
System Configuration: Reading the Machine's Own Biography

  • Mar 27, 2024
  • 4 min read

Updated: 6 days ago


Before you chase a single artifact, before you open a single log file, you need to answer a deceptively simple question:

what exactly is this machine?

Not in a philosophical sense. In a very practical one.

  • What version of Windows is it running?

  • How long has it been running?

  • What's it called?

  • What time zone does it think it's in?


These aren't glamorous questions, but getting them wrong — or skipping them entirely — will quietly poison the rest of your investigation.


Think of system configuration forensics as writing the opening chapter of a case file. You're establishing the scene before anything else happens.


-------------------------------------------------------------------------------------------------------

Start Here: Operating System Version

The first registry key worth visiting on any Windows examination is:

SOFTWARE\Microsoft\Windows NT\CurrentVersion

This key is your quick snapshot of the current OS state — version, build number, and the timestamp of the most recent major update.


It's also where a very common misconception lives, so let's address it immediately: the InstallDate and InstallTime values here reflect the last major update, not necessarily the original installation of the operating system.

If someone installed Windows three years ago and updated it last month, this key shows last month. To go further back, you need to dig deeper.

-------------------------------------------------------------------------------------------------------

Walking the Update History

The Source OS key is where the full story lives. Each time Windows goes through a major update or upgrade cycle, it stamps the previous state into a separate subkey here — preserving the version, build, and install time of that snapshot.


By iterating through every Source OS subkey and combining it with the CurrentVersion data, you can reconstruct the entire update biography of the machine.

  • When was Windows first installed?

  • What version?

  • When was it upgraded?

  • How many times?


This matters more than it might seem. If you're chasing an artifact that only exists in Windows 10 build 19041 and above, knowing that the system was running an earlier build during the period of interest changes everything. You can't find what didn't exist yet.

One important caution: the timestamp embedded in each Source OS subkey name — the (Updated on...) part — does not reliably match the InstallDate or InstallTime values inside that key.

Microsoft's own update process is multi-stage, involving downloads, backups, and sometimes multiple reboot cycles that can span days. Different timestamps get recorded at different stages of that process.

Standardize on InstallDate/InstallTime — they match what Windows' own systeminfo command reports, making cross-verification straightforward.
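The reconstruction described above, as an added example (not code from the original post). It runs on registry values that have already been extracted and represented as plain dicts, so it works offline; on a real case the CurrentVersion values come from the SOFTWARE hive and the Source OS subkeys from SYSTEM\Setup, read with whatever registry parser you use. The value formats are real: InstallDate is a REG_DWORD of Unix epoch seconds and InstallTime a REG_QWORD FILETIME. The subkey-name date pattern assumes US-style M/D/YYYY ordering, and all sample values are constructed.

```python
import re
from typing import Optional
from datetime import datetime, timedelta, timezone


# Real value formats (not assumptions): InstallDate is a REG_DWORD holding
# Unix epoch seconds, InstallTime a REG_QWORD holding a FILETIME, i.e.
# 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
def installdate_to_utc(epoch_seconds: int) -> datetime:
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


# Subkey names look like "Source OS (Updated on 6/18/2021 19:02:33)".
# Assumption: US-style M/D/YYYY ordering; the format follows the locale of
# the examined system, so adjust the pattern if your hive disagrees.
NAME_RE = re.compile(
    r"Source OS \(Updated on (\d{1,2})/(\d{1,2})/(\d{4}) (\d{1,2}):(\d{2}):(\d{2})\)"
)


def parse_updated_on(key_name: str) -> Optional[datetime]:
    """Return the timestamp embedded in a Source OS subkey name, naive (no zone)."""
    m = NAME_RE.fullmatch(key_name)
    if not m:
        return None
    month, day, year, hour, minute, second = map(int, m.groups())
    return datetime(year, month, day, hour, minute, second)


def describe(values: dict) -> dict:
    """Summarise one OS state (CurrentVersion or a Source OS snapshot)."""
    install_date = installdate_to_utc(values["InstallDate"])
    install_time = filetime_to_utc(values["InstallTime"]) if "InstallTime" in values else None
    # Cross-check: the two values should name the same second. A disagreement
    # means one of them was not written by the install or upgrade you assume.
    agree = install_time is None or abs((install_time - install_date).total_seconds()) < 1
    return {
        "product": values.get("ProductName"),
        "build": values.get("CurrentBuild"),
        # DisplayVersion (e.g. 22H2) exists from 20H2 onward; older builds only carry ReleaseId.
        "version": values.get("DisplayVersion") or values.get("ReleaseId"),
        "installed_utc": install_date,
        "install_values_agree": agree,
    }


def update_biography(current_version: dict, source_os: dict) -> list:
    """Merge CurrentVersion with every Source OS snapshot, oldest state first."""
    states = []
    for key_name, values in source_os.items():
        state = describe(values)
        state["snapshot_stamp"] = parse_updated_on(key_name)  # from the name, not the values
        states.append(state)
    current = describe(current_version)
    current["snapshot_stamp"] = None  # the live state has never been stamped away
    states.append(current)
    return sorted(states, key=lambda s: s["installed_utc"])


def first_install_utc(biography: list) -> datetime:
    return biography[0]["installed_utc"]


def upgrade_count(biography: list) -> int:
    return len(biography) - 1


# Constructed sample hive values (not from a real system).
CURRENT_VERSION = {
    "ProductName": "Windows 10 Pro", "CurrentBuild": "19045", "DisplayVersion": "22H2",
    "InstallDate": 1677715200, "InstallTime": 133221888000000000,  # 2023-03-02 00:00:00 UTC
}
SOURCE_OS = {
    "Source OS (Updated on 6/18/2021 19:02:33)": {
        "ProductName": "Windows 10 Pro", "CurrentBuild": "18363", "ReleaseId": "1909",
        "InstallDate": 1588291200, "InstallTime": 132327648000000000,  # 2020-05-01 00:00:00 UTC
    },
    "Source OS (Updated on 3/1/2023 22:40:15)": {
        "ProductName": "Windows 10 Pro", "CurrentBuild": "19043", "DisplayVersion": "21H1",
        "InstallDate": 1624060800, "InstallTime": 132685344000000000,  # 2021-06-19 00:00:00 UTC
    },
}

BIOGRAPHY = update_biography(CURRENT_VERSION, SOURCE_OS)

if __name__ == "__main__":
    for s in BIOGRAPHY:
        stamp = s["snapshot_stamp"].isoformat(" ") if s["snapshot_stamp"] else "current state"
        print(f'{s["installed_utc"]:%Y-%m-%d %H:%M:%S}Z  build {s["build"]} ({s["version"]})  '
              f'subkey stamp: {stamp}  InstallDate/InstallTime agree: {s["install_values_agree"]}')
    print(f"First installed {first_install_utc(BIOGRAPHY):%Y-%m-%d}, "
          f"upgraded {upgrade_count(BIOGRAPHY)} times")
```

The output lists each state with the subkey-name stamp printed beside the InstallDate so the two can be compared rather than assumed equal, and the InstallDate/InstallTime cross-check catches the case where only one of the pair was rewritten.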



-------------------------------------------------------------------------------------------------------

Control Sets: Which Configuration Is Actually Active?

Here's a concept that confuses almost everyone the first time: the SYSTEM hive doesn't store its configuration data at a single fixed path.

It uses something called control sets.

A control set is essentially a complete snapshot of system configuration — drivers, services, boot settings, all of it. Historically, Windows kept multiple control sets as recovery backups. If a bad driver crashed the system, you could boot into the LastKnownGood control set and recover. Modern Windows (post-Win7) has largely moved away from keeping multiple copies, but the architecture remains — and several critical registry paths require you to know which control set is currently active before you can navigate to them.




-------------------------------------------------------------------------------------------------------

The Computer Name — Boring Until It Isn't

Recording the hostname feels almost too simple to mention. But skip it and you'll regret it.

Windows Event Logs, network logs, and a surprising number of other artifacts tag their entries by hostname rather than IP address.

If you're correlating a suspicious event across multiple log sources and you don't know what the machine is called, you'll spend time chasing ghosts.


The computer name lives at:

SYSTEM\<CurrentControlSet>\Control\ComputerName\ComputerName

Note that <CurrentControlSet> needs to be substituted with the actual control set you identified in the previous step — usually ControlSet001.


It's also a useful sanity check: verifying the hostname early confirms you're examining the right machine, which matters more than it sounds when you have strict authorization boundaries on what you're allowed to examine.

-------------------------------------------------------------------------------------------------------

Time Zones: The Silent Killer of Case Timelines

This is the part of system configuration forensics where experienced analysts get genuinely opinionated — and rightfully so.


Most Windows timestamps are stored in UTC.

NTFS file timestamps, registry Last Write Times, Event Logs — all UTC. This is excellent news because it means you can correlate artifacts across different systems and different geographic locations without any conversion math.

But some artifacts aren't in UTC.

They're stored in local time.

  • Antivirus logs are a notorious offender.

  • Application logs from poorly written software.

  • Various third-party tools.

If you don't know what time zone the system was set to, you can't convert those outliers to UTC — and a misaligned timestamp in a timeline can send an entire investigation in the wrong direction.
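An added example (not code from the original post) covering both the control-set step and the time-zone step. Windows records the active control set as a number in the SYSTEM hive's Select key (the Current value; 1 means ControlSet001), and the zone settings live under <CurrentControlSet>\Control\TimeZoneInformation, where Bias and ActiveTimeBias are the minutes you add to local time to reach UTC (so US Pacific Daylight Time is ActiveTimeBias 420). The code resolves the placeholder path, reads the hostname and bias, and converts a local-time antivirus log line to UTC. The hive dict, hostname and log lines are constructed, and the log format is a hypothetical one.

```python
from datetime import datetime, timedelta, timezone

# Constructed SYSTEM hive excerpt (not from a real case). The layout mirrors the
# real hive: Select\Current names the active control set as a number, and
# TimeZoneInformation lives under <CurrentControlSet>\Control.
SYSTEM_HIVE = {
    "Select": {"Current": 1, "Default": 1, "Failed": 0, "LastKnownGood": 1},
    "ControlSet001": {
        r"Control\ComputerName\ComputerName": {"ComputerName": "WS-FINANCE-07"},
        r"Control\TimeZoneInformation": {
            "TimeZoneKeyName": "Pacific Standard Time",
            "Bias": 480,            # minutes to add to standard local time to reach UTC
            "DaylightBias": -60,    # extra minutes applied while DST is in effect
            "ActiveTimeBias": 420,  # bias in force when the hive was last written
        },
    },
}


def active_control_set(hive: dict) -> str:
    """Resolve Select\\Current (an integer) to the ControlSetNNN key it names."""
    name = f"ControlSet{hive['Select']['Current']:03d}"
    if name not in hive:
        raise KeyError(f"Select\\Current points at {name}, which is missing from the hive")
    return name


def resolve(hive: dict, path: str) -> dict:
    """Expand the <CurrentControlSet> placeholder used in the post and fetch that key."""
    real = path.replace("<CurrentControlSet>", active_control_set(hive))
    control_set, _, subpath = real.partition("\\")
    return hive[control_set][subpath]


def computer_name(hive: dict) -> str:
    return resolve(hive, r"<CurrentControlSet>\Control\ComputerName\ComputerName")["ComputerName"]


def signed_dword(value: int) -> int:
    """Zones east of UTC have a negative bias, but REG_DWORD is unsigned: 4294967176 means -120."""
    return value - 2**32 if value >= 2**31 else value


def active_bias_minutes(hive: dict) -> int:
    tz = resolve(hive, r"<CurrentControlSet>\Control\TimeZoneInformation")
    return signed_dword(tz["ActiveTimeBias"])


def local_to_utc(local_naive: datetime, bias_minutes: int) -> datetime:
    """Windows convention: UTC = local time + bias (note the sign is the reverse of 'UTC-8')."""
    return (local_naive + timedelta(minutes=bias_minutes)).replace(tzinfo=timezone.utc)


def av_log_to_utc(line: str, bias_minutes: int) -> str:
    """Hypothetical AV log format: 'YYYY-MM-DD HH:MM:SS <message>' in local time, no zone marker.

    Caveat: ActiveTimeBias is the bias at the moment the hive was last written. For
    events on the other side of a DST change, apply Bias (plus DaylightBias if DST was
    in effect at the event time) instead of reusing ActiveTimeBias blindly.
    """
    stamp, message = line[:19], line[20:]
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    return f"{local_to_utc(local, bias_minutes).isoformat()}  {message}"


# Constructed sample log lines, as an AV product that writes local time might emit them.
AV_LOG = [
    "2024-03-27 14:05:12 Threat detected: C:\\Users\\jdoe\\Downloads\\invoice.exe",
    "2024-03-27 14:05:13 Quarantine succeeded",
]

if __name__ == "__main__":
    print("Active control set:", active_control_set(SYSTEM_HIVE))
    print("Hostname:", computer_name(SYSTEM_HIVE))
    bias = active_bias_minutes(SYSTEM_HIVE)
    print(f"ActiveTimeBias: {bias} min (UTC = local + {bias} min)")
    for line in AV_LOG:
        print(av_log_to_utc(line, bias))
```

Two details matter in practice: the unsigned-DWORD handling, without which every zone east of UTC comes out as a bias of roughly 71 million minutes, and the explicit `+00:00` on the converted timestamps, which makes it obvious in the timeline that the value has already been normalised and will not be silently shifted again by a viewer.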





-------------------------------------------------------------------------------------------------------


The Pro Tip You Shouldn't Skip

There's one piece of advice buried in this topic that's worth repeating in bold:

set your forensic analysis machine's time zone to UTC before you begin any examination.

Seriously. Just do it as a standing policy. The danger isn't that you'll misread a single timestamp — it's that an event log viewer or artifact parser will silently convert times for you, and you'll never know it happened. You'll build a timeline that's off by exactly one time zone offset, and the resulting confusion will cost you hours at best, and a false conclusion at worst.

Work in UTC. Report in local time. Never the other way around.

-------------------------------------------------------------------------------------------------------

Putting It Together: The System Configuration Checklist

These aren't standalone facts to collect and forget. They form a foundation that everything else in your investigation rests on.


  • Get the OS version wrong and you'll misinterpret artifacts that changed behavior between builds. Miss a time zone and your entire timeline shifts.

  • Skip the computer name and you'll spend time correlating logs from the wrong machine.

  • Ignore the control set and you'll navigate to the wrong registry path and wonder why a key doesn't exist.


Do these steps first, document the results, and every subsequent phase of the investigation will be anchored to solid, verified facts. The unglamorous work always pays dividends later.


-------------------------------------------------------------------------------------------------------

Dean

© 2023 by Cyberengage. All rights reserved.