Registry Quick Find Chart 9 27 10

2014-07-09

ACCESSDATA SUPPLEMENTAL APPENDIX

Registry Quick Find Chart
Important: At the time of this writing, most of the information contained
in this paper is not published by Microsoft and is based on
personal research. As such, please consider validating these
results prior to relying on them as the basis for any conclusions.
Please keep in mind that, as with all Windows artifact behavior,
the information contained in this paper is subject to change at
any time. In addition to the conditions stated below, there may
be additional user actions that may contribute to these entries.

This appendix reviews common locations in the Windows and Windows
Internet-related registries where you can find data of forensic interest.
• NTUSER.DAT Information
• SAM Information
• SECURITY Information
• SOFTWARE Information
• SYSTEM Information

Note: Under the Version column, an “XP” indicates that this information
is found in XP. A “V” references Vista, and a “7” references
Windows 7 in its first release. If no notation is made in the Version
column, it means this was found in XP, but not tested in other
versions.

9-25-10

©2010 AccessData Group, LLC. All Rights Reserved


NTUSER.DAT INFORMATION

| Information | File | Location | Description | When Updated | Version |
| --- | --- | --- | --- | --- | --- |
| Access 2007 MRU | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Office\12.0\Access\Settings | MRU list for MS Access Database files (MRU1-MRU9). | When database is closed | Office 2007 |
| Access 2007 MRU Dates | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Office\12.0\Access\Settings | Tracks date of last access associated with MRU1-9 (MRUDate1-MRUDate9). | When database is closed | Office 2007 |
| Access Recent Databases | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\office\version\Common\Open Find\Microsoft Office Access\Settings\File New Database\File Name MRU | Microsoft Access* recent databases in the “value” value. | Immediately | Pre Office 2007 |
| Adobe | NTUSER.DAT | NTUSER.DAT\Software\Adobe\* | Lists Adobe products such as Acrobat* and FrameMaker*. | | |
| AIM | NTUSER.DAT | NTUSER.DAT\Software\America Online\AOL Instant Messenger\CurrentVersion\Users\username | Lists IM contacts, file transfer information, etc. | Immediately | |
| AIM Away Messages | NTUSER.DAT | NTUSER.DAT\Software\America Online\AOL Instant Messenger(TM)\CurrentVersion\Users\screen name\IAmGoneList | Shows default and customized Away messages. | Immediately | |
| AIM File Transfers & Sharing | NTUSER.DAT | NTUSER.DAT\Software\America Online\AOL Instant Messenger\CurrentVersion\Users\screen name\Xfer | Shows settings for file transfers and sharing. | Immediately | |
| AIM Last User | NTUSER.DAT | NTUSER.DAT\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Login - Screen Name | Shows the screen name of the last logged-in user. | At login | |
| AIM Profile Info | NTUSER.DAT | NTUSER.DAT\Software\America Online\AOL Instant Messenger\CurrentVersion\Users\screen name\DirEntry | Shows user profile information (optional). | Immediately | |
| AIM Recent Contacts | NTUSER.DAT | NTUSER.DAT\Software\America Online\AOL Instant Messenger\CurrentVersion\users\username\recent IM ScreenNames | Shows a list of recently contacted buddies. | When the application closes. | |
| AIM Registered Users | NTUSER.DAT | NTUSER.DAT\Software\America Online\AOL Instant Messenger\CurrentVersion\Users | Shows registered AIM users on the machine. | At sign-on | |
| AIM Saved Buddy List | NTUSER.DAT | NTUSER.DAT\Software\America Online\AOL Instant Messenger\CurrentVersion\Users\username\Config Transport | Shows the directory path of a saved Buddy List, a BLT file. | Immediately | |
| Application Information | NTUSER.DAT | NTUSER.DAT\Software\%Application Name% | This class of registry keys contains the information each application stores in the registry. | NA | |
| Autorun USBs, CDs, DVDs | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers / DisableAutoplay | 0=Enabled; 1=Disabled | N/A | XP, V |
| BitLocker To Go | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\FveAutoUnlock\ | Indicates the user-selected Remember a USB setting to bypass entering the password on this system. | Upon selecting, recognize the drive on this machine | 7 |
| CD Burning | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume\Current Media | May show previous CD/DVD volume names inserted under Disc Label value. Normally, removes volume name on dismount. | N/A | V, 7 |
| CD Burning | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Current Media / Disc Label | Current Media subkey created upon mounting drive. Removed on dismount. | Upon mounting and dismounting | XP |
| Chat Rooms | NTUSER.DAT | NTUSER.DAT\Software\Yahoo\Pager\profiles\screen name\Chat | Shows information for chat rooms visited or created. | Immediately | |
| Converted Wallpaper | NTUSER.DAT | NTUSER.DAT\\Control Panel\Desktop | Identifies graphics that are converted to wallpaper. | Immediately | XP, V, 7 |
| Converted Wallpaper | NTUSER.DAT | NTUSER.DAT\\Control Panel\Desktop | Identifies date and time of converted wallpaper. | Immediately | XP, V, 7 |
| Drives mounted by user | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\ | Track the GUID from the MountedDevices GUID in the SYSTEM file | Immediately | XP, V, 7 |
| EFS | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys | Lists the current user’s certificate thumbprint. (Each user has a unique certificate thumbprint.) The same certificate thumbprint is contained in the $EFS alternate data stream for every EFS file encrypted by the current user. | NA | XP, V, 7 |
| Excel 2007 Autosave Info | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Office\12.0\Excel\Resiliency\Document Recovery\ | Saves info about currently opened Excel documents. | When document is opened and when saves are made | Office 2007 |
| Excel 2007 MRU | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Office\12.0\Excel\File MRU | MRU List for MS Excel spreadsheets (Item1-Item50). Note: The 2nd bracketed number is a 64-bit date/time stamp of when the document was opened. | When document is opened | Office 2007 |
| Excel Recent Spreadsheets | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\office\version\Common\Open Find\Microsoft Office Excel\Settings\Save As\File Name MRU | Microsoft Excel recent spreadsheets in the “value” value. | Immediately | Pre Office 2007 |
