Registry Hives
Overview
Evidence: Registry Hives
Description: Dump registry hives
Category: System
Platform: windows
Short Name: hiv
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
The Windows Registry is a hierarchical database that stores configuration settings for the operating system, hardware, installed applications, and user preferences. On disk it is split across several files called hives, each holding one branch of the registry tree (for example SYSTEM, SOFTWARE, SAM, SECURITY, and each user's NTUSER.DAT and UsrClass.dat).
Windows loads the hives at boot (or at user logon) and keeps them open exclusively while the system is running, so they cannot be copied with ordinary file APIs. Each hive file has associated transaction log files (.log on older systems, .log1 and .log2 on current ones) that record pending writes; a hive whose primary and secondary sequence numbers in the header differ is "dirty" and needs those logs replayed before its contents are consistent.
Data Collected
For each hive file it collects, this collector records the following metadata alongside the file itself.
Registry Hives Data
| Field | Description | Example |
|---|---|---|
| RegPath | Registry path being collected | \REGISTRY\MACHINE\SYSTEM |
| FilePath | Relative path in the evidence package | Registry/SYSTEM |
| FileSize | Size of the hive file in bytes | 12582912 |
| FileModified | Last modified timestamp | 2023-10-15T14:30:00 |
| FileAccessed | Last accessed timestamp | 2023-10-15T15:45:00 |
| FileCreated | Creation timestamp | 2023-10-01T10:00:00 |
| Hash | Hash of the hive file | SHA256:a1b2c3… |
Collection Method
This collector gathers registry hive files from multiple locations:
- Active hives listed under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist
- User hives: Users\*\ntuser.dat
- User class hives: Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat
- Default user hive: Windows\System32\config\default
- Transaction logs (.log, .log1, .log2) for each hive
- Backup copies from Windows\System32\config\RegBack (note that since Windows 10 version 1803 this folder is no longer populated by default and its files are typically 0 bytes unless periodic backup has been re-enabled)
The registry is flushed before collection so that pending writes reach the hive files on disk. Flushing does not guarantee that the primary file is fully consistent at the moment it is copied, which is why the transaction logs are collected alongside each hive: a parser should check the header sequence numbers and replay the logs when they differ.
Note: For old registry hives from Windows.old, see Old Registry Hives.
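The check described above, as an added example that is not part of this collector's code: parse the REGF base block of a collected hive, verify its header checksum, and flag a dirty hive (primary and secondary sequence numbers differ) whose transaction logs must be replayed. The field offsets follow the publicly documented REGF base-block layout; the sample hive blobs are constructed in the script, not real evidence files.

```python
"""Sanity-check the base block (first 4 KiB) of a collected Windows registry hive.

Added example for this page, not the collector's own code. Offsets follow the
documented REGF base-block layout; the sample blobs below are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

REGF_SIG = b"regf"
BASE_BLOCK_SIZE = 4096      # a primary hive file starts with a 4 KiB base block
CHECKSUM_OFFSET = 0x1FC     # XOR checksum of the 127 DWORDs that precede it
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def regf_checksum(base_block: bytes) -> int:
    """XOR of the first 508 bytes as little-endian DWORDs, with Windows'
    remapping of the two reserved results (0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE)."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return 1 if csum == 0 else csum


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_regf_header(data: bytes) -> dict:
    """Decode the base block fields a triage analyst cares about."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("file shorter than a REGF base block")
    if data[:4] != REGF_SIG:
        raise ValueError("missing 'regf' signature")
    (seq1, seq2, last_written, major, minor, file_type, file_format,
     root_cell, hbins_size) = struct.unpack_from("<IIQIIIIII", data, 4)
    # 0x30..0x70 holds the tail of the hive's path as UTF-16LE.
    name = data[0x30:0x70].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", data, CHECKSUM_OFFSET)[0]
    return {
        "primary_seq": seq1,
        "secondary_seq": seq2,
        "last_written": filetime_to_datetime(last_written),
        "version": f"{major}.{minor}",
        "file_type": "primary" if file_type == 0 else "transaction log",
        "root_cell_offset": root_cell,
        "hbins_size": hbins_size,
        "embedded_name": name,
        "checksum_ok": stored == regf_checksum(data),
        # Windows increments the primary sequence number before a write and the
        # secondary one after it; a mismatch means the copy was taken mid-write
        # and the .LOG1/.LOG2 files must be replayed before parsing.
        "dirty": seq1 != seq2,
    }


def hive_findings(data: bytes) -> list:
    """Return human-readable warnings for a collected hive (empty list = clean)."""
    h = parse_regf_header(data)
    findings = []
    if not h["checksum_ok"]:
        findings.append("base block checksum mismatch: corrupted or truncated copy")
    if h["dirty"]:
        findings.append(f"dirty hive (seq {h['primary_seq']} != {h['secondary_seq']}): "
                        "replay transaction logs before parsing")
    if h["file_type"] != "primary":
        findings.append("this file is a transaction log, not a primary hive")
    return findings


def build_base_block(seq1: int, seq2: int, name: str, last_written: datetime) -> bytes:
    """Construct a minimal, correctly checksummed base block (sample data only)."""
    blk = bytearray(BASE_BLOCK_SIZE)
    blk[:4] = REGF_SIG
    # major 1, minor 5, type 0 (primary), format 1, root cell 0x20, hbins size 0x1000
    struct.pack_into("<IIQIIIIII", blk, 4, seq1, seq2,
                     datetime_to_filetime(last_written), 1, 5, 0, 1, 0x20, 0x1000)
    encoded = name.encode("utf-16-le")[:64]
    blk[0x30:0x30 + len(encoded)] = encoded
    struct.pack_into("<I", blk, CHECKSUM_OFFSET, regf_checksum(bytes(blk)))
    return bytes(blk)


# Constructed sample hives: a clean SYSTEM, a dirty SOFTWARE, and a corrupted copy.
SAMPLE_TS = datetime(2023, 10, 15, 14, 30, tzinfo=timezone.utc)
CLEAN_HIVE = build_base_block(7, 7, "SYSTEM", SAMPLE_TS)
DIRTY_HIVE = build_base_block(8, 7, "SOFTWARE", SAMPLE_TS)
CORRUPT_HIVE = CLEAN_HIVE[:0x40] + b"\xff" + CLEAN_HIVE[0x41:]   # one flipped byte

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_HIVE), ("dirty", DIRTY_HIVE), ("corrupt", CORRUPT_HIVE)):
        print(label, parse_regf_header(blob), hive_findings(blob) or ["ok"])
```

Run `hive_findings(open("Registry/SYSTEM", "rb").read())` against a hive from the evidence package; a non-empty result for a hive that the collector flushed means the copy still needs its .log1/.log2 files replayed (or was truncated in transit) before any registry parser is trusted with it.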
Forensic Value
Registry hives are essential for forensic investigations because they contain a large share of system and user activity data. This evidence helps investigators reconstruct system configuration, user behavior, installed applications, network connections, USB device history, recent file access, and persistence mechanisms. Analysts can use registry analysis to identify malware persistence, user activity patterns, application usage, system modifications, and attacker tradecraft.