Files

Get more info about a file

PS C:\> Get-ChildItem -Path 'C:\Share\file.txt' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }}

Files of Interest

| File | Explanation |
| --- | --- |
| C:\Windows\System32\config\SAM | Stores user account information. |
| C:\Windows\System32\config\system | Contains system startup settings and driver configurations. |
| C:\Windows\System32\config\software | Contains software installation and configuration data. |
| C:\Windows\System32\config\security | Stores security settings and permissions. |
| C:\Windows\System32\config\default | Contains default user profile settings. |
| C:\Windows\System32\config\RegBack | Backup registry files for system recovery. |
| %WINDIR%\win.ini | Contains system settings for Windows. |
| %WINDIR%\system32\config\txr\{guid}\*.log | Logs of file system changes. |
| C:\Windows\System32\winevt\Logs\Security.evtx | Security event log with information about logins and security events. |
| %APPDATA%\Microsoft\Windows\Recent | Contains shortcuts to recently opened files. |
| %SYSTEMDRIVE%\$Recycle.Bin | Stores deleted files that can be recovered. |
| C:\Users\<username>\AppData\Local\Temp | Temporary files that may contain sensitive data or tools. |
| C:\Windows\System32\drivers\etc\hosts | Maps IP addresses to hostnames, useful for detecting malicious redirections. |
| %WINDIR%\System32\drivers\etc\networks | Contains system network interface configurations. |
| C:\Windows\System32\config\hivelist | Backup of the registry hives, useful for recovery or data extraction. |
| C:\Windows\System32\config\software.log | Tracks changes to software configurations. |
| C:\inetpub\wwwroot\web.config | Configures IIS web apps; may contain sensitive data such as connection strings or settings. |