| File Extension Associations | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.EXT Type | Lists file extension associations and files that have been opened with the Open With command. | Immediately | XP, V, 7 |
| File Extensions\Program Association | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | Identifies associated programs with file extensions. | Immediately | XP, V, 7 |
| Folders Stream MRUs | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU | Info on stored folders. | Immediately | XP |
| FTP | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\FTP\Accounts\ | Local FTP accounts. | N/A | XP, V, 7 |
| Google Client History | NTUSER.DAT | NTUSER.DAT\Software\Google\NavClient\1.1\History | Contains a list of search terms with date and time stamps if Google is included in the Internet Explorer task bar. | Immediately | |
| ICQ | NTUSER.DAT | NTUSER.DAT\Software\Mirabilis\ICQ\* | Lists IM contacts, file transfer information, etc. | NA | |
| ICQ Last User | NTUSER.DAT | NTUSER.DAT\Software\Mirabilis\ICQ\Owners - LastOwner | Shows the last logged-in user. | At logon | |
| ICQ Nickname | NTUSER.DAT | NTUSER.DAT\Software\Mirabilis\ICQ\Owners\UIN - Name | Nickname of user (optional value). | At logon | |
| ICQ Registered Users | NTUSER.DAT | NTUSER.DAT\Software\Mirabilis\ICQ\Owners\UIN | UIN folder is named for the user. | At logon | |
| IE Auto Logon and password | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Protected Storage System Provider\SID\Internet Explorer\Internet Explorer - URL: StringData | Stores IE auto logon IDs and passwords with date and time stamp. | Immediately | IE6 and below |
| IE Auto–Complete Passwords | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Internet Explorer\IntelliForms | Stores web page auto-complete passwords. These are encrypted values. | Immediately | IE6 and below |
| IE Auto–Complete Web Addresses | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Protected Storage System Provider | Lists web pages wherein autocomplete was utilized. | Immediately | IE6 and below |
| IE Cleared Browser History on/off | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Internet Explorer\Privacy / ClearBrowserHistoryOnExit | 0=Off (default); 1=On. Privacy subkey appears only on first change by user. | Upon changing value in GUI | XP, V, 7 |
| IE Default Download Directory | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Internet Explorer | Identifies the default download directory when utilizing Internet Explorer. | Immediately | All |
| IE Favorites List | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\ | Lists favorites from IE Favorites drop down selector. | N/A | XP, V, 7 |
| IE History Status | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ | Mirrors existing history folder storage hidden from the user in the history files. | N/A | XP, V, 7 |
| IE IntelliForms | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Internet Explorer\IntelliForms | Encrypted user data in Storage1 and Storage2 (old PSSP info) | | IE7 and above |
| IE Search Terms | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Protected Storage System Provider\SID\Internet Explorer\Internet Explorer - q:StringIndex | Stores IE search terms with date and time stamp. | Immediately | IE6 and below |
| IE Settings | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Internet Explorer\Main | Stores IE settings such as start page, save directory, home page, and download location. | Immediately | Through IE8 |
| IE Typed URLs | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Internet Explorer\Typed URLs | Stores data entered into the URL Address Bar. | When the application closes | Through IE8 |
| IE URL History — Days Saved | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\URL History - DaysToKeep | The number of days the system stores URLs visited in IE. The default is 20 days. | Immediately | Through IE8 |
| IE Web Form Data | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Protected Storage System Provider\SID\Internet Explorer\Internet Explorer q:StringIndex | Stores form data provided within IE. | Immediately | IE6 and below |
| IM Contact List | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\MessengerService\ListCache\.NET Messenger Service | Contains Contact, Allow, Block, and Reverse entries. | At sign-off | |
| IM File Sharing | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\MSNMessenger\FileSharing - Autoshare | Shows if file sharing is turned on. | Immediately | |
| IM File Transfers | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Messenger Service - FtReceiveFolder | Shows the location of the Received Files folder. | Immediately | |
| IM File Transfers | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\MSNMessenger\- FTReceiveFolder | Shows the location of the Received Files folder. | Immediately | |
| IM Last User | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\MessengerService\ListCache\.NET Messenger Service - IdentityName | Screen name of last logged-in user. | At sign-off | |
| IM Logging Enabled | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\MSN Messenger\PerPassportSettings\##########\- MessageLoggingEnabled | Shown if message logging is turned on. | Immediately | |
| IM Message History | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\MSN Messenger\PerPassportSettings\##########\- MessageLog Path | Shows the location of message history files. | Immediately | |
| IM MSN Messenger | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\MessengerService\ListCache\.NET MessengerService\* | Contains IM groups, contacts, file transfer information, etc. for MSN Messenger. | Most on signoff; however, FTReceive is immediate. | |
| IM Saved Contact List | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Messenger Service - ContactListPath | Shows the location of a saved Contact List (CTT) file. | Immediately | |
| IMV Usage | NTUSER.DAT | NTUSER.DAT\Software\Yahoo\Pager\IMVironments (global value) | Shows usage of IMVironments. | Immediately | |
| IMVs MRU list | NTUSER.DAT | NTUSER.DAT\Software\Yahoo\Pager\profiles\screen name\IMVironments (user-specific value) | Shows usage of IMVironments. | Immediately | |
| Jump List on Taskbar | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband / Favorites and FavoritesResolve | Shows applications pinned to the taskbar. Retains removed applications. | Upon pinning | 7 |
