Registry Forensics: Hunting Persistence in SAM, NTUSER, and SYSTEM Hives
Cybersecurity
Windows Registry hives record user account data, autorun persistence, service configurations, and last-write timestamps that survive log deletion. Knowing which keys to target cuts investigation time from days to hours.
By Arjun Raghavan, Security & Systems Lead, BIPI · October 26, 2024 · 11 min read
The Windows Registry is a hierarchical database stored on disk as several hive files. For incident response, the most relevant hives are SAM (user account data), SECURITY (cached credentials and LSA secrets), SYSTEM (services, drivers, network configuration), SOFTWARE (installed applications, COM objects), and NTUSER.DAT (per-user settings, autoruns, MRU lists). Each hive file has associated transaction logs (.LOG1 and .LOG2) that must be collected alongside the primary hive; they hold writes not yet flushed to the hive, and a parser that replays them sees the current state of the keys rather than a stale one.
Hive Locations and Collection
- SAM: C:\Windows\System32\config\SAM
- SECURITY: C:\Windows\System32\config\SECURITY
- SYSTEM: C:\Windows\System32\config\SYSTEM
- SOFTWARE: C:\Windows\System32\config\SOFTWARE
- NTUSER.DAT: C:\Users\<username>\NTUSER.DAT (one per user profile)
- UsrClass.dat: C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat
- All hives are locked during normal Windows operation; use KAPE, VSS snapshots, or raw file copy tools
SAM Hive: User Account Forensics
The SAM hive stores local user account metadata under HKLM\SAM\SAM\Domains\Account\Users\. Each user has a numeric RID subkey (e.g., 000001F4 for the built-in Administrator). Values include the account name (V value), last logon time, last password change, failed logon count, account control flags, and the LM/NT password hashes (encrypted with the SYSKEY, which is derived from the SYSTEM hive, so both hives are needed to decrypt them). secretsdump.py (Impacket) can extract and decrypt these offline given both hive files.
- Collect SAM and SYSTEM hives with their .LOG files
- Run secretsdump.py -sam SAM -system SYSTEM LOCAL to extract NT hashes offline
- Use RECmd.exe with the SAM batch file for structured account metadata output
- Check last logon timestamps for accounts used outside business hours
- Compare local account list against expected baseline to identify rogue accounts
NTUSER.DAT: UserAssist and Run Key Persistence
Each user's NTUSER.DAT hive contains two high-value forensic locations. UserAssist, at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\, records GUI application launches with run counts and last-execution timestamps under ROT13-encoded value names. The Run and RunOnce keys at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ are classic persistence locations whose entries execute at user logon.
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run: executes at user logon
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce: executes once at next logon, then self-deletes
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: system-wide logon persistence
- HKLM\SYSTEM\CurrentControlSet\Services\: service-based persistence (requires SYSTEM hive)
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\: shell and userinit hijacking
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\: per-user shell replacement
Last Write Times as a Forensic Signal
Every registry key has a LastWrite timestamp (stored as a FILETIME in the key metadata, not as a value). This is the equivalent of the $STANDARD_INFORMATION Modified timestamp for registry keys. When you see a LastWrite time on a Run key that matches the time window of the initial compromise, it confirms when the persistence mechanism was installed. Note that LastWrite records only the most recent modification of that key, so any later change to the same key, including a legitimate one, overwrites the earlier value. RECmd outputs LastWrite timestamps for every key in its CSV output.
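As an added example (not code from the original post), the following Python decodes one UserAssist entry as described in the previous section and converts its FILETIME to UTC, the same conversion that applies to the LastWrite timestamps discussed above. It assumes the Windows 7+ 72-byte value layout and uses a constructed sample entry rather than data from a real case.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; integer arithmetic so the round trip is exact."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def parse_userassist_value(value_name, data):
    """Decode one UserAssist Count entry in the Windows 7+ 72-byte layout.
    Assumed offsets: run count 4, focus count 8, focus time (ms) 12, last-run FILETIME 60."""
    if len(data) < 68:
        raise ValueError("UserAssist value too short for the Win7+ layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_ft = struct.unpack_from("<Q", data, 60)[0]
    return {
        "program": codecs.decode(value_name, "rot13"),  # value names are ROT13-encoded
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        # A zero FILETIME means the entry was never executed (or the time was cleared).
        "last_run": filetime_to_datetime(last_ft) if last_ft else None,
    }

# Constructed sample, not data from a real case: the ROT13 form of
# "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe" (System32 known-folder GUID + program).
SAMPLE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr"
SAMPLE_LAST_RUN = datetime(2024, 10, 20, 3, 15, tzinfo=timezone.utc)

def build_sample_value(run_count, last_run):
    """Pack a 72-byte UserAssist entry with the given count and time (sample builder only)."""
    buf = bytearray(72)
    struct.pack_into("<I", buf, 4, run_count)
    struct.pack_into("<Q", buf, 60, datetime_to_filetime(last_run))
    return bytes(buf)

SAMPLE_DATA = build_sample_value(7, SAMPLE_LAST_RUN)

if __name__ == "__main__":
    rec = parse_userassist_value(SAMPLE_NAME, SAMPLE_DATA)
    print(f'{rec["program"]}  runs={rec["run_count"]}  last={rec["last_run"]:%Y-%m-%d %H:%M:%S} UTC')
```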
SYSTEM Hive: Services and Driver Persistence
Under HKLM\SYSTEM\CurrentControlSet\Services\, each service or driver has a subkey with values including: ImagePath (the executable or driver path), Start (start type: 0=Boot, 1=System, 2=Auto, 3=Manual, 4=Disabled), Type (service type flags), and ObjectName (the account the service runs as). Malicious services often set ImagePath to a path in %TEMP% or a renamed system utility directory. The LastWrite timestamp on the service key marks when it was registered (or last modified).
- Start value 2 (Auto) with a non-standard ImagePath is a high-priority investigation target
- ObjectName = LocalSystem grants the service SYSTEM-level privileges
- Compare service list against a known-good baseline image of the same OS version
- Check for services with descriptions copied from legitimate services (masquerading)
- Correlate service LastWrite timestamp with SAM logon times and Shimcache entries for the ImagePath binary
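An added example, not from the original post or the EZTools project: a Python triage pass that applies the checks listed above (baseline comparison, Start=2 with a non-standard ImagePath, user-writable paths, LocalSystem, LastWrite inside the compromise window) to constructed rows in the shape of a RECmd services export. The column names, the baseline set, the compromise window and the sample rows are all assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Directories where a legitimately installed service binary normally lives.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Path fragments pointing at user-writable locations (the %TEMP% case from the text and relatives).
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")

def triage_service(row, baseline, window):
    """Return the reasons a service row deserves a closer look (empty list = nothing found)."""
    reasons = []
    path = row["ImagePath"].strip().strip('"').lower()
    if row["ServiceName"] not in baseline:
        reasons.append("service name absent from known-good baseline")
    if int(row["Start"]) == 2 and not path.startswith(SYSTEM_DIRS):
        reasons.append("Start=2 (Auto) with non-standard ImagePath")
    if any(frag in path for frag in USER_WRITABLE):
        reasons.append("ImagePath in a user-writable location")
    last_write = datetime.strptime(row["LastWrite"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    if window[0] <= last_write <= window[1]:
        reasons.append("key LastWrite inside the compromise window")
    # LocalSystem alone is normal; it only raises priority for services already flagged.
    if reasons and row["ObjectName"] == "LocalSystem":
        reasons.append("runs as LocalSystem")
    return reasons

def triage_services(csv_text, baseline, window):
    """Run triage over RECmd-style CSV rows; flagged services only, most reasons first."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = triage_service(row, baseline, window)
        if reasons:
            hits.append((row["ServiceName"], reasons))
    return sorted(hits, key=lambda h: len(h[1]), reverse=True)

# Constructed sample rows in the shape of a RECmd services export (not data from a real case).
SAMPLE_CSV = r"""ServiceName,ImagePath,Start,ObjectName,LastWrite
Spooler,C:\Windows\System32\spoolsv.exe,2,LocalSystem,2024-03-12 08:01:44
wuauserv,C:\Windows\System32\svchost.exe -k netsvcs -p,3,LocalSystem,2024-03-12 08:01:44
WinUpdateSvc,C:\Users\Public\AppData\Local\Temp\svchost.exe,2,LocalSystem,2024-10-21 02:47:13
HelpSvc,C:\ProgramData\helper\help.exe,3,NT AUTHORITY\LocalService,2024-10-21 02:49:30
"""
BASELINE = {"Spooler", "wuauserv"}  # service names taken from a clean image of the same OS build
WINDOW = (datetime(2024, 10, 21, 2, 0, tzinfo=timezone.utc),
          datetime(2024, 10, 21, 4, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    for name, reasons in triage_services(SAMPLE_CSV, BASELINE, WINDOW):
        print(name, "->", "; ".join(reasons))
```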
Parsing the Registry at Scale with RECmd
RECmd.exe with batch files covers the most forensically significant registry keys across all hives in a single command. The community batch file (available at the EZTools GitHub repository) processes over 200 key patterns covering Run keys, UserAssist, Shimcache, MRU lists, network shares, USB device history, and more. Command:
RECmd.exe -d C:\collected_hives\ --bn C:\EZTools\BatchFiles\RECmd_Batch_MC.reb --csv C:\output\
The registry is a persistence audit log the attacker cannot easily erase without breaking the system. LastWrite timestamps on persistence keys are often the single most precise indicator of the moment an attacker achieved persistence on a host.