The SYSTEM registry hive is the most densely packed forensic artifact in the Windows registry. It records every service installed, every USB device connected, every network adapter configured, and — through Shimcache and BAM/DAM — evidence of program execution that persists long after the executable has been deleted. For incident responders, the SYSTEM hive is the first artifact opened after the $MFT.
What Is the SYSTEM Hive?
The SYSTEM hive is one of five core registry hive files loaded at boot by the Windows kernel. It resides at C:\Windows\System32\config\SYSTEM and is mapped to HKEY_LOCAL_MACHINE\SYSTEM in the live registry. Unlike the SOFTWARE hive (which stores application and OS settings) or the SAM hive (which stores user account data), the SYSTEM hive is dedicated to hardware abstraction, driver configuration, and service management.
The hive is organized around ControlSets — numbered configuration profiles (ControlSet001, ControlSet002, etc.) that represent complete system configurations. The Select key at the root of the SYSTEM hive contains four DWORD values (Current, Default, Failed, LastKnownGood) that indicate which ControlSet is active. The CurrentControlSet symbolic link redirects to whichever ControlSet the Select\Current value points to — on a live system this is transparent, but on a forensic image you must check the Select key to determine which ControlSet was in use.
The forensic value of the SYSTEM hive is extraordinary: it contains execution evidence (Shimcache, BAM/DAM), device connection history (USBSTOR, MountedDevices), network configuration (TCP/IP parameters, interface names), service persistence mechanisms (malicious services), computer identity (ComputerName, TimeZoneInformation), and boot configuration data. Many of these artifacts persist across reboots and survive application uninstall.
The Select\Current value tells you which ControlSet was active at the time the system was last running. On a forensic image, always check this value first. If Current = 1, then ControlSet001 was the active configuration. Analyzing the wrong ControlSet means analyzing a potentially outdated or never-used configuration.
Location & Format
File Paths
| File | Path | Notes |
|---|---|---|
| SYSTEM | C:\Windows\System32\config\SYSTEM | Primary hive file; locked by OS on live system |
| SYSTEM.LOG1/LOG2 | C:\Windows\System32\config\SYSTEM.LOG1 | Transaction logs; contain uncommitted changes (dirty hive recovery) |
| RegBack copies | C:\Windows\System32\config\RegBack\SYSTEM | Periodic backup (disabled by default in Windows 10 1803+) |
Hive Format
The SYSTEM hive uses the Windows NT Registry Hive format — a binary file structure with a 4 KB header (containing the regf signature), followed by bins (hbin containers) that hold key nodes (nk records), value nodes (vk records), and data cells. Transaction logs use the same format with a write-ahead logging model. If the hive was not cleanly unmounted (e.g., sudden power loss), replaying the transaction logs recovers uncommitted changes. Tools like Registry Explorer and RegRipper handle dirty hive recovery automatically.
CurrentControlSet & the Select Key
The Select key is the first thing to examine in any SYSTEM hive analysis. It sits at SYSTEM\Select and contains four values:
| Value | Type | Meaning |
|---|---|---|
Current | REG_DWORD | ControlSet number that was active when the system was last running |
Default | REG_DWORD | ControlSet that will be used on next normal boot |
Failed | REG_DWORD | ControlSet that failed during the last boot attempt (0 if none) |
LastKnownGood | REG_DWORD | ControlSet saved after the last successful user login |
; Example: SYSTEM\Select Current = 0x00000001 ; ControlSet001 was active Default = 0x00000001 Failed = 0x00000000 ; No failed boot LastKnownGood = 0x00000002 ; ControlSet002 is LKG
What It Reveals
The SYSTEM hive answers a wide range of investigative questions through its subkeys:
- ComputerName —
ControlSet001\Control\ComputerName\ComputerNamestores the NetBIOS computer name. Critical for attribution in multi-host investigations. - TimeZoneInformation —
ControlSet001\Control\TimeZoneInformationrecords the configured time zone,ActiveTimeBias, and DST settings. Essential for timestamp normalization across evidence sources. - Services —
ControlSet001\Services\contains every installed service and driver, including start type, binary path, and dependencies. Malicious services installed for persistence appear here. - USBSTOR —
ControlSet001\Enum\USBSTOR\records every USB mass storage device ever connected, including vendor ID, product ID, serial number, and first/last connection timestamps. - Shimcache (AppCompatCache) —
ControlSet001\Control\Session Manager\AppCompatCacherecords file paths and last-modification timestamps for executables the OS evaluated for compatibility shims. Proves a file existed on disk even if it has been deleted. - BAM/DAM —
SYSTEM\ControlSet001\Services\bam\State\UserSettings\{SID}(Windows 10 1709+) records the last execution time of programs per user SID. Background Activity Moderator data provides precise execution timestamps. - MountedDevices —
SYSTEM\MountedDevicesmaps drive letters and volume GUIDs to physical device signatures and partition offsets. - Network Interfaces —
ControlSet001\Services\Tcpip\Parameters\Interfaces\{GUID}stores IP addresses, subnet masks, default gateways, DHCP servers, and lease timestamps for each network adapter. - Network Profiles —
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList(cross-ref) combined with SYSTEM interface data reveals Wi-Fi SSIDs, connection dates, and network types.