| Kazaa | NTUSER.DAT | NTUSER.DAT\Software\Kazaa\* | Stores configuration, search, download, IM data, etc. for Kazaa. | NA | |
| Map Network Drive MRU | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU | Contains a most recently used list of mapped network drives. | NA | XP, V, 7 |
| Media Player Recent List | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\MediaPlayer\Player\RecentFileList | Contains the user's most recently used list for Windows Media Player. | Immediately | |
| MRU—Last Visited | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\ | Lists the application and filename of the most recent files opened in Windows. | Immediately | XP, V, 7 |
| MRU—Open Saved | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU | Lists the filename and path of the most recent files saved or copied to a specific location in Windows. | Immediately | XP, V, 7 |
| MRU—Recent Documents | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\ | Identifies the documents in the Recent Documents list available from the Windows Start menu. | Immediately | XP, V, 7 |
| MRU—Run MRU | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU | Lists the most recent commands entered in the Windows Run box. | Immediately | XP, V, 7 |
| MRUs Common Dialog | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32 | Last Visited=Application Used; OpenSaveMRU=Recent Docs using the Microsoft Save As Dialog Box | Immediately | XP, V, 7 |
| MUICache | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\Shell\MUICache | Tracks the opening of executable files by the operating system. Note: In Windows 7, MUICache moved from NTUSER.DAT to HKCR\LocalSettings\MuiCache. | Immediately | V |
| MUICache XP | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\MUICache | Tracks the opening of executable files by the operating system | Immediately | XP |
| Network Computer Description | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions | Network connections | N/A | XP, V, 7 |
| Network Mapped Network Drive MRU | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU | Listed by drive letter | Immediately | |
| Network Workgroup Crawler | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares | Network connections crawled while connected. | N/A | |
| Outlook Account Passwords | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Protected Storage System Provider\SID\Identification\INETCOMM Server Passwords | Stores Outlook and Outlook Express account passwords. | Immediately | |
| Outlook Recent Attachments | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\office\version\Common\Open Find\Microsoft Office Outlook\Settings\Save Attachment\File Name MRU | Microsoft Outlook recent documents. | Immediately | |
| Outlook Temporary Attachment Directory | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Office\version\Outlook\Security | Identifies the location where attachments are stored when they are opened from Outlook. | Immediately | |
| Paint MRU | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List | MRU for MS Paint documents (File1-File9) | Upon closing the application | XP, V, 7 |
| POP3 Passwords | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Internet Account Manager\Accounts\0000000# | Identifies the current user’s POP3 passwords. Note: # is a digit identifying that particular account. | Immediately | XP |
| PowerPoint 2007 Autosave Info | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\DocumentRecovery\ | Saves info about currently opened PowerPoint documents. | When document is opened and when saves are made | Office 2007 |
| PowerPoint 2007 MRU | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Office\12.0\PowerPoint\File MRU | MRU List for MS PowerPoint spreadsheets (Item1-Item50). Note: The second bracketed number is a 64-bit date/time stamp of when the document was opened. | When document is opened | Office 2007 |
| PowerPoint—Recent PPTs | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\office\version\Common\Open Find\Microsoft Office PowerPoint\Settings\Save As\File Name MRU | Microsoft PowerPoint recent documents. | Unknown | Pre Office 2007 |
| Printer—Default | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows NT\CurrentVersion\Windows | Identifies the current default printer. | Immediately | XP, V, 7 |
| Printer—Default | NTUSER.DAT | NTUSER.DAT\\printers | Identifies the current default printer. | On shutdown | XP, V, 7 |
| Publisher 2007 MRU | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Office\12.0\Publisher\Recent File List | MRU List for MS Publisher documents (File1-File9). | When document is opened | Office 2007 |
| Publisher—Recent Documents | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\office\version\Common\Open Find\Microsoft Office Publisher\Settings\Save As\File Name MRU | Microsoft Publisher recent documents. | Unknown | Pre Office 2007 |
| Recycle Bin Info | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\ | Tracks recycle bin info by GUID (track GUID back to MountedDevices in the SYSTEM file), Max Capacity in MB, NukeOnDelete. 0=Bin being used (default); 1=Bin is being bypassed | N/A | V, 7 |
| Regedit Favorites | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites | Displays user selected favorites in Regedit Utility. | Immediately after entering | XP, V, 7 |
| Regedit - Last Key Saved | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit / LastKey | Displays last subkey Regedit was on when closed down | Upon closing Regedit. | XP, V, 7 |
| Run | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run | Lists programs that run automatically when the user logs on. | NA | XP, V, 7 |
| Screen Saver Enabled | NTUSER.DAT | NTUSER.DAT\Control Panel\Desktop / ScreenSaveActive | 1=Active; 0=Disabled. The path/name displays at SCRNSAVE.EXE. Note: In Windows 7, ScreenSaveActive retains a 1 whether enabled or not, but the path/name appears on enable and disappears on disable. | Immediately | XP, V, 7 |
| Screen Saver Password Enabled | NTUSER.DAT | NTUSER.DAT\Control Panel\Desktop / ScreenSaverIsSecure | 0=No Password Required; 1=Password Required if screen saver is active | Immediately | XP, V, 7 |
| Screen Saver Timeout | NTUSER.DAT | NTUSER.DAT\Control Panel\Desktop / ScreenSaveTimeOut | Length of time, in seconds, before the screen saver becomes active. | Immediately | XP, V, 7 |
