path in the evidence package | Registry/SYSTEM |
| FileSize | Size of the hive file in bytes | 12582912 |
| FileModified | Last modified timestamp | 2023-10-15T14:30:00 |
| FileAccessed | Last accessed timestamp | 2023-10-15T15:45:00 |
| FileCreated | Creation timestamp | 2023-10-01T10:00:00 |
| Hash | Hash of the hive file | SHA256:a1b2c3... |

Collection Method

This collector gathers registry hive files from multiple locations (paths are relative to the system drive):

  • Active hives enumerated from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist, which maps each loaded hive (e.g. \REGISTRY\MACHINE\SYSTEM) to the file on disk that backs it

  • User hives: Users\*\ntuser.dat

  • User class hives: Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat

  • Default user hive: Windows\System32\config\default

  • Transaction logs (.log, .log1, .log2) for each hive

  • Backup copies from Windows\System32\config\RegBack

Before copying, the collector flushes the registry so that pending in-memory changes are written to the hive files on disk.

Note: For old registry hives from Windows.old, see Old Registry Hives.

Usage

Registry hives are essential for forensic investigations as they contain vast amounts of system and user activity data. This evidence helps investigators reconstruct system configuration, user behavior, installed applications, network connections, USB device history, recent file access, and persistence mechanisms. Analysts can use registry analysis to identify malware persistence, user activity patterns, application usage, system modifications, and attacker tradecraft.

Known Limitations

  • Loaded hive files are held open by the kernel with exclusive access, so they cannot be copied through normal file APIs while the system is running

  • SYSTEM, SAM, SECURITY and other users' ntuser.dat / UsrClass.dat hives require administrative privileges to access

  • Transaction logs (.log, .log1, .log2) may not always be present

  • Backup copies in RegBack may be outdated, and on Windows 10 version 1803 and later the RegBack folder is no longer populated by default (the files exist but are zero bytes) unless periodic backup has been explicitly enabled via the EnablePeriodicBackup value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager

Notes

Always collect both the primary hive files and their transaction logs (.log, .log1, .log2) for complete analysis. Since Windows 8.1, registry writes are recorded in the .LOG1/.LOG2 files first and the primary hive file is only reconciled periodically, so a primary file copied on its own can lack the most recent changes; until the logs are replayed its header is "dirty" (the primary and secondary sequence numbers in the REGF base block do not match). The transaction logs are what allow a parser to recover those changes and put the hive into a consistent state before analysis.
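As an added example (not part of this page or of the collector), the following Python script parses the REGF base block of a collected primary hive and reports whether the hive is dirty (primary and secondary sequence numbers differ) and whether the 4096-byte header checksum is valid. This is the check an analyst can run on each collected hive to decide whether the .LOG1/.LOG2 files must be replayed before parsing. The script runs offline against a constructed header; build_sample_hive and triage are illustration helpers and are not something the collector exposes.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout of the REGF base block (all integers little-endian).
REGF_SIGNATURE = b"regf"
HEADER_SIZE = 4096
CHECKSUM_OFFSET = 0x1FC          # XOR of the 127 DWORDs that precede it
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(when: datetime) -> int:
    """UTC datetime -> Windows FILETIME (100 ns ticks since 1601-01-01)."""
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def from_filetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def regf_checksum(header: bytes) -> int:
    """Header checksum as Windows computes it: XOR of DWORDs 0x000-0x1FB,
    with the two reserved results remapped (0xFFFFFFFF -> 0xFFFFFFFE, 0 -> 1)."""
    csum = 0
    for off in range(0, CHECKSUM_OFFSET, 4):
        csum ^= struct.unpack_from("<I", header, off)[0]
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum or 1


def parse_regf_header(data: bytes) -> dict:
    """Parse the base block of a primary hive file and report its state."""
    if len(data) < HEADER_SIZE or data[:4] != REGF_SIGNATURE:
        raise ValueError("not a REGF hive (bad signature or truncated)")
    (seq1, seq2, ts, major, minor, ftype, fformat,
     root_cell, hbins_size, cluster) = struct.unpack_from("<IIQIIIIIII", data, 4)
    # Embedded hive name: UTF-16LE in a 64-byte field, NUL padded.
    name = data[0x30:0x70].decode("utf-16-le").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", data, CHECKSUM_OFFSET)[0]
    return {
        "hive_name": name,
        "primary_seq": seq1,
        "secondary_seq": seq2,
        "last_written": from_filetime(ts),
        "version": f"{major}.{minor}",
        "file_type": "primary" if ftype == 0 else "transaction log",
        "root_cell_offset": root_cell,
        "hbins_size": hbins_size,
        # The two sequence numbers differ while a write is in flight; a copy
        # taken in that state is only consistent once .LOG1/.LOG2 are replayed.
        "dirty": seq1 != seq2,
        "checksum_ok": stored == regf_checksum(data),
    }


def build_sample_hive(name="SYSTEM", seq1=7, seq2=6,
                      when=datetime(2023, 10, 15, 14, 30, tzinfo=timezone.utc)) -> bytes:
    """Constructed test input (not a real hive): a base block with a valid
    checksum and no hive bins, so the parser can be exercised offline."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:4] = REGF_SIGNATURE
    struct.pack_into("<IIQIIIIIII", hdr, 4, seq1, seq2, to_filetime(when),
                     1, 5,             # hive format version 1.5
                     0, 1,             # file type 0 = primary; format 1 = direct memory load
                     0x20, 0x1000, 1)  # root cell offset, hbins data size, clustering factor
    hdr[0x30:0x70] = name.encode("utf-16-le").ljust(64, b"\x00")[:64]
    struct.pack_into("<I", hdr, CHECKSUM_OFFSET, regf_checksum(hdr))
    return bytes(hdr)


def triage(hive: bytes, log_files_present: bool) -> str:
    """One-line verdict an analyst can apply to each collected hive."""
    h = parse_regf_header(hive)
    if not h["checksum_ok"]:
        return "corrupt header: base block checksum mismatch"
    if h["dirty"] and not log_files_present:
        return "dirty hive without transaction logs: recent changes may be missing"
    if h["dirty"]:
        return "dirty hive: replay .LOG1/.LOG2 before parsing"
    return "clean hive"


if __name__ == "__main__":
    sample = build_sample_hive()
    info = parse_regf_header(sample)
    print(info["hive_name"], info["version"], info["last_written"].isoformat(),
          "dirty" if info["dirty"] else "clean")
    print(triage(sample, log_files_present=False))
```

Run it against a real collected hive by reading the first 4096 bytes of the file in the Registry/ folder of the evidence package and passing them to parse_regf_header; a dirty result with no accompanying .LOG1/.LOG2 files is the situation the note above warns about.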
