A little while ago I helped get the registry stuff working on images other than XP for
Volatility 1.4. There are some differences in how the paths/names of the hives are stored, that I thought I might go over here.
In XP we have the following structure for a
registry hive:
'_CMHIVE' : [ 0x49c, {
'Hive' : [ 0x0, ['_HHIVE']],
'FileHandles' : [ 0x210, ['array', 3, ['pointer', ['void']]]],
'NotifyList' : [ 0x21c, ['_LIST_ENTRY']],
'HiveList' : [ 0x224, ['_LIST_ENTRY']],
'HiveLock' : [ 0x22c, ['pointer', ['_FAST_MUTEX']]],
'ViewLock' : [ 0x230, ['pointer', ['_FAST_MUTEX']]],
'LRUViewListHead' : [ 0x234, ['_LIST_ENTRY']],
'PinViewListHead' : [ 0x23c, ['_LIST_ENTRY']],
'FileObject' : [ 0x244, ['pointer', ['_FILE_OBJECT']]],
'FileFullPath' : [ 0x248, ['_UNICODE_STRING']],
'FileUserName' : [ 0x250, ['_UNICODE_STRING']],
'MappedViews' : [ 0x258, ['unsigned short']],
'PinnedViews' : [ 0x25a, ['unsigned short']],
'UseCount' : [ 0x25c, ['unsigned long']],
'SecurityCount' : [ 0x260, ['unsigned long']],
'SecurityCacheSize' : [ 0x264, ['unsigned long']],
'SecurityHitHint' : [ 0x268, ['long']],
'SecurityCache' : [ 0x26c, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]],
'SecurityHash' : [ 0x270, ['array', 64, ['_LIST_ENTRY']]],
'UnloadEvent' : [ 0x470, ['pointer', ['_KEVENT']]],
'RootKcb' : [ 0x474, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]],
'Frozen' : [ 0x478, ['unsigned char']],
'UnloadWorkItem' : [ 0x47c, ['pointer', ['_WORK_QUEUE_ITEM']]],
'GrowOnlyMode' : [ 0x480, ['unsigned char']],
'GrowOffset' : [ 0x484, ['unsigned long']],
'KcbConvertListHead' : [ 0x488, ['_LIST_ENTRY']],
'KnodeConvertListHead' : [ 0x490, ['_LIST_ENTRY']],
'CellRemapArray' : [ 0x498, ['pointer', ['_CM_CELL_REMAP_BLOCK']]],
} ],
When running the hivelist command from Volatility on an XP or Windows 2003 image, the name of the hive is obtained from the
FileFullPath entry above. This is more of a generic name prefixed with "\Device\HarddiskVolume1". There is also a
FileUserName entry in
_CMHIVE, which may contain the actual path to the hive on disk. Here are a few examples:
************************************************************************
FileFullPath: \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
FileUserName: \SystemRoot\System32\Config\SECURITY
************************************************************************
FileFullPath: \Device\HarddiskVolume1\WINDOWS\system32\config\software
FileUserName: \SystemRoot\System32\Config\SOFTWARE
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
FileUserName: \??\C:\Documents and Settings\NetworkService\ntuser.dat
************************************************************************
As I said, we get the same results for
Windows 2003.