| Screen Savers and wallpaper | NTUSER.DAT | NTUSER.DAT\Control Panel\Desktop\ | Identifies the system’s screen saver and wallpaper. | Immediately | XP, V, 7 |
| ShellBags | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU | Pointers to link history and other file and folder information. | NA | XP |
| Start Menu Program List | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Programs\ | Program listing drawn to the Start button. | N/A | XP |
| Start Searches entered by user | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery | In Windows 7, traps search terms entered by the user in the Start > Search box. | After hitting the enter button. | 7 |
| Start Searches entered by user | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\SearchAssistant\ACMru\<5###> | Searches from the built-in search engine. 5001=Internet Searches; 5603=Files and Folders; 5604=Pictures and Music; 5647=Computers and People | Immediately | XP |
| Startup Software | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run | Stores the applications automatically launched at boot time. This key is a good place to look for trojans. | NA | XP, V, 7 |
| Startup Software | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce | Stores the applications automatically launched at boot time. This key is a good place to look for trojans. | NA | XP, V, 7 |
| Theme—Current Theme | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Themes | Identifies the Desktop theme and wallpaper. | Unknown | XP, V, 7 |
| Theme—Last Theme | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Themes\Last Theme | Identifies the Desktop theme and wallpaper. | Immediately | XP, V |
| Type Paths into Windows Explorer | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths | User typed (or pasted) paths into Windows Explorer address bar | Upon hitting . | 7 |
| UserAssist | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\ | Application usage showing last access and number of launches of applications. Note: GUID 750 is used in versions 2000, XP, and Vista. | Immediately | XP, V |
| UserAssist | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\ | Application usage showing last access and number of launches of applications. Note: Change to GUID F4E in Windows 7 for application launch info. | Immediately | 7 |
| Windows Explorer Settings | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Sets Windows Explorer preferences. | Immediately | XP, V, 7 |
| WinZip Accessed Archives | NTUSER.DAT | NTUSER.DAT\Software\Nico Mak Computing\filemenu / filemenu## | Path back to accessed Zip archives | Immediately | 11.1 |
| WinZip Extraction MRU | NTUSER.DAT | NTUSER.DAT\Software\Nico Mak Computing\Extract / extract# | The path to which Zip archives are extracted. | Immediately | 11.1 |
| WinZip Location Extracted To | NTUSER.DAT | NTUSER.DAT\Software\Nico Mak Computing\Directories / ExtractTo | Last location to which a Zip archive was extracted. | Immediately | 11.1 |
| WinZip Registered User | NTUSER.DAT | NTUSER.DAT\Software\Nico Mak Computing\WinIni / Name 1 | Registered user for installation | N/A | 11.1 |
| WinZip Temp File Location | NTUSER.DAT | NTUSER.DAT\Software\Nico Mak Computing\Directories / ZipTemp | WinZip temporary file location | N/A | 11.1 |
| WinZip - Zip Creation Location | NTUSER.DAT | NTUSER.DAT\Software\Nico Mak Computing\Directories / AddDir | Last location from which a Zip file was created. | Immediately | 11.1 |
| WinZip - Zip Creation Location | NTUSER.DAT | NTUSER.DAT\Software\Nico Mak Computing\Directories / DefDir | Last location to which a Zip file was created or opened. | Immediately | 11.1 |
| Word 2007 Autosave Info | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Office\12.0\Word\Resiliency\Document Recovery\ | Saves info about currently opened Word documents. | When document is opened and when saves are made | Office 2007 |
| Word 2007 MRU | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Office\12.0\Word\File MRU | MRU List for MS Word documents (Item1-Item50). Note: The second bracketed number is a 64-bit date/time stamp of when document was opened. | When document is opened | Office 2007 |
| Word—Recent Docs | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\office\version\Common\Open Find\Microsoft Office\Word\Settings\Save As\File Name MRU | Microsoft Word recent documents in the “value” value. | Unknown | Pre Office 2007 |
| Word—User Info | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\office\version\Common\UserInfo | Identifies the user information entered when installing Microsoft Office. Note this information may be modified after installation. | Unknown | Pre Office 2007 |
| WordPad MRU | NTUSER.DAT | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List | MRU for MS Paint documents (File1-File9). | When document is closed | XP, V, 7 |
| Yahoo! | NTUSER.DAT | NTUSER.DAT\Software\Yahoo\Pager\Profiles\* | Stores IM contacts, file transfer information, etc. for Yahoo!. | NA | |
| Yahoo! File Transfers | NTUSER.DAT | NTUSER.DAT\Software\Yahoo\Pager\File Transfer (global value) | Shows number of transfers in and out. | Immediately | |
| Yahoo! File Transfers | NTUSER.DAT | NTUSER.DAT\Software\Yahoo\Pager\profiles\screen name\FileTransfer (user specific) | Shows settings for file transfers. | Immediately | |
| Yahoo! Identities | NTUSER.DAT | NTUSER.DAT\Software\Yahoo\Pager\profiles\screen name - All Identities, Selected Identities | Shows alternate user identities. | Unknown | |
| Yahoo! Last User | NTUSER.DAT | NTUSER.DAT\Software\Yahoo\Pager - Yahoo! User ID | Last logged-in user. | Immediately | |
| Yahoo! Message Archiving | NTUSER.DAT | NTUSER.DAT\Software\Yahoo\Pager\profiles\screen name\Archive | Shows settings for message archiving. | Immediately | |
| Yahoo! Password | NTUSER.DAT | NTUSER.DAT\Software\Yahoo\Pager - EOptions string | Encrypted password. | Immediately | |
| Yahoo! Recent Contacts | NTUSER.DAT | NTUSER.DAT\Software\Yahoo\Pager\profiles\screen name\IMVironments\Recent | Shows recent contacts and which IMV was used. | Immediately | |
| Yahoo! Saved Password | NTUSER.DAT | NTUSER.DAT\Software\Yahoo\Pager - Save Password | Shows if the password is saved. | Immediately | |
| Yahoo! Screen Names | NTUSER.DAT | NTUSER.DAT\Software\Yahoo\Pager\profiles\screen name | Shows registered screen names and identities. | Immediately | |
| Yserver | NTUSER.DAT | NTUSER.DAT\Software\Yahoo\Yserver | Points to a directory location for file transfer information. | NA | |

