
🏺 Windows Registry

ShellBag

To open a file, one first has to take a delightful jaunt to the directory where that file resides. Now picture this: imagine if we could keep a journal of the full paths of all the folders visited; wouldn’t that be splendid? It so happens that this nice functionality does exist on Windows machines, and ShellBags it is called. Since those folders can be located on a remote machine, a USB drive or any other external media, this artefact can be used to draw inferences about remote connections and attached devices.

ShimCache aka AppCompatCache

How often has the following happened to you? You want to run a program, but it is not designed to run on this version of the OS. Windows has a mechanism (the Application Compatibility Cache, hence the name) to run older programs on newer systems. Even when these “compatibility” adjustments are not required, Windows still logs the information for all the programs that were run.

User Assist

GUI-based programs launched from the desktop (through Explorer) are tracked by the UserAssist key on a Windows system.
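An added example, not code from the original page: decoding one UserAssist entry of the kind described above. It assumes the well-known layout of this artefact: value names are ROT13-encoded program paths, and on Windows 7 and later the value data is a 72-byte record carrying the run count at offset 4 and the last-run FILETIME at offset 60. The sample entry is constructed inline.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601) to UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_userassist(value_name: str, data: bytes) -> dict:
    """Decode a Windows 7+ UserAssist value (assumed layout, see lead-in).

    Offsets: 0 session id, 4 run count, 8 focus count, 12 focus time (ms),
    16..56 ten float32 slots, 60 FILETIME of last execution, 72 bytes total.
    """
    if len(data) < 68:
        raise ValueError(f"UserAssist record too short: {len(data)} bytes")
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "path": codecs.decode(value_name, "rot13"),  # value names are ROT13-encoded
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        # An all-zero FILETIME means the program was never run interactively.
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


# Constructed sample entry: ROT13 of "C:\Tools\procexp.exe", run 7 times,
# last executed on 2024-03-01 12:00:00 UTC.
SAMPLE_LAST_RUN = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_NAME = r"P:\Gbbyf\cebprkc.rkr"
SAMPLE_DATA = (
    struct.pack("<4I", 0, 7, 3, 45000)            # session, runs, focus count, focus ms
    + b"\x00" * 44                                 # ten float32 slots + 4 unused bytes
    + struct.pack("<Q", datetime_to_filetime(SAMPLE_LAST_RUN))
    + b"\x00" * 4
)

if __name__ == "__main__":
    print(parse_userassist(SAMPLE_NAME, SAMPLE_DATA))
```

On a live analysis the same function is fed the name/data pairs read from the UserAssist key in a user's NTUSER.DAT hive.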

⚙️ Windows Registry

Hives:

C:\Documents and Settings\*\ntuser.dat
C:\Users\*\ntuser.dat
C:\Users\*\ntuser.dat.LOG*
C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat
C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG*
C:\Windows\System32\config\SAM.LOG*
C:\Windows\System32\config\SECURITY.LOG*
C:\Windows\System32\config\SOFTWARE.LOG*
C:\Windows\System32\config\SYSTEM.LOG*
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SECURITY
C:\Windows\System32\config\SOFTWARE
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\RegBack\*.LOG*
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\SECURITY
C:\Windows\System32\config\RegBack\SOFTWARE
C:\Windows\System32\config\RegBack\SYSTEM

The registry is the repository for settings on a Windows machine. Prior to Windows NT, .ini files were used; these were replaced by the Windows registry to hold initialization data and configuration. Some changes are also logged by the registry itself.