Artifacts

Posts Tagged ‘CurrentControlSet’


CurrentControlSet (Windows)

Posted by:  /  Tags: , , , ,  /  Comments: 3

Author Name
Joe Garcia

Artifact Name
CurrentControlSet (Windows Registry)

Description
A Control Set contains system configuration information for a Windows Operating System. Windows maintains two Control Sets and knowing which one to focus on during your examination is critical. Knowing the CurrentControlSet will be important to gather information of evidentiary importance such as Computer Name, Time Zone information, Shutdown Times, and even what USB Devices connected to the system.

Once you have exported out the Registry Hive of the computer that you are examining, you can use MiTeC’s Windows Registry Analyzer or AccessData’s Registry Viewer to determine what the CurrentControlSet is. Use either of those programs to open the SYSTEM Hive. You will see the following once it is open:





Now navigate to the SYSTEM\Select key. It is here you will see 4 entries. Current, Default, Failed and LastKnownGood. Current is the CurrentControlSet used last boot up the system. Default usually matches the Current. Failed denotes which control set that was unable to successfully boot into the system and LastKnownGood is the control set that last successfully booted into the system.

Going back to your registry viewer of choice, find the Select key and highlight it:





In the example above, you will see Current has a value of 0x1 or (1). This means that the CurrentControlSet is ControlSet001. That means you must focus on ControlSet001 to gather the information that you are looking for during your examination. As you can see in the above screenshots, the Default value matches the Current value. Looking at the Failed entry, it shows a value of 0x0 which means that there was no failed boot ups. Finally, the LastKnownGood value shows 0x2 or (2), meaning that ControlSet002 previously booted into the system successfully.

Registry Keys
SYTEM\ControlSet001
SYSTEM\ControlSet002
SYSTEM\Select\Current
SYSTEM\Select\Default
SYSTEM\Select\Failed
SYSTEM\Select\LastKnownGood

Research Links
http://support.microsoft.com/kb/100010
http://technet.microsoft.com/en-us/library/cc783264%28WS.10%29.aspx

Forensic Programs of Use
MiTeC Windows Registry Analyzer (by Michal Mutl)- http://www.mitec.cz/Data/XML/data_downloads.xml (found under Registry/INI Tools)

AccessData Registry Viewer- www.accessdata.com/support/downloads