SAM INFORMATION

| Information | File | Location | Description | When Updated | Version |
| --- | --- | --- | --- | --- | --- |
| Account Expiration | SAM | SAM\Domains\Account\Users\F Key | Bytes 33-40 store the account expiration. If no expiration is set, FF FF FF FF shows. | NA | XP, V, 7 |
| Group Names - Custom | SAM | SAM\Domains\Account\Aliases\Names | List of custom groups by name. | Immediately | XP, V, 7 |
| Group Names - Local | SAM | SAM\Domains\Builtin\Aliases\Names | List of local group names. | Immediately | XP, V, 7 |
| Groups - Custom | SAM | SAM\Domains\Account\Aliases\ | List of custom groups by RID. | Immediately | XP, V, 7 |
| Groups - Local | SAM | SAM\Domains\Builtin\Aliases\ | List of local groups by RID. | Immediately | XP, V, 7 |
| Home Group | SAM | SAM\SAM\Domains\Account\Users | Home Group in RID and Names | N/A | 7 |
| Last Failed Login | SAM | SAM\Domains\Account\Users\F Key | Bytes 41-48 store the last unsuccessful logon. | NA | XP, V, 7 |
| Last Logon Time | SAM | SAM\Domains\Account\Users\F Key | Bytes 9–16 store the last logon time. | NA | XP, V, 7 |
| Last Time Password Changed | SAM | SAM\Domains\Account\Users\F Key | Bytes 25–32 store the last time the password was changed. | NA | XP, V, 7 |
| Local Groups | SAM | SAM\Domains\Builtin\Aliases\Names | Lists local account security identifiers. | NA | XP, V, 7 |
| Local Users | SAM | SAM\Domains\Account\Users\Names | Lists local account security identifiers. | NA | XP, V, 7 |
| Machine SID Location | SAM | SAM\Domains\Account / V | Last twelve bytes of the V value. | N/A | XP, V, 7 |
| Password Hint | SAM | SAM\Domains\Account\Users\\F_Value\UserPasswordHint | Shows a logon password hint if initiated by the user | | V, 7 |
| User Name and SID | SAM | SAM\Domains\Account\Users\V Key | Contains the username and SID in hex. Note: See “User Name and SID” in SOFTWARE Information on page 21. You must convert the last three hex numbers to decimal to determine the decimal version of the SID that is used in the Recycler and System Volume Information folder. | NA | XP, V, 7 |

SECURITY INFORMATION

| Information | File | Location | Description | When Updated | Version |
| --- | --- | --- | --- | --- | --- |
| Passwords—Cached Administrative Passwords | SECURITY | SECURITY\Policy\Secrets\DefaultPassword / CurrVal and OldVal | CurrVal holds the current administrative password and OldVal holds the previous. | N/A | XP, 7 |
| Passwords—Cached Domain Passwords | SECURITY | SECURITY\Cache / NL$# | Default stores up to 10 set in SOFTWARE file. | N/A | XP |

