CIS-24 Home http://www.c-jump.com/CIS24/CIS24syllabus.htm
The mother of all initialization files...
Critical to the operation of a Windows system
Contents include
System and application configuration
System hardware
User names, account information, and settings
Browser preferences, settings, and history
Object use; e.g., programs executed, files opened, etc.
Passwords
Located in
C:\WINDOWS\
SYSTEM.INI -- Defined system hardware, 16-bit drivers
WIN.INI -- Defined Windows environment, desktop, and applications
Individual applications had their own .INI files which were pointed to from WIN.INI
REG.DAT -- Stored information about Object Linking and Embedding (OLE)
Multitude of applications and .INI files caused WIN.INI to become huge!
System performance suffered
Windows itself became unstable
Other .INI problems:
Lack of standard format
Limits on size
No network support
No standard location
Windows 9x/NT 3.5 introduced registry files:
C:\WINDOWS\
SYSTEM.DAT -- System settings, protected storage area for all users, and settings for installed programs
USER.DAT -- User-specific settings, user profile, Most Recently Used (MRU) file list
CLASSES.DAT -- Program associations, context menus, and file types (WinME only)
A registry backup is created after the system is booted:
Win95: SYSTEM.DAO, USER.DAO
Win98/ME: RBxxx.CAB
Each user on the system has his/her own profile
There may be multiple USER.DAT files, and they will be different
If all users of the computer use a single user name, all of the individual usage patterns will be co-mingled in a single USER.DAT file
On Win9x, the Default User USER.DAT file is the template for all new user profiles
Adapted from the Microsoft Computer Dictionary, 5/e:
registry. n. A central hierarchical database in Windows 9X, CE, ME, NT, 2000, and XP used to store information necessary to configure the system for one or more users, applications, and hardware devices. The Registry contains information that Windows continually references during operation, such as profiles for each user, the applications installed on the computer and the types of documents that each can create, property sheet settings for folders and application icons, what hardware exists on the system, and which ports are being used. The registry replaces most of the text-based .ini files used in Windows 3.x and MS-DOS configuration files, such as AUTOEXEC.BAT and CONFIG.SYS. Although the Registry is common to the several Windows platforms, there are some differences among them.
Registry includes two kinds of information:
System-wide: Hardware and software settings; generally applies to all users
User-specific: An individual user profile
Protected storage area often holds important user information, such as
Stored Internet usernames and passwords
E-mail passwords
Internet history (e.g., sites visited and search queries)
Registry is divided into six logical sections, each known as a Hive Key (HKEY)
HKEYs are recursively divided into subkeys and use a syntax similar to Windows path names
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
Registry Logical organization:
Inverted tree with a single root
Six branches identified by keys; e.g., HKEY_LOCAL_MACHINE
Subkeys hold other subkeys or values.
Physical structure
Differs significantly from the logical organization
Registry is stored in five files called hives
HKEY_PERFORMANCE_DATA does not use a hive
Hives are stored in
%SystemRoot%\system32\config
The hives stored in
C:\WINDOWS\system32\config
correspond to the following file names (no extensions used):
DEFAULT -- System settings, HKU\.DEFAULT
SAM -- Security Account Manager database, contains user account and security settings, HKLM\SAM
SECURITY -- System security settings, HKLM\SECURITY
SOFTWARE -- All installed programs and associated settings, HKLM\SOFTWARE
SYSTEM -- System settings, HKLM\SYSTEM
userdiff -- Present only to upgrade existing users from a previous version of WinNT...
(userdiff is not really part of any hive.)
The HKEY_USERS hive is stored in
C:\Documents and Settings\username\NTUSER.DAT
and
\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
HKEY_CLASSES_ROOT (HKCR)
Stores information about registered applications, file associations, and OLE object classes
HKEY_CURRENT_CONFIG (HKCC)
Contains system information gathered at boot time; temporarily stored while computer is running
HKEY_CURRENT_USER (HKCU)
Stores settings pertinent to the user currently logged on; mirrors the current user's HKU subkeys
HKEY_LOCAL_MACHINE (HKLM)
Stores hardware settings and configuration information common to all users
HKEY_USERS (HKU)
Contains user profiles for all registered users on the system
Binary value REG_BINARY [0x3]
Raw 0s and 1s; generally displayed in hex
Numeric value REG_DWORD [0x4]
32-bit (4-byte, or double word) numeric value
String values:
Single, fixed-length string REG_SZ [0x1]
Multiple strings REG_MULTI_SZ [0x7] contain lists of values delimited by spaces or commas
Variable-length strings REG_EXPAND_SZ [0x2]
REG_DWORD_LITTLE_ENDIAN
32-bit number in little-endian format (low-order byte first)
REG_DWORD_BIG_ENDIAN
32-bit number in big-endian format (high-order byte first)
REG_LINK
Unicode symbolic link; used internally by the OS and not by applications
REG_NONE
No defined value type.
REG_QWORD
64-bit (8-byte or quad word) number
REG_QWORD_LITTLE_ENDIAN
64-bit number in little-endian format
REG_RESOURCE_LIST
Device-driver resource list
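The value types above differ only in how their raw bytes are interpreted, which matters when a hive is examined offline on a forensics box rather than through regedit. The decoder below is an added example, not code from the course page: it takes the numeric type code and the raw value bytes as they sit in a hive and returns a Python value. Strings are little-endian Unicode (UTF-16LE), and on disk a REG_MULTI_SZ is a sequence of NUL-terminated UTF-16LE strings closed by one extra NUL, which is what the decoder splits on.

```python
import struct

# Registry value type codes. The bracketed IDs on the page (0x1, 0x2, 0x3,
# 0x4, 0x7) are used as given; the others are the standard winnt.h values.
REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY = 0x0, 0x1, 0x2, 0x3
REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_LINK = 0x4, 0x5, 0x6
REG_MULTI_SZ, REG_QWORD = 0x7, 0xB   # REG_DWORD/REG_QWORD are the little-endian forms


def decode_value(vtype, data):
    """Decode the raw bytes of a value, as read out of a hive, according to vtype."""
    if vtype in (REG_SZ, REG_EXPAND_SZ, REG_LINK):
        # Strings are little-endian Unicode (UTF-16LE), normally NUL-terminated.
        return data.decode("utf-16-le").rstrip("\x00")
    if vtype == REG_MULTI_SZ:
        # A sequence of NUL-terminated UTF-16LE strings, closed by one more NUL.
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    if vtype == REG_DWORD:
        return struct.unpack("<I", data[:4])[0]   # low-order byte first
    if vtype == REG_DWORD_BIG_ENDIAN:
        return struct.unpack(">I", data[:4])[0]   # high-order byte first
    if vtype == REG_QWORD:
        return struct.unpack("<Q", data[:8])[0]   # 64-bit, little-endian
    if vtype == REG_BINARY:
        return data.hex()                         # shown as hex, as regedit does
    if vtype == REG_NONE:
        return None
    raise ValueError("unsupported value type 0x%x" % vtype)


if __name__ == "__main__":
    # Constructed sample: the same four bytes read as REG_DWORD and as REG_DWORD_BIG_ENDIAN
    raw = b"\x10\x00\x00\x00"
    print(decode_value(REG_DWORD, raw), decode_value(REG_DWORD_BIG_ENDIAN, raw))
    print(decode_value(REG_SZ, "Trash Can\x00".encode("utf-16-le")))
```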
File NTUSER.DAT contains
Protected storage area for user, MRU files, user preference settings
Each user has individual profile, found in
\Documents and Settings\user
Permanent registry files are
DEFAULT, SAM, SECURITY, SOFTWARE, SYSTEM, userdiff,
found in
%SystemRoot%\System32\Config\
where %SystemRoot% translates as --
-- on WinNT 4.0 and Win 2000:
\winnt\
-- on WinXP and 2003:
\Windows\
Windows 2000 had two registry editors.
Windows XP now has a single registry editor: Regedit.exe
Microsoft's native registry viewer/editor is either regedit, or regedt32...
...These used to be two different programs but with Windows XP,
these programs are now the same.
Run either program by:
Start -> Run, and type regedit or
Start -> Run, and type regedt32
Be very careful not to write data unless you intend to make changes!
And if you make changes, be sure to save changes!
One of the reasons for editing the registry:
Remove entries remaining after application uninstalled
Example editing the registry to change name of Recycle Bin:
Open the Registry Editor
Locate the subkey for the Recycle Bin (under HKCU):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\645FF...F954E
Default value: REG_SZ, "(value not set)"; change to "Trash Can"
Export current key to Desktop for backup purposes
Double-click Default, and in the value data field enter a new name, such as "Trash Can"
HKLM stores hardware settings and configuration information common to all users
A SID is a unique name (an alphanumeric character string) that identifies each
operating system,
user,
user group, and
object in a network
of Windows NT/2000/XP/2003 systems.
Windows grants or denies access and privileges to resources based on access control lists (ACLs).
When a user requests access to a resource, the user's SID is checked by the ACL to determine if that user is allowed to
perform that action, or
if that user is part of a group that is allowed to perform that action.
S-1-5-11 -- Well-known SID for the Authenticated Users security group.
The string self-identifies as a SID because it starts with an S, has a revision level of 1, and an identifier authority value of 5 (NT).
S-1-5-32-549 -- Well-known SID for the built-in Server Operators security group.
The S-1-5 is as above, with a domain identifier of 32 and a predefined RID of 549.
S-1-5-21-770366253-3460018376-311458404-1005:
The S-1-5 is as above.
The domain identifier is the four-part value that follows.
RID value of 1005 specifies a particular user.
See Microsoft Knowledge Base
On Windows NT/2000/XP/2003 systems that are part of a larger domain, SIDs can be found in the SAM database:
HKLM\SAM\Domains\Accounts\Aliases\Members
HKLM\SAM\Domains\Users
But SIDs can also be found in other places, particularly in group memberships...
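The three SIDs walked through above follow one fixed structure, and the same structure appears in binary form inside SAM and in ACLs. The code below is an added example (not from the course page) that parses a SID string into revision, identifier authority and sub-authorities, reports the domain identifier and RID for an S-1-5-21 account SID the way the slides do, and converts between the string and the binary layout; the WELL_KNOWN table is a constructed lookup holding only the two well-known SIDs the page names.

```python
import struct

# Well-known SIDs named on the page; this lookup table is constructed for the demo.
WELL_KNOWN = {
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-549": "Server Operators (built-in)",
}


def parse_sid_string(text):
    """Split 'S-<revision>-<authority>-<sub>...' into its numeric fields."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    return revision, authority, [int(p) for p in parts[3:]]


def describe_sid(text):
    """Explain a SID the way the page does: authority 5 is NT; for S-1-5-21-...
    the four-part value after S-1-5 is the domain identifier, the last part the RID."""
    revision, authority, subs = parse_sid_string(text)
    info = {"revision": revision, "authority": authority, "subauthorities": subs}
    if text in WELL_KNOWN:
        info["name"] = WELL_KNOWN[text]
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        info["domain"] = "-".join(str(s) for s in subs[:4])
        info["rid"] = subs[4]
    return info


def sid_from_bytes(blob):
    """Decode the binary SID layout used in SAM and in ACLs: revision (1 byte),
    sub-authority count (1 byte), 6-byte big-endian identifier authority,
    then count x 32-bit little-endian sub-authorities."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_to_bytes(text):
    """Inverse of sid_from_bytes: the byte pattern a SID takes inside a raw hive."""
    revision, authority, subs = parse_sid_string(text)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))
```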
HKU contains user profiles for all registered users on the system.
To find the least and most recently used files on a system
Windows 9x/ME
Search USER.DAT for MRU, LRU, or Recent
Windows NT/2000
Search NTUSER.DAT for MRU, LRU, or Recent
Windows XP/2003
Search
HKU\sid\Software\Microsoft\Windows\CurrentVersion\Explorer
for the file extension of interest.
File names will be listed even if the file no longer exists on the system.
Note: little-endian Unicode!
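The note above is the usual trap when searching a copied NTUSER.DAT for a file extension: registry strings are UTF-16LE, so every character is followed by a zero byte and a plain ASCII search finds nothing. The following added example (not part of the course page) scans a raw hive buffer for printable little-endian Unicode strings and reports those ending in the extension of interest, with their offsets; SAMPLE_HIVE is a constructed stand-in for a fragment of NTUSER.DAT.

```python
import re

# One printable UTF-16LE code unit is an ASCII byte followed by 0x00; a run of
# at least four of them is treated as a candidate string.
PRINTABLE_UTF16LE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def utf16le_strings(blob):
    """Yield (offset, text) for every printable little-endian Unicode string in blob."""
    for m in PRINTABLE_UTF16LE.finditer(blob):
        yield m.start(), m.group().decode("utf-16-le")


def find_recent_files(blob, extension):
    """Return (offset, name) for UTF-16LE strings ending in extension, e.g. '.doc'.
    Matching is case-insensitive because MRU entries keep the original casing."""
    ext = extension.lower()
    return [(off, s) for off, s in utf16le_strings(blob) if s.lower().endswith(ext)]


# Constructed stand-in for a fragment of NTUSER.DAT: registry strings are
# UTF-16LE and NUL-terminated (two zero bytes), with binary data in between.
SAMPLE_HIVE = (
    b"\x00" * 8
    + "C:\\Documents and Settings\\user\\My Documents\\report.doc".encode("utf-16-le")
    + b"\x00\x00" + b"\x12\x34"
    + "budget.XLS".encode("utf-16-le") + b"\x00\x00"
    + "notes.txt".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    # A byte-wise ASCII search finds nothing, which is the trap the note warns about.
    print("ascii search:", SAMPLE_HIVE.find(b"report.doc"))   # -1
    for off, name in find_recent_files(SAMPLE_HIVE, ".doc"):
        print(hex(off), name)
```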
Backing up individual keys in the registry:
Open the registry editor
Select desired key
Export the key to a desired location
Many freeware or low-cost third-party registry viewer/editor programs exist.
Usually have some features beyond regedit.
Resplendence Registry Manager
Notably useful for computer forensics, because it can open any NTUSER.DAT or .REG file.
Before you begin, copy NTUSER.DAT from target system onto "forensics box".
Run program and File -> Import the .DAT or .REG file
Computer History Viewer (CHV) primarily finds information about Internet Explorer browser, but also finds some information from the registry:
Recently opened documents
Programs executed from START -> Run
Recently opened and saved files
Displays most recently and frequently used programs and files from the hive
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\
New topics: swap file and virtual memory.
Windows is a virtual memory operating system
32-bit processor can address 4 GB of memory even though it has only 256 KB to 1 GB of physical RAM.
The swap or page file is the virtual RAM file on the HDD...
...This is where the data blocks are stored when they have been moved out of the RAM.
VMM is an interface between software and physical/virtual memory.
VMM provides a set of memory addresses to each program.
Memory is allocated in 4 KB segments (pages).
Pages are stored in RAM or swap file on the hard drive.
Some guidelines for managing memory:
If drive space is limited, limit maximum size of page file.
If RAM space is limited, expand page file size to 4 GB.
Spread page file over several physical devices.
Do not completely eliminate virtual memory!
When a Windows system is put into hibernation mode, the contents of RAM are stored on the HDD in
c:\hiberfil.sys
Program data is loaded into virtual memory in units called pages.
As the program grows larger than memory, the oldest pages are swapped out into
c:\pagefile.sys
Swapped pages can be used later if the program is still executing and needs that memory again.
pagefile.sys is a system, hidden file, located on the system root directory.
Most system and user applications create temporary files.
Most are supposed to be "deleted" when they are no longer needed, but this is not always the case...
Look for directories named temp:
\Documents and Settings\user\Local Settings\Temp
\Documents and Settings\user\Application Data\...\Temp
Many other locations on disk may also exist, e.g. in application directories.