The Windows Registry: Part 2 – Extracting the Registry Hives


The Windows Registry is a hierarchical database within which Windows stores system, hardware, software, and user settings and configurations. Since it is the central repository of such information, a proper understanding of the Registry is essential for a forensics investigator analyzing a Windows machine.

This module continues our three part discussion on Registry Analysis. In this module we discuss how to find and extract the Registry hives from both a live and dead system. This is done using AccessData’s FTK Imager tool, which we introduce here as well. There is also brief discussion on another AccessData tool, Registry Viewer.


By: Moshe Caplan

Use FTK Imager to obtain a copy of the Registry Hives on your machine, open them with Registry Viewer, and find the keys / values below

Note 1: This challenge is similar to the challenge from the Registry Intro Module
Note 2: The paths are from a Windows 7 machine.

1. What is your computer's name?
Hint: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
2. What timezone are you in?
Hint: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
2. What are some programs started when your machine is booted?
Hint: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
3. What are some applications installed on your computer?
Hint: HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications
4. What USB devices have been plugged into your computer?

Further information on this module can be found at the following:

You must Sign-In to post a comment.