
Windows Registry: A Forensic Goldmine for Installed Applications

The Windows Registry is like the DNA of an operating system: it tracks system configurations, user settings, and, most importantly, installed applications. For forensic investigators, this makes the Registry a valuable source of evidence, helping to identify what software has been installed, when it was installed, and whether software that has since been uninstalled left traces behind.


Where to Find Installed Applications in the Registry

Windows stores information about installed applications in multiple locations within the Registry. The primary locations include:


1. Uninstall Keys (Most Common Locations)

These keys list installed applications and provide details such as:

  • Application Name

  • Version Number

  • Software Publisher

  • File Size

  • Installation Date

  • Location on Disk



Registry Paths for Installed Applications

  • For all users:

1. SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
2. SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall (for 32-bit apps on a 64-bit OS)

  • For specific users:

1. NTUSER\Software\Microsoft\Windows\CurrentVersion\Uninstall
2. NTUSER\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall

Many applications today are still 32-bit, even on 64-bit systems, so checking the WOW6432Node key is essential for a complete audit.

--------------------------------------------------------------------------------------------------------

Alternative Registry Locations for Installed Applications

Beyond the uninstall keys, additional locations provide useful data:


  1. Microsoft Installer (MSI) Applications

SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\<SID>\Products\<Product ID>\InstallProperties

This key tracks software installed using MSI packages. If an application’s UninstallString contains "msiexec.exe", the MSI Product Code (GUID) can be searched in the Registry to find more related details.


  2. Universal Windows Platform (UWP) Apps (Microsoft Store Apps)

SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore

This tracks Windows Store apps and built-in system applications.


  3. Other Application Tracking Keys


    • Application Paths (Shortcut Information)


      SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

      NTUSER\Software\Microsoft\Windows\CurrentVersion\App Paths


    • File Extension Tracking (Recently Used Apps)


      NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts


    • Application-Specific Data Storage (IntelliType Keyboard Software, etc.)


      NTUSER\Software\Microsoft\IntelliType Pro\AppSpecific


These locations contain file paths, execution history, and recently used file extensions, which can be useful when investigating software usage and digital artifacts.


--------------------------------------------------------------------------------------------------------


Tracking Software Installation Dates and Updates

Most installed applications have an InstallDate value, which records the last time the software was installed, updated, or repaired. However, not all applications store this value, and updates (such as Windows patches) can alter the timestamps of several applications at once.


If the InstallDate field is missing, the Registry last write time can sometimes be used as an estimate.

However, this method isn’t always reliable because system-wide updates can reset multiple timestamps at once.
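As an added example (not code from the original post), the following Python script walks the four uninstall locations listed earlier on a live Windows host with the standard-library winreg module, collecting the values named above and the key's last write time as the fallback estimate when InstallDate is absent. It assumes a 64-bit Python process (a 32-bit one is redirected to WOW6432Node) on the machine being triaged; offline SOFTWARE and NTUSER.DAT hives need a hive parser instead.

```python
from datetime import datetime, timedelta, timezone
try:
    import winreg  # Windows-only; filetime_to_datetime and parse_install_date run anywhere
except ImportError:
    winreg = None

# The four uninstall locations listed above, as (winreg hive constant name, subkey).
UNINSTALL_PATHS = [
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Uninstall"),
    ("HKEY_CURRENT_USER", r"Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"),
]
VALUES = ("DisplayName", "DisplayVersion", "Publisher", "InstallDate",
          "InstallLocation", "EstimatedSize", "UninstallString")

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC, as winreg.QueryInfoKey reports) to datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_install_date(raw):
    """InstallDate is normally a YYYYMMDD string; None when missing or not in that format."""
    try:
        return datetime.strptime(raw, "%Y%m%d").date()
    except (TypeError, ValueError):
        return None

def enumerate_uninstall_keys():
    """Yield one record per subkey of every uninstall location on a live Windows host.
    key_last_write is the fallback when install_date is None (see the caveat above)."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    for hive_name, path in UNINSTALL_PATHS:
        try:
            root = winreg.OpenKey(getattr(winreg, hive_name), path)
        except OSError:
            continue  # location absent, e.g. no WOW6432Node on a 32-bit OS
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                name = winreg.EnumKey(root, i)
                with winreg.OpenKey(root, name) as sub:
                    rec = {"key": f"{hive_name}\\{path}\\{name}"}
                    for v in VALUES:
                        try:
                            rec[v] = winreg.QueryValueEx(sub, v)[0]
                        except OSError:
                            rec[v] = None  # value not present for this entry
                    rec["install_date"] = parse_install_date(rec["InstallDate"])
                    rec["key_last_write"] = filetime_to_datetime(winreg.QueryInfoKey(sub)[2])
                    yield rec
```

Entries whose key_last_write clusters on a single date across many products are a sign of the system-update effect described above rather than of a mass installation.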


--------------------------------------------------------------------------------------------------------

Finding Uninstalled Software Evidence

Even when an application is removed, traces often remain in the Registry. These can include:


  • Leftover registry keys under the uninstall locations

  • Recently used file extensions still linked to the software

  • Application-specific MRU (Most Recently Used) lists stored elsewhere in the Registry


A simple keyword search across registry keys, values, and data can reveal hidden traces of software that no longer appears in the uninstall lists.
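One way to run that keyword search, as an added example that is not part of the original post: snapshot a key into a nested dict and search key names, value names and value data case-insensitively. The sample FileExts data and the "AcmeEditor" application are constructed; on a live Windows host snapshot() reads the real key with winreg.

```python
try:
    import winreg  # Windows-only; search_snapshot() itself runs anywhere
except ImportError:
    winreg = None

def _as_text(data):
    """Value data as searchable text: REG_MULTI_SZ joined, REG_BINARY decoded as UTF-16LE."""
    if isinstance(data, (list, tuple)):
        return "\n".join(str(x) for x in data)
    if isinstance(data, bytes):
        return data.decode("utf-16le", errors="ignore")
    return str(data)

def search_snapshot(node, keyword, path=""):
    """Return (key path, where, value name, data) for every key name, value name or
    value data containing keyword. node = {"values": {name: data}, "subkeys": {name: node}}."""
    kw, hits = keyword.lower(), []
    for name, data in node.get("values", {}).items():
        where = ("value-name" if kw in name.lower()
                 else "value-data" if kw in _as_text(data).lower() else None)
        if where:
            hits.append((path, where, name, data))
    for name, child in node.get("subkeys", {}).items():
        child_path = f"{path}\\{name}" if path else name
        if kw in name.lower():
            hits.append((child_path, "key-name", name, None))
        hits.extend(search_snapshot(child, keyword, child_path))
    return hits

def snapshot(root, path, max_depth=8):
    """Copy a live key (root is e.g. winreg.HKEY_CURRENT_USER) into snapshot form."""
    node = {"values": {}, "subkeys": {}}
    try:
        key = winreg.OpenKey(root, path)
    except OSError:
        return node  # key missing or access denied: leave an empty node
    with key:
        n_sub, n_val, _ = winreg.QueryInfoKey(key)
        for i in range(n_val):
            name, data, _ = winreg.EnumValue(key, i)
            node["values"][name] = data
        for i in range(n_sub if max_depth else 0):
            sub = winreg.EnumKey(key, i)
            node["subkeys"][sub] = snapshot(root, f"{path}\\{sub}", max_depth - 1)
    return node

# Constructed sample of NTUSER\...\Explorer\FileExts after the hypothetical AcmeEditor was removed
SAMPLE_FILEEXTS = {"subkeys": {
    ".acme": {"subkeys": {
        "OpenWithList": {"values": {"a": "AcmeEditor.exe", "MRUList": "a"}},
        "UserChoice": {"values": {"ProgId": "Applications\\AcmeEditor.exe"}}}},
    ".txt": {"subkeys": {"OpenWithList": {"values": {"a": "notepad.exe", "MRUList": "a"}}}}}}
```

On a live host, `search_snapshot(snapshot(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts"), "acmeeditor")` performs the same search against the real FileExts key.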


--------------------------------------------------------------------------------------------------------


Forensic Analysis of Installed Software: The Best Approach

To get a complete picture of installed applications, follow these steps:


  1. Check all known uninstall registry keys for software records.

  2. Look at the MSI Installer keys for software installed via Microsoft’s installer service.

  3. Audit UWP (Microsoft Store) applications in the Appx registry location.

  4. Search for file extension associations and application paths to find recent usage.

  5. Check Registry last write timestamps, but be aware of system updates affecting accuracy.

  6. Use a forensic tool like Registry Explorer to automatically aggregate relevant data into a table for easier analysis.

--------------------------------------------------------------------------------------------------------


Final Thoughts

By analyzing multiple registry locations, investigators can track not just what software is installed, but also when and how it was installed, updated, or even removed. However, timestamps can sometimes be unreliable due to system updates, so layering evidence from multiple sources is key to forming accurate conclusions.


By mastering Registry analysis, forensic investigators can uncover hidden applications, track software usage, and even identify traces of deleted programs, making it a crucial skill in digital forensics!

Dean
