Windows Registry: A Forensic Goldmine for Installed Applications

  • Feb 20, 2025
  • 4 min read

Updated: Mar 26


Every piece of software that's ever touched a Windows machine leaves a mark. Sometimes it's a small one. Sometimes it's scattered across half a dozen registry locations simultaneously. Either way, the registry keeps receipts — and for a forensic analyst, that paper trail can answer questions that no other artifact can.


  1. Was a privacy-wiping tool installed before the investigation started?

  2. Did a remote access application appear on the system the same week data went missing?

  3. Is there evidence of hacking tools that were later uninstalled but not fully cleaned up?

The registry knows. You just have to know where to look.


-------------------------------------------------------------------------------------------------------

Why There's No Single "Installed Apps" Key

The first thing to understand about application auditing in the registry is that there's no one magic location.

Applications are tracked in multiple places depending on:

  • how they were installed

  • who they were installed for

  • whether they were 32-bit or 64-bit.

Miss any of these locations and your audit is incomplete.



-------------------------------------------------------------------------------------------------------

The Uninstall Keys: Your First Stop

The Uninstall keys are the best starting point for any application audit. Each installed application gets its own subkey, named either by its MSI product code GUID (if it has one) or just by its application name.


Inside each subkey, you'll find a consistent set of values that cover the basics:

  • Application name and version

  • Software publisher

  • File size and install location on disk

  • Install date (date only — no time component)


That last point is worth emphasizing. InstallDate stores only a calendar date, not a time.

If you need more precision, you'll need to lean on the registry Last Write Time of the subkey — which is sometimes accurate, but comes with its own set of caveats we'll get to in a moment.

One field that often goes underappreciated is the UninstallString. This contains the exact command Windows would run to remove the application.

If you see MsiExec.exe /I{GUID} in there, that GUID is your new best friend.

It's a globally unique product code specific to that exact version of that software — plug it into a registry search, or even a web search, and you'll often find corroborating data quickly.


-------------------------------------------------------------------------------------------------------

The Timestamp Problem Nobody Warns You About

This is where application forensics gets genuinely tricky — and where experienced analysts earn their credibility.


The InstallDate value and the subkey's Last Write Time should ideally tell you the same thing: when this application arrived on the system. Often they do. But there's a specific scenario that silently destroys the reliability of Last Write Times across huge swaths of this key, and it's one you need to watch for.



-------------------------------------------------------------------------------------------------------

MSI Package Codes: The Hidden Cross-Reference

If you see an UninstallString that contains MsiExec.exe /I{GUID} — stop and write that GUID down. This is the MSI product code, and it's a forensic thread worth pulling.


That GUID is specific to one exact version of one specific application. It appears in the Uninstall key, but it also shows up in the Products key under SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\<SID>\Products, organized by user SID.

The Registry Explorer Products plugin aggregates all of these entries into a single table, letting you see MSI-installed applications organized by which user account installed them.


The GUID is also specific enough that a basic web search will usually tell you exactly what product and version you're looking at. Useful when you find an application that's been renamed or when an installer name isn't immediately recognizable.
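As an added worked example (not code from the original post, nor from Registry Explorer), the following Python turns an UninstallString into that cross-reference: it extracts the product code and derives the packed 32-character form that names the matching subkey under Installer\UserData\<SID>\Products. The two entries and the GUID are constructed sample data.

```python
import re

# Constructed sample Uninstall subkeys (not from a real system): one installed
# by an MSI package, one by a vendor uninstaller that carries no product code.
SAMPLE_UNINSTALL_ENTRIES = {
    "{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}": {
        "DisplayName": "Sample Reader 11.0",
        "UninstallString": "MsiExec.exe /I{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}",
    },
    "ExampleTool": {
        "DisplayName": "Example Tool 1.2",
        "UninstallString": r'"C:\Program Files\ExampleTool\unins000.exe"',
    },
}

GUID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")

def msi_product_code(uninstall_string):
    """Return the MSI product code from an MsiExec-style UninstallString,
    normalised to upper case with braces, or None for non-MSI uninstallers."""
    if "msiexec" not in uninstall_string.lower():
        return None
    match = GUID_RE.search(uninstall_string)
    return "{" + match.group(1).upper() + "}" if match else None

def compressed_guid(product_code):
    """Convert a product code to the 32-character packed form that names the
    subkey under Installer\\UserData\\<SID>\\Products: the first three text
    segments are reversed whole, the rest is reversed in two-character pairs."""
    hexstr = product_code.strip("{}").replace("-", "").upper()
    if len(hexstr) != 32:
        raise ValueError("not a GUID: %r" % product_code)
    head = hexstr[0:8][::-1] + hexstr[8:12][::-1] + hexstr[12:16][::-1]
    tail = "".join(hexstr[i:i + 2][::-1] for i in range(16, 32, 2))
    return head + tail

def cross_reference(entries):
    """For each Uninstall subkey, give the product code (if any) and the
    Products subkey name to search for under every user's SID."""
    rows = []
    for subkey, values in entries.items():
        code = msi_product_code(values.get("UninstallString", ""))
        rows.append({
            "subkey": subkey,
            "name": values.get("DisplayName"),
            "product_code": code,
            "products_subkey": compressed_guid(code) if code else None,
        })
    return rows
```

The packed name is what to search for in each user's Products key; an entry whose Uninstall subkey is gone but whose packed GUID still appears there is itself a finding.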


-------------------------------------------------------------------------------------------------------------

Modern Apps: The UWP Complication

Traditional desktop applications and the newer Universal Windows Platform apps — those installed from the Microsoft Store — play by different rules and need a different starting point.

UWP app data is spread across multiple filesystem and registry locations. In the registry, SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore is the place to begin. Subkeys here cover both native Windows system applications and those installed for specific users, giving you a reasonable inventory of modern Store-based applications alongside your traditional desktop software audit.


-------------------------------------------------------------------------------------------------------------

The Keyword Search You Should Always Run

Here's the thing about installed application forensics: the Uninstall keys are a starting point, not a complete picture. Applications leave traces all over the registry — their own configuration keys, MRU lists specific to that application, crash reporting entries, usage statistics, update records, and more. And some of this data persists even after the application has been uninstalled.



-------------------------------------------------------------------------------------------------------------

The Uninstalled App Problem

Here's the scenario that makes application forensics genuinely interesting from an investigative standpoint:


Someone installs a hacking tool, uses it, then uninstalls it and empties the Recycle Bin for good measure. They think they've cleaned up.

They haven't.

The Uninstall key entry is gone. But the application's own configuration keys?

Often still there — especially if the uninstaller was sloppy about cleanup, which many are. Any files the application created? Potentially still on disk in unallocated space. And critically, any registry keys the application wrote for its own use — MRU lists, settings, license information — may persist in unallocated registry space, waiting to be found by a tool like Registry Explorer that specifically surfaces deleted registry structures.

The absence of an entry in the Uninstall keys doesn't mean the application was never there. It means someone tried to remove it. And trying to remove something is itself a data point worth noting.

-------------------------------------------------------------------------------------------------------------

The Practical Takeaway

Application auditing is one of those forensic tasks that rewards methodical coverage.

  • Skip the WOW6432Node keys and you'll miss a surprising number of 32-bit applications that are still extremely common.

  • Skip the NTUSER hives and you'll miss user-specific installations entirely.

  • Rely solely on Last Write Times without checking for mass patch events and you'll build a timeline that's subtly wrong in ways that are very hard to catch.
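The Last Write Time caveat from the timestamp section and the mass patch events the takeaway warns about can be checked mechanically. As an added example (not the post's own code), this Python takes InstallDate values and subkey Last Write Times as an analyst would export them from Registry Explorer, flags subkeys written in one burst, and labels the rest by whether InstallDate corroborates the write time. The rows are constructed sample data.

```python
from collections import namedtuple
from datetime import datetime, timedelta

UninstallRow = namedtuple("UninstallRow", "subkey install_date last_write")
# Constructed sample rows (not from a real hive). Three subkeys share one write
# burst: the signature of an update run that rewrote them all at once.
SAMPLE_ROWS = [
    UninstallRow("AppA", "20250110", datetime(2025, 3, 12, 3, 14, 5)),
    UninstallRow("AppB", "20241205", datetime(2025, 3, 12, 3, 14, 5)),
    UninstallRow("AppC", "20250220", datetime(2025, 3, 12, 3, 14, 7)),
    UninstallRow("RemoteTool", "20250305", datetime(2025, 3, 5, 22, 41, 9)),
    UninstallRow("WiperTool", "20250218", datetime(2025, 2, 27, 9, 2, 33)),
    UninstallRow("NoDate", None, datetime(2025, 1, 20, 11, 0, 0)),
]

def parse_install_date(value):
    """InstallDate is YYYYMMDD with no time component; None if absent or malformed."""
    try:
        return datetime.strptime(value, "%Y%m%d").date()
    except (TypeError, ValueError):
        return None

def find_mass_write_events(rows, window=timedelta(seconds=30), min_keys=3):
    """Subkeys whose Last Write Time sits in a cluster of at least min_keys keys
    written within `window` of each other (a patch or update run)."""
    ordered = sorted(rows, key=lambda r: r.last_write)
    flagged, start = set(), 0
    for end in range(len(ordered)):
        while ordered[end].last_write - ordered[start].last_write > window:
            start += 1
        if end - start + 1 >= min_keys:
            flagged.update(r.subkey for r in ordered[start:end + 1])
    return flagged

def classify(rows, **kw):
    """Label each subkey by how far its Last Write Time can be trusted as an
    install time, using InstallDate (date only) as the cross-check."""
    mass = find_mass_write_events(rows, **kw)
    labels = {}
    for r in rows:
        inst = parse_install_date(r.install_date)
        if r.subkey in mass:
            labels[r.subkey] = "mass-write"  # written with many others: not an install time
        elif inst is None:
            labels[r.subkey] = "install-date-missing"
        elif inst == r.last_write.date():
            labels[r.subkey] = "corroborated"
        else:  # key rewritten after install (update, reinstall) or a clock anomaly
            labels[r.subkey] = "modified-later" if r.last_write.date() > inst else "anomaly"
    return labels
```

Keys labelled mass-write still keep a usable InstallDate; only their Last Write Time has lost its meaning as an install timestamp.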



The registry has the receipts. Your job is to find all of them.

-------------------------------------------------------------------------------------------------------

Dean


© 2023 by Cyberengage. All rights reserved.