Starting with Windows Vista, we have an extra member in
_CMHIVE, named
HiveRootPath which contains another registry name starting either with (\REGISTRY\MACHINE or \REGISTRY\USER). Here we can see output from a modified hivelist plugin, each hive is separated by asterisks:
FileFullPath:
FileUserName:
HiveRootPath: \REGISTRY\MACHINE\HARDWARE
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
FileUserName: \??\C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
HiveRootPath: \registry\machine\Schema
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Windows\System32\config\SOFTWARE
FileUserName: \SystemRoot\System32\Config\SOFTWARE
HiveRootPath: \REGISTRY\MACHINE\SOFTWARE
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Windows\System32\config\DEFAULT
FileUserName: \SystemRoot\System32\Config\DEFAULT
HiveRootPath: \REGISTRY\USER\.DEFAULT
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Windows\System32\config\SAM
FileUserName: \SystemRoot\System32\Config\SAM
HiveRootPath: \REGISTRY\MACHINE\SAM
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Windows\System32\config\SECURITY
FileUserName: \SystemRoot\System32\Config\SECURITY
HiveRootPath: \REGISTRY\MACHINE\SECURITY
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Windows\System32\config\COMPONENTS
FileUserName: \SystemRoot\System32\Config\COMPONENTS
HiveRootPath: \REGISTRY\MACHINE\COMPONENTS
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Boot\BCD
FileUserName: \Device\HarddiskVolume1\Boot\BCD
HiveRootPath: \REGISTRY\MACHINE\BCD00000000
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
FileUserName:
HiveRootPath: \REGISTRY\USER\S-1-5-20
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Windows\ServiceProfiles\LocalService\NTUSER.DAT
FileUserName: \??\C:\Windows\ServiceProfiles\LocalService\ntuser.dat
HiveRootPath: \REGISTRY\USER\S-1-5-19
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Users\user\NTUSER.DAT
FileUserName: \??\C:\Users\user\ntuser.dat
HiveRootPath: \Registry\User\S-1-5-21-3861645159-1226237480-2911178601-1000
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat
FileUserName: \??\C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat
HiveRootPath: \Registry\User\S-1-5-21-3861645159-1226237480-2911178601-1000_Classes
************************************************************************
FileFullPath:
FileUserName:
HiveRootPath: \REGISTRY\MACHINE\SYSTEM
************************************************************************
You can see that there are a couple of registries that only have HiveRootPath populated (\REGISTRY\MACHINE\SYSTEM and \REGISTRY\MACHINE\HARDWARE). \REGISTRY\MACHINE\HARDWARE is a volatile hive that contains hardware information populated during bootup[1], we will explore this key a bit later... We get the same output for all service packs of Vista as well as Windows 2008 (which is closely related to Vista SP1/2).
For Windows 7 we get slightly different results. Even though
FileFullPath is defined in
_CMHIVE for Windows 7, it does not appear to be used at all:
FileFullPath:
FileUserName: \SystemRoot\System32\Config\SECURITY
HiveRootPath: \REGISTRY\MACHINE\SECURITY
************************************************************************
FileFullPath:
FileUserName: \??\C:\System Volume Information\Syscache.hve
HiveRootPath: \REGISTRY\A\{43bcec53-795b-11df-9d3d-000c29bf81c3}
************************************************************************
FileFullPath:
FileUserName:
HiveRootPath: \REGISTRY\MACHINE\SYSTEM
************************************************************************
FileFullPath:
FileUserName:
HiveRootPath: \REGISTRY\MACHINE\HARDWARE
************************************************************************
FileFullPath:
FileUserName: \SystemRoot\System32\Config\DEFAULT
HiveRootPath: \REGISTRY\USER\.DEFAULT
************************************************************************
FileFullPath:
FileUserName:
HiveRootPath: \REGISTRY\USER\S-1-5-20
