</table>

<p>Hackers should look for the SAM file, with the SAM.LOG file as a secondary target.

This contains the password info.</p>

<p>For ease of use, the Registry is divided into five separate structures that represent

the Registry database in its entirety. These five groups are known as Keys, and are discussed below:</p>

<h4>HKEY_CURRENT_USER</h4>

<blockquote>

<p>This registry key contains the configuration information for the user that is currently logged in.

The users folders, screen colors, and control panel settings are stored here. This information is

known as a User Profile.</p>

</blockquote>

<h4>HKEY_USERS</h4>

<blockquote>

<p>In windowsNT 3.5x, user profiles were stored locally (by default) in the systemroot\system32\config

directory. In NT4.0, they are stored in the systemroot\profiles directory. User-Specific information

is kept there, as well as common, system wide user information.</p>

</blockquote>

<p>This change in storage location has been brought about to parallel the way in which Windows95 handles

its user profiles. In earlier releases of NT, the user profile was stored as a single file - either

locally in the \config directory or centrally on a server. In windowsNT 4, the single user

profile has been broken up into a number of subdirectories located below the \profiles directory.

The reason for this is mainly due to the way in which the Win95 and WinNT4 operating systems use

the underlying directory structure to form part of their new user interface.</p>

<p>A user profile is now contained within the NtUser.dat (and NtUser.dat.log) files, as well as the

following subdirectories:</p>

<ul>

  <li><b>Application Data:</b> This is a place to store application data specific to this particular user.</li>

  <li><b>Desktop:</b> Placing an icon or a shortcut into this folder causes the that icon or shortcut to appear

  on the desktop of the user.</li>

  <li><b>Favorites:</b> Provides a user with a personalized storage place for files, shortcuts and other information.</li>

  <li><b>NetHood:</b> Maintains a list of personlized network connections.</li>

  <li><b>Personal:</b> Keeps track of personal documents for a particular user.</li>

  <li><b>PrintHood:</b> Similar to NetHood folder, PrintHood keeps track of printers rather than network connections.</li>

  <li><b>Recent:</b> Contains information of recently used data.</li>

  <li><b>SendTo:</b> Provides a centralized store of shortcuts and output devices.</li>

  <li><b>Start Menu:</b> Contains configuration information for the users menu items.</li>

  <li><b>Templates:</b> Storage location for document templates.</li>

</ul>

<h4>HKEY_LOCAL_MACHINE</h4>

<blockquote>

<p>This key contains configuration information particular to the computer. This information is stored in the

systemroot\system32\config directory as persistent operating system files, with the exception of the

volatile hardware key.</p>

</blockquote>

<p>The information gleaned from this configuration data is used by applications, device drivers,

and the WindowsNT 4 operating system. The latter usage determines what system configuration data to

use, without respect to the user currently logged on. For this reason the HKEY_LOCAL_MACHINE regsitry

key is of specific importance to administrators who want to support and troubleshoot NT 4.</p>

<p><b>HKEY_LOCAL_MACHINE</b> is probably the most important key in the registry and it contains five subkeys:</p>

<ul>

  <li><b>Hardware:</b> Database that describes the physical hardware in the computer, the way device drivers use that

  hardware, and mappings and related data that link kernel-mode drivers with various user-mode code. All data

  in this sub-tree is re-created everytime the system is started.</li>

  <li><b>SAM:</b> The security accounts manager. Security information for user and group accounts and for

  the domains in NT 4 server.</li>

  <li><b>Security:</b> Database that contains the local security policy, such as specific user rights.

  This key is used only by the NT 4 security subsystem.</li>

  <li><b>Software:</b> Pre-computer software database. This key contains data about software installed on the local

  computer, as well as configuration information.</li>

  <li><b>System:</b> Database that controls system start-up, device driver loading, NT 4 services and OS behavior.</li>

</ul>

<h4>Information about the HKEY_LOCAL_MACHINE\SAM Key</h4>

<blockquote>

<p>This subtree contains the user and group accounts in the SAM database for the local computer. For a

computer that is running NT 4, this subtree also contains security information for the domain. The information

contained within the SAM registry key is what appears in the user interface of the User Manager utility, as well

as in the lists of users and groups that appear when you make use of the Security menu commands in NT4 explorer.</p>

</blockquote>

<h4>Information about the HKEY_LOCAL_MACHINE\Security key</h4>

<blockquote>

<p>This subtree contains security information for the local computer. This includes aspects such as assigning

user rights, establishing password policies, and the membership of local groups, which are configurable

in User Manager.</h4>

</blockquote>

<h4>HKEY_CLASSES_ROOT</h4>

<blockquote>

<p>The information stored here is used to open the correct application when a file is opened by using

Explorer and for Object Linking and Embedding. It is actually a window that reflects information from

the HKEY_LOCAL_MACHINE\Software subkey.</p>

</blockquote>

<h4>HKEY_CURRENT_CONFIG</h4>

<blockquote>

<p>The information contained in this key is to configure settings such as the software and device drivers to

load or the display resolution to use. This key has a software and system subkeys, which keep track of

configuration information.</p>

</blockquote>

<h3>Understanding Hives</h3>

<p>The registry is divided into parts called hives. These hives are mapped to a single file and a