Forensic Use Cases
1. Malicious Service Persistence
A ransomware operator installs a service named WindowsUpdateSvc with ImagePath pointing to C:\ProgramData\svc.exe and Start set to 2 (auto-start). The SYSTEM hive preserves this service entry even after the executable is deleted. The ObjectName value reveals the service ran under LocalSystem. Cross-referencing the service creation timestamp with Security.evtx Event ID 7045 provides the exact installation time.
2. USB Device Timeline
An insider threat investigation requires proving that a specific USB drive was connected during the data exfiltration window. The USBSTOR key under ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C530001280812116284 provides the device serial number. The subkey timestamps (first connection) combined with MountedDevices (drive letter assignment) and SYSTEM\MountPoints2 in the user’s NTUSER.DAT (user-level mount) create a complete USB connection timeline.
3. Shimcache Execution Evidence
The attacker deleted their tools from C:\Windows\Temp\ after the operation. Shimcache in the SYSTEM hive retains entries showing C:\Windows\Temp\mimikatz.exe with a last-modified timestamp, proving the file existed on disk. While Shimcache does not definitively prove execution (only that the OS evaluated the file for compatibility), the combination of Shimcache presence + Prefetch entry + Amcache hash creates a dispositive execution proof.
4. BAM/DAM Execution Timestamps
BAM (Background Activity Moderator) data provides per-user execution timestamps with second-level precision. When an investigator finds SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-...-1001 containing an entry for \Device\HarddiskVolume3\Users\jdoe\Downloads\nc.exe with a FILETIME value, this proves user jdoe executed nc.exe at that exact timestamp. BAM data is particularly valuable because it survives Prefetch deletion.
5. Network Configuration and DHCP Attribution
The network interface keys store DHCP lease information including DhcpIPAddress, DhcpServer, LeaseObtainedTime, and LeaseTerminatesTime. This proves which IP address the machine held at a specific time — critical for correlating network flow data and firewall logs with endpoint activity. The NameServer value reveals configured DNS servers, which may indicate VPN usage or DNS hijacking.
Acquisition Methods
The SYSTEM hive is locked by the OS kernel on a live system. Direct file copy will fail. Use Volume Shadow Copy, KAPE, reg save, or a forensic imaging tool. Always collect the transaction logs (SYSTEM.LOG1, SYSTEM.LOG2) alongside the hive for dirty-shutdown recovery.
:: Save SYSTEM hive from live system using reg.exe reg save HKLM\SYSTEM C:\Evidence\SYSTEM /y :: Using KAPE kape.exe --tsource C: --tdest C:\Evidence --target RegistryHives :: Using Volume Shadow Copy vssadmin create shadow /for=C: copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SYSTEM C:\Evidence\ copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SYSTEM.LOG1 C:\Evidence\ copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SYSTEM.LOG2 C:\Evidence\
# Mount forensic image read-only mount -o ro,noexec,nodev /dev/sdb1 /mnt/evidence # Copy SYSTEM hive and transaction logs cp /mnt/evidence/Windows/System32/config/SYSTEM /analysis/registry/ cp /mnt/evidence/Windows/System32/config/SYSTEM.LOG* /analysis/registry/
Parsing Tools & Analysis
| Tool | Author | License | Output | Notes |
|---|---|---|---|---|
| Registry Explorer | Eric Zimmerman | Free | GUI + export | Best GUI tool; handles dirty hive recovery; bookmark support for forensic keys |
| RegRipper | Harlan Carvey | Open source (Perl) | Text/TLN | Plugin-based; rip.pl -r SYSTEM -p compname extracts ComputerName instantly |
| AppCompatCacheParser | Eric Zimmerman | Free | CSV | Dedicated Shimcache parser; extracts all entries with timestamps and positions |
| RECmd | Eric Zimmerman | Free | CSV | Command-line registry parser; batch processing with batch files |
| python-registry | Willi Ballenthin | Open source (Python) | Programmatic | Python library for custom registry parsing scripts |
RegRipper Quick Extractions
# Extract computer name rip.pl -r /analysis/registry/SYSTEM -p compname # Extract timezone information rip.pl -r /analysis/registry/SYSTEM -p timezone # Extract all services rip.pl -r /analysis/registry/SYSTEM -p services # Extract USBSTOR entries rip.pl -r /analysis/registry/SYSTEM -p usbstor # Extract Shimcache AppCompatCacheParser.exe -f /analysis/registry/SYSTEM --csv /analysis/output/ # Extract BAM data rip.pl -r /analysis/registry/SYSTEM -p bam
Retention & Persistence
| Sub-Artifact | Retention | Notes |
|---|---|---|
| Services | Permanent until manually deleted | Service entries persist even after the service binary is removed |
| USBSTOR | Permanent | Device entries are never automatically purged; persist for the life of the OS install |
| Shimcache | ~1,024 entries (FIFO) | Rolling buffer; oldest entries evicted when new entries are added. Written to registry on clean shutdown only. |
| BAM/DAM | ~7 days rolling | Entries older than 7 days are automatically purged by the BAM service |
| MountedDevices | Permanent | Drive letter mappings persist until explicitly removed |
| Network Interfaces | Permanent per adapter | DHCP lease data updated on each lease renewal; historical data overwritten |
| ComputerName | Permanent | Changed only by explicit rename operation |
| TimeZone | Permanent | Changed only by explicit user or GPO modification |
Shimcache data is maintained in memory and only written to the registry during a clean shutdown (or hibernate). On a system that crashed or was forcibly powered off, the on-disk Shimcache may be stale. Always check whether the system was cleanly shut down (Event ID 1074 in System.evtx) to assess Shimcache currency.