SOFTWARE INFORMATION

| Information | File | Location | Description | When Updated | Version |
| --- | --- | --- | --- | --- | --- |
| Auto Logon Set | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon / AutoAdminLogon | 1=allow auto logon; 0=disabled | Immediately | XP, V |
| Auto Logon Set - Password | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon / DefaultPassword | If autologon is set, the password must be present in this value in the clear. The value won't exist unless the user set up autologon. | Immediately | XP, V |
| Class Identifiers | SOFTWARE | SOFTWARE\Classes\CLSID | Class identifier information, GUIDs on Applications and processes. | N/A | XP, V, 7 |
| Group Memberships | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership | List of groups with which user is associated. | Immediately | XP, V, 7 |
| Home Group | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup\SharingPreferences\ | | N/A | 7 |
| ICQ Information | SOFTWARE | SOFTWARE\Mirabilis\ICQ\Owner | Stores the User Identification Number (UIN). | At logon | |
| Indexed Folders | SOFTWARE | SOFTWARE\Microsoft\Windows Search\CrawlScopeManager\Windows\SystemIndex\WorkingSetRules\<#> | Reports the folders currently being indexed for the Search utility. | Upon adding a folder. | V, 7 |
| Install Date | SOFTWARE | SOFTWARE\\Microsoft\Windows NT\CurrentVersion | Lists the date the operating system was installed. | NA | XP, V, 7 |
| Installed Application List | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | List of installed applications to use for uninstall. | N/A | XP, V, 7 |
| Installed Application List | SOFTWARE | SOFTWARE\Wow6432Node\ | List of installed 32-bit applications. | N/A | 7 |
| Installed Application List | SOFTWARE | SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SharedDLLs | List of executables for installed applications. | N/A | 7 |
| Installed Application List | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ | Installed list of applications | N/A | XP, V, 7 |
| Installed Internet Browsers | SOFTWARE | SOFTWARE\Clients\StartMenuInternet\ | List of installed Internet browsers. | N/A | XP, V, 7 |
| Installed Internet Browsers Default Browser | SOFTWARE | SOFTWARE\Clients\StartMenuInternet / default | Default installed Internet browser | N/A | |
| Last Logged on User | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI | Displays the user name of the last logged on user, computer name, and date/time of last logon in the key last modified date/time stamp. If the shutdown is normal, the subkey is modified to logoff time. | N/A | V, 7 |
| Last User Logged In | SOFTWARE | SOFTWARE\\Microsoft\Windows NT\CurrentVersion\Winlogon | Lists the last user that logged in to the system. This can be local or domain account. | NA | |
| Libraries | SOFTWARE | SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\<#> | | Upon creation | 7 |
| Logon Banner Message | SOFTWARE | SOFTWARE\\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText | Contains the banner that appears at boot time. Users must click through the log-on banner to log on to a system. | NA | |
| Logon Banner Message | SOFTWARE | SOFTWARE\\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText | Contains user-defined data. | NA | |
| Logon Banner Title | SOFTWARE | SOFTWARE\\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption | Contains user-defined data. | NA | |
| Logon Info—Default User and Domain Name | SOFTWARE | SOFTWARE\\Microsoft\Windows NT\CurrentVersion\Winlogon | Identifies the default user and the associated domain name. | NA | |
| Logon Info—Legal Notices on Bootup | SOFTWARE | SOFTWARE\\Microsoft\Windows NT\CurrentVersion\Winlogon | Contains legal notices that appear at boot time. Users must click through the log-on banner to log on to a system. | NA | |
| Network Cards | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\# | Lists installed network cards. The value can match up to the GUID stored in the SYSTEM file at SYSTEM\ControlSet###\Services\tcpip\Parameters\Interfaces\. | N/A | XP, V, 7 |
| O\S Version | SOFTWARE | SOFTWARE\\Microsoft\Windows NT\CurrentVersion | Identifies the currently installed OS version and service pack release. | NA | XP, V, 7 |
| Password Hint XP | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\Hints\ | XP Password hint storage location. | Immediately | XP |
| Passwords—Cached Logon Password Maximum | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Control of max passwords stored in the cached passwords in SECURITY file. | N/A | XP |
| Printer Properties for Installed Printers | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\ | Detailed printer information, including user-entered properties from Control Panel. | N/A | XP, V, 7 |
| Product ID | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion | Lists the Windows OS product key. | NA | XP, V, 7 |
| Product Name | SOFTWARE | SOFTWARE\\Microsoft\Windows NT\CurrentVersion | Lists the name of the operating system. | NA | XP, V, 7 |
| Profile list | SOFTWARE | SOFTWARE\\Microsoft\Windows NT\CurrentVersion\ProfileList | Contains the user security identifier for users with a profile on the system. | NA | XP, V, 7 |
| ReadyBoost Attachments | SOFTWARE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\ | List of attached USB devices for ReadyBoost utility. | N/A | V, 7 |
| Recycle Bin Info - XP | SOFTWARE | SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\ | Windows XP Recycler info by drive letter, Max Capacity in MB, NukeOnDelete. 0=Bin being used (default); 1=Bin is being bypassed | N/A | XP |
| | SOFTWARE | SOFTWARE\\Microsoft\Windows NT\CurrentVersion | Identifies the registered organization entered during installation. Note this information may be modified after installation. | NA | XP, V, 7 |
| Registered Owner | SOFTWARE | SOFTWARE\\Microsoft\Windows NT\CurrentVersion | Identifies the registered owner entered during installation. Note this information may be modified after installation. | | |
