Any differences between xp and vista registry?

Nov 3, 2005
Hello everyone,
I'm new here and really like what I see. This seems to be an active and informative forum.

I'm currently doing a research paper on a forensic analysis of the windows registry and in it I would like to include any differences between an xp registry and a vista registry...

Does anyone know if there are any substantial differences that are worth mentioning?

Thanks in advance!

D. Farmer


New Member
Feb 27, 2007
Bit locker

This link might be of inerest to you as far as getting to the drive<br/>
Also Microsoft has changed how the SAM file and SYSKEY work in Vista alot of the old cracking tools haven't caught up yet. I think orphcrack has an update,,,and Cain & Able4.5</t>
Nov 3, 2005
Hmm.. let me be more specific.

I understand the new features between the two operating systems...

I'm just wondering if anyone knows of any substantial differences within the vista registry opposed to the xp registry. At first glance through regedit they both look very similiar and seem to be compromised of all the same keys. I'm wondering of the differences in terms of additional MRU lists, passwords, USB artifacts, email clients, web browsers, instant messaging clients, p2p clients.. etc, etc.

When examining the registry does anyone know of any differences that perhaps would make an investigation on a vista machine more or less difficult?

I'm currently a senior at champlain college and am doing my senior seminar research paper on what types of evidence can be found in the system registry... It's pretty amazing..

Any help is greatly appreciated! Again, Thanks in advance.

D. Farmer
Sep 2, 2004
My upcoming book has an entire chapter on Registry analysis... Troy Larson of MS described that chapter as "worth the price of the book".

If there's anything I can do to help, drop me a line at keydet89 at yahoo dot com.

Nov 3, 2005
Hi Keydet,
Actually, at a presentation just recently I spoke with an agent of the U.S Secret Services who mostly does computer forensic work. I asked him of the differences between the vista registry and the previous Microsoft Registries and he told me to research about the "virtual SAM box"... I guess Vista has done a new thing in the registry which will make it easier for forensic specialists and it has to do with logging user information password hashes..

I may have misunderstood him, but do you know anything about this Keydet?

The only thing I could find on SAM is this...

Thanks in advance!



New Member
Jul 18, 2006
As I understand it, it's a workaround so that non-admin users can install limited software, Active-X, etc. Since they can't update the "real" SAM, they are given a virtual one to update. Same for program files. Another user on the same machine has to re-install the same elements in their own virtual SAM as well.

I'm sure there's more than just this that we'll learn over time. My guess is it makes our job harder since we now that the user virtualization in addition to everything else.


About us

  • Our community began in 2004. Since this time, we have grown to have over 29,000+ members within the DFIR & Cyber Security community.

    We are happy to announce that this forum is now under new ownership with the goal to once again become the main Digital Forensics Forum on the internet for DFIR, OSINT and Cyber Security.

    If you can think of ways to help us improve, please let us know.

    We pride ourselves on offering unbiased, critical discussion among people of all different backgrounds.

    We are working every day to make sure our community is one of the best.

Quick Navigation

User Menu