Windows Registry Forensics: Key Artifacts for Incident Response

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The Windows Registry was not designed as a forensic artifact: it stores operational data for Windows and applications. But the side effect of this operational data is a detailed record of user activity, program execution, file access, USB connections, and network history that incident responders can extract and analyze.
Key hive files and their locations:
NTUSER.DAT: per-user hive (C:\Users[username]\NTUSER.DAT): user activity artifactsSYSTEM: system configuration (C:\Windows\System32\config\SYSTEM): hardware, servicesSOFTWARE: installed software (C:\Windows\System32\config\SOFTWARE): application dataSAM: local account database (C:\Windows\System32\config\SAM)SECURITY: security policy and cached credentials (C:\Windows\System32\config\SECURITY)
Execution History Artifacts
UserAssist: GUI program execution history:
UserAssist records every program run from the GUI (not command line) with ROT13-encoded executable paths and timestamps.
Registry path: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Decoded entries show: [executable path] → last run time, run count
ROT13 decoding: A→N, B→O, etc. (e.g., HRZR_EHAYBT = UEME_RUNLOG prefix for many entries)
Forensic value:
- Proves user ran a specific application (even if deleted)
- Timestamp is the LAST run time
- Run count shows how many times it was executed via GUI
Extract UserAssist with Registry Explorer (Eric Zimmerman):
# Copy NTUSER.DAT from a live system:
reg save HKCU C:\Temp\NTUSER.DAT
# Or copy directly from the profile during offline analysis
# Open in Registry Explorer:
# RegistryExplorer.exe
# File > Open hive > NTUSER.DAT
# Navigate to: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
# The UI automatically ROT13-decodes the entries and formats timestamps
ShimCache (AppCompatCache): execution metadata:
ShimCache records metadata for any executable that touched the file system: including programs that ran before the investigator arrived and programs that were deleted. Critical: ShimCache records presence and some timestamp data but NOT execution count: presence proves the file existed, combined with other evidence to infer execution.
# Extract ShimCache from a live system:
$AppCompat = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache"
$AppCompatCache = (Get-ItemProperty -Path $AppCompat -Name AppCompatCache).AppCompatCache
# Raw binary: needs parsing with RegRipper or AppCompatCacheParser
# Use AppCompatCacheParser (Eric Zimmerman):
AppCompatCacheParser.exe -f C:\Temp\SYSTEM --csv C:\Temp\Output --csvf shimcache.csv
# Output CSV: path, modified time, shimcache timestamp, executed flag
# Look for: malware paths in %TEMP%, %APPDATA%, C:\Users\Public\
# Even if the file was deleted, its path persists in ShimCache
AmCache.hve: SHA1 hash and first execution:
# AmCache is a separate hive file, not part of the main hives
# Location: C:\Windows\AppCompat\Programs\Amcache.hve
# Copy during live response:
reg load HKLM\AmCache C:\Windows\AppCompat\Programs\Amcache.hve
reg save HKLM\AmCache C:\Temp\Amcache.hve
reg unload HKLM\AmCache
# Parse with AmcacheParser (Eric Zimmerman):
AmcacheParser.exe -f C:\Temp\Amcache.hve --csv C:\Temp\Output --csvf amcache.csv
# Key output fields:
# KeyLastWriteTimestamp: first time Amcache recorded the entry (close to first execution)
# SHA1: hash of the executable: match against threat intel
# FullPath: where the executable was when first recorded
# Name: executable name
Persistence Key Artifacts
Run and RunOnce keys: startup persistence:
# Common persistence locations:
$persistenceKeys = @(
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
"HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
"HKLM:\SYSTEM\CurrentControlSet\Services" # Service-based persistence
)
foreach ($key in $persistenceKeys) {
Write-Host "=== $key ==="
Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
Get-Member -MemberType NoteProperty |
Where-Object { $_.Name -ne 'PSPath' -and $_.Name -ne 'PSParentPath'
-and $_.Name -ne 'PSChildName' -and $_.Name -ne 'PSDrive'
-and $_.Name -ne 'PSProvider' } |
ForEach-Object {
$name = $_.Name
