| Registry Explorer Item | Primary Purpose | DFIR Usage | Strongest Questions It Answers | Caveats / Correlation Needed |
|---|---|---|---|---|
| Run | Startup persistence | Detect autoruns | What launches at logon? | Confirm with Prefetch / Amcache |
| RunOnce | One-time startup execution | Malware staging | Was something scheduled only once? | Often cleared after execution |
| TaskCache | Scheduled tasks | Persistence / execution | Was a task created or modified? | Correlate with Security event ID 4698 |
| Image File Execution Options (IFEO) | Debugger hijack | Persistence / defense evasion | Was a process hijacked via debugger? | Very high attacker value |
| App Paths | Executable redirection | LOLBIN hijack | Was an executable path overridden? | Useful for stealth persistence |
| Uninstall | Installed software | Software footprint | What software existed? | Install date often unreliable |
| Products (MSI) | MSI installs | Installer evidence | What MSI packages ran? | Useful for payload installs |
| Products (Installed on system) | Alternate MSI view | Package correlation | Was software machine-wide? | Compare with Uninstall |
| Defender | AV config | Defense tampering | Was AV disabled? | Critical in malware cases |
| Defender GPO | Policy-enforced AV config | Domain-driven defense changes | Was Defender disabled centrally? | Domain context needed |
| Channels | Event logging config | Logging tampering | Were logs disabled? | Very strong anti-forensics indicator |
| Tracing | Diagnostic traces | Execution residue | Which services generated traces? | Often overlooked goldmine |
| Wow6432Node - Tracing | 32-bit traces | x86 execution evidence | Did 32-bit tools run? | Excellent for legacy malware |
| CurrentVersion | OS metadata | Host profile | What OS/version/build? | Baseline only |
| CurrentVersion (Windows NT) | Extended OS identity | Forensic host fingerprint | Exact build? Install age? | Needed for timeline |
| Control Panel | User settings | User behavior | What did the user change? | Weak standalone evidence |
| Internet Explorer | Legacy browsing config | Browser footprint | Was IE used? Proxy? Zones? | Still valuable even on modern systems |
| StartMenuInternet | Default browser | User preference | What browser is default? | Supports browser artifact triage |
| command (Default browser) | Browser handler | URL execution behavior | Which browser opens commands? | Useful for phishing cases |
| LogonUI | Last logged-on user | Identity evidence | Who used machine last? | Correlate with Security logs |
| Winlogon | Logon behavior | Credential abuse / persistence | AutoAdminLogon? shell hijack? | High-value persistence zone |
| ProfileList | SID-to-user mapping | User attribution | Which profiles existed? | Essential pivot key |
| NetworkCards | NIC hardware | Host identification | Which adapters existed? | Useful in VM detection |
| NetworkList | Connected networks | Mobility / lateral movement | Which networks has the host joined? | Extremely valuable timeline artifact |
| Devices | Portable devices | USB presence | What was attached? | Correlate with setupapi logs |
| Windows Portable Devices | Historical USB metadata | Device attribution | Which USB devices were used before? | Excellent for exfil cases |
| EMDMgmt | External media cache | USB storage usage | Which removable media mounted? | High-value USB artifact |
| VolumeInfoCache | Mounted volume metadata | Drive history | Which volumes existed? | Strong removable media evidence |
| SRUM | Resource usage database | Network + app execution | What apps used the network/resources? | One of the strongest modern artifacts |
| HeapLeakDetection / RADAR | Crash diagnostics | Failed execution | Which binaries crashed? | Often reveals malware attempts |
| System (UAC) | Elevation config | Privilege abuse context | Was UAC lowered? | Supports privilege-escalation analysis |
| System (Legal Notice) | Login banner | Org context | Enterprise policy? | Low DFIR priority |
| SOFTWARE - App Paths | Binary path registration | Execution hijack | Custom path injection? | Persistence value |
| SOFTWARE - Uninstall | Software list | Payload presence | Was tool installed? | Very common triage source |