Anti-Forensics Resilience
| Tool / Technique | Affects SYSTEM Hive? | Details |
|---|---|---|
| CCleaner | No | Does not modify SYSTEM hive; only targets user-level artifacts |
| Registry cleaners | Minimal | May remove orphaned keys but do not target forensic artifacts like Shimcache or USBSTOR |
| Manual key deletion | Possible | Requires admin privileges; detectable via transaction log analysis showing deletion operations |
| Shimcache clearing | Possible | Deleting the AppCompatCache value requires admin; detectable via last-write timestamp on the parent key |
| Service deletion | Yes | sc delete <name> removes the service key, but transaction logs may retain the deleted data |
| USBSTOR clearing | Rare | Requires targeted registry editing; most adversaries do not know to clear this artifact |
Even when an adversary deletes a registry key, the transaction logs (SYSTEM.LOG1, SYSTEM.LOG2) may still contain the deleted data if they have not been overwritten. Tools like Registry Explorer can replay transaction logs to recover deleted keys. Additionally, the deleted key space in the hive file itself may contain recoverable data until the space is reallocated — yarp and Registry Explorer can carve deleted entries.
MITRE ATT&CK Detection Mapping
| Technique | Name | SYSTEM Hive Evidence |
|---|---|---|
T1543.003 T1543.003 | Create or Modify System Process: Windows Service | Malicious service entries under ControlSet001\Services\ with suspicious ImagePath values |
T1547.001 T1547.001 | Boot or Logon Autostart Execution | Service Start value set to 2 (auto) or 0 (boot) for persistence |
T1025 T1025 | Data from Removable Media | USBSTOR entries documenting USB device connections during the incident timeframe |
T1059 T1059 | Command and Scripting Interpreter | Shimcache entries for cmd.exe, powershell.exe, wscript.exe from unusual paths |
T1070.004 T1070.004 | Indicator Removal: File Deletion | Shimcache proves a deleted file existed; BAM/DAM proves it was executed by a specific user |
T1014 T1014 | Rootkit | Suspicious kernel-mode driver entries under Services with Type = 1 (kernel driver) |
Related Artifacts & Cross-References
| Artifact | Relationship to SYSTEM Hive | Cross-Correlation Value |
|---|---|---|
| SOFTWARE Hive | Stores application settings, NetworkList profiles, Amcache, uninstall entries | NetworkList SSIDs + SYSTEM interface data = complete network history |
| SAM Hive | User account data; requires SYSTEM hive boot key (SYSKEY) for decryption | SAM passwords cannot be extracted without the SYSTEM hive boot key |
| NTUSER.DAT | Per-user settings; MountPoints2 shows user-level USB mount events | USBSTOR (system) + MountPoints2 (user) = device-to-user attribution |
| Amcache.hve | SHA1 hashes and full paths for executed binaries | Shimcache shows the file existed; Amcache provides its hash for malware identification |
| Prefetch | Execution count and timestamps for .pf files | Shimcache + Prefetch + BAM = three independent execution proofs |
| Security.evtx | Event IDs 7045 (service install), 4697 (service install audit) | Service creation timestamp from event log confirms SYSTEM hive service entry |
References
- Eric Zimmerman, “Registry Explorer / RECmd” — https://ericzimmerman.github.io/
- Harlan Carvey, “RegRipper — Registry Analysis Tool” — https://github.com/keydet89/RegRipper3.0
- SANS Institute, “Windows Forensic Analysis Poster” — https://www.sans.org/posters/
- Microsoft, “Registry Hive Structure” — https://learn.microsoft.com
- Andrea Fortuna, “Shimcache Analysis in Forensic Investigations” — https://andreafortuna.org
- 13Cubed, “BAM — Background Activity Moderator” — https://www.13cubed.com
- Willi Ballenthin, “python-registry” — https://github.com/williballenthin/python-registry
Mjolnir Security — Digital Forensics & Incident Response
Mjolnir Security provides 24/7 incident response, digital forensics, and expert witness testimony. Our DFIR team specializes in registry analysis, Shimcache reconstruction, and service persistence investigation.
mjolnirsecurity.com — 24/7: +1 833 403 5875