System Info

System Info in Registry:

Hostname:

HKLM\SYSTEM\CurrentControlSet\Control\ComputerName
- Different ControlSet version could indicate past hostnames.

Build Info and Install Time:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

Historical version updates:

HKLM\SYSTEM\Setup\Source OS

System Time Zone:

HKLM\SYSTEM\<CurrentControlSet>\Control\TimeZoneInformation

Network Interfaces:

Track network interfaces in use and their last settings. Shows both physical and virtual interfaces:

HKLM\SYSTEM\<CurrentControlSet>\Services\Tcpip\Parameters\Interfaces

Network Cards:

Track human readable names of network card GUIDs found in interfaces (physical cards only):

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

Connected Networks:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed (part of AD Domain)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged (outside of AD Domain)

Use ProfileGUID in previous key ^ to find first and last time connected to network (timezone stored in 128-bit systemtime - local time):

Network Names:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

Application Settings:

Audit usage of microphone, webcam, location, and other application specific settings.(windows 64-bit filetime format)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore
NTUSER\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore
- Nonpackaged = Non-Microsoft Apps

Shutdown Time:

When a system shutdown (64-bit filetime):

HKML\SYSTEM\<CurrentControlSet>\Control\Windows

PreviousForensics NextMemory

Last updated 1 year ago

hashtagSystem Info in Registry:

hashtagHostname:

hashtagBuild Info and Install Time:

hashtagHistorical version updates:

hashtagSystem Time Zone:

hashtagNetwork Interfaces:

hashtagNetwork Cards:

hashtagConnected Networks:

hashtagNetwork Names:

hashtagApplication Settings:

hashtagShutdown Time: