What are hives?

Hives are the major subdivisions of all of these subtrees, keys, subkeys, and values that make up the Registry. They contain “related” data.



All hives are stored in %systemroot%\SYSTEM32\CONFIG. The major hives and their files are as follows:

Hive

File

Backup File

HKEY_LOCAL_MACHINE\SOFTWARE

SOFTWARE

SOFTWARE.LOG

HKEY_LOCAL_MACHINE\SECURITY

SECURITY

SECURITY.LOG

HKEY_LOCAL_MACHINE\SYSTEM

SYSTEM

SYSTEM.LOG

HKEY_LOCAL_MACHINE\SAM

SAM

SAM.LOG

HKEY_CURRENT_USER

USERxxx

ADMINxxx

USERxxx.LOG

ADMINxxx.LOG

HKEY_USERS\.DEFAULT

DEFAULT

DEFAULT.LOG

Hackers should look for the SAM file, with the SAM.LOG file as a secondary target. This contains the password info.

Hive

File

Backup File

HKEY_LOCAL_MACHINE\SOFTWARE

SOFTWARE

SOFTWARE.LOG

HKEY_LOCAL_MACHINE\SECURITY

SECURITY

SECURITY.LOG

HKEY_LOCAL_MACHINE\SYSTEM

SYSTEM

SYSTEM.LOG

HKEY_LOCAL_MACHINE\SAM

SAM

SAM.LOG

HKEY_CURRENT_USER

USERxxx

ADMINxxx

USERxxx.LOG

ADMINxxx.LOG

HKEY_USERS\.DEFAULT

DEFAULT

DEFAULT.LOG

Hackers should look for the SAM file, with the SAM.LOG file as a secondary target. This contains the password info.

For ease of use, the Registry is divided into five separate structures that represent the Registry database in its entirety. These five groups are known as Keys, and are discussed below:

HKEY_CURRENT_USER

This registry key contains the configuration information for the user that is currently logged in. The users folders, screen colors, and control panel settings are stored here. This information is known as a User Profile.

HKEY_USERS

In windowsNT 3.5x, user profiles were stored locally (by default) in the systemroot\system32\config directory. In NT4.0, they are stored in the systemroot\profiles directory. User-Specific information is kept there, as well as common, system wide user information.

This change in storage location has been brought about to parallel the way in which Windows95 handles its user profiles. In earlier releases of NT, the user profile was stored as a single file – either locally in the \config directory or centrally on a server. In windowsNT 4, the single user profile has been broken up into a number of subdirectories located below the \profiles directory. The reason for this is mainly due to the way in which the Win95 and WinNT4 operating systems use the underlying directory structure to form part of their new user interface.

HKEY_LOCAL_MACHINE

This key contains configuration information particular to the computer. This information is stored in the systemroot\system32\config directory as persistent operating system files, with the exception of the volatile hardware key.

The information gleaned from this configuration data is used by applications, device drivers, and the WindowsNT 4 operating system. The latter usage determines what system configuration data to use, without respect to the user currently logged on. For this reason the HKEY_LOCAL_MACHINE regsitry key is of specific importance to administrators who want to support and troubleshoot NT 4.

HKEY_LOCAL_MACHINE is probably the most important key in the registry and it contains five subkeys:

  • Hardware: Database that describes the physical hardware in the computer, the way device drivers use that hardware, and mappings and related data that link kernel-mode drivers with various user-mode code. All data in this sub-tree is re-created everytime the system is started.
  • SAM: The security accounts manager. Security information for user and group accounts and for the domains in NT 4 server.
  • Security: Database that contains the local security policy, such as specific user rights. This key is used only by the NT 4 security subsystem.
  • Software: Pre-computer software database. This key contains data about software installed on the local computer, as well as configuration information.
  • System: Database that controls system start-up, device driver loading, NT 4 services and OS behavior.

Information about the HKEY_LOCAL_MACHINE\SAM Key

This subtree contains the user and group accounts in the SAM database for the local computer. For a computer that is running NT 4, this subtree also contains security information for the domain. The information contained within the SAM registry key is what appears in the user interface of the User Manager utility, as well as in the lists of users and groups that appear when you make use of the Security menu commands in NT4 explorer.

Information about the HKEY_LOCAL_MACHINE\Security key

This subtree contains security information for the local computer. This includes aspects such as assigning user rights, establishing password policies, and the membership of local groups, which are configurable in User Manager.

HKEY_CLASSES_ROOT

The information stored here is used to open the correct application when a file is opened by using Explorer and for Object Linking and Embedding. It is actually a window that reflects information from the HKEY_LOCAL_MACHINE\Software subkey.

HKEY_CURRENT_CONFIG

The information contained in this key is to configure settings such as the software and device drivers to load or the display resolution to use. This key has a software and system subkeys, which keep track of configuration information.

Understanding Hives

The registry is divided into parts called hives. These hives are mapped to a single file and a .LOG file. These files are in the systemroot\system32\config directory.

Registry Hive

File Name

HKEY_LOCAL_MACHINE\SAM

SAM and SAM.LOG

HKEY_LOCAL_MACHINE\SECURITY

Security and Security.LOG

HKEY_LOCAL_MACHINE\SOFTWARE

Software and Software.LOG

HKEY_LOCAL_MACHINE\SYSTEM

System and System.ALT

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s