The Windows operating system caches writes to the registry in two places. The first is in memory. The second is on disk, in the hive's transaction log files.
The transaction logs are named after the hive and sit in the same folder as the hive file: for NTUSER.DAT they are ntuser.dat.LOG1 and ntuser.dat.LOG2. Starting with Windows 8.1, Microsoft changed the way Windows permanently writes to the hive files: the transaction log files are used to cache writes to the registry before they are committed to the hive.
This is a significant change for forensics. On Windows 8.1 and later, the most recent activity, up to roughly the last hour, may exist only inside the transaction log files and will be missing from the registry hive file unless the transaction logs are parsed and replayed when you open the hive.
On Windows 8.1 and later, new data is appended to the transaction log files and is not written to the primary hive file immediately. The hive file is updated only when the system is idle, at shutdown, or once an hour has passed since the last write to the primary hive file. This results in far fewer disk writes over time and reportedly improves operating system performance by removing the continual writes to the registry hives.
It means that the most recent changes to the registry are likely in the transaction log files rather than in the hive files you are examining. Many registry forensic tools do not perform this check or alert you to the issue, which matters most when you are trying to track recent user or process activity on a Windows system. The tell is in the hive's base block: the first 512 bytes hold a primary and a secondary sequence number, and when the two differ the hive was not fully flushed, so the log files hold data that the hive file does not.
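The following script is added here as an example; it is not part of the original post or of any tool it mentions. It reads the base block of a hive and of its .LOG1/.LOG2 files, flags a dirty hive from the sequence-number mismatch, verifies the base block checksum, and enumerates the Windows 8.1+ log entries (signature HvLE) with their sequence numbers and dirty-page references. The field offsets are the documented REGF layout; the sample hive and log bytes are constructed inline by the helpers build_base_block and build_log, which exist only for this example (the hive path inside them is made up). It does not verify the log entries' hashes or decide which entries apply to the hive; a full parser that replays logs, such as Registry Explorer/RECmd, yarp or regipy, does that.

```python
"""Inspect a REGF base block and the HvLE entries of its transaction logs (added example)."""
import struct
import sys
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 512
SECTOR = 512
# Base block fields from offset 4: primary seq, secondary seq, last written (FILETIME),
# major, minor, file type (0 primary / 1 log), file format, root cell offset,
# hive bins data size, clustering factor. The XOR-32 checksum lives at offset 508.
BASE_FIELDS = struct.Struct("<IIQIIIIIII")
# Windows 8.1+ log entry header: "HvLE", size, flags, sequence number,
# hive bins data size, dirty page count, hash-1, hash-2; (offset, size) page refs follow.
LOG_ENTRY = struct.Struct("<4sIIIIIQQ")


def regf_checksum(block: bytes) -> int:
    """XOR-32 over the first 508 bytes; 0xFFFFFFFF is stored as 0xFFFFFFFE and 0 as 1."""
    xor = 0
    for (word,) in struct.iter_unpack("<I", block[:508]):
        xor ^= word
    if xor == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return xor or 1


def filetime_to_datetime(ft: int) -> datetime:
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_base_block(data: bytes) -> dict:
    """Read the base block of a primary hive or of a .LOG1/.LOG2 file."""
    if len(data) < BASE_BLOCK_SIZE or data[:4] != b"regf":
        raise ValueError("not a REGF base block")
    (primary, secondary, last_written, major, minor, file_type,
     _fmt, _root, hbins_size, _cluster) = BASE_FIELDS.unpack_from(data, 4)
    name = data[48:112].decode("utf-16-le").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", data, 508)[0]
    return {
        "file_name": name,
        "file_type": "transaction log" if file_type == 1 else "primary",
        "version": f"{major}.{minor}",
        "primary_seq": primary,
        "secondary_seq": secondary,
        # A write bumps the primary number first and the secondary number when it
        # completes; a mismatch means this file was left with an unfinished write.
        "dirty": primary != secondary,
        "last_written": filetime_to_datetime(last_written),
        "hbins_size": hbins_size,
        "checksum_ok": stored == regf_checksum(data),
    }


def parse_log_entries(log: bytes) -> list:
    """Walk the HvLE entries after a log file's base block (entry hashes are not verified)."""
    entries, pos = [], BASE_BLOCK_SIZE
    while pos + LOG_ENTRY.size <= len(log):
        sig, size, _flags, seq, hbins_size, page_count, _h1, _h2 = LOG_ENTRY.unpack_from(log, pos)
        if sig != b"HvLE" or size < LOG_ENTRY.size + 8 * page_count or pos + size > len(log):
            break
        refs_start = pos + LOG_ENTRY.size
        refs = list(struct.iter_unpack("<II", log[refs_start:refs_start + 8 * page_count]))
        entries.append({"offset": pos, "seq": seq, "size": size, "hbins_size": hbins_size, "pages": refs})
        pos += size
    return entries


def build_base_block(primary: int, secondary: int, file_type: int = 0,
                     name: str = r"\??\C:\Users\demo\ntuser.dat", last_written: int = 0) -> bytes:
    """Constructed sample base block for the demo (not taken from a real hive)."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[0:4] = b"regf"
    BASE_FIELDS.pack_into(block, 4, primary, secondary, last_written, 1, 5, file_type, 1, 0x20, 0x1000, 1)
    block[48:112] = name.encode("utf-16-le")[:64].ljust(64, b"\x00")
    struct.pack_into("<I", block, 508, regf_checksum(bytes(block)))
    return bytes(block)


def build_log(primary: int, secondary: int, seqs, page: bytes = b"\xcc" * 4096) -> bytes:
    """Constructed sample .LOG1/.LOG2 file: one dirty page per entry, entries padded to sectors."""
    log = bytearray(build_base_block(primary, secondary, file_type=1))
    for seq in seqs:
        body = struct.pack("<II", 0, len(page)) + page  # page ref: hive-bins offset 0, then the page
        size = LOG_ENTRY.size + len(body)
        size += (-size) % SECTOR
        header = LOG_ENTRY.pack(b"HvLE", size, 0, seq, 0x1000, 1, 0, 0)
        log += (header + body).ljust(size, b"\x00")
    return bytes(log)


if __name__ == "__main__":
    files = [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    if not files:  # offline demo: a hive with an unfinished write and a log holding two entries
        files = [("demo NTUSER.DAT", build_base_block(7, 6)), ("demo ntuser.dat.LOG1", build_log(6, 6, [7, 8]))]
    for path, data in files:
        info = parse_base_block(data)
        print(f"{path}: {info['file_type']} seq={info['primary_seq']}/{info['secondary_seq']} "
              f"dirty={info['dirty']} checksum_ok={info['checksum_ok']} last_written={info['last_written']}")
        if info["file_type"] == "transaction log":
            for e in parse_log_entries(data):
                print(f"  HvLE seq={e['seq']} at +{e['offset']} size={e['size']} pages={e['pages']}")
```

Run it without arguments for the offline demo, or pass NTUSER.DAT followed by its .LOG1 and .LOG2 to inspect real files. A primary file reported as dirty next to log files that still contain entries is exactly the situation the post describes: the newest activity is on disk, but not in the file most tools parse by default.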
Akash Patel