The Registry Hives You May be MSIX-ING: Registry Redirection with MS MSIX
MSIX is a Windows app package format designed for Windows 10+ that supports desktop, mobile and other Windows 10+ devices.
According to Microsoft, MSIX allows developers to utilize new, modern packaging while providing reliability, network bandwidth optimization and disk space optimization.1
One of the features of MSIX applications is registry redirections. This is where “all registry operations are redirected into special per-app registry hives…and at runtime these hives are virtually merged with the OS registry allowing the app to “see” the full registry as a single unit.”2
The per-app registry files are named Registry.dat, Usr.dat and UsrClasses.dat and they are stored under %localappdata%\Packages<APPID>\SystemAppData\Helium
What Does This Mean for Us from a Digital Forensics and Incident Response Perspective?
Apps utilizing the MSIX app package format keep a separate set of registry files that they write data to instead of the traditional registry hives we normally look at in forensics. If you are not looking at these application specific registry hives, you may be missing data such as files and folders opened or accessed.
What Applications Utilize This Format?
A quick look at a Windows 11 system located 15 applications that had per-app registry files to include DropBox, Teams and Paint. As an example of what you can find in these app specific registry hives, we will walk through an application – Windows Notepad.
While performing incident response investigations, we’ve observed Notepad being used to open output files such as password dumps or network scanning output files. Notepad can quickly and easily open commonly created plain text files created by many malware and reconnaissance tools.
The location of the app specific registry hives for Notepad were located under the following path on Windows 11:
C:\Users\User\AppData\Local\Packages\
Microsoft.WindowsNotepad_8wekyb3d8bbwe\SystemAppData\Helium.
Two registry hives were located: User.dat and UserClasses.dat:
Registry hives located in the MSIX application directory
These registry hives do not appear to have all the keys and subkeys of a full registry file. Instead, they appear to have a smaller subset of registry keys pertaining to the specific app.
Per-App User.dat hive
First, we will start with the per-app User.dat file. Opening this file with Registry Explorer reveals some interesting entries. In this registry hive, we have the ComDlg32 registry key, which contains two subkeys of interest, the OpenSavePIDMru and the LastVistedPIDMru. For this example, we are going to focus on the OpenSavePIDMru.
The OpenSavePIDMru is a forensic artifact that stores files that have been opened or saved with the Windows Common Dialog box. For a more in-depth review of this artifact, please see this writeup by SANS instructor Chad Tilbury.
Reviewing this app specific registry key for the Notepad application reveals 34 documents opened/saved using Notepad all with the .txt file extension:
Files opened/saved with the Notepad app stored in the per-app User.dat hive
In comparison, this users NTUSER.dat hive OpenSavePIDMru registry key contains none of the entries:
User’s NTUSER.DAT hive with no .txt files
This follows what the documentation on MSIX application stated – that the application will write per-user entries to the corresponding per-app registry hives.
Additional testing was conducted related to the Notepad per-app registry key OpenSavePidMru. A file named ipaddresses.txt was opened with a third party text editor called Notepad++. As expected, entries were made in the user’s NTUSER.DAT hive OpenSavePIDMru key. A second text file named pwdump.txt was opened only with the Windows Notepad application. Entries for the pwdump.txt file were located in the per-application User.dat hive OpenSavePIDMru key, but NOT in the NTUSER.DAT hive.
pwdump.txt file not recorded in the NTUSER.DAT hive
pwdump.txt file recorded in the Notepad app specific User.dat hive
Per-app UserClasses.dat hive
An important artifact leveraged in many investigations is commonly referred to as ShellBags. ShellBags can be used to help determine what folders a user accessed or interacted with in the past. Normally, an examiner will look at two registry hives for this – the NTUSER.DAT hive and the UserClass.dat hive.
As noted above, one of the per-application registry hives created is the UsrClasses.dat hive. This hive appears to contain folders traversed into by the application that are NOT stored in the ShellBags of the NTUSER.DAT hive and UsrClass.dat hive
A test was conducted where a USB thumb drive was plugged into a test system. Using Notepad, a file under D:\TestFolder1\TestFolder2 was opened. A search was conducted for “TestFolder1” and “TestFolder2” within both the NTUSER.DAT hive, and the UsrClass.dat hive. Although hits were found in the recent documents key, no hits were found in the ShellBags key.
Folders traversed to with Notepad application not in NTUSER.DAT hive and USRCLASS.dat hive
However, both folders were located in the Notepad per-app UserClasses.dat registry hive:
TestFolder1 located in UserClasses.dat hive
TestFolder1 located in UserClasses.dat hive
Conclusion
Traditionally in forensics, there has been a focus on the System, Software and User registry hives. With the introduction of MSIX in Windows 10+, applications can write to application specific registry hives that may contain unique forensic information that may not be located in other Windows registry hives. This was just an example of some of the registry keys located - there are more to be found. In addition, these registry hives have been located in Volume Shadow Copies which may provide rich historical artifacts to review. These application specific registry hives should be considered for future digital forensics and incident response engagements to avoid missing potentially valuable forensic information.