SYSTEM Registry Hive

windowsSystem ConfigurationDisk Image

Location

C:\Windows\System32\config\SYSTEM

Description

SYSTEM hive storing hardware configuration, service entries, network interface settings, mounted devices, and the boot key needed to decrypt SAM hashes.

Forensic Value

Services registered under ControlSet\Services expose malicious services used for persistence and privilege escalation. The ComputerName and TimeZoneInformation keys anchor timeline analysis. MountedDevices reveals USB storage that was connected, supporting data exfiltration investigations.

Tools Required

KAPERegRipperRegistry Explorer (Eric Zimmerman)

Related Blockers

No EDR Agent on Compromised Hosts

The affected endpoints do not have an EDR agent installed or the agent was disabled prior to the incident. Without endpoint telemetry you lose process trees, command-line logging, and real-time containment capability.

Critical Logs Rotated/Overwritten Before Collection

Key log files (Security EVTX, web server access logs, syslog) have been rotated out or overwritten due to aggressive retention settings, high volume, or attacker manipulation. The evidence window for those sources is now closed.

No PCAP or NetFlow Data Available

There is no packet capture, NetFlow, or network metadata available for the timeframe of interest. Without network data it is difficult to confirm data exfiltration volumes, C2 channel details, or lateral movement paths.

Compromised Systems Powered Off or Disconnected

Key systems have been powered off by users, IT, or as part of a premature containment action. Volatile data (running processes, network connections, memory-resident malware) is lost. Remote collection tools cannot reach the host.

SIEM Not Ingesting Relevant Log Sources

The SIEM does not ingest logs from the affected systems, applications, or network segments. Correlation, alerting, and historical search capabilities are unavailable for the evidence sources most relevant to this incident.

Systems Encrypted by Ransomware -- Normal Artifact Collection Blocked

Ransomware has encrypted the filesystem on affected hosts. Standard artifact collection tools cannot read files, registry hives, or event logs from the encrypted volume. The operating system may not boot.

Systems Already Rebooted -- Volatile Data Lost

The affected systems have already been rebooted (by users, IT, or automated patch processes) before memory could be captured. Running processes, network connections, injected code, and encryption keys that existed only in RAM are no longer recoverable.