Registry hives live in RAM continuously — every process opens hive handles
on startup, and Windows caches active hives in non-paged pool. But the
older / colder portions of large hives (think SOFTWARE on a busy
server, or stale NTUSER.DAT of an idle user) do get paged out, and
that's where pagefile carving earns its keep: you can reconstruct deleted
or modified registry data that's no longer visible on disk.
The two signatures that matter
Windows registry hives are made of two block types, both 4 KB-aligned and both trivially carvable:
| Signature | Hex | What it is |
|---|---|---|
regf | 72 65 67 66 | Hive base block — the file header |
hbin | 68 62 69 6E | Hive bin — a 4 KB cell container |
A complete hive on disk starts with a single regf block (4 KB) followed
by a sequence of hbin blocks. In a pagefile, you almost never get the
sequence intact — what you do get is many isolated hbin blocks, each
representing a 4 KB chunk of registry data that was paged out from RAM.
The parser classifies each 4 KB page and tags regf / hbin
matches in the Page map tab. Click each one to see its absolute file
offset.
What survives in an isolated hbin
An hbin is a container for cells. Each cell is either:
- A key node (
nk) — has the key name, last-write time, parent reference, sub-key count. - A value entry (
vk) — name, type (REG_SZ,REG_DWORD,REG_BINARY, etc.), data offset. - A subkey list (
lf,lh,li,ri). - A security descriptor (
sk). - Big data for values larger than the cell size (
db). - The actual value bytes.
A single 4 KB hbin typically contains a few dozen cells. Even a stranded
bin can give you:
- The names and last-write times of keys that lived in that bin.
- The names and types of values, plus their data if the data was inline
(most
REG_SZandREG_DWORDvalues are). - Deleted cells: when a key or value is removed, the cell is marked free (high bit of the size flips) but its content is not zeroed. Live hive tools skip deleted cells; carvers can read them.
This is the main forensic prize — registry artifacts that no longer exist in the live hive.
Extracting cells from a carved hbin
You can't load a single hbin into Regedit or Registry Explorer directly
— they want a full regf-prefixed file. The workflow:
- Find
hbinpages in pagefile via this tool's Page map. - Note the absolute offsets, e.g.
0x12340000,0x12341000. ddthe bytes out:dd if=pagefile.sys of=hbin1.bin bs=1 skip=$((0x12340000)) count=4096- Either:
- Manually parse: the Microsoft Windows registry file format reference (libregf docs) is the canonical source.
- Prepend a synthetic
regfheader so a hive viewer accepts the file —yarp(Maxim Suhanov's Python registry parser) has helpers for this and is much more tolerant of corruption thanhivexshor Registry Explorer.
What to look for in carved hives
The keys most worth recovering from a pagefile:
SAM\Domains\Account\Users\…— RID, NT hash, account flags.SECURITY\Policy\Secrets\…— LSA secrets (machine account password, service account credentials, DPAPI master keys).SOFTWARE\Microsoft\Windows\CurrentVersion\Run/RunOnce— persistence entries.SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks— scheduled task GUIDs.SYSTEM\CurrentControlSet\Services\…— installed services, including malware that registered itself.NTUSER.DATSoftware\Microsoft\Windows\CurrentVersion\Explorer\RunMRU— recently typed Run dialog commands.NTUSER.DATSoftware\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths— Explorer address-bar history.UsrClass.datShellBags — folders the user opened, even ones since deleted.
A page-carved fragment of any of these is forensically meaningful even without the surrounding hive context.
Comparing with the live system
If you have both the pagefile and the live SOFTWARE / SYSTEM /
SAM / NTUSER.DAT hives from C:\Windows\System32\config\:
- Diff the carved fragments against the live hive — anything in the carved data that isn't in the live hive is deleted. That's the evidence.
- Use
yarp(orregipy) to walk both and emit a unified list of values.
Limitations specific to registry carving
- No transaction log replay: the live hive system uses
*.LOG1/*.LOG2files to make writes durable; in a paged-out fragment you might be seeing pre-commit state that the live hive has already overwritten. - Cell offsets are relative to the hive base: pointers from one cell to another (subkey list pointers, value lists) are useless without the full hive base block — you read the cells inline but can't navigate.
- Compressed pages: on Windows 10+, an
hbinmight be Xpress-Huffman compressed before being paged out. This tool flags such pages in the page map; manual decompression is a future feature.
Related reading
- How pagefile.sys forensics actually works — the underlying carving + signature catalog.
- Limitations of pagefile.sys analysis — why some pages don't carve cleanly.
- Finding credentials in pagefile.sys — many of which live in SAM / SECURITY hives.