AccessData

SOFTWARE RSR FILES

 


SOFTWARE – Installed Devices.rsr
• In Windows Vista, this displays USB drives attached to the system in individual subkeys named by their Disk and Vendor name and Drive Identifier, with the volume name in the FriendlyName value associated with each subkey.
• HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\<drive>
• RSR File Hash: 05407ad44261cd045c0fe2dd4f7e9d61

 

SOFTWARE – Installed Software.rsr
• Documents software on the system that uses uninstall programs for removal. Essentially shows a list of installed software.
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<software name>
• RSR File Hash: 77be182e7b10bc6bb8d07151d3606fe6

 

SOFTWARE – Last Logged On User.rsr
• In Windows Vista, recovers registry entries identifying the last logged-on user by user name, with a date and time reference for when that user logged off, taken from when the subkey is updated.
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
• RSR File Hash: b03edeadbc7ac3b6ee475c8247bf2f60

 

SOFTWARE – Printers.rsr
• Displays information about printers configured on the system.
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\<printer name>
• RSR File Hash: 8dcbd8470e013f5c6fc50c2a9dbe75eb

 

SOFTWARE – Profile List.rsr
• This keyset lists each of the user file system profiles in either Documents and Settings (XP) or Users (Vista). The keyset is not created until a newly created user logs on for the first time.
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<user sid>
• RSR File Hash: 8f7f210cd0ff924b589184f48a446d5d

 

SOFTWARE – ReadyBoost.rsr (Vista)
• ReadyBoost in Vista allows the user to designate a USB drive as extra RAM. The ReadyBoost keyset defines USB drives that have been attached to the system and identifies them by both their drive identifier and their volume name. The subkey that contains this information may also hold information about the USB device if it was tested for use as extra memory.
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\<disk&ven-driveID-Vol>
• RSR File Hash: e8e173028fefda6fe0fc40385b92c437

 

SOFTWARE – Startup Software.rsr
• Global startup software for any user who logs on is stored in the SOFTWARE file. For per user settings, see the NTUSER.DAT file. There are many other locations in the Registry in which startup software can be initiated during bootup or during startup of other utilities.
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (RunServices)
• RSR File Hash: a08a814ea3f952890ff6bb5ab58faa3e

 

SOFTWARE – User and OS.rsr
• This keyset displays two types of information: installed operating system information and data entered by the user upon installation of the system.
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
• RSR File Hash: 0a60fbd5f402f7284c13ca9b17d771bf

 

SOFTWARE – Vista Security Settings.rsr
• This RSR records the Vista security settings for User Account Control (UAC) on the target system. It will also archive any captions added by the user for logon purposes.
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System / EnableLUA (default is 1 = On; a value of 0 turns off UAC)
• RSR File Hash: c1b059c9c6fa3fc9a7b9361aec79858e

 

SOFTWARE – Vista Wireless.rsr
• Vista wireless SSID connections are retrieved with this RSR. It includes the network Profiles list, which lists wireless connections, and the Signatures subkey, which records managed and unmanaged connections.
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles and Signatures
• RSR File Hash: 483c6b9e269cb217263171e6b5fd6d15

 

SOFTWARE – Winlogon.rsr
• The Winlogon RSR records information stored in the Winlogon subkey, such as legal notices, the cached logons count, and, if enabled, autologon information such as the user name, domain name, and password used.
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
• RSR File Hash: 557e7faaa097e266d4b9d4e0d682a734

 

SOFTWARE – XP Recycle Bin Settings.rsr
• The XP Recycle Bin settings captured include global settings and individual drive settings. Included values are: drive settings and volume serial number.
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
• RSR File Hash: 81677ae1ac7cf7e8206ae571974ae5d1

 

SOFTWARE – XP Wireless Network Connections.rsr
• There are two potential XP locations for identifying SSID connections from the target system. Both list the SSID name of the connection; however, little other information is available. WZCSVC is written to when the built-in Windows wireless service is used. EAPOL is used when the Extensible Authentication Protocol is used for the connection. If other wireless systems are used, information may or may not be available in the Registry.
• HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\<guid> / Static#000n
• HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\<guid> / n
• RSR File Hash: 2eb1bc41b682e2fc8094823db159bb5b