Windows Registry Forensics: Investigating a Malware Compromise - Part 1

THREAT RESEARCH

Waqas Qureshi

3/21/2025 | 3 min read

The Windows Registry serves as a crucial forensic artifact when investigating a malware infection. Malware frequently modifies the Registry to establish persistence, execute malicious payloads, hide its presence, or collect information from the system. A thorough Registry analysis after a successful malware compromise can provide forensic investigators with key insights into the attack timeline, persistence mechanisms, execution history, and network activities.

This blog post details essential areas within the Windows Registry that should be examined post-compromise. By analyzing these Registry locations, investigators can reconstruct the attack, track lateral movement, and uncover signs of data exfiltration.

Core Registry Hives for Malware Investigation

The Windows Registry is structured into several hives, each containing different types of system and user data. The most relevant for forensic analysis include:

  • HKEY_LOCAL_MACHINE (HKLM): Stores system-wide settings and configurations.

  • HKEY_CURRENT_USER (HKCU): Contains user-specific settings, including execution history and auto-start entries.

  • HKEY_USERS (HKU): Holds data for all user profiles on the system.

  • HKEY_CLASSES_ROOT (HKCR): Manages file associations and application interactions.

  • HKEY_CURRENT_CONFIG (HKCC): Stores hardware profile settings.

Each of these hives may contain traces of malicious activities, with HKLM and HKCU being the most commonly modified by malware.

Key Registry Areas for Forensic Analysis

Persistence Mechanisms

Malware often modifies Registry keys to maintain persistence across reboots. The following keys should be scrutinized:

Startup Entries:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run

  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Winlogon Hijacking:

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Image File Execution Options (IFEO) Hijacking:

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Scheduled Tasks:

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
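As an added example (not code from the original post), the Python below runs a triage pass over constructed Run-key contents and flags the two patterns an analyst looks for first in these keys: an executable launched from a user-writable directory, and a built-in host such as powershell.exe or rundll32.exe used so the Run value never names the payload directly. The sample key contents, the directory list and the heuristics are all constructed for illustration.

```python
import re

# Constructed sample of Run-key contents (not from a real system): key path -> {value name: command}
SAMPLE_RUN_KEYS: dict[str, dict[str, str]] = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
        "Updater": r'"C:\ProgramData\Updater\svc.exe" -silent',
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "Helper": r"powershell.exe -w hidden -nop -enc QQBCAEMA",
        "Loader": r"rundll32.exe C:\Users\alice\AppData\Roaming\x.dll,Start",
    },
}

# Directories a standard user can write to: a Run entry launching from here is a lead, not a verdict.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
# Built-in hosts commonly abused so that the Run value points at a trusted binary, not the payload.
PROXY_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
               "regsvr32.exe", "wscript.exe", "cscript.exe"}
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)

def split_command(cmd: str) -> tuple[str, str]:
    """Return (executable, arguments) for a Run value, honouring a quoted executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args

def triage_run_entry(cmd: str) -> list[str]:
    """Heuristic reasons a Run/RunOnce value merits follow-up; an empty list means nothing notable."""
    exe, args = split_command(cmd)
    image = exe.rsplit("\\", 1)[-1].lower()
    reasons = []
    if USER_WRITABLE.search(exe):
        reasons.append("executable in user-writable directory")
    if image in PROXY_HOSTS:
        reasons.append(f"proxy execution via {image}")
        if ENCODED_FLAG.search(f" {args} "):
            reasons.append("encoded PowerShell command line")
        if USER_WRITABLE.search(args):
            reasons.append("argument references user-writable path")
    return reasons

def triage_run_keys(keys: dict[str, dict[str, str]]) -> list[tuple[str, str, list[str]]]:
    """Return (key path, value name, reasons) for every flagged value across all Run keys."""
    results = [(p, n, triage_run_entry(c)) for p, vals in keys.items() for n, c in vals.items()]
    return [r for r in results if r[2]]
```

Every flag is a lead for follow-up, not a verdict: the OneDrive entry is a legitimate program that happens to live under AppData, so the image's signature and hash still have to be checked before drawing a conclusion.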

Execution Artifacts

To track executed malware and user activity, forensic investigators should examine:

UserAssist (GUI Application Execution History):

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
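UserAssist value names are stored ROT13-encoded, and each value's data is a 72-byte structure (Windows 7 and later) that holds the run count, focus time and a FILETIME of the last execution, which is what feeds the timeline correlation described later in this post. The parser below is an added example, not the post's code; the entry it decodes is constructed, and the 72-byte layout is the documented Windows 7+ format.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100 ns ticks from here

def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert a 64-bit FILETIME to an aware UTC datetime (0 means 'never recorded')."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the constructed sample."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def parse_userassist_entry(value_name: str, data: bytes) -> dict:
    """Decode one value under UserAssist\\{GUID}\\Count (Windows 7 and later, 72-byte layout)."""
    if len(data) != 72:
        raise ValueError(f"expected 72-byte entry, got {len(data)}")
    # Value names are ROT13-encoded, which hides program paths from naive string searches.
    program = codecs.decode(value_name, "rot13")
    # Offsets 0..15: session id, run count, focus count, focus time in ms. Offsets 16..59 hold
    # ten floats and padding not needed for a timeline; the last-run FILETIME sits at offset 60.
    session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": program,
        "session": session,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        "last_run": filetime_to_datetime(last_run_ft),
    }

def build_sample_entry() -> tuple:
    """Constructed UserAssist entry (not from a real system): cmd.exe run 7 times, last on 2025-03-21."""
    name = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr"  # ROT13 of a System32 known-folder path
    last_run = datetime(2025, 3, 21, 10, 0, tzinfo=timezone.utc)
    data = (struct.pack("<IIII", 0, 7, 3, 120000) + b"\x00" * 44
            + struct.pack("<Q", datetime_to_filetime(last_run)) + b"\x00" * 4)
    return name, data

if __name__ == "__main__":
    entry = parse_userassist_entry(*build_sample_entry())
    print(f"{entry['program']}  runs={entry['run_count']}  last={entry['last_run']}")
```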

Recent File and Folder Access

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

Prefetch Files (Tracks Program Execution)

  • C:\Windows\Prefetch\

Although not a Registry key, Prefetch files help determine the first and last execution time of an executable.

Network and Remote Access Traces

Investigating network activity is essential to detect Command and Control (C2) communications:

RDP Connections:

  • HKCU\Software\Microsoft\Terminal Server Client\Default

Records, as an MRU list, the hostnames or IP addresses of remote machines the user recently connected to over RDP.

Network Adapters & Proxy Settings:

  • HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

These keys can reveal proxy settings that malware has changed in order to redirect traffic.

USB and External Device Activity

If data exfiltration is suspected, USB device history should be examined:

USB Device History:

  • HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR

Lists all USB storage devices ever connected to the machine.

Mounted Devices:

  • HKLM\SYSTEM\MountedDevices

Tracks storage devices, including external hard drives.

Credential Dumping and Security Settings

Malware may attempt to steal credentials by tampering with the following keys:

LSA Protection (RunAsPPL) Bypass (Targeted by Mimikatz & Other Tools):

  • HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL

A value of 1 runs LSASS as a protected process; a missing or zero value means the protection is off or has been disabled, leaving LSASS memory readable by credential dumping tools.

Stored Credentials in Windows Vault:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Vault

SAM Hive (Contains User Password Hashes, Requires SYSTEM Privileges):

  • HKLM\SAM

Offline analysis can be performed using tools like Mimikatz or secretsdump.py.

Forensic Correlation and Timeline Analysis

To reconstruct an attack timeline, investigators should correlate:

  • Registry key timestamps with Prefetch files and Event Logs.

  • USB device insertions with data transfer times.

  • Execution artifacts with file system modifications.

Windows Registry analysis is an essential component of forensic investigations after a malware compromise. By examining persistence mechanisms, execution traces, network configurations, and credential artifacts, analysts can determine how malware infiltrated the system, maintained access, and potentially exfiltrated data.

A structured approach—analyzing HKCU for user activity, HKLM for system-wide changes, SYSTEM for network and USB artifacts, and SAM for credential theft—ensures a comprehensive investigation. Coupled with forensic tools and timeline correlation, Registry forensics provides invaluable insights into attack patterns and mitigation strategies.

Analysts can enhance the efficiency of Registry analysis and detection of suspicious modifications by utilizing tools like FTK Imager, KAPE, RegRipper, Autoruns, and Volatility. Moreover, correlating artifacts from the Registry with event logs and memory analysis offers a comprehensive understanding of malware behavior. By grasping these critical areas, digital forensic professionals can detect, analyze, and respond to malware incidents more effectively, ultimately strengthening overall cybersecurity defenses.

Join me for Part 2, where we will automate the extraction of forensic registry locations and streamline the collection process using a PowerShell script.