NA XP, V, 7 Restore Point SOFTWARE Information SOFTWARE\Microsoft\Windows NT\ CurrentVersion\ SystemRestore System Restore parameters N/A XP Restricted Access to Removable Media SOFTWARE\\Microsoft\WindowsNT\ CurrentVersion\ Winlogon Lists allocated CD-ROMS and NA floppies that are set to 0 (restricted). SOFTWARE XP 25 Registry Quick Find Chart Registered Organization ©2010 AccessData Group, LLC. All Rights Reserved File Location Description When Updated Version Run SOFTWARE SOFTWARE\Microsoft\Windows\ CurrentVersion\ Run Lists programs that run automatically when the system boots. NA XP, V, 7 Startup Location SOFTWARE SOFTWARE\Microsoft\Command Processor / AutoRun The AutoRun runs any application noted when cmd.exe is run. N/A Startup Location SOFTWARE SOFTWARE\Microsoft\Windows NT\ CurrentVersion\Winlogon/Userinit Applications to start on bootup. N/A Startup Software SOFTWARE SOFTWARE\Microsoft\Windows\ CurrentVersion\Run Stores the applications automatically NA launched at boot time. XP, V, 7 This key is a good place to look for trojans. Startup Software SOFTWARE SOFTWARE\\Microsoft\Windows\ CurrentVersion\ RunOnce Stores the applications automatically NA launched at boot time. XP, V, 7 This key is a good place to look for trojans. System Restore Info SOFTWARE SOFTWARE\Microsoft\WindowsNT\ CurrentVersion\ SystemRestore Time SOFTWARE Synchronizati on with Internet Servers SOFTWARE\Microsoft\Windows\ CurrentVersion\ DateTime\Servers Turn off UAC SOFTWARE Behavior SOFTWARE\Microsoft\Widows\ CurrentVersion\Policies\System\ ConsentPromptBehaviorAdmin Value System Restore settings and info V, 7 N/A Turn off the prompts to Continue when running a program needing elevated rights. Turns off Cancel or Allow. 0 is off, 2 is on (Default) XP, V, 7 V, 7 AccessData Supplemental Appendix 26 Information 9-25-10 9-25-10 ©2010 AccessData Group, LLC. 
All Rights Reserved Information File Location Description When Updated Version UAC – On or Off SOFTWARE SOFTWARE\Microsoft\Windows\ CurrentVersion\Policies\System\ EnableLUA_Value Identifies whether the UAC is on or off. By default it is on: value 1. If off: value 0 V, 7 USB ID linked SOFTWARE to Volume Serial Number SOFTWARE\Microsoft\WindowsNT\ CurrentVersion\EMDMgmt Tracks USB keys by identifier and by volume serial number. Date and time if tested to be used as cache is stored along with USB size V, 7 User Account SOFTWARE Control SOFTWARE\Microsoft\Windows\ CurrentVersion\Policies\System UAC status Upon changing V, 7 1=Enabled 0=Not Enabled User Name and SID SOFTWARE\Microsoft\WindowsNT\ CurrentVersion\ ProfileList\ Contains the username and SID in hex. Note: See “User Name and SID” in SAM Information on page 19. You must convert the last three hex numbers to decimal to determine the decimal version of the SID that is used in the Recycler and System Volume Information folder. SOFTWARE\Nico Mak Computing Contains WinZip information. Wireless Vista, SOFTWARE Windows 7 SOFTWARE\Microsoft\Windows NT\ CurrentVersion\ NetworkList\Profiles\ Each GUID is a connection. N/A V, 7 Wireless Vista, SOFTWARE Windows 7 SOFTWARE\Microsoft\Windows NT\ CurrentVersion\ NetworkList\ Signatures\Managed (or Unmanaged)\ Managed tracks hardwired connections, N/A V, 7 WinZip Information SOFTWARE SOFTWARE XP, V, 7 XP, V, 7 27 Registry Quick Find Chart Unmanaged tracks wireless connections. NA File Location Wireless XP SOFTWARE Wireless XP SOFTWARE Description ©2010 AccessData Group, LLC. All Rights Reserved When Updated Version SOFTWARE\Microsoft\WZCSVC\ SSIDs are located in the Static# Parameters\Interfaces\{0E271E68-9033- values followed by 4 digits. 4A25-9883-A020B191B3C1} / Static##### Immediately XP SOFTWARE\Microsoft\EAPOL\ SSIDs are located in the decimal Parameters\Interfaces\{0E271E68-9033- number values. 
4A25-9883-A020B191B3C1} / # N/A XP When Updated Version N/A XP, V, 7 SYSTEM INFORMATION Information File Location Description $MFT Zone Definition SYSTEM SYSTEM\ControlSet###\Control\ Values 1-4: FileSystem / NtfsMftZoneReservation 1=12.5% 2=25% 3=37.5% 4=50% These values are defined according to Microsoft; however, values of 0 are common defaults and may be the same as a 1. Automatic time zone adjustment SYSTEM 9-25-10 Clearing Page SYSTEM File at Shutdown SYSTEM\ControlSet###\Control\ TimeZoneInformation\ DynamicDaylightTimeDisabled Value 0 Default – On SYSTEM\ControlSet###\Control\ Session Manager\Memory Management / ClearPageFileAtShutdown 0=Off (default) V, 7 1 Disabled 1=On N/A XP, V, 7 AccessData Supplemental Appendix 28 Information 9-25-10 ©2010 AccessData Group, LLC. All Rights Reserved File Location Description When Updated Version Computer Name SYSTEM SYSTEM\ControlSet###\Control\ ComputerName\ComputerName Identifies the computer’s name defined in System Properties. NA XP, V, 7 Current Control Set SYSTEM SYSTEM\Select Identifies which control set is current. NA XP, V, 7 Current Control Set SYSTEM SYSTEM\Select\Current Contains information about the system’s configuration settings. NA XP, V, 7 Display SYSTEM SYSTEM\ControlSet###\Enum\ Display Monitor settings N/A XP, V, 7 DLLs Loaded SYSTEM at Bootup SYSTEM\ControlSet###\Control\ SessionManager\KnownDLLs Listing of implicitly loaded DLL files at startup. Dynamic Disk SYSTEM SYSTEM\\ControlSetXXX\Services\ Identifies the most recent dynamic DMIO\Boot Info\Primary Disk Group disk mounted in the system. NA XP, V, 7 Event Log Restrictions SYSTEM SYSTEM\ControlSet###\Services\ EventLog\ Application Identifies who can read your event logs. A value of 1 restricts access; 0 permits access for guest and mull users. NA XP, V, 7 Event Logs SYSTEM SYSTEM\ControlSetXXX\Services\ Eventlog Identifies the location of Event logs. 
