NTUSER.DAT

1. Introduction to NTUSER.DAT

What is NTUSER.DAT?

  • NTUSER.DAT is a user-specific registry hive that stores configuration info, application settings, and user behavior artifacts.

  • It acts as a snapshot of a user’s environment and activity.

File Location & Lifecycle:

  • Located at C:\Users\[Username]\NTUSER.DAT for standard user accounts. It is a hidden system file, so it does not show in a default Explorer listing.

  • For service accounts (e.g., Local Service, Network Service), at C:\Windows\ServiceProfiles\*\NTUSER.DAT.

  • On logon, Windows loads it into memory and maps it to HKEY_USERS\<SID>; HKEY_CURRENT_USER is an alias for that subtree in the logged-on session.

  • While loaded, the hive file is locked and changes are committed through its transaction logs (ntuser.dat.LOG1 / .LOG2, hidden files next to the hive) before being flushed into the hive itself; at logoff or shutdown it is unloaded. A copy taken while the user is still logged on can therefore lag behind the logs.

  • In MSIX-based applications, there can be app-specific hives: under %localappdata%\Packages\<APPID>\SystemAppData\Helium\User.dat.

Why It Matters for Forensics:

  • Reveals which programs the user ran, the frequency, and when.

  • Tracks files accessed, user interactions with GUI, recent documents, typed paths.

  • Helps identify persistence (malware) via Run / RunOnce keys.

  • Includes timestamps that can be correlated with Prefetch, event logs, and other sources to build a timeline.

  • Because it's user-specific (HKCU), it gives context about which user did what, distinguishing from system-wide activity.

  • Shows user intent: typed paths, open/save history, etc., which can be powerful in investigations.


2. Key Artifacts & Registry Locations

Here are the main NTUSER.DAT artifacts that are useful in forensic investigations:

Each entry lists the artifact, its registry location, its purpose, and important notes.

UserAssist

  • Registry Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

  • Purpose: Evidence of execution of programs launched through the GUI (shortcuts and executables); each value carries a run count, focus count, focus time and last run time.

  • Important Notes: Value names are ROT13-encoded, and well-known folders appear as GUIDs rather than paths. On Windows 10+, entries can exist for items that were never actually run, so run counts and last-run times must be interpreted carefully.

RunMRU

  • Registry Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

  • Purpose: Records up to 26 recent commands (values a through z) entered in the Start > Run dialog; the MRUList value gives the order, most recent first.

  • Important Notes: It records what was entered when the user pressed OK or Enter; it does not prove the command ran successfully.

LastVisitedMRU

  • Registry Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

  • Purpose: Tracks, per application, the executable that showed an Open/Save dialog and the last directory it was pointed at.

  • Important Notes: Only reflects access through the common dialog, not all file accesses.

OpenSaveMRU

  • Registry Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

  • Purpose: Records the most recently accessed files, grouped by extension (plus a "*" subkey for all extensions), via Open/Save dialogs.

  • Important Notes: Check app-specific hives too; applications with their own file dialogs do not write here.

RecentDocs

  • Registry Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

  • Purpose: List of recently accessed documents and folders.

  • Important Notes: Subkeys by extension (and a Folder subkey); MRUListEx gives the order. Only the key's last-write time is recorded, so it dates the most recent entry only; correlate with the .lnk files in %AppData%\Microsoft\Windows\Recent for the others.

OfficeMRU

  • Registry Location: NTUSER.DAT\Software\Microsoft\Office\…\File MRU (and User MRU for Office 365)

  • Purpose: Files recently opened in Office apps (Word, Excel, PowerPoint).

  • Important Notes: Each "Item N" value embeds its own FILETIME, so every entry has a last-opened time, and under User MRU the entries are tied to the signed-in account.

ShellBags

  • Registry Location: NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU & …\Bags

  • Purpose: Shows folder structures browsed by the user, including via network shares, even if the folders no longer exist.

  • Important Notes: In NTUSER.DAT this is limited mostly to network (UNC) folders; the bulk of ShellBag data for local folders lives in UsrClass.dat (Local Settings\Software\Microsoft\Windows\Shell), so parse both hives.

WordWheelQuery

  • Registry Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

  • Purpose: Stores search terms typed into the File Explorer search box.

  • Important Notes: MRUListEx gives the order; the key's last-write time dates only the most recent search.

TypedPaths

  • Registry Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

  • Purpose: Paths typed by the user into File Explorer's address bar (values url1, url2, …).

  • Important Notes: Paths are resolved (variables, shortcuts) and stored as full paths.

Run / RunOnce Keys

  • Registry Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run and …\RunOnce (HKCU\… on a live system)

  • Purpose: Programs configured to run when this user logs on.

  • Important Notes: Common persistence area for malware; because it is the per-user key, no administrator rights are needed to write it. RunOnce values are deleted before the command runs, so a present RunOnce entry has not yet executed.

MountPoints2

  • Registry Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

  • Purpose: Shows removable volumes and network shares the user has mounted.

  • Important Notes: Subkeys are volume GUIDs for removable media and ##server#share for network shares; the subkey last-write time approximates the last time the user connected. Join volume GUIDs against SYSTEM\MountedDevices to identify the device.

Terminal Server Client (RDP)

  • Registry Location: NTUSER.DAT\Software\Microsoft\Terminal Server Client\Servers (and …\Default)

  • Purpose: Records outbound RDP connections made by the user.

  • Important Notes: Servers\<hostname> subkeys carry a UsernameHint value (the account used); the Default key's MRU0, MRU1, … values list the most recently connected hosts.

Installed Apps (User-Specific)

  • Registry Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Uninstall

  • Purpose: Lists applications installed only for that user (not system-wide).

  • Important Notes: Useful to see software in the user's context, including per-user installs that do not appear in the SOFTWARE hive.
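The UserAssist, RunMRU, RecentDocs and WordWheelQuery rows above all describe raw binary or encoded values; the following Python is an added example (not from the original page or any of the tools it names) showing how those values are decoded once extracted from the hive: the ROT13 name and 72-byte structure of a UserAssist entry, and the two MRU ordering schemes (the letter string MRUList and the uint32 array MRUListEx). The value names, byte strings and the single known-folder GUID mapping are constructed for the demonstration.

```python
"""Decode raw NTUSER.DAT values offline: UserAssist entries and MRU ordering.

Added example, not code from the original page. The sample value names and
byte strings below are constructed to mimic the on-disk layouts; they were not
taken from a real system.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Known-folder GUID seen in UserAssist paths. Assumption: only this single
# well-known entry (FOLDERID_System) is mapped here; real tools carry a table.
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32",
}


def filetime_to_iso(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO 8601."""
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).isoformat()


def utf16z(data):
    """Return the leading NUL-terminated UTF-16LE string of a binary value."""
    for i in range(0, len(data) - 1, 2):          # stay on 2-byte boundaries
        if data[i:i + 2] == b"\x00\x00":
            return data[:i].decode("utf-16-le")
    return data.decode("utf-16-le", errors="replace")


def decode_userassist(value_name, data):
    """Decode one Windows 7+ UserAssist\\{GUID}\\Count value.

    Name is ROT13; the 72-byte data is: uint32 session, uint32 run count,
    uint32 focus count, uint32 focus time (ms), 10 floats, uint32 unknown,
    FILETIME last run, uint32 unknown.
    """
    if len(data) != 72:
        raise ValueError(f"unexpected UserAssist data length {len(data)}")
    name = codecs.decode(value_name, "rot13")
    for guid, folder in KNOWN_FOLDERS.items():
        name = name.replace(guid, folder)
    _, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
    last_run_ft = struct.unpack_from("<Q", data, 0x3C)[0]
    return {
        "name": name,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        # A zero FILETIME means no launch time was recorded (the "entry without
        # real execution" case): report None rather than 1601-01-01.
        "last_run": filetime_to_iso(last_run_ft) if last_run_ft else None,
    }


def order_mrulist(values):
    """RunMRU-style key: 'MRUList' is a string of letters, most recent first.
    Each entry is 'command\\1'; the trailing '\\1' marker is stripped."""
    ordered = []
    for letter in values["MRUList"]:
        cmd = values[letter]
        ordered.append(cmd[:-2] if cmd.endswith("\\1") else cmd)
    return ordered


def order_mrulistex(values):
    """RecentDocs/WordWheelQuery-style key: 'MRUListEx' is a uint32 array,
    most recent first, terminated by 0xFFFFFFFF; entries are named '0', '1', ..."""
    ordered = []
    for (idx,) in struct.iter_unpack("<I", values["MRUListEx"]):
        if idx == 0xFFFFFFFF:
            break
        ordered.append(utf16z(values[str(idx)]))
    return ordered


# --- constructed samples (not real registry data) -------------------------
SAMPLE_LAST_RUN = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)
_ticks = (SAMPLE_LAST_RUN - EPOCH_1601) // timedelta(microseconds=1) * 10
SAMPLE_UA_NAME = "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr"   # ROT13 of System32\cmd.exe
SAMPLE_UA_DATA = (struct.pack("<4I", 0, 7, 3, 45_000) + b"\x00" * 40
                  + struct.pack("<I", 0) + struct.pack("<Q", _ticks) + struct.pack("<I", 0))

SAMPLE_RUNMRU = {"MRUList": "cab", "a": "notepad\\1", "b": "cmd\\1",
                 "c": "powershell -ep bypass\\1"}

SAMPLE_WORDWHEEL = {
    "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),
    "0": "invoice".encode("utf-16-le") + b"\x00\x00",
    "1": "passwords".encode("utf-16-le") + b"\x00\x00",
}

if __name__ == "__main__":
    print(decode_userassist(SAMPLE_UA_NAME, SAMPLE_UA_DATA))
    print("RunMRU, newest first:", order_mrulist(SAMPLE_RUNMRU))
    print("WordWheelQuery, newest first:", order_mrulistex(SAMPLE_WORDWHEEL))
```

The two ordering functions are the part worth internalising: a tool that lists RunMRU values alphabetically, or RecentDocs values by name, silently destroys the recency information the MRUList/MRUListEx value carries. The zero-FILETIME check in decode_userassist is where the "entries without real execution" caveat from the table surfaces in practice.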

Other artifacts may exist depending on the applications installed (e.g., RMM tools and exfiltration tools typically leave their own keys under Software\). Useful tools for registry artifact analysis: RegSeek, RegRipper 4, RECmd, etc.


3. Methods for Parsing NTUSER.DAT

There are two main approaches to extracting data from NTUSER.DAT:

1. Via the Running System / API

  • Advantages: Easy when the system is live; no need to extract the hive manually. Registry Editor, reg.exe query and PowerShell's Get-ItemProperty all read HKCU / HKEY_USERS\<SID> through the Windows registry API.

  • Disadvantages: The result is only as trustworthy as the running system; malware that hooks the registry APIs or hides keys can feed the tool false data.

  • Tools that rely on this method require a live system. The hive of a logged-on user is also locked, so copying NTUSER.DAT itself needs a raw-disk reader (e.g., FTK Imager, KAPE) or a Volume Shadow Copy.

2. Offline / External Parsing (Hive Parsing)

  • Advantages: More reliable; does not depend on a running system and bypasses API manipulation.

  • Disadvantages: Must deal with transaction logs (ntuser.dat.LOG1 and .LOG2, hidden files next to the hive). A hive copied from a running system, or after an unclean shutdown, is usually "dirty": the sequence numbers in its base block do not match and the logs hold committed changes not yet written into the hive. Parsing it without replaying the logs misses the most recent activity.

  • Tools:

    • RegRipper - command-line, plugin-based registry parser.

    • Registry Explorer - GUI, with bookmarks for common artifacts; detects dirty hives and can replay their transaction logs.

    • RECmd / rla - command-line; can parse the registry and replay transaction logs.

    • Autopsy - open-source DFIR platform with registry modules.
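Before handing a hive copy to any of the offline parsers above, it is worth confirming whether the copy is dirty at all. The Python below is an added example (not from the original page or any tool it names) that reads the 512-byte REGF base block of a hive file, checks the signature and checksum, compares the primary and secondary sequence numbers, and returns a verdict on whether the .LOG1/.LOG2 files must be replayed first. The two sample headers, including the embedded file name and timestamp, are constructed for the demonstration, not taken from a real hive.

```python
"""Check the REGF base block of an NTUSER.DAT copy before offline parsing.

Added example, not code from the original page. The two sample headers are
constructed here to show a clean and a dirty hive; they are not real hives.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
BASE_BLOCK_SIZE = 512


def regf_checksum(block):
    """XOR-32 of the first 508 bytes; 0xFFFFFFFF maps to 0xFFFFFFFE and 0 to 1."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum or 1


def parse_regf_header(block):
    """Parse the base-block fields an examiner needs from a hive file."""
    if len(block) < BASE_BLOCK_SIZE or block[:4] != b"regf":
        raise ValueError("not a registry hive: 'regf' signature missing")
    primary, secondary = struct.unpack_from("<II", block, 4)
    last_written = struct.unpack_from("<Q", block, 12)[0]
    major, minor, file_type, _fmt = struct.unpack_from("<4I", block, 20)
    root_cell, hbins_size = struct.unpack_from("<II", block, 36)
    name = block[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored_csum = struct.unpack_from("<I", block, 508)[0]
    return {
        "primary_seq": primary,
        "secondary_seq": secondary,
        # Primary is incremented before a write and secondary after it
        # completes; a mismatch means committed changes still sit in
        # ntuser.dat.LOG1 / .LOG2 and have not reached the hive file.
        "dirty": primary != secondary,
        "last_written": (EPOCH_1601 + timedelta(microseconds=last_written // 10)).isoformat(),
        "version": f"{major}.{minor}",
        "file_type": "primary" if file_type == 0 else "transaction log",
        "embedded_name": name,
        "root_cell_offset": root_cell,
        "hbins_data_size": hbins_size,
        "checksum_ok": stored_csum == regf_checksum(block),
    }


def triage(block):
    """One-line verdict telling the examiner what to do with this copy."""
    hdr = parse_regf_header(block)
    if not hdr["checksum_ok"]:
        return "header checksum mismatch: copy is truncated or corrupted, re-acquire"
    if hdr["dirty"]:
        return (f"dirty hive (seq {hdr['primary_seq']} != {hdr['secondary_seq']}): "
                "replay the .LOG1/.LOG2 transaction logs before parsing")
    return f"clean hive, last written {hdr['last_written']}"


def build_header(primary, secondary, name="\\??\\C:\\Users\\alice\\ntuser.dat"):
    """Construct a minimal, checksum-valid base block (sample data only)."""
    hdr = bytearray(BASE_BLOCK_SIZE)
    hdr[:4] = b"regf"
    struct.pack_into("<II", hdr, 4, primary, secondary)
    ticks = (datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc) - EPOCH_1601) \
        // timedelta(microseconds=1) * 10
    struct.pack_into("<Q", hdr, 12, ticks)
    struct.pack_into("<4I", hdr, 20, 1, 5, 0, 1)        # version 1.5, primary file
    struct.pack_into("<II", hdr, 36, 0x20, 0x1000)      # root cell, hbins size
    encoded = name.encode("utf-16-le")[:64]
    hdr[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", hdr, 508, regf_checksum(hdr))
    return bytes(hdr)


CLEAN_HIVE = build_header(12, 12)   # sequence numbers agree
DIRTY_HIVE = build_header(13, 12)   # write in flight: logs must be replayed

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_HIVE), ("dirty", DIRTY_HIVE)):
        print(label, "->", triage(blob))
```

On a real acquisition, read the first 512 bytes of the copied NTUSER.DAT and pass them to triage(); a dirty verdict means the .LOG1/.LOG2 files must be collected alongside the hive (they are hidden) and replayed by one of the tools above before any of the artifact keys are trusted.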
