SYSTEM Registry Hive
Location
C:\Windows\System32\config\SYSTEM
Description
SYSTEM hive storing hardware configuration, service entries, network interface settings, mounted devices, and the boot key needed to decrypt SAM hashes.
Forensic Value
Services registered under ControlSet\Services expose malicious services used for persistence and privilege escalation. The ComputerName and TimeZoneInformation keys anchor timeline analysis. MountedDevices reveals USB storage that was connected, supporting data exfiltration investigations.
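The MountedDevices key is only useful once its binary values are decoded, and the layout differs by device type: MBR volumes store a 4-byte disk signature plus an 8-byte partition offset, GPT volumes store an ASCII "DMIO:ID:" tag plus a partition GUID, and USB mass-storage devices store a UTF-16LE USBSTOR device instance path that carries vendor, product, revision and serial. The following decoder is an added example written for this page, not code from the page's author or from any of the tools listed below; all sample values are constructed, and the serial numbers and GUIDs are hypothetical.

```python
import struct
import uuid
from typing import Any, Dict, List

# Constructed sample data (not from a real host): value name -> raw REG_BINARY
# payload as it would be read from HKLM\SYSTEM\MountedDevices in an exported hive.
SAMPLE_MOUNTED_DEVICES: Dict[str, bytes] = {
    # MBR fixed disk: 4-byte disk signature + 8-byte partition byte offset, little-endian
    r"\DosDevices\C:": struct.pack("<IQ", 0xA1B2C3D4, 0x100000),
    # GPT volume: ASCII "DMIO:ID:" followed by the 16-byte partition GUID
    r"\DosDevices\D:": b"DMIO:ID:" + uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le,
    # USB mass-storage device: UTF-16LE device instance path (hypothetical serial)
    r"\DosDevices\E:": (
        "_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26"
        "#4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a0c93ec3b5}"
    ).encode("utf-16-le"),
    # USB device without a hardware serial: Windows-generated instance id ('&' as 2nd char)
    r"\??\Volume{0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0}": (
        "_??_USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07"
        "#7&2ea0e9f5&0&0#{53f56307-b6bf-11d0-94f2-00a0c93ec3b5}"
    ).encode("utf-16-le"),
}


def decode_mounted_device(data: bytes) -> Dict[str, Any]:
    """Classify one MountedDevices value payload by its layout."""
    if len(data) == 12:
        signature, offset = struct.unpack("<IQ", data)
        return {"kind": "mbr", "disk_signature": f"{signature:08X}",
                "partition_offset": offset}
    if len(data) == 24 and data.startswith(b"DMIO:ID:"):
        return {"kind": "gpt", "partition_guid": str(uuid.UUID(bytes_le=data[8:24]))}
    try:
        text = data.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        # Odd length or invalid surrogates: not a device path, keep the raw bytes
        return {"kind": "unknown", "raw": data.hex()}
    if "USBSTOR#" in text.upper():
        return parse_usbstor_path(text)
    return {"kind": "device_path", "path": text}


def parse_usbstor_path(text: str) -> Dict[str, Any]:
    """Split a USBSTOR device instance path into vendor/product/revision/serial."""
    parts = text.split("#")
    # parts: [prefix+'USBSTOR', 'Disk&Ven_x&Prod_y&Rev_z', '<instance>&<lun>', '{class guid}']
    fields: Dict[str, str] = {}
    for token in parts[1].split("&"):
        if "_" in token:
            key, value = token.split("_", 1)
            fields[key] = value
    instance = parts[2] if len(parts) > 2 else ""
    serial = instance.rsplit("&", 1)[0]  # drop the trailing "&<LUN>" suffix
    return {
        "kind": "usb",
        "vendor": fields.get("Ven", ""),
        "product": fields.get("Prod", ""),
        "revision": fields.get("Rev", ""),
        "serial": serial,
        # Windows synthesises the id when the device reports no serial; such ids
        # carry '&' as their second character and cannot identify a unique device
        "serial_is_generated": len(serial) > 1 and serial[1] == "&",
        "interface_class": parts[3] if len(parts) > 3 else "",
    }


def usb_devices(mounted: Dict[str, bytes]) -> List[Dict[str, Any]]:
    """Return every decoded USB entry together with the name it was mounted under."""
    result: List[Dict[str, Any]] = []
    for name, data in mounted.items():
        info = decode_mounted_device(data)
        if info["kind"] == "usb":
            info["mount_name"] = name
            result.append(info)
    return result


if __name__ == "__main__":
    for dev in usb_devices(SAMPLE_MOUNTED_DEVICES):
        print(f"{dev['mount_name']}: {dev['vendor']} {dev['product']} "
              f"serial={dev['serial']} generated={dev['serial_is_generated']}")
```

Feeding the decoder real data means exporting the value payloads from a saved SYSTEM hive with a hive parser of your choice; the generated-serial flag matters because a device without a hardware serial cannot be matched across hosts, so a "match" on such an id is weak evidence. MountedDevices also lists drive letters that were assigned in the past, so a USB entry proves the device was connected at some point, not that it was present at the time of the incident; pair it with the USBSTOR and SetupAPI timestamps before drawing conclusions.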
Tools Required
Collection Commands
KAPE
kape.exe --tsource C: --tdest C:\output --target RegistryHives
reg.exe
reg save HKLM\SYSTEM C:\output\SYSTEM.hiv
RegRipper
rip.exe -r C:\output\SYSTEM.hiv -p services
Registry Explorer
Open SYSTEM.hiv in Registry Explorer and navigate to ControlSet001\Services
Collection Constraints
- Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
MITRE ATT&CK Techniques
Used in Procedures
Related Blockers
No EDR Agent on Compromised Hosts
The affected endpoints do not have an EDR agent installed or the agent was disabled prior to the incident. Without endpoint telemetry you lose process trees, command-line logging, and real-time containment capability.
Critical Logs Rotated/Overwritten Before Collection
Key log files (Security EVTX, web server access logs, syslog) have been rotated out or overwritten due to aggressive retention settings, high volume, or attacker manipulation. The evidence window for those sources is now closed.
No PCAP or NetFlow Data Available
There is no packet capture, NetFlow, or network metadata available for the timeframe of interest. Without network data it is difficult to confirm data exfiltration volumes, C2 channel details, or lateral movement paths.
Compromised Systems Powered Off or Disconnected
Key systems have been powered off by users, IT, or as part of a premature containment action. Volatile data (running processes, network connections, memory-resident malware) is lost. Remote collection tools cannot reach the host.
SIEM Not Ingesting Relevant Log Sources
The SIEM does not ingest logs from the affected systems, applications, or network segments. Correlation, alerting, and historical search capabilities are unavailable for the evidence sources most relevant to this incident.
Systems Encrypted by Ransomware -- Normal Artifact Collection Blocked
Ransomware has encrypted the filesystem on affected hosts. Standard artifact collection tools cannot read files, registry hives, or event logs from the encrypted volume. The operating system may not boot.
Systems Already Rebooted -- Volatile Data Lost
The affected systems have already been rebooted (by users, IT, or automated patch processes) before memory could be captured. Running processes, network connections, injected code, and encryption keys that existed only in RAM are no longer recoverable.