The SOFTWARE hive is the largest of the system registry hives and the single most information-dense artifact on a Windows system. It records every program ever installed, the exact OS build, every network the machine has connected to, timezone configuration, and the AppID mappings that make SRUM analysis possible.
What Is the SOFTWARE Hive?
The SOFTWARE registry hive is a system-level configuration database loaded into HKLM\SOFTWARE at boot time. It stores machine-wide application settings, operating system configuration, installed program records, network profile history, and COM class registrations. Unlike per-user hives (NTUSER.DAT, UsrClass.dat), the SOFTWARE hive captures system-level state that applies to all users and services on the machine.
Forensically, the SOFTWARE hive is indispensable for three reasons. First, it provides the installed programs inventory — the Uninstall keys record every application that registered itself with Windows, including installation dates, publisher names, and installation paths. Second, it contains the OS version and build number, which determines which artifacts are available and which parsing tools to use. Third, it stores the SRUM AppID mapping table that converts integer identifiers in SRUM.db to human-readable executable paths. Without the SOFTWARE hive, SRUM output shows meaningless numbers instead of paths like C:\Users\jdoe\AppData\Local\Temp\rc.exe.
The hive typically ranges from 30 MB to over 200 MB, making it the largest of the five system registry hives (SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT). Its size reflects the cumulative history of every application installation, update, and configuration change on the system.
The SOFTWARE hive is the essential companion to SRUM.db. It contains the AppID-to-executable-path mapping table that makes SRUM output interpretable. Always collect the SOFTWARE hive alongside SRUM.db during triage. Without it, SRUM analysis produces integer IDs instead of process names.
Location & Format
File Paths
| File | Path | Notes |
|---|---|---|
| SOFTWARE (live) | C:\Windows\System32\config\SOFTWARE | Locked by OS; requires VSS or raw copy for live acquisition |
| SOFTWARE (RegBack) | C:\Windows\System32\config\RegBack\SOFTWARE | Automatic backup (disabled by default on Win 10 1803+) |
| SOFTWARE (repair) | C:\Windows\repair\SOFTWARE | Legacy backup from original OS install |
| Transaction logs | C:\Windows\System32\config\SOFTWARE.LOG1, .LOG2 | Uncommitted changes; replay with registry recovery tools |
Hive Format
The SOFTWARE hive uses the standard Windows registry hive format (regf). It consists of bins (hbin) containing cells (key nodes, value nodes, subkey lists, and data cells). Each key node has a last-written timestamp (FILETIME format, 100-nanosecond resolution) that records the most recent modification to that key or its values. These timestamps are critical for establishing when software was installed, when settings were changed, and when network connections occurred.
Registry key timestamps update when any value under that key is modified. They do not update when a subkey is created or modified — only when the key’s own values change. This means the Uninstall\{GUID} key timestamp reflects the last time the installer wrote to that specific key, which is typically the installation or last update date.
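As an added example (not code from this page or from any of the tools it lists), the following parser reads the regf base block described above and performs the two checks a practitioner wants before trusting a collected hive: the header checksum and the primary/secondary sequence numbers, which differ when the hive was not cleanly flushed and the .LOG1/.LOG2 transaction logs still need to be replayed. The sample header is constructed in the script; the checksum edge-case rule for 0 and 0xFFFFFFFF follows public regf format notes and is an assumption.

```python
import struct
from datetime import datetime, timedelta

REGF_BASE_BLOCK = 4096  # the base block is the first 4 KiB; hbins follow it

def filetime_to_dt(ft):
    # FILETIME: 100-nanosecond intervals since 1601-01-01 UTC
    return datetime(1601, 1, 1) + timedelta(microseconds=ft // 10)

def regf_checksum(block):
    # XOR of the first 508 bytes read as little-endian uint32 values
    x = 0
    for (v,) in struct.iter_unpack("<I", block[:508]):
        x ^= v
    # assumption from public regf notes: 0 is stored as 1, 0xFFFFFFFF as 0xFFFFFFFE
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x if x != 0 else 1

def parse_base_block(block):
    if block[:4] != b"regf":
        raise ValueError("not a regf hive")
    (seq1, seq2, ft, major, minor, _ftype, _fmt,
     root, hbins) = struct.unpack_from("<IIQIIIIII", block, 4)
    stored = struct.unpack_from("<I", block, 0x1FC)[0]
    return {
        "primary_seq": seq1,
        "secondary_seq": seq2,
        "last_written": filetime_to_dt(ft),       # hive-level last write
        "version": f"{major}.{minor}",
        "root_cell_offset": REGF_BASE_BLOCK + root,  # root offset is relative to hbin data
        "hbins_size": hbins,
        "checksum_ok": stored == regf_checksum(block),
        "dirty": seq1 != seq2,  # True means transaction logs must be replayed
    }

def make_sample_header(seq1, seq2):
    # Constructed 4096-byte base block for demonstration; not from a real hive
    b = bytearray(REGF_BASE_BLOCK)
    b[:4] = b"regf"
    delta = datetime(2026, 2, 14) - datetime(1601, 1, 1)
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000  # integer math, no float loss
    struct.pack_into("<IIQIIIIII", b, 4, seq1, seq2, ft, 1, 5, 0, 1, 0x20, 0x1000)
    b[0x30:0x30 + 16] = "SOFTWARE".encode("utf-16-le")  # embedded file name field
    struct.pack_into("<I", b, 0x1FC, regf_checksum(b))
    return bytes(b)

if __name__ == "__main__":
    print(parse_base_block(make_sample_header(7, 6)))  # dirty hive: seq 7 != 6
```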
What It Reveals
| Data Point | Registry Path | Forensic Value |
|---|---|---|
| Installed programs (64-bit) | Microsoft\Windows\CurrentVersion\Uninstall\ | DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation, UninstallString |
| Installed programs (32-bit on 64-bit OS) | WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ | Same fields; captures 32-bit applications on 64-bit systems |
| OS version and build | Microsoft\Windows NT\CurrentVersion | ProductName, CurrentBuild, UBR, EditionID, InstallDate, RegisteredOwner |
| Network profiles | Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\ | ProfileName, DateCreated, DateLastConnected, Description (SSID for Wi-Fi) |
| Network signatures | Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\ | MAC address of default gateway, DNS suffix — uniquely identifies the physical network |
| SRUM AppID mappings | Microsoft\Windows NT\CurrentVersion\SRUM\Extensions\ | Maps integer AppIDs in SRUM.db to executable paths; essential for SRUM analysis |
| Timezone | Microsoft\Windows NT\CurrentVersion\Time Zones\ | Configured timezone; critical for timestamp normalization across artifacts |
| Registered applications | RegisteredApplications | Maps application names to their capability registrations |
| Run/RunOnce (machine-level) | Microsoft\Windows\CurrentVersion\Run | Persistence mechanism; programs that execute at every logon for all users |
The NetworkList keys record every network the machine has connected to, with creation and last-connection timestamps. For Wi-Fi networks, the Description field contains the SSID. The Signatures subkey stores the default gateway MAC address, which uniquely identifies the physical network segment. This data proves the machine was physically present at a specific network location at a specific time — powerful evidence in insider threat and data exfiltration cases.
Forensic Use Cases
Unauthorized Software Installation
The Uninstall keys record every application that registered with Windows, including the InstallDate (YYYYMMDD string) and the key’s last-written timestamp. By correlating installation dates with the investigation timeline, investigators can identify tools installed by an attacker — remote access software (AnyDesk, TeamViewer, ScreenConnect), exfiltration tools (rclone, WinSCP, MEGASync), or hacking utilities that registered themselves during installation.
SRUM AppID Resolution
SRUM.db stores application identifiers as integers. The SOFTWARE hive contains the SRUM\Extensions key that maps these integers to executable paths. Without this mapping, SRUM output shows entries like AppId: 42 instead of C:\Users\jdoe\AppData\Local\Temp\rc.exe. Every SRUM analysis workflow requires the SOFTWARE hive as input alongside the SRUM.db file.
Network Location History
The NetworkList profiles record Wi-Fi SSIDs, VPN connection names, and wired network identifiers with first-connected and last-connected timestamps. In insider threat cases, this data can prove a laptop was connected to a competitor’s Wi-Fi network, a personal hotspot, or an unauthorized network — establishing physical location and network context that event logs alone cannot provide.
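The join that turns these keys into location evidence, as an added example that is not part of the original page: NetworkList\Profiles\{GUID} carries the name and SYSTEMTIME timestamps, while NetworkList\Signatures\Unmanaged\<id> carries the default gateway MAC and DNS suffix, linked by the ProfileGuid value. The profile and signature values below are constructed stand-ins for what a hive parser would return; the NameType meanings (6 wired, 23 broadband, 71 wireless) are the commonly documented values.

```python
import struct
from datetime import datetime

# Constructed sample values shaped like NetworkList\Profiles\{GUID} and
# NetworkList\Signatures\Unmanaged\<id> data. Not from any real system; a real
# analysis reads them from the hive (python-registry, yarp, RECmd).
GUID_WIFI = "{11111111-2222-3333-4444-555555555555}"
GUID_LAN = "{66666666-7777-8888-9999-000000000000}"
PROFILES = {
    GUID_WIFI: {"ProfileName": "CoffeeShop_Guest", "NameType": 71,
                "DateCreated": struct.pack("<8H", 2026, 2, 6, 14, 9, 31, 12, 0),
                "DateLastConnected": struct.pack("<8H", 2026, 2, 6, 14, 11, 2, 45, 0)},
    GUID_LAN: {"ProfileName": "corp.example", "NameType": 6,
               "DateCreated": struct.pack("<8H", 2025, 8, 5, 15, 8, 0, 0, 0),
               "DateLastConnected": struct.pack("<8H", 2026, 2, 5, 13, 17, 45, 3, 0)},
}
SIGNATURES = {  # subkey names are constructed placeholders for the real 32-hex-char ids
    "SIG_CONSTRUCTED_AAAA": {"ProfileGuid": GUID_WIFI, "DnsSuffix": "guest.example",
                             "DefaultGatewayMac": bytes.fromhex("00112233aabb")},
    "SIG_CONSTRUCTED_BBBB": {"ProfileGuid": GUID_LAN, "DnsSuffix": "corp.example",
                             "DefaultGatewayMac": bytes.fromhex("001122ccddee")},
}
NAME_TYPES = {6: "wired", 23: "broadband", 71: "wireless"}

def systemtime_to_dt(raw):
    # SYSTEMTIME: wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds
    y, mo, _dow, d, h, mi, s, ms = struct.unpack("<8H", raw[:16])
    return datetime(y, mo, d, h, mi, s, ms * 1000)  # stored in local time

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw[:6])

def build_timeline(profiles, signatures):
    # Join each profile to its signature via ProfileGuid so the SSID carries its gateway MAC
    by_guid = {sig["ProfileGuid"]: sig for sig in signatures.values()}
    rows = []
    for guid, p in profiles.items():
        sig = by_guid.get(guid)  # a profile can outlive its signature after GUI deletion
        rows.append({
            "name": p["ProfileName"],
            "type": NAME_TYPES.get(p["NameType"], f"unknown({p['NameType']})"),
            "created": systemtime_to_dt(p["DateCreated"]),
            "last_connected": systemtime_to_dt(p["DateLastConnected"]),
            "gateway_mac": mac_str(sig["DefaultGatewayMac"]) if sig else "(no signature)",
            "dns_suffix": sig["DnsSuffix"] if sig else "",
        })
    return sorted(rows, key=lambda r: r["last_connected"])

if __name__ == "__main__":
    for r in build_timeline(PROFILES, SIGNATURES):
        print(f"{r['last_connected']:%Y-%m-%d %H:%M:%S} {r['type']:<8} {r['name']:<18} "
              f"gw={r['gateway_mac']} dns={r['dns_suffix']}")
```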
OS Profiling and Artifact Availability
The Windows NT\CurrentVersion key provides the exact OS version, build number, and Update Build Revision (UBR). This information determines which forensic artifacts are available (e.g., SRUM exists only on Windows 8+, BAM/DAM only on Windows 10 1709+), which parsing tools are compatible, and which exploit paths were viable at the time of the incident.
Acquisition Methods
Live System — Registry Save
```batch
:: Save SOFTWARE hive from live system
reg save HKLM\SOFTWARE C:\Evidence\SOFTWARE

:: Using KAPE to collect all registry hives
kape.exe --tsource C: --tdest C:\Evidence\KAPE_Output --target RegistryHives

:: Using RawCopy to bypass NTFS locks
RawCopy.exe /FileNamePath:C:\Windows\System32\config\SOFTWARE /OutputPath:C:\Evidence\
```
Forensic Image — Direct Extraction
```bash
# Mount forensic image read-only
mount -o ro,noexec,nodev /dev/sdb1 /mnt/evidence

# Copy SOFTWARE hive and transaction logs
cp /mnt/evidence/Windows/System32/config/SOFTWARE /analysis/registry/
cp /mnt/evidence/Windows/System32/config/SOFTWARE.LOG1 /analysis/registry/
cp /mnt/evidence/Windows/System32/config/SOFTWARE.LOG2 /analysis/registry/

# RegBack copy (may be 0 bytes on Win10 1803+)
cp /mnt/evidence/Windows/System32/config/RegBack/SOFTWARE /analysis/registry/SOFTWARE.regback 2>/dev/null
```
Parsing Tools & Analysis
| Tool | Author | License | Output | Notes |
|---|---|---|---|---|
| RegRipper | Harlan Carvey | Open source (Perl) | Text | Plugins: networklist, soft_run, uninstall, compname, timezone, winver |
| Registry Explorer | Eric Zimmerman | Free | GUI | Visual browser; shows key timestamps; bookmarks for forensic keys |
| RECmd | Eric Zimmerman | Free | CSV | Command-line batch processing; supports batch key extraction with plugins |
| yarp | Maxim Suhanov | Open source (Python) | API | Registry hive parser with transaction log replay support |
| python-registry | Willi Ballenthin | Open source (Python) | API | Pure Python registry parser; scriptable for custom analysis |
| Autopsy | Sleuth Kit | Open source | GUI | Integrated registry viewer in the forensic platform |
Installed Software Enumeration
```bash
# RegRipper: extract installed programs
rip.pl -r /analysis/registry/SOFTWARE -p uninstall

# RegRipper: extract network profiles
rip.pl -r /analysis/registry/SOFTWARE -p networklist

# RegRipper: extract OS version
rip.pl -r /analysis/registry/SOFTWARE -p winver

# RECmd (Windows): batch extraction with forensic plugin set
RECmd.exe -f C:\Evidence\SOFTWARE --bn BatchExamples\RECmd_Batch_MC.reb --csv C:\Analysis\
```
Python Script — Network Profile Timeline
```python
from Registry import Registry
import struct

def systemtime(raw):
    # DateCreated/DateLastConnected are 16-byte SYSTEMTIME structures (local time),
    # so the raw REG_BINARY value must be decoded before printing
    y, mo, _dow, d, h, mi, s, _ms = struct.unpack('<8H', raw[:16])
    return f'{y:04d}-{mo:02d}-{d:02d} {h:02d}:{mi:02d}:{s:02d}'

reg = Registry.Registry('/analysis/registry/SOFTWARE')
profiles = reg.open('Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles')
for subkey in profiles.subkeys():
    name = subkey.value('ProfileName').value()
    created = systemtime(subkey.value('DateCreated').value())
    last_conn = systemtime(subkey.value('DateLastConnected').value())
    desc = subkey.value('Description').value()
    print(f'{name} | Created: {created} | Last: {last_conn} | {desc}')
```
Sample Output — Suspicious Software Timeline
| DisplayName | InstallDate | Publisher | InstallLocation |
|---|---|---|---|
| AnyDesk | 20260214 | AnyDesk Software | C:\Program Files (x86)\AnyDesk |
| rclone v1.65.0 | 20260214 | | C:\Users\jdoe\AppData\Local\rclone |
| MEGAsync | 20260213 | Mega Ltd | C:\Users\jdoe\AppData\Local\MEGAsync |
| 7-Zip 23.01 | 20251105 | Igor Pavlov | C:\Program Files\7-Zip |
| Microsoft Office 365 | 20250815 | Microsoft Corp | C:\Program Files\Microsoft Office |
AnyDesk and rclone were both installed on 2026-02-14 — the same date as the suspected intrusion. rclone has no publisher field and was installed to a user-specific AppData path rather than Program Files, which is atypical for legitimate software deployment. MEGAsync was installed the day before, suggesting pre-staging. The remaining entries (7-Zip, Office) have installation dates months earlier and are consistent with normal IT provisioning.
Retention & Persistence
| Property | Detail |
|---|---|
| Retention period | Permanent — entries accumulate for the lifetime of the OS installation |
| Survives reboot | Yes — persisted to disk as a hive file |
| Survives application uninstall | Partial — well-behaved uninstallers remove their Uninstall key, but many leave orphaned entries; NetworkList profiles are never removed |
| Survives user profile deletion | Yes — system-level hive, independent of user profiles |
| Update frequency | On-demand — modified whenever software is installed, settings change, or network connections occur |
| Typical size | 30 MB to 200+ MB depending on software history |
When software is uninstalled, a well-behaved uninstaller removes its Uninstall registry key. However, many applications leave orphaned keys, and the key’s last-written timestamp still reflects the original installation or last update. Even when the key is properly removed, the key name and timestamps may be recoverable through registry hive carving (deleted key recovery) using tools like Registry Explorer or yarp.
Anti-Forensics Resilience
The SOFTWARE hive is a locked system file that cannot be directly modified by standard cleanup tools while Windows is running.
| Tool | Clears SOFTWARE? | Explanation |
|---|---|---|
| CCleaner | No | Does not target system registry hive files |
| Program uninstaller | Partial | Removes the application’s own Uninstall key but not NetworkList, Run keys, or SRUM mappings |
| reg delete | Partial | Can delete individual keys if run with SYSTEM privileges; leaves deleted key recoverable via carving |
| BleachBit | No | No module targets the SOFTWARE hive file |
| SDelete | No | Cannot access locked hive files |
| Network profile deletion (GUI) | Partial | Removes the profile from NetworkList but the Signatures key may persist; recoverable from VSS |
Network profiles in the SOFTWARE hive are almost never cleaned by adversaries or insiders. Even technically sophisticated users who clear browser history, delete files, and wipe event logs rarely think to remove NetworkList entries. These profiles prove the machine connected to specific Wi-Fi networks (by SSID), VPNs, and wired networks — with first-connected and last-connected timestamps accurate to the second.
MITRE ATT&CK Detection Mapping
The SOFTWARE hive provides evidentiary support for detecting the following MITRE ATT&CK techniques:
| Technique | Name | SOFTWARE Evidence |
|---|---|---|
| T1518 | Software Discovery | Uninstall keys enumerate all installed software; attackers query this to identify security tools and targets |
| T1082 | System Information Discovery | OS version, build number, registered owner, and installation date |
| T1016 | System Network Configuration Discovery | NetworkList profiles, network signatures, DNS suffixes, and gateway MAC addresses |
| T1547.001 | Boot or Logon Autostart: Registry Run Keys | Machine-level Run/RunOnce keys in SOFTWARE hive provide persistence for all users |
| T1219 | Remote Access Software | Installation records for AnyDesk, TeamViewer, ScreenConnect in Uninstall keys |
| T1562.001 | Impair Defenses: Disable or Modify Tools | Security software uninstall records; AV product registration changes |
Related Artifacts & Cross-References
| Artifact | Relationship to SOFTWARE | Cross-Correlation Value |
|---|---|---|
| SRUM.db | SOFTWARE provides the AppID mapping table that makes SRUM output readable | Essential pairing; always collect together |
| SYSTEM hive | Contains CurrentControlSet, services, Shimcache, and device history | Complementary system-level configuration; cross-reference timezone and service data |
| NTUSER.DAT | Per-user Run keys, MRU lists, and user-specific software settings | SOFTWARE has machine-level Run keys; NTUSER.DAT has per-user Run keys |
| Prefetch | Execution evidence for installed applications | Uninstall key shows software was installed; Prefetch proves it executed |
| Amcache.hve | Application execution and installation tracking | Amcache records SHA1 hashes and paths for executed programs; complements Uninstall data |
| Security.evtx | Network logon events correlate with NetworkList connection times | NetworkList shows network connection; Security.evtx shows authentication over that connection |
References
- Harlan Carvey, “RegRipper — SOFTWARE plugins” — https://github.com/keydet89/RegRipper3.0
- Eric Zimmerman, “Registry Explorer / RECmd” — https://ericzimmerman.github.io/
- SANS Institute, “Windows Forensic Analysis Poster” — https://www.sans.org/posters/windows-forensic-analysis/
- Microsoft, “Windows Registry Reference” — https://learn.microsoft.com
- 13Cubed, “Registry Forensics” — https://www.13cubed.com
- Willi Ballenthin, “python-registry” — https://github.com/williballenthin/python-registry
- Maxim Suhanov, “yarp — Yet Another Registry Parser” — https://github.com/msuhanov/yarp
- ForensicArtifacts.com, “Windows Registry Artifact Definitions” — https://github.com/ForensicArtifacts/artifacts
Mjolnir Security — Digital Forensics & Incident Response
Mjolnir Security provides 24/7 incident response, digital forensics, and expert witness testimony. Our DFIR team specializes in registry forensics, software inventory analysis, and network location reconstruction from SOFTWARE hive artifacts.
mjolnirsecurity.com — 24/7: +1 833 403 5875