Finding Information in the Software Key

The information found in the Software key (HKLM\SOFTWARE) is located in a file named software, as shown in Figure 9-1. This file is found in the path %SystemRoot%\system32\config and should not be confused with the Software key found in the HKEY_CURRENT_USER key, abbreviated HKCU. The HKLM\SOFTWARE key contains software settings for the local machine, while HKCU\Software contains software settings that are user specific. Although both are important, our current focus is on the local machine software settings.

Figure 9-1: Location of the software hive file in the path %SystemRoot%\system32\config

Installed ...

Get Mastering Windows Network Forensics and Investigation, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Mastering Windows Network Forensics and Investigation, 2nd Edition by

Finding Information in the Software Key

Installed ...

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly