Permanent keys (those not created at boot) are identified in the hivelist subkey at:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\hivelist
The one exceptions is HKEY_CURRENT_USER which is located at %SystemRoot%\Profiles\UserName
The value entries identify the registry hives. All are type REG_SZ
|
|
|
|
| \REGISTRY\MACHINE\HARDWARE | None | The HKEY_LOCAL_MACHINE\Hardware key is recreated upon boot. |
| \REGISTRY\MACHINE\SAM | \Device\Harddisk 0\Partition1 \WINNT\System32\Config\SAM |
HKEY_LOCAL_MACHINE\SAM |
| \REGISTRY\MACHINE\SECURITY | \Device\Harddisk 0\Partition1 \WINNT\System32\Config\SECURITY |
HKEY_LOCAL_MACHINE\Security |
| \REGISTRY\MACHINE\SOFTWARE | \Device\Harddisk 0\Partition1 \WINNT\System32\Config\Software |
HKEY_LOCAL_MACHINE\Software |
| \REGISTRY\MACHINE\SYSTEM | \Device\Harddisk 0\Partition1 \WINNT\System32\Config\System |
HKEY_LOCAL_MACHINE\System |
| \REGISTRY\USER\.DEFAULT | \Device\Harddisk 0\Partition1 \WINNT\System32\Config\Default |
HKEY_USERS\.DEFAULT |
| \REGISTRY\USER\Security ID (SID) | \Device\Harddisk 0\Partition1 \WINNT\Profiles\Username\ntuser.dat |
The current user(s) profile. If services are running under user accounts, their entries are also located here. |
0 comments
Hide comments
