SOFTWARE Registry Hive

Tags: Windows, System Configuration, Disk Image

Location

C:\Windows\System32\config\SOFTWARE

Description

Machine-wide SOFTWARE hive recording installed applications, OS version, network profiles, Windows Defender exclusions, and Group Policy settings.

Forensic Value

Installed application entries (the Microsoft\Windows\CurrentVersion\Uninstall subkeys, with their InstallDate values and key last-write times) can reveal when attacker tooling was installed. Windows Defender exclusion paths under Policies\Microsoft\Windows Defender\Exclusions (and the locally configured Microsoft\Windows Defender\Exclusions\Paths key) show folders an adversary excluded from scanning to avoid detection; compare them against the exclusions the organization actually sanctioned. NetworkList\Profiles records every Wi-Fi and LAN network the host connected to, with first and last connection times (the DateCreated and DateLastConnected values, stored as 16-byte SYSTEMTIME structures).
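The two items above that analysts most often script by hand are the NetworkList profile timestamps (binary SYSTEMTIME blobs that RegRipper decodes for you but a custom parser must handle itself) and triage of Defender exclusion paths. The following is an added example, not code from this page or from any of the tools it lists: it decodes SYSTEMTIME values, maps the documented NameType codes (0x06 wired, 0x17 VPN, 0x47 wireless, 0xF3 mobile broadband), and flags exclusions that cover whole drives, whole user profiles, or temp directories. The profile GUIDs, names and exclusion paths are constructed sample data; in practice you would feed it values read from the saved hive with a library such as python-registry or from an RECmd CSV export.

```python
import struct
from datetime import datetime

# NameType codes seen in NetworkList\Profiles\{GUID}.
NAME_TYPES = {0x06: "wired", 0x17: "VPN", 0x47: "wireless", 0xF3: "mobile broadband"}


def decode_systemtime(blob):
    """Decode a 16-byte Windows SYSTEMTIME: eight little-endian uint16 fields
    (year, month, day-of-week, day, hour, minute, second, milliseconds)."""
    if len(blob) != 16:
        raise ValueError(f"SYSTEMTIME must be 16 bytes, got {len(blob)}")
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", blob)
    return datetime(year, month, day, hour, minute, second, ms * 1000)


def encode_systemtime(dt):
    """Inverse of decode_systemtime; used here only to build the constructed sample."""
    return struct.pack("<8H", dt.year, dt.month, dt.isoweekday() % 7, dt.day,
                       dt.hour, dt.minute, dt.second, dt.microsecond // 1000)


def summarize_profiles(profiles):
    """profiles maps GUID -> {value name: raw data}. Returns rows sorted by
    last connection so the most recently used network is listed last."""
    rows = []
    for guid, values in profiles.items():
        code = values.get("NameType")
        rows.append({
            "guid": guid,
            "name": values.get("ProfileName"),
            "type": NAME_TYPES.get(code, f"unknown({code})"),
            "created": decode_systemtime(values["DateCreated"]),
            "last_connected": decode_systemtime(values["DateLastConnected"]),
        })
    return sorted(rows, key=lambda r: r["last_connected"])


# Exclusion value names under ...\Windows Defender\Exclusions\Paths are the
# excluded paths themselves (data is a DWORD 0). Roots that are broad enough
# to deserve an explanation before anything else is reviewed:
BROAD_ROOTS = {"c:\\users", "c:\\programdata", "c:\\windows", "c:\\program files"}


def flag_exclusions(paths):
    """Return the exclusion paths that cover a whole drive, a broad system
    root, an entire user profile, or a temp directory."""
    flagged = []
    for p in paths:
        norm = p.strip().lower().rstrip("\\")
        parts = norm.split("\\")
        whole_drive = len(parts) == 1 and norm.endswith(":")
        whole_user_profile = len(parts) == 3 and parts[:2] == ["c:", "users"]
        temp_dir = "\\temp" in norm or norm.endswith("\\tmp")
        if whole_drive or norm in BROAD_ROOTS or whole_user_profile or temp_dir:
            flagged.append(p)
    return flagged


# Constructed sample data (placeholder GUIDs, not taken from any real host).
SAMPLE_PROFILES = {
    "{00000000-0000-0000-0000-000000000001}": {
        "ProfileName": "CorpWiFi", "NameType": 0x47,
        "DateCreated": encode_systemtime(datetime(2023, 11, 14, 9, 30, 15, 250000)),
        "DateLastConnected": encode_systemtime(datetime(2024, 2, 2, 18, 5, 0)),
    },
    "{00000000-0000-0000-0000-000000000002}": {
        "ProfileName": "Ethernet", "NameType": 0x06,
        "DateCreated": encode_systemtime(datetime(2023, 6, 1, 8, 0, 0)),
        "DateLastConnected": encode_systemtime(datetime(2024, 1, 10, 7, 45, 30)),
    },
}
SAMPLE_EXCLUSIONS = [
    "C:\\Program Files\\LegitApp\\bin",
    "C:\\Users\\Public",
    "C:\\ProgramData",
    "C:\\Users\\alice\\AppData\\Local\\Temp",
    "D:\\",
]

if __name__ == "__main__":
    for row in summarize_profiles(SAMPLE_PROFILES):
        print(f"{row['name']:<10} {row['type']:<9} first={row['created']} last={row['last_connected']}")
    print("Exclusions to explain first:", flag_exclusions(SAMPLE_EXCLUSIONS))
```

The sort on last_connected puts the network that was active most recently at the bottom of the output, which is the one to line up against the incident timeline; the exclusion filter is deliberately coarse, since a one-off exclusion of a vendor's install directory is ordinary while an exclusion of C:\ProgramData or a user's Temp folder is not.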

Tools Required

  • KAPE
  • RegRipper
  • Registry Explorer (Eric Zimmerman)

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target RegistryHives

reg.exe

reg save HKLM\SOFTWARE C:\output\SOFTWARE.hiv

RegRipper

rip.exe -r C:\output\SOFTWARE.hiv -p networklist

RECmd

RECmd.exe -f C:\output\SOFTWARE.hiv --bn BatchExamples\RECmd_Batch_MC.reb --csv C:\output --csvf SOFTWARE_RECmd.csv

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.

MITRE ATT&CK Techniques

  • T1562.001 (Impair Defenses: Disable or Modify Tools)
  • T1112 (Modify Registry)
  • T1082 (System Information Discovery)