Access the room: https://tryhackme.com/room/registry-forensics-aoc2025-h6k9j2l5p8
TBFC is under attack. Systems are exhibiting weird behavior, and the company is now feeling the absence of its lead defender, McSkidy. However, McSkidy made sure the legacy continues.
McSkidy’s team, determined and well-trained, is fully confident in securing all the systems and regaining control before the big event, SOCMAS.
They have now decided to conduct a detailed forensic analysis on one of the most critical systems of TBFC, dispatch-srv01. The dispatch-srv01 coordinates the drone-based gifts delivery during SOCMAS. However, recently it was compromised by King Malhare’s bandits of bunnies.
TBFC’s defenders have decided to split into specialized teams to uncover the attack on this system through detailed forensics. While some of the other team members investigate logs, memory dumps, file systems, and other artefacts, you will work to investigate the registry of this compromised system.
Learning Objectives
- Understand what the Windows Registry is and what it contains.
- Dive deep into Registry Hives and Root Keys.
- Analyze Registry Hives through the built-in Registry Editor tool.
- Learn Registry Forensics and investigate through the Registry Explorer tool.
Windows Registry
Windows OS is not a human, but it also needs a brain to store all its configurations. This brain is known as the Windows Registry. The registry contains all the information that the Windows OS needs for its functioning.
Your brain stores all the information that you need to function effectively. This includes:
- How should you behave?
- What would be the first thing you would do after waking up?
- How would you dress yourself?
- What are your habits?
- What happened in the recent past?
Now, this Windows brain (Registry) is not stored in one single place, unlike a human brain, which is situated in one single place inside the head. It is made up of several separate files, each storing information on different configuration settings. These files are known as Hives.
Let’s take a look at all these hives:
Hive Name: SYSTEM
- Contains: Services, Mounted Devices, Boot Configuration, Drivers, Hardware
Location: C:\Windows\System32\config\SYSTEM
Hive Name: SECURITY
- Contains: Local Security Policies, Audit Policy Settings
Location: C:\Windows\System32\config\SECURITY
Hive Name: SOFTWARE
- Contains: Installed Programs, OS Version and other info, Autostarts, Program Settings
Location: C:\Windows\System32\config\SOFTWARE
Hive Name: SAM
- Contains: Usernames and their Metadata, Password Hashes, Group Memberships, Account Statuses
Location: C:\Windows\System32\config\SAM
Hive Name: NTUSER.DAT
- Contains: Recent Files, User Preferences, User-specific Autostarts
Location: C:\Users\username\NTUSER.DAT
Hive Name: USRCLASS.DAT
- Contains: Shellbags, Jump Lists
Location: C:\Users\username\AppData\Local\Microsoft\Windows\USRCLASS.DAT
Note: The configuration settings stored in each hive listed above are just a few examples. Each hive stores more than these.
Now that you know where these Registry Hives are stored, it might be tempting to double-click them to check out the data inside. But here’s the catch—they contain binary data that can’t be opened directly. So, if you try, you’ll just see a bunch of incomprehensible stuff. So, how can we actually view the registry data? Windows OS comes with a handy tool called the Registry Editor, which lets you view all the registry data stored in its hives. To open it, just type “Registry Editor” into your search bar:

As you can see in the Registry Editor screenshot above, there are some folders named HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, and more. But didn't we expect to see SYSTEM, SECURITY, SOFTWARE, etc., so we could view their data? Don't worry, Windows organizes all the Registry Hives into these structured Root Keys. Instead of the Registry Hives themselves, you will always see these registry root keys whenever you open the Registry Editor. Now, which root key contains which registry hive's data? To answer this question, the table below maps the root keys to their respective Registry Hives.

In the table above, you can see that most of the Registry Hives are located under the HKEY_LOCAL_MACHINE (HKLM) key. We can verify this by clicking the little toggle arrow on the left side of the HKLM key in the Registry Editor, as shown in the screenshot below:

As you can see, the SYSTEM, SOFTWARE, SECURITY, and SAM hives are under the HKLM key. NTUSER.DAT and USRCLASS.DAT are located under HKEY_USERS (HKU) and HKEY_CURRENT_USER (HKCU). The other two keys HKEY_CLASSES_ROOT (HKCR) and HKEY_CURRENT_CONFIG (HKCC) are not part of any separate hive files. They are dynamically populated when Windows is running.
So far, we have learned what the registry is, where it is located (in separate Registry Hives), and how to view the registry through the Registry Editor, which displays the registry keys backed by these Registry Hives.
Registry Forensics
The Windows registry holds a wealth of information about the system, making it a key element in forensic investigations. Registry forensics involves extracting and analyzing evidence from it. During digital investigations on Windows systems, experts examine the registry along with event logs, file system data, memory data, and other sources to piece together the complete incident timeline.
Below is a list of registry keys that are especially useful during forensic investigations:
Registry Keys and Their Importance
Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
- Importance: Stores information on recently accessed applications launched via the GUI.
Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
- Importance: Stores all the paths and locations typed by the user inside the Explorer address bar.
Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths
- Importance: Stores the paths of installed applications.
Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
- Importance: Stores all the search terms typed by the user in the Explorer search bar.
Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- Importance: Stores information on the programs that are set to start automatically (startup programs) when the user logs in.
Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
- Importance: Stores information on the files that the user has recently accessed.
Registry Key: HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
- Importance: Stores the computer's name (hostname).
Registry Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
- Importance: Stores information on the installed programs.
Various registry keys can serve as valuable sources of evidence during a Windows system incident investigation. However, examining these keys using the built-in Registry Editor is not feasible in forensic analysis, as direct access on the target system risks altering critical data. Instead, registry hives are collected and examined offline on a dedicated forensic workstation. The challenge lies in the Registry Editor’s inability to open offline hives and its tendency to display certain key values in binary format, rendering them unreadable without specialized tools.
Practical
To solve this problem, there are tools built specifically for registry forensics. In this task you will use Registry Explorer, an open-source registry forensics tool that can parse the binary data out of the registry hives so that we can analyze them without the fear of modification.
In this practical we will use Registry Explorer to analyze the Registry Hives collected from the compromised system, dispatch-srv01.
The Registry Hives have been collected and are available in the folder C:\Users\Administrator\Desktop\Registry Hives on the machine attached to this task.
Initial Setup
Start the target machine as instructed to access the lab environment. Locate the Registry Hives folder in the VM view and check what hives are inside it.


Launch Registry Explorer
Click on the Registry Explorer icon pinned to the taskbar of the target machine to launch it.


Load the Registry Hives
Once Registry Explorer opens with an empty interface, follow these steps to load the hives:
- Click the File option from the top menu

- Select Load hive from the dropdown


While loading, a pop-up appears saying that a dirty hive was detected. Let’s figure out how to tackle it!
Handling Dirty Hives
While loading Registry Hives, it is important to know that these Registry Hives can sometimes be “dirty” when collected from live systems, meaning they may have incomplete transactions. To ensure clean loading:
1. On the Load hives pop-up, navigate to C:\Users\Administrator\Desktop\Registry Hives
2. Select the desired hive file (e.g., SYSTEM)
3. Hold SHIFT, then press Open to load the associated transaction log files. This ensures you get a clean, consistent hive state for analysis.
4. You'll be prompted with a message indicating successful replay of the transaction logs
5. Repeat the same process for all the other hives you want to load

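The "dirty hive" warning comes from the hive's own header: Windows increments one sequence number before a write and a second one after it, so a copy taken mid-transaction shows a mismatch until the .LOG1/.LOG2 files are replayed. The following is an added example (not code from the room or from Registry Explorer) that parses the 512-byte REGF base block to report that state, the last-written time and whether the header checksum holds; the sample header it builds is constructed for the demonstration, not taken from a real hive.

```python
import struct
from datetime import datetime, timedelta, timezone

REGF_SIZE = 512  # size of the hive base block

def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def regf_checksum(header: bytes) -> int:
    """XOR of the first 127 DWORDs of the base block, with the two fix-ups Windows applies."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        csum ^= dword
    return {0xFFFFFFFF: 0xFFFFFFFE, 0: 1}.get(csum, csum)

def parse_regf_header(header: bytes) -> dict:
    """Parse the base block of a hive file and report whether it is dirty."""
    if len(header) < REGF_SIZE or header[:4] != b"regf":
        raise ValueError("not a registry hive: missing 'regf' signature")
    primary, secondary, last_written, major, minor, ftype = struct.unpack_from("<IIQIII", header, 4)
    name = header[48:112].decode("utf-16-le").split("\x00", 1)[0]
    return {
        "file_name": name,
        "primary_seq": primary,
        "secondary_seq": secondary,
        "last_written": filetime_to_datetime(last_written),
        "version": f"{major}.{minor}",
        "is_primary_file": ftype == 0,  # 0 = primary hive file, 1 = transaction log
        "checksum_ok": regf_checksum(header) == struct.unpack_from("<I", header, 508)[0],
        # Windows bumps the primary sequence before a write and the secondary after it,
        # so a mismatch means the hive was copied mid-transaction: replay its .LOG1/.LOG2
        "dirty": primary != secondary,
    }

def build_header(primary: int, secondary: int, name: str = "SYSTEM") -> bytes:
    """Construct a minimal base block for demonstration; this is not a real hive."""
    hdr = bytearray(REGF_SIZE)
    hdr[:4] = b"regf"
    # constructed last-written FILETIME = 2025-10-21 00:00:00 UTC, version 1.5, primary file
    struct.pack_into("<IIQIII", hdr, 4, primary, secondary, 134054784000000000, 1, 5, 0)
    raw = name.encode("utf-16-le")
    hdr[48:48 + len(raw)] = raw
    struct.pack_into("<I", hdr, 508, regf_checksum(bytes(hdr)))
    return bytes(hdr)

if __name__ == "__main__":
    for label, hdr in (("clean", build_header(7, 7)), ("dirty", build_header(8, 7))):
        info = parse_regf_header(hdr)
        print(label, info["file_name"], "dirty" if info["dirty"] else "consistent", info["last_written"])
```

Run against a real hive by reading its first 512 bytes; Registry Explorer's SHIFT+Open replay is what brings the two sequence numbers back into agreement.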
Investigating Registry Keys
After loading the SYSTEM hive, you can navigate to specific registry keys for investigation. Let's practice by finding the computer name:
- Navigate to ROOT\ControlSet001\Control\ComputerName\ComputerName, or just type "ComputerName" in the search bar to quickly locate the key, as shown below.

- Alternatively, you can click the Available Bookmarks tab and navigate to the ComputerName key from there.
- Examine the values to identify the system's hostname. Under the Data value, you'll find DISPATCH-SRV01.

Now that you understand how to load hives and navigate in Registry Explorer, you are ready to begin your forensic investigation and uncover evidence of the TBFC intrusion on the dispatch server!
The abnormal activity on the dispatch-srv01 started on 21st October, 2025.
Before diving into our investigation, let’s load all of our hives into the Registry Explorer:


Figuring out which app is installed
To find what application was installed on the dispatch-srv01 before the abnormal activity started, we have to analyze the following Registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
As we know, the SYSTEM, SOFTWARE, SECURITY, and SAM hives sit under the HKLM key, so we have to focus on these hives.

Here we only have to search for clues through the SOFTWARE hive (excluding the NTUSER.DAT):

The abnormal activity on dispatch-srv01 began on October 21st, 2025, and we’ve identified the app responsible for causing it on the server:
DroneManager Updater
Finding Launch Path
Now, to find the full path from which the user launched the application (DroneManager Updater), we have to examine the following Registry Key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
As we know, NTUSER.DAT and USRCLASS.DAT are located under HKEY_CURRENT_USER (HKCU), so now we have to focus on these hives.

Here we found our UserAssist registry key

Here we found the path where the user launched the application:
C:\Users\dispatch.admin\Downloads\DroneManager_Setup.exe
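Registry Explorer decodes UserAssist for you; the added example below (not code from the room or from Registry Explorer) shows what it is undoing so you can sanity-check a finding: value names under UserAssist\{GUID}\Count are ROT13-obfuscated, and the Windows 7+ value data is a 72-byte record holding the run count, focus count, focus time and last-run FILETIME. The sample value is constructed: the ROT13 form of the path recovered above, paired with made-up counters.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# GUID subkey under UserAssist that records executables launched through the GUI
UA_EXE_GUID = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"

def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def decode_userassist_name(name: str) -> str:
    """Value names under UserAssist\\{GUID}\\Count are ROT13-obfuscated; undo it."""
    return codecs.decode(name, "rot_13")

def parse_userassist_data(data: bytes) -> dict:
    """Parse the 72-byte UserAssist value data layout used since Windows 7."""
    if len(data) < 68:
        raise ValueError("UserAssist data too short for the Windows 7+ layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_run_ft = struct.unpack_from("<Q", data, 60)[0]
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }

def userassist_entry(name: str, data: bytes) -> dict:
    """Combine a decoded value name with its parsed counters, as an analyst reads it."""
    entry = parse_userassist_data(data)
    entry["path"] = decode_userassist_name(name)
    return entry

def build_userassist_data(run_count: int, focus_count: int, focus_ms: int, last_run_ft: int) -> bytes:
    """Construct sample value data for demonstration; not copied from a real hive."""
    data = bytearray(72)
    struct.pack_into("<III", data, 4, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", data, 60, last_run_ft)
    return bytes(data)

# Constructed sample: ROT13 of the path recovered in this room, with made-up counters
# and a last-run FILETIME of 2025-10-21 00:00:00 UTC
SAMPLE_NAME = codecs.encode(r"C:\Users\dispatch.admin\Downloads\DroneManager_Setup.exe", "rot_13")
SAMPLE_DATA = build_userassist_data(run_count=1, focus_count=3, focus_ms=4500, last_run_ft=134054784000000000)

if __name__ == "__main__":
    e = userassist_entry(SAMPLE_NAME, SAMPLE_DATA)
    print(f'{SAMPLE_NAME} -> {e["path"]}, run {e["run_count"]}x, last run {e["last_run"]}')
```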
Figuring out how the app managed to stay persistent on startup
To find out how the app managed to stay persistent on startup we have to examine the Run Registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Here we again need to focus on the SYSTEM, SOFTWARE, SECURITY, and SAM hives, as these are under the HKLM key.


The DroneHelper app has kept its persistence through the Run key, launching automatically every time the user logs in.
It also includes a --background flag that allows it to run quietly in the background without popping up when the process starts.
So the value added by the app to maintain its persistence is:
"C:\Program Files\DroneManager\dronehelper.exe" --background
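Once a Run value like the one above is recovered, the next step is to separate the image path from its arguments and note the properties that decide how much attention it gets. The added example below (not code from the room or from Registry Explorer) does that for a constructed Run key: the DroneHelper value is the one recovered in this room, the other two entries and the key last-write time are placeholders made up for comparison.

```python
from datetime import datetime, timezone

INCIDENT_START = datetime(2025, 10, 21, tzinfo=timezone.utc)  # from the room's timeline
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\")

def split_run_value(value: str) -> tuple[str, str]:
    """Split a Run value into (image path, arguments), honouring a quoted image path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in Run value")
        return value[1:end], value[end + 1:].strip()
    # Unquoted path: take tokens until one ends in an executable extension
    tokens = value.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith((".exe", ".cmd", ".bat")):
            return candidate, " ".join(tokens[i:]).strip()
    return tokens[0], " ".join(tokens[1:]).strip()

def triage_run_key(values: dict[str, str], key_last_write: datetime) -> list[dict]:
    """Describe each Run entry and note the properties an analyst checks first."""
    findings = []
    for name, value in values.items():
        image, args = split_run_value(value)
        low = image.lower()
        findings.append({
            "name": name,
            "image": image,
            "args": args,
            "trusted_location": low.startswith(TRUSTED_ROOTS),
            "user_writable_location": any(part in low for part in USER_WRITABLE),
            "unquoted_spaces": " " in image and not value.startswith('"'),
            # Values carry no timestamp; the key's last-write time is the closest thing
            "key_written_after_incident": key_last_write >= INCIDENT_START,
        })
    return findings

# Constructed sample Run key: the DroneHelper value is the one recovered in this room,
# the other two entries are placeholders for comparison
SAMPLE_RUN_VALUES = {
    "DroneHelper": r'"C:\Program Files\DroneManager\dronehelper.exe" --background',
    "VendorTray": r"C:\Program Files\Vendor Tools\tray.exe /minimized",
    "Updater": r"C:\Users\dispatch.admin\AppData\Roaming\upd.exe",
}
SAMPLE_KEY_LAST_WRITE = datetime(2025, 10, 21, 14, 3, tzinfo=timezone.utc)  # constructed
```

Registry Explorer shows the Run key's last-write time next to the key; comparing it with the incident start date is how the persistence gets tied to the 21st October timeline.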
Answers of the THM Lab
What application was installed on the dispatch-srv01 before the abnormal activity started?
DroneManager Updater.
— — — — — — — — — — — —
What is the full path where the user launched the application (found in question 1) from?
C:\Users\dispatch.admin\Downloads\DroneManager_Setup.exe.
— — — — — — — — — — — —
Which value was added by the application to maintain persistence on startup?
"C:\Program Files\DroneManager\dronehelper.exe" --background