NA XP, V, 7 Firewall Enabled SYSTEM SYSTEM\ControlSet###\Services\ SharedAccess\ Parameters\ FirewallPolicy\ StandardProfile / EnableProfile 0=Off Immediately XP, V, 7 Floppy Disk Information SYSTEM SYSTEM\ControlSet###\Enum\FDC\ Floppy disk controller info. N/A XP, V, 7 Home Group SYSTEM SYSTEM\ControlSet###\services\ HomeGroupProvider\ServiceData N/A 7 1=On (default) Registry Quick Find Chart 29 Information ©2010 AccessData Group, LLC. All Rights Reserved File Location Description When Updated Version Human Interface Devices SYSTEM SYSTEM\ControlSet###\Enum\HID Includes keyboards, mice, trackballs, etc. N/A XP, V, 7 IDE Device Information SYSTEM SYSTEM\ControlSet###\Enum\IDE\ HDD, CD, DVD, and other attached hardware. N/A XP, V, 7 Last Accessed SYSTEM Date and Time setting SYSTEM\ControlSet###\Control\ FileSystem\NtfsDisableLastAccessUpdate Value 0 On LPT Device Information SYSTEM\ControlSet###\Enum\ LPTENUM\ Parallel printer information to LPT port. N/A XP, V, 7 Memory SYSTEM Saved During Crash SYSTEM\ControlSet###\Control\ CrashControl / DumpFile Shows path to crash dump memory capture. N/A XP, V, 7 Memory SYSTEM Saved During Crash Enabled SYSTEM\ControlSet###\Control\ CrashControl / CrashDumpEnabled 0=None N/A XP, V, 7 Immediately XP, V, 7 SYSTEM XP, V, 7 1 Default - Disabled 1=Complete 2=Kernel Memory Dump 3=Small Memory Dump (64k) Mounted Devices SYSTEM SYSTEM\MountedDevices Lists current and prior mounted devices that use a drive letter. Mounted SYSTEM SYSTEM\MountedDevices\ Change: Now using USB ID and not ParentIDPrefix Network Cards SYSTEM SYSTEM\ControlSet###\Services\ tcpip\Parameters\Interfaces\ GUID matches the network card GUIDs at Microsoft\Windows NT\ CurrentVersion\NetworkCards\#. N/A XP, V, 7 Number of Processors in System SYSTEM SYSTEM\ControlSet###\Control\ Session Manager\Environment / NUMBER_OF_PROCESSORS The value stored in this value name is N/A the number of processors on the system. 
XP, V, 7 Devices AccessData Supplemental Appendix 30 Information 9-25-10 9-25-10 ©2010 AccessData Group, LLC. All Rights Reserved Information File Location Description When Updated Version Pagefile SYSTEM SYSTEM\ControlSetXXX\Control\ Session Manager\Memory Management Contains the page file settings such as View updates location, size, set to wipe, etc. immediately; however, not effective until reboot. XP, V, 7 PCI Bus Device Information SYSTEM SYSTEM\ControlSet###\Enum\PCI PCI bus device information N/A XP, V, 7 PDA Information SYSTEM SYSTEM\ControlSet###\Enum\USB Contains PDA information. NA Prefetch SYSTEM SYSTEM\ControlSet###\Control\ Session Manager\Memory Management\PrefetchParameters / EnablePrefetcher 0=Prefetch disabled N/A XP, V, 7 1=Applications Only 2=Boot Only 3=Application and Boot Prefetcher SYSTEM SYSTEM\ControlSet###\Control\Print Contains information about the \Environments\WindowsNTx86\ current printer. Drivers\Version… Immediately XP, V, 7 Printers— Currently Defined SYSTEM SYSTEM\ControlSet###\Control\Print Lists all printers that are configured \Printers on the current system. Immediately XP, V, 7 Remote Desktop SYSTEM SYSTEM\ControlSet###\Control\ Terminal Server / fDenyTSConnections fDenyTSConnections=1 Remote Desktop Off Immediately upon change XP, V SYSTEM\ControlSet###\Enum\SCSI SCSI device settings; includes VHD device info. N/A XP, V, 7 SCSI Device Information SYSTEM fDenyTSConnections=0 Remote Desktop On 31 Registry Quick Find Chart Printer Information ©2010 AccessData Group, LLC. All Rights Reserved 9-25-10 File Location Description When Updated Version Serial Port Device Information SYSTEM SYSTEM\ControlSet###\Enum\ SERENUM Serial port device settings N/A XP, V, 7 Services SYSTEM SYSTEM\ControlSet###\Services List of services. N/A XP, V, 7 Shared Folders SYSTEM SYSTEM\ControlSet###\Services\ lanmanserver\ Shares / List of shared folders on system. 
Immediately XP Shutdown Time SYSTEM SYSTEM\ControlSetXXX\Control\ Windows Lists the system shutdown time. NA XP, V, 7 Startup Location SYSTEM SYSTEM\ControlSet###\Control\ SessionManager\BootExecute Software startup location. Storage Volumes and Removable Media SYSTEM SYSTEM\ControlSet###\Control\ Enum\Volume\ Stores information on storage media, Immediately including beginning volume offset and size. XP, V, 7 Storage Volumes and Removable Media SYSTEM SYSTEM\ControlSet###\Control\ Enum\ RemovableMedia\ Stores information on removable media. Immediately XP, V, 7 Storage Device Information SYSTEM SYSTEM\ControlSet###\Enum\ STORAGE HDD info including partition sizes N/A XP, V, 7 Note: Removed in Vista first release and returned in service pack N/A XP, V, 7 Note: This has not been tested in Windows 7 AccessData Supplemental Appendix 32 Information 9-25-10 ©2010 AccessData Group, LLC. All Rights Reserved Information File Location Description TCP\IP data SYSTEM SYSTEM\ControlSetXXX\Services\ TCPIP\ Parameters Lists the current system’s domain and NA hostname data. XP, V, 7 TCP\IP Settings of a Network Adapter SYSTEM SYSTEM\ControlSetXXX\Services\ adapter\ Parameters\TCPIP Lists the current system’s IP address and gateway information. Immediately XP, V, 7 Time SYSTEM Synchronizati on with Internet Enabled SYSTEM\ControlSet###\Services\ W32Time\ Parameters / Type NoSynch=Disabled NTP=Enabled Immediately XP, V, 7 Time SYSTEM Synchronizati on with Internet Type SYSTEM\ControlSet###\Services\ W32Time\ Parameters / NtpServer Shows current time provider (or if Immediately disabled, the last time provider) - NTP is time.windows.com (default Microsoft) or time.nist.gov XP, V, 7 Time Zone SYSTEM SYSTEM\ControlSet001(or002)\ Control\TimeZoneInformation\ StandardName Identifies the time zone entered during installation. Note this information may be modified after installation. Immediately XP, V, 7 USB Devices SYSTEM SYSTEM\Enum\USBSTOR Lists the system’s USB devices. 
Immediately XP, V, 7 USB Tracking SYSTEM SYSTEM\ControlSet###\Enum\ USBSTOR Change: Now using USB ID and not ParentIDPrefix Write Block USB Devices SYSTEM\ControlSet###\Control\ torageDevicePolicies / Write Protect 0=Disabled 1=Enabled Note: This began with Windows XP Service Pack 2. Version V, 7 N/A XP SP2, V, 7 33 Registry Quick Find Chart SYSTEM When Updated

Source Exif Data:
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.6
Linearized                      : No
XMP Toolkit                     : Adobe XMP Core 4.0-c320 44.284297, Sun Apr 15 2007 17:19:00
Creator Tool                    : PScript5.dll Version 5.2.2
Modify Date                     : 2010:10:05 22:23:27-06:00
Create Date                     : 2010:09:27 17:45:50-06:00
Metadata Date                   : 2010:10:05 22:23:27-06:00
Format                          : application/pdf
Title                           : Registry Quick Find Chart.fm
Creator                         : VISIONCORP
Producer                        : Acrobat Distiller 8.1.0 (Windows)
Document ID                     : uuid:31568a46-886f-4b63-b35d-2f8f32bbb4a5
Instance ID                     : uuid:cf7baf2b-dcec-441d-8e26-153611b3c2ca
Has XFA                         : No
Page Count                      : 33
Author                          : VISIONCORP