$value = (Get-ItemProperty -Path $key).$name
Write-Host " $name = $value"
}
}
WMI subscription persistence:
# WMI Event Subscriptions survive reboots and do not appear in standard Run key checks
Get-WMIObject -Namespace "root\subscription" -Class __EventFilter |
Select-Object Name, Query, QueryLanguage
Get-WMIObject -Namespace "root\subscription" -Class __EventConsumer |
Select-Object Name, CommandLineTemplate, ScriptFileName
Get-WMIObject -Namespace "root\subscription" -Class __FilterToConsumerBinding |
Select-Object Filter, Consumer
# Any suspicious WMI subscription: investigate Name and CommandLineTemplate
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
User Activity and File Access Artifacts
RecentDocs: recently opened files (per extension):
Registry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Sub-keys organized by extension:
HKCU\...\RecentDocs\.docx: recently opened Word docs
HKCU\...\RecentDocs\.pdf: recently opened PDFs
HKCU\...\RecentDocs\Folder: recently opened folders
Forensic value: proves user (or attacker using that user's session)
opened specific files, including by extension type
Shellbags: folder navigation history:
Shellbags record every folder the user has browsed: including folders on external drives, network shares, and even folders that have been deleted.
Registry paths:
HKCU\Software\Microsoft\Windows\Shell\Bags
HKCU\Software\Microsoft\Windows\Shell\BagMRU
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Forensic value:
- Proves folders were browsed: including content of deleted directories
- USB drive contents (volume GUID recorded): proves specific USB was browsed
- Network share paths accessed (\\server\share format)
- Timestamps: first and last interaction
# Parse with ShellBagsExplorer (Eric Zimmerman):
ShellBagsExplorer.exe
# Open USRCLASS.DAT (C:\Users\[user]\AppData\Local\Microsoft\Windows\UsrClass.dat)
# Reveals complete folder browsing history including deleted paths
USB device history:
# All USB devices ever connected to this machine:
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\*' |
Select-Object FriendlyName, DeviceDesc, Mfg,
@{N='SerialNumber'; E={ ($_.PSChildName -split '\\')[-1] }}
# Cross-reference with Setupapi.dev.log for first install timestamps:
Get-Content "C:\Windows\INF\setupapi.dev.log" |
Select-String -Pattern 'USBSTOR' -Context 0,2
# Shows: first-time device connection timestamp
# Map serial number to drive letter assignment:
Get-ItemProperty -Path 'HKLM:\SYSTEM\MountedDevices' |
Get-Member -MemberType NoteProperty |
Where-Object { $_.Name -like '*DosDevices*' }
RegRipper Batch Analysis
RegRipper is the standard tool for automated registry forensic artifact extraction: it runs plugins that extract and format specific artifact categories.
# Install RegRipper:
git clone https://github.com/keydet89/RegRipper3.0
cd RegRipper3.0
# Run all plugins against a SYSTEM hive:
perl rip.pl -r /evidence/SYSTEM -f system > system_report.txt
# Run all plugins against NTUSER.DAT:
perl rip.pl -r /evidence/NTUSER.DAT -f ntuser > ntuser_report.txt
# Run a specific plugin (userassist):
perl rip.pl -r /evidence/NTUSER.DAT -p userassist > userassist.txt
# Key RegRipper plugins and what they extract:
# userassist → UserAssist execution history (decoded)
# shimcache → AppCompatCache entries
# run → HKLM and HKCU Run/RunOnce keys
# recentdocs → RecentDocs file access history
# mru → Multiple MRU artifact types
# usbstor → USB device connection history
# networklist → Previously connected network names/GUIDs
# lastlogon → Last logon time for local accounts
# winsearch → Windows Search typed terms
The bottom line
Windows Registry forensic artifacts provide execution evidence (UserAssist records GUI program runs with count and timestamp, ShimCache records any executable that touched the file system, AmCache records SHA1 hash and first execution), persistence evidence (Run/RunOnce keys, WMI subscriptions), and user activity evidence (RecentDocs, Shellbags with deleted folder history, USB device serial numbers). Collect hive files from live systems with reg save or from disk images; parse with RegRipper for automated extraction or Eric Zimmerman's Registry Explorer for interactive analysis.
