System Info

System Info in Registry:

Hostname:

• HKLM\SYSTEM\CurrentControlSet\Control\ComputerName

  • Different ControlSet version could indicate past hostnames.

Build Info and Install Time:

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

Historical version updates:

• HKLM\SYSTEM\Setup\Source OS

System Time Zone:

• HKLM\SYSTEM\<CurrentControlSet>\Control\TimeZoneInformation

Network Interfaces:

Track network interfaces in use and their last settings. Shows both physical and virtual interfaces:

• HKLM\SYSTEM\<CurrentControlSet>\Services\Tcpip\Parameters\Interfaces

More details into network interface.

Network Cards:

Track human readable names of network card GUIDs found in interfaces (physical cards only):

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

Connected Networks:

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed (part of AD Domain)

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged (outside of AD Domain)

Use ProfileGUID in previous key ^ to find first and last time connected to network (timezone stored in 128-bit systemtime - local time):

Network Names:

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

Application Settings:

Audit usage of microphone, webcam, location, and other application specific settings.(windows 64-bit filetime format)

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore

• NTUSER\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore

  • Nonpackaged = Non-Microsoft Apps

Shutdown Time:

When a system shutdown (64-bit filetime):

• HKML\SYSTEM\<CurrentControlSet>\Control\Windows