Monday, October 1, 2012



Forensic value with registry keys

The registry has five root keys, each with a different purpose, and the subkeys beneath them differ in purpose as well. The table below lists the subkeys under those root keys that have forensic value, grouped by what they record. Two caveats before using it: HKLM\SYSTEM\CurrentControlSet is an alias for one of the ControlSet00N keys, so when you examine an offline SYSTEM hive read HKLM\SYSTEM\Select\Current to find which one was in use; and HKCU is the hive of the logged-on user (that user's NTUSER.DAT), so on a disk image each user's NTUSER.DAT has to be examined separately.

Keys with forensic value

Each entry gives the key followed by what it records.

Software

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
    Installed applications: one subkey per executable with the full path the shell uses to launch it.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    Installed (uninstallable) applications: DisplayName, InstallDate, InstallLocation, UninstallString.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    User profiles by SID: ProfileImagePath ties an SID seen elsewhere to a user name and profile folder.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
    System Restore configuration (XP); the restore points themselves hold snapshots of the registry hives.

HKLM\SOFTWARE\Classes
    Machine-wide COM class registration and file associations.

HKCU\Software\Classes
    The same, per user. Per-user entries override the machine-wide ones, so an association or COM object can be hijacked here without administrator rights.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
    Policy for the common Open/Save dialogs. NoFileMru = 1 stops the dialogs from recording recently used files, which is itself worth noting if set.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    Commands typed into Start > Run. Each command is stored under a single-letter value name; the MRUList value gives the order, most recent first.

HKCU\Software\Microsoft\Search Assistant\ACMru
    Search Assistant history (XP): files and folders searched for (5603), words or phrases searched for inside files (5604), Internet searches (5001), computers searched for (5647).

HKLM\Software\Microsoft\Command Processor
    The AutoRun value is a command line executed every time cmd.exe starts (a per-user copy lives under HKCU as well); a persistence location, not just a setting.

HKCU\Software\Microsoft\Protected Storage System Provider
    Windows Protected Storage (pre-Vista): Internet Explorer AutoComplete data and saved credentials for IE and Outlook Express, stored under the user's SID.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Logon configuration. DefaultUserName records the last interactive logon on XP. Shell and Userinit here are common persistence targets; check them against the defaults explorer.exe and C:\Windows\system32\userinit.exe, (trailing comma included).

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
    Last Visited MRU: executables that used the Open/Save dialogs and the folder each last opened or saved from (LastVisitedPidlMRU on Vista and later).

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
    Files recently opened or saved through the common dialogs, in per-extension subkeys plus a * subkey (OpenSavePidlMRU on Vista and later).

Hardware

HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\XXXX
    Current hardware settings; XXXX is the profile number, and the Current subkey is a link to the active profile.

HKLM\SYSTEM\MountedDevices
    Volumes the system has mounted: \DosDevices\X: drive letters and \??\Volume{GUID} entries. For USB devices the value data is the USBSTOR device string, so it links a drive letter to a specific device and serial.

HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
    USB mass storage devices ever connected: vendor, product and revision in the subkey name, then a subkey per device serial number. If the second character of the "serial" is &, Windows generated it because the device reported none. Key last-write times give connection times.

Network

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}
    Per-adapter IP configuration: IPAddress or DhcpIPAddress, DefaultGateway, DhcpServer, and the DHCP lease times (LeaseObtainedTime, LeaseTerminatesTime, Unix epoch).

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
    Network shares (UNC paths) the user mapped through Explorer, ordered by MRUList.
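Two of the rows above need a little decoding before they say anything: RunMRU has to be read in MRUList order, and a USBSTOR device only becomes useful once MountedDevices ties it to a drive letter and you know whether its serial is real. The script below is an added example, not part of the original post; the registry values it works on are constructed samples embedded in the script so it runs offline. On a live host the same dictionaries would be filled from winreg or from a parsed NTUSER.DAT and SYSTEM hive; nothing here talks to a real registry.

```python
"""Decode RunMRU order and correlate USBSTOR with MountedDevices.

Added example for the key table above. All registry data below is
constructed sample data, not taken from a real system.
"""
import re
from typing import Dict, List, Optional

# --- HKCU\...\Explorer\RunMRU -------------------------------------------
# Commands are stored under single-letter value names with a trailing "\1";
# the MRUList string lists those letters most-recent-first.
RUNMRU_SAMPLE: Dict[str, str] = {                     # constructed sample
    "a": "cmd\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "regedit\\1",
    "d": "mstsc\\1",
    "MRUList": "dcab",
}


def runmru_in_order(values: Dict[str, str]) -> List[str]:
    """Return Run-dialog commands most-recent-first, without the '\\1' suffix."""
    commands = []
    for letter in values.get("MRUList", ""):
        cmd = values.get(letter)
        if cmd is None:          # MRUList can name a value that was deleted
            continue
        if cmd.endswith("\\1"):
            cmd = cmd[:-2]
        commands.append(cmd)
    return commands


# --- HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR --------------------------
# Device subkey: <type>&Ven_<vendor>&Prod_<product>&Rev_<revision>
# Instance subkey beneath it: <serial>&<instance>
USBSTOR_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$"
)
USBSTOR_SAMPLE: Dict[str, List[str]] = {              # constructed sample
    "Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP": ["001CC0EC3450BB10E7400C2B&0"],
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": ["6&2a3b4c5d&0"],
}


def parse_usbstor(device_key: str, instance_key: str) -> dict:
    """Split a USBSTOR device/instance pair into its fields.

    A serial whose second character is '&' was generated by Windows because the
    device reported no serial; it is not unique across machines.
    """
    m = USBSTOR_RE.match(device_key)
    if not m:
        raise ValueError(f"not a USBSTOR device key: {device_key}")
    serial = instance_key.rsplit("&", 1)[0]           # drop trailing "&<instance>"
    info = m.groupdict()
    info["serial"] = serial
    info["generated_serial"] = len(serial) > 1 and serial[1] == "&"
    return info


# --- HKLM\SYSTEM\MountedDevices -----------------------------------------
def _utf16(s: str) -> bytes:
    return s.encode("utf-16-le")


MOUNTED_SAMPLE: Dict[str, bytes] = {                   # constructed sample
    # fixed disk: 4-byte MBR signature + 8-byte partition offset, little-endian
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4") + (0x7E00).to_bytes(8, "little"),
    # USB device: UTF-16LE device string, "_??_USBSTOR#<device>#<instance>#{class GUID}"
    "\\DosDevices\\E:": _utf16(
        "_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP"
        "#001CC0EC3450BB10E7400C2B&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    ),
}


def decode_mounted_device(data: bytes) -> dict:
    """Interpret one MountedDevices value (MBR disk, USBSTOR string, or other)."""
    if len(data) == 12:
        return {
            "kind": "mbr",
            "signature": f"{int.from_bytes(data[:4], 'little'):08X}",
            "offset": int.from_bytes(data[4:], "little"),
        }
    text = data.decode("utf-16-le", errors="replace")
    if text.startswith("_??_USBSTOR#"):
        device, instance = text[len("_??_USBSTOR#"):].split("#")[:2]
        return {"kind": "usbstor", "device": device, "instance": instance}
    return {"kind": "other", "text": text}


def usb_devices_report(usbstor: Dict[str, List[str]],
                       mounted: Dict[str, bytes]) -> List[dict]:
    """List every USBSTOR device with the drive letter MountedDevices gave it."""
    letters: Dict[tuple, Optional[str]] = {}
    for name, data in mounted.items():
        d = decode_mounted_device(data)
        if d["kind"] == "usbstor" and name.startswith("\\DosDevices\\"):
            letters[(d["device"], d["instance"])] = name[-2:]
    report = []
    for device_key, instances in usbstor.items():
        for inst in instances:
            info = parse_usbstor(device_key, inst)
            info["drive_letter"] = letters.get((device_key, inst))
            report.append(info)
    return report


if __name__ == "__main__":
    print(runmru_in_order(RUNMRU_SAMPLE))
    for row in usb_devices_report(USBSTOR_SAMPLE, MOUNTED_SAMPLE):
        print(row)
```

The Kingston device in the sample resolves to E: and carries a real serial; the generic flash disk has a Windows-generated one (note the & in position two), so it cannot be matched to the same physical stick on another machine, and it has no drive-letter entry, which usually means it was last mounted under a letter since reassigned to something else.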
