Computer Name must be found in SYSTEM\CurrentControlSet\Control\ComputerName
User account information can be found in SAM\Domains\Account\Users
RID (Relative Identifier) is the last part of SID (Security Identifier). Plese see example below:
-
S-1-5-21-1234567890-1234567890-1234567890-500 → This is SID
-
500 → This is RID (in decimal)
-
500 decimal in hexadecimal is 1F4
-
0x is a hex prefix. It’s saying that this is a hexadecimal.
-
0x1F4 is equal to 000001F4. 000001F4 is just padded for registry key names.
-
TIPS: By default
In this path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles, you can see a list of profiles for each network the computer has connected to.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures, contains network signatures (e.g., DHCP configuration), which help identify networks the system has connected to in the past.
Under this path, SYSTEM\CurrentControlSet\Services\LanmanServer\Shares, we can find the shared folder.
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards. → Network card used by the user
SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces → DHCP Information
Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs → Recently opened files
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU → List of all the command type in windows run (win+R)
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery → Recent Search Terms type in file explorer
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist → Tracks program execution