.LOG file. These files are in the systemroot\system32\config directory.</p>

<table>

<tr>

  <th>Registry Hive</th>

  <th>File Name</th>

</tr>

<tr>

  <td>HKEY_LOCAL_MACHINE\SAM</td>

  <td>SAM and SAM.LOG</td>

</tr>

<tr>

  <td>HKEY_LOCAL_MACHINE\SECURITY</td>

  <td>Security and Security.LOG</td>

</tr>

<tr>

  <td>HKEY_LOCAL_MACHINE\SOFTWARE</td>

  <td>Software and Software.LOG</td>

</tr>

<tr>

  <td>HKEY_LOCAL_MACHINE\SYSTEM</td>

  <td>System and System.ALT</td>

</tr>

</table>

<h3>QuickNotes</h3>

<p>Ownership = The ownership menu item presents a dialog box that identifies the user who owns the

selected registry key. The owner of a key can permit another user to take ownership of a key. In addition,

a system administrator can assign a user the right to take ownership, or outright take ownership himself.</p>

<p>REGINI.EXE = This utility is a character based console application that you can use to add keys to the

NT registry by specifying a Registry script.</p>

<hr align="center" width="75%">

<p>The Following table lists the major Registry hives and some subkeys and the DEFAULT access permissions assigned:</p>

<table>

<tr>

  <td colspan="2">\\ denotes a major hive<br>\denotes a subkey of the prior major hive</td>

</tr>

<tr>

  <td valign="top">\\HKEY_LOCAL_MACHINE</td>

  <td>Admin-Full Control<br>Everyone-Read Access<br>System-Full Control</td>

</tr>

<tr>

  <td valign="top">\HARDWARE</td>

  <td>Admin-Full Control<br>Everyone-Read Access<br>System-Full Control</td>

</tr>

<tr>

  <td valign="top">\SAM</td>

  <td>Admin-Full Control<br>Everyone-Read Access<br>System-Full Control</td>

</tr>

<tr>

  <td valign="top">\SECURITY</td>

  <td>Admin-Special (Write DAC, Read Control)<br>System-Full Control</td>

</tr>

<tr>

  <td valign="top">\SOFTWARE</td>

  <td>Admin-Full Control<br>Creator Owner-Full Control<br>Everyone-Special (Query, Set,

   Create, Enumerate, Notify, Delete, Read)<br>System-Full Control</td>

</tr>

<tr>

  <td valign="top">\SYSTEM</td>

  <td>Admin-Special (Query, Set, Create, Enumerate, Notify, Delete, Read)<br>Everyone-Read Access<br>

  System-Full Control</td>

</tr>

<tr>

  <td valign="top">\\HKEY_CURRENT_USER</td>

  <td>Admin-Full Control<br>Current User-Full Control<br>System-Full Control</td>

</tr>

<tr>

  <td valign="top">\\HKEY_USERS</td>

  <td>Admin-Full Control<br>Current User-Full Control<br>System-Full Control</td>

</tr>

<tr>

  <td valign="top">\\HKET_CLASSES_ROOT</td>

  <td>Admin-Full Control<br>Creator Owner-Full Control<br>Everyone-Special (Query, Set, Create,

  Enumerate, Notify, Delete, Read)<br>System-Full Control</td>

</tr>

<tr>

  <td valign="top">\\HKEY_CURRENT CONFIG</td>

  <td>Admin-Full Control<br>Creator Owner-Full Control<br>Everyone-Read Access<br>System-Full Control</td>

</tr>

</table>

<hr width="75%" align="center">

<p>That's it for the Registry Tutorial. Questions or Comments should be forwarded to

<a href="mailto:nijjerm@cadvision.com">nijjerm@cadvision.com</a></p>

<p>&nbsp;</p>

<p>Jatt</p>

<p>&nbsp;</p>

<p>Checkout these sites for more info:</p>

<p>NT registry Hacks: <a href="http://www.jsiinc.com/default.htm?/reghack.htm" target="_blank">http://www.jsiinc.com/default.htm?/reghack.htm</a><br>

Unofficial NT Hack: <a href="http://www.nmrc.org/faqs/nt/index.html" target="_blank">http://www.nmrc.org/faqs/nt/index.html</a><br>

Rhino9: The Windows NT Security Research Team: <a href="http://www.xtreme.abyss.com/techvoodoo/rhino9" target="_blank">http://www.xtreme.abyss.com/techvoodoo/rhino9</a><br>

Regedit.com - cool registry tricks: <a href="http://www.regedit.com" target="_blank">http://www.regedit.com</a></p>



<p>Also please checkout: <a href="www.windows2000test.com" target="_blank">www.windows2000test.com</a> and give it  your best shot because Microsoft

wants you to test their operating system's security flaws for them.  They are challenging all

hackers to hack that site.</p>



</body>

</html>