Registry Hives

Overview

Evidence: Registry Hives
Description: Dump registry hives
Category: System
Platform: windows
Short Name: hiv
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes

Background

The Windows Registry is a hierarchical database that stores configuration settings and options for the operating system, hardware, installed applications, and user preferences. The registry is stored in several files called hives, each containing a specific branch of the registry tree.

Registry hives are critical system files that Windows loads at boot time and keeps open while the system is running. Each hive file may have associated transaction log files (.log, .log1, .log2) that help maintain consistency during registry writes.

Data Collected

This collector gathers structured data about registry hives.

Registry Hives Data

Field         Description                             Example
------------  --------------------------------------  ------------------------
RegPath       Registry path being collected           \REGISTRY\MACHINE\SYSTEM
FilePath      Relative path in the evidence package   Registry/SYSTEM
FileSize      Size of the hive file in bytes          12582912
FileModified  Last modified timestamp                 2023-10-15T14:30:00
FileAccessed  Last accessed timestamp                 2023-10-15T15:45:00
FileCreated   Creation timestamp                      2023-10-01T10:00:00
Hash          Hash of the hive file                   SHA256:a1b2c3...

Collection Method

This collector gathers registry hive files from multiple locations:

  • Active hives, as enumerated in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

  • User hives: Users\*\ntuser.dat

  • User class hives: Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat

  • Default user hive: Windows\System32\config\default

  • Transaction logs (.log, .log1, .log2) for each hive

  • Backup copies from Windows\System32\config\RegBack

The registry is flushed before collection to ensure all data is written to disk.
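As an added example (not part of this collector or page), the following Python inspects a collected hive's 512-byte base block: it checks the "regf" signature, compares the primary and secondary sequence numbers (a mismatch means the last write was interrupted, so the .LOG1/.LOG2 transaction logs are needed to reconstruct a consistent view), verifies the header checksum, and computes the SHA256 that the Hash field records. The sample hive image, its timestamp and the name "SYSTEM" are constructed inline for the demonstration.

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_WRITTEN = datetime(2023, 10, 15, 14, 30, tzinfo=timezone.utc)  # constructed

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def regf_checksum(header):
    """XOR of the first 127 DWORDs (bytes 0..507) of the base block."""
    csum = 0
    for off in range(0, 508, 4):
        csum ^= struct.unpack_from("<I", header, off)[0]
    # Two reserved results are remapped, as the kernel does
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(csum, csum)

def inspect_hive(data):
    """Parse the 512-byte base block and report consistency indicators."""
    header = data[:512]
    if len(header) < 512 or header[:4] != b"regf":
        raise ValueError("not a registry hive: missing 'regf' signature")
    seq1, seq2, ft, major, minor = struct.unpack_from("<IIQII", header, 4)
    stored = struct.unpack_from("<I", header, 508)[0]
    name = header[48:112].decode("utf-16-le").rstrip("\x00")
    return {
        "hive_name": name,  # real hives hold the last 31 chars of the path
        "format_version": f"{major}.{minor}",
        "last_written": filetime_to_datetime(ft),
        # Unequal sequence numbers: last write never completed; replay .LOG1/.LOG2
        "dirty": seq1 != seq2,
        "checksum_ok": stored == regf_checksum(header),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def build_sample_hive(seq1, seq2, written=SAMPLE_WRITTEN, name="SYSTEM"):
    """Construct a minimal hive image (base block + zero filler) for the demo."""
    header = bytearray(512)
    header[0:4] = b"regf"
    d = written - FILETIME_EPOCH
    ft = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    struct.pack_into("<IIQII", header, 4, seq1, seq2, ft, 1, 5)
    header[48:48 + 2 * len(name)] = name.encode("utf-16-le")
    struct.pack_into("<I", header, 508, regf_checksum(header))
    return bytes(header) + b"\x00" * 4096

if __name__ == "__main__":
    print(inspect_hive(build_sample_hive(7, 6)))  # a dirty hive
```

On a real collection, pass the bytes of the collected SYSTEM, SOFTWARE or ntuser.dat file to inspect_hive; a dirty result tells the analyst to keep the matching transaction logs alongside the hive.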

Note: For old registry hives from Windows.old, see Old Registry Hives.

Forensic Value

Registry hives are essential for forensic investigations as they contain vast amounts of system and user activity data. This evidence helps investigators reconstruct system configuration, user behavior, installed applications, network connections, USB device history, recent file access, and persistence mechanisms. Analysts can use registry analysis to identify malware persistence, user activity patterns, application usage, system modifications, and attacker tradecraft.
