Old Registry Hives
Overview
Evidence: Old Registry Hives
Description: Dump old registry hives in upgraded operating systems
Category: System
Platform: windows
Short Name: hivold
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
When Windows is upgraded to a new version, the old Windows installation is preserved in the Windows.old folder. This includes the old registry hives from the previous Windows installation.
Old registry hives can contain valuable historical information about system configuration, user activity, and installed applications from before the upgrade.
Data Collected
This collector gathers structured data about old registry hives.
Old Registry Hives Data
| Field | Description | Example |
|---|---|---|
| RegPath | Registry path | \REGISTRY\MACHINE\SYSTEM |
| FilePath | Relative path in evidence | Registry/SYSTEM.old |
| FileSize | Size of the hive file in bytes | 12582912 |
| FileModified | Last modified timestamp | 2023-10-15T14:30:00 |
| FileAccessed | Last accessed timestamp | 2023-10-15T15:45:00 |
| FileCreated | Creation timestamp | 2023-10-01T10:00:00 |
| Hash | Hash of the hive file | SHA256:a1b2c3… |
Collection Method
This collector gathers old registry hives from:
- Windows.old\Windows\System32\config\* - old system hives
- Transaction logs (.log, .log1, .log2) for each old hive
- Old backup copies from Windows.old\Windows\System32\config\RegBack
The old hives are collected alongside current hives by the Registry collector.
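The enumeration described above and the record layout from the Data Collected table, as an added Python example that is not the collector's own code. It assumes a hive-name-to-registry-path mapping and an evidence layout of Registry/<name>.old (Registry/RegBack/<name>.old for backup copies); build_sample_windows_old() creates a constructed stand-in tree so the example runs without a real Windows.old.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Hive file name -> registry path (assumed mapping; DEFAULT is the .DEFAULT user hive).
HIVE_REGPATHS = {n: "\\REGISTRY\\MACHINE\\" + n for n in ("SYSTEM", "SOFTWARE", "SAM", "SECURITY")}
HIVE_REGPATHS["DEFAULT"] = "\\REGISTRY\\USER\\.DEFAULT"
LOG_SUFFIXES = (".log", ".log1", ".log2")

def _iso(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")

def describe_hive(path: Path, evidence_dir: str) -> dict:
    """One record with the fields of the Data Collected table (evidence layout is assumed)."""
    st = path.stat()
    base = path.name.split(".")[0].upper()           # SYSTEM.LOG1 -> SYSTEM
    return {
        "RegPath": HIVE_REGPATHS.get(base, ""),       # empty for an unrecognised hive name
        "FilePath": f"{evidence_dir}/{path.name}.old",
        "FileSize": st.st_size,
        "FileModified": _iso(st.st_mtime),
        "FileAccessed": _iso(st.st_atime),
        "FileCreated": _iso(st.st_ctime),             # true creation time on Windows only
        "Hash": "SHA256:" + hashlib.sha256(path.read_bytes()).hexdigest(),
    }

def collect_old_hives(windows_old: Path) -> list:
    """Enumerate old hives, their transaction logs and RegBack copies under Windows.old."""
    config = windows_old / "Windows" / "System32" / "config"
    records = []
    for p in sorted(config.iterdir()):
        if p.is_file() and (p.name.upper() in HIVE_REGPATHS or p.suffix.lower() in LOG_SUFFIXES):
            records.append(describe_hive(p, "Registry"))
    regback = config / "RegBack"
    for p in sorted(regback.iterdir()) if regback.is_dir() else []:
        if p.is_file() and p.name.upper() in HIVE_REGPATHS:
            records.append(describe_hive(p, "Registry/RegBack"))
    return records

def build_sample_windows_old() -> Path:
    """Constructed stand-in for a real Windows.old tree (contents are not real hive data)."""
    config = Path(tempfile.mkdtemp()) / "Windows.old" / "Windows" / "System32" / "config"
    (config / "RegBack").mkdir(parents=True)
    (config / "SYSTEM").write_bytes(b"regf" + b"\x00" * 60)
    (config / "SYSTEM.LOG1").write_bytes(b"HvLE" + b"\x00" * 28)
    (config / "RegBack" / "SYSTEM").write_bytes(b"regf" + b"\x00" * 60)
    (config / "notes.txt").write_bytes(b"not a hive, skipped")
    return config.parents[2]
```

Calling collect_old_hives(build_sample_windows_old()) yields three records: the SYSTEM hive, its SYSTEM.LOG1 transaction log, and the RegBack copy, with the unrelated notes.txt skipped.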
Forensic Value
Old registry hives provide historical system state from before a Windows upgrade. Investigators use this data to analyze pre-upgrade system configuration, recover deleted artifacts from before the upgrade, compare current and previous configuration, track changes across Windows upgrades, and investigate incidents that occurred before the upgrade.