************************************************************************
FileFullPath:
FileUserName: \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
HiveRootPath: \REGISTRY\USER\S-1-5-19
************************************************************************
FileFullPath:
FileUserName: \Device\HarddiskVolume1\Boot\BCD
HiveRootPath: \REGISTRY\MACHINE\BCD00000000
************************************************************************
FileFullPath:
FileUserName: \SystemRoot\System32\Config\SOFTWARE
HiveRootPath: \REGISTRY\MACHINE\SOFTWARE
************************************************************************
FileFullPath:
FileUserName: \??\C:\Users\user\ntuser.dat
HiveRootPath: \Registry\User\S-1-5-21-1665533257-296859758-874228692-1000
************************************************************************
FileFullPath:
FileUserName: \??\C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat
HiveRootPath: \Registry\User\S-1-5-21-1665533257-296859758-874228692-1000_Classes
************************************************************************
FileFullPath:
FileUserName: \SystemRoot\System32\Config\SAM
HiveRootPath: \REGISTRY\MACHINE\SAM
************************************************************************
Therefore in Windows 7 output of hivelist, you will see
FileUserName paths when they are defined or
HiveRootPath paths if they are not:
Virtual Physical Name
0x963e39d0 0x1d41a9d0 \SystemRoot\System32\Config\SECURITY
0xa057a7a8 0x3518e7a8 \??\C:\System Volume Information\Syscache.hve
0x82ba6140 0x02ba6140 [no name]
0x87a0c008 0x28027008 [no name]
0x87a1c008 0x27fb5008 \REGISTRY\MACHINE\SYSTEM
0x87a429d0 0x27f9d9d0 \REGISTRY\MACHINE\HARDWARE
0x87abc898 0x1fd97898 \SystemRoot\System32\Config\DEFAULT
0x8849e008 0x27dc0008 \REGISTRY\USER\S-1-5-20
0x88521008 0x1be07008 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0x8bb309d0 0x25bac9d0 \Device\HarddiskVolume1\Boot\BCD
0x8bb328d8 0x25bb58d8 \SystemRoot\System32\Config\SOFTWARE
0x91a9a9d0 0x1787c9d0 \??\C:\Users\user\ntuser.dat
0x91f2d9d0 0x13b949d0 \??\C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat
0x963bf008 0x1fa36008 \SystemRoot\System32\Config\SAM
Getting Registry Paths from the SYSTEM RegistryYou can also obtain a list of registry files were loaded by the system by checking the "SYSTEM\CurrentControlSet\Control\Hivelist" key[1]:
$ python vol.py -f VistaSP2x86.dmp --profile=VistaSP2x86 printkey -K 'controlset001\control\hivelist'
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: hivelist (V)
Last updated: 2010-11-30 18:05:20
Subkeys:
Values:
REG_SZ \REGISTRY\MACHINE\HARDWARE : (V)
REG_SZ \REGISTRY\MACHINE\SECURITY : (V) \Device\HarddiskVolume1\Windows\System32\config\SECURITY
REG_SZ \REGISTRY\MACHINE\SOFTWARE : (V) \Device\HarddiskVolume1\Windows\System32\config\SOFTWARE
REG_SZ \REGISTRY\MACHINE\SYSTEM : (V) \Device\HarddiskVolume1\Windows\System32\config\SYSTEM
REG_SZ \REGISTRY\USER\.DEFAULT : (V) \Device\HarddiskVolume1\Windows\System32\config\DEFAULT
REG_SZ \REGISTRY\MACHINE\SAM : (V) \Device\HarddiskVolume1\Windows\System32\config\SAM
REG_SZ \REGISTRY\MACHINE\COMPONENTS : (V) \Device\HarddiskVolume1\Windows\System32\config\COMPONENTS
REG_SZ \REGISTRY\MACHINE\BCD00000000 : (V) \Device\HarddiskVolume1\Boot\BCD
REG_SZ \REGISTRY\USER\S-1-5-20 : (V) \Device\HarddiskVolume1\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
REG_SZ \REGISTRY\USER\S-1-5-19 : (V) \Device\HarddiskVolume1\Windows\ServiceProfiles\LocalService\NTUSER.DAT
REG_SZ \registry\machine\Schema : (V) \Device\HarddiskVolume1\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
REG_SZ \Registry\User\S-1-5-21-3861645159-1226237480-2911178601-1000 : (V) \Device\HarddiskVolume1\Users\user\NTUSER.DAT
REG_SZ \Registry\User\S-1-5-21-3861645159-1226237480-2911178601-1000_Classes : (V) \Device\HarddiskVolume1\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat
References[1] Mark Russinovich, David Solomon and Alex Ionescu
Windows Internals 5th Edition[2] Moyix,
Enumerating Registry Hives