The Windows Registry and the C:\Windows\Installer Folder

In the spring of 1992, Microsoft released Windows 3.10, the new heir of the Windows dynasty. In this Windows release was a new registration database, this database was created to manage Dynamic Data Exchange (DDE) and Object-Linking-and-Embedding (OLE). The name of this database file was REG.DAT.

To access this new database, a user would open the Program Manager, select File, choose Run, and then type in “REGEDIT.” A whole new world emerged and this new Registry Editor allowed Windows users the world over to define DDE and OLE and then later NETDDE relationships. All of these changes were stored in this new database affectionately called The Registry.

At the time of the Windows 3.10 release, Microsoft was working fast and furious on another operating system (OS), the product to be released in the summer of 1993 was called Windows NT and Windows NT Advanced Server. This new OS greatly enlarged and enhanced the registry database. This database was now comprised of many components and designed to be modular, easily modified, and sustained by both Microsoft and other vendors.

This new version of Windows NT would run on a 32-bit platform, surpassing the limitations found in Windows 3.10. To support previous 16-bit Windows versions, Microsoft created a special folder in this database, this folder being called a HIVE or HKEY. The HKEY_CLASSES_ROOT folder contains file name extension associations as well as COM class registration information and the initial focus of this folder was compatibility with the 16-bit Windows registry and to support the data found in the REG.DAT file.

Why do you care? What does this mean? How does this help you in your forensic investigations?

Why you care is that Microsoft has provided a wealth of information, artifacts—relics from the past in this central repository called The Registry.

What this means is that since 1991 Microsoft has taken great care—great care to preserve a history of activities going back to the days of MS-DOS, Windows 3.1x, and Windows for Workgroups 3.11. In addition, Microsoft has collected, stored, and retained data from all versions of Windows NT as well as the hey-days of Win95-98-ME versions too.

How this helps you is knowing that there is data, lots of data—artifacts found in the Operating System support files, Windows folder and sub-folders, and the Registry file. Collectively all of these components allow examiners to find evidence creating a digital history, connections, or a legal position.

The ever-evolving operating systems from Microsoft became very dependent on the Registry database and the original design of modularity was eventually deemed a bad design. Microsoft realized that software vendors were not too smart when it came to installation rules, version continuity, and basic-installation support. As Windows NT was fading and Windows 9x versions were being rapidly phased out, Microsoft released Windows 2000. With this fresh Windows release came a shiny new toy, or tool, Windows Installer, this tool was to assist in the installation process of all Microsoft Windows OS and applications and could be extended to applications from other vendors.

The Windows Installer was the new tool to help with Windows 2000 installation and deployment and also help with installing and managing other applications. The Windows Installer was to be the cure all for product installations—a tool to manage an application’s:

• Installation process and deployment
• Modifications and changes
• Upgrades and patches
• Removal from the system
• Customizable installations and configurations
• Manage shared resources
• Enforce consistent file version rules
• Diagnose and repair applications at runtime¹

The Windows Installer maintains a list of installation source code or details in its database. This database information could include icons, shortcuts, network links, program files, install files, source locations, and more. Most, if not all of the data is then passed on and recorded in various locations in the Windows Registry. So much so that it is very difficult to remove evidence from every HKEY or sub-Hive location in the Registry. (This data can potentially be found in System Restore Points as well.)

When you install an application using Windows Installer, those Windows Installer applications try to return to the path they were installed from when they need to install new components, repair the application, or update the application.²

The specific HKEY data is usually found in one or more of the following Registry Keys:

HKEY_CLASSES_ROOT\Installer
HKEY_CLASSES_ROOT\Installer\Assemblies
HKEY_CLASSES_ROOT\Installer\Components
HKEY_CLASSES_ROOT\Installer\Features
HKEY_CLASSES_ROOT\Installer\Patches
HKEY_CLASSES_ROOT\Installer\Products
HKEY_CLASSES_ROOT\Installer\UpgradeCodes
HKEY_CLASSES_ROOT\Installer\Win32Assemblies

HKEY_CURRENT_USER\Software\Microsoft\Installer
HKEY_CURRENT_USER\Software\Microsoft\Installer\Features
HKEY_CURRENT_USER\Software\Microsoft\Installer\ Products
HKEY_CURRENT_USER\Software\Microsoft\Installer\ UpgradeCodes

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\
Assemblies
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\
Components
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\
Features
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\
Patches
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\
Products
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\
UpgradeCodes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\
Win32Assemblies

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Installer\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Installer\Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Installer\Secure
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Installer\UpgradeCodes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Installer\UserData

HKEY_USERS\S-1-5-21-3000313604-4197361410-2619668869-1000\Software\Microsoft\Installer
HKEY_USERS\S-1-5-21-3000313604-4197361410-2619668869-1000\Software\Microsoft\Installer\Features
HKEY_USERS\S-1-5-21-3000313604-4197361410-2619668869-1000\Software\Microsoft\Installer\Products
HKEY_USERS\S-1-5-21-3000313604-4197361410-2619668869-1000\Software\Microsoft\Installer\UpgradeCodes

Again, this means that as a forensic examiner you can search the Registry for installed applications. Please note the number of possible Registry entries. Even the most skilled programmer will have difficulties covering all of the notations Microsoft makes when installing a tool. And it is easy to install and insert applications, but removing all remnants from the Registry is very difficult and often not done. That’s right, many applications are still listed in the Registry even though they have been removed via the Control Panel or another method. And if it is in one Registry entry it could be in another.

IT GETS BETTER!!! In addition, many software applications log changes in the Microsoft Event Viewer—typically the Application Logs. An example might look like this:

Ending a Windows Installer transaction: C:\Users\H-11User03\AppData\LocalLow\Sun\Java\AU\au.msi. Client Process Id: 6396.

So, contrary to what you may have heard or read from Microsoft, the Windows operating systems are too large and come from so many programming contributors that it is impossible to remove all of the code that retains these forensic artifacts. This article has listed just few locations: the C:\Windows\Installer folder, Event Logs, and the Registry HIVES as listed above in the Registry Database.

Thank you Microsoft for collecting and storing this metadata and other evidentiary data. These artifacts are most helpful in digital forensics investigations and examinations. We will look at different Windows Registry entries to learn where to mine for these artifacts and find success in our investigations and examinations.

References

1. http://technet.microsoft.com/en-us/library/bb742606.aspx#EOAA
2. http://technet.microsoft.com/en-us/library/bb892810.aspx

Jon R. Hansen is the Vice-President for H-11 Digital Forensics. Jon is a computer specialist with over thirty years of experience in computer technologies, including, digital computer forensics, large-scale deployment, and training on various computer hardware and software platforms.