
Windows Important Files

Files that can yield passwords or other intel about the system, network or users.

| File | Description / Importance |
| --- | --- |
| %SYSTEMDRIVE%\pagefile.sys | Used by the operating system when there is not enough RAM (memory) in the system. It is a large file containing spillover from RAM; lots of good information can usually be pulled from it, but it should be a last resort due to its size. |
| | These files store the LM and NTLM hashes for local users. Using Volume Shadow Copy or Ninja Copy you can retrieve these files. |
| %SystemDrive%\inetpub\logs\LogFiles | IIS 7.x web server log file location. |
| %USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat | Internet Explorer web browser history file ( |
| %USERPROFILE%\ntuser.dat | User-level Windows registry settings ( |
| %WINDIR%\System32\drivers\etc\hosts | System hosts file for local translation of host names to IP addresses. |
| %WINDIR%\debug\NetSetup.log | Shows issues when computers are joined to a domain. |
| %WINDIR%\iis[version].log where [version] = 6, 7, or 8 | Internet Information Services (IIS web server) log files. |
| | System registry hives. |
| %WINDIR%\system32\CCM\logs\*.log | Windows SCCM (System Center Configuration Manager) log files ( |
| | Windows Event Logs. |
| | Backup Windows registry files ( |
| %WINDIR%\system32\logfiles\httperr\httperr1.log | IIS 6.x web server error logs. |
| %WINDIR%\system32\logfiles\w3svc1\exYYMMDD.log where YYMMDD = year month day | Web server log files. |
| unattend.txt, unattend.xml, sysprep.inf | Used in the automated deployment of Windows images and can contain user accounts. |