Frequently asked questions
What are the most important Windows Registry forensic artifacts?
For execution history: UserAssist (HKCU\...\Explorer\UserAssist: GUI program runs with timestamps), ShimCache/AppCompatCache (HKLM\SYSTEM\...\AppCompatCache: any executable that touched the file system), AmCache (C:\Windows\AppCompat\Programs\Amcache.hve: SHA1 hash and first execution). For persistence: Run/RunOnce keys and WMI subscriptions. For user activity: RecentDocs, Shellbags (folder browsing including deleted directories), and USBSTOR keys (all USB devices ever connected).
How do you collect Windows registry hive files for forensic analysis?
From a live system: use `reg save HKLM\SYSTEM C:\Temp\SYSTEM` and `reg save HKCU C:\Temp\NTUSER.DAT` for the main hives (requires admin privileges). AmCache requires loading the hive first: `reg load HKLM\AmCache C:\Windows\AppCompat\Programs\Amcache.hve` then `reg save HKLM\AmCache C:\Temp\Amcache.hve`. From a disk image, use Autopsy, FTK, or direct file extraction: the hive files are not locked when accessed from an image.
What Windows registry forensic artifacts show attacker persistence?
Registry persistence locations to check in any Windows forensic investigation: HKCU\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce (user-level auto-start executables); HKLM\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce (system-level auto-start); HKLM\SYSTEM\CurrentControlSet\Services (installed services — compare against a known-good baseline); HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (shell replacement persistence); HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (debugger hijacking for persistence or defense evasion); and the scheduled tasks registry representation at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks.
How do I parse Windows registry hives without a forensic workstation?
Eric Zimmerman's Registry Explorer (free) is the most capable standalone Windows registry forensic tool: it parses live and offline hives, supports bookmarks for common forensic locations, and has a transaction log processing feature for recovering recent changes. For command-line analysis, RECmd.exe (also from Eric Zimmerman) runs pre-built registry batch maps (BatchExamples on GitHub) that automatically extract all forensically relevant artifacts to CSV. For Python-based analysis, the python-registry library parses hive files and the regipy library supports both live and offline hives. All tools are available free from ericzimmerman.github.io.
What is the Windows registry MRU (Most Recently Used) list and what does it reveal?
Most Recently Used (MRU) lists track recently opened files, executed commands, and accessed network locations. Forensically significant MRU locations: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs (recently opened files per extension); HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (commands typed in Run dialog); HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths (paths typed in Explorer address bar); HKCU\SOFTWARE\Microsoft\Office\{version}\Word\File MRU (recently opened Office documents per application). In an investigation, MRU lists can reveal which files an attacker accessed, which shares they connected to, and which tools they ran — even if those files were later deleted.
How do you interpret conflicting timestamps between NTFS $MFT, ShimCache, and Prefetch to establish a reliable execution timeline during IR?
Each artifact records timestamps from different sources and with different update semantics, so conflicts are common. The $MFT stores four timestamps per file (Created, Modified, Accessed, $MFI Changed) in two attribute sets ($STANDARD_INFORMATION and $FILE_NAME): attackers commonly manipulate $STANDARD_INFORMATION timestamps via timestomping tools, but $FILE_NAME timestamps are harder to manipulate and often reflect true file system activity. ShimCache entries record the last modification time of the executable at the time it was added to the cache and do not update on subsequent runs, making them useful for determining when a file was first present on the system rather than when it last ran. Prefetch records the last execution time and up to eight previous execution times, making it the most reliable artifact for proving execution at a specific moment. When the three sources conflict: trust Prefetch timestamps for execution timing, trust $FILE_NAME timestamps for file creation and placement timing, and treat $STANDARD_INFORMATION timestamps as potentially manipulated if they differ from the $FILE_NAME timestamps by more than a few seconds.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
