
I need help making sense of ntuser.dat file internet history

(@kurt2121)
Posts: 43
Eminent Member
Topic starter
 

Hey guys, first post here!

Could really use some help trying to figure out what exactly ntuser.dat files keep with respect to Internet History. (specifically on Windows XP, but I'm assuming later versions work close to the same)

So, I originally thought these files only recorded changes to the registry. I was browsing through them and was coming across quite a bit of Internet history, which I wasn't really expecting. I was seeing full URLs with no apparent explanation as to what browser it came from, I saw over a hundred random search terms (together or scattered about) again with really no explanation as to where they originated. Perhaps I just can't understand it, so that is why I came here!

Also, it appears these files seem to "mesh together", so to speak. I've seen searches (that I made) show up in the ntuser file of a different user account, which to me seems pretty weird. Anyone else experience this?

So far, one of the search terms I found in the Google Toolbar google%2Eweb.w file. A couple more I matched with Internet Explorer via Index.dat viewing software. The rest I can't figure out where they came from.

These are what is installed on the computer. Does the history of all these applications get stored in the ntuser.dat file?

Firefox V2
Chrome (version not sure)
Google Toolbar
Internet Explorer v8

Any and all discussion or opinions are welcome!

 
Posted : 22/05/2016 12:14 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Maybe this helps you
https://www.tzworks.net/prototype_page.php?proto_id=19
comparing the NTUSER.DAT files with results of a "browser history" tool *like*
http://www.nirsoft.net/utils/browsing_history_view.html

might give you better insight.

jaclaz

 
Posted : 22/05/2016 5:02 pm
(@kurt2121)
Posts: 43
Eminent Member
Topic starter
 

Maybe this helps you
https://www.tzworks.net/prototype_page.php?proto_id=19
comparing the NTUSER.DAT files with results of a "browser history" tool *like*
http://www.nirsoft.net/utils/browsing_history_view.html

might give you better insight.

jaclaz

I had tried using that browsing history viewer beforehand, and was only able to make a connection with a couple searches that were done in IE. That cafae software could help, will have to check it out.

This is the official file description from Microsoft-

The NTuser.dat file is the registry portion of the user profile. When a user logs off of the computer, the system unloads the user-specific section of the registry (that is, HKEY_CURRENT_USER) into NTuser.dat and updates it. For more information about the registry, see Registry structure.

Please correct me if I'm wrong, but Chrome and Firefox don't store history of any kind in the registry, right? So, does that mean history from Chrome and Firefox wouldn't end up in the ntuser file?

 
Posted : 23/05/2016 7:08 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Please correct me if I'm wrong, but Chrome and Firefox don't store history of any kind in the registry, right? So, does that mean history from Chrome and Firefox wouldn't end up in the ntuser file?

Yep, only Internet Explorer (most probably on the new stupid 10 also Edge) uses the Registry but most probably what you found in the Registry are not "history", but rather "Typed URLs" and/or "Searches", and/or "links" of some kind, as even IE uses a history file.

As explained here
http://www.nirsoft.net/utils/iehv.html

The "TypedURLs" (which you can check also with the TZworks tool) should be only last 25 or so "address bar entries".

You should post the Registry hive path(s) where you found those "history" entries, this might help understanding where they came from.

jaclaz

 
Posted : 23/05/2016 3:09 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Could really use some help trying to figure out what exactly ntuser.dat files keep with respect to Internet History. (specifically on Windows XP, but I'm assuming later versions work close to the same)

If you mean sites that the user navigated to, not a great deal.

So, I originally thought these files only recorded changes to the registry. I was browsing through them and was coming across quite a bit of Internet history, which I wasn't really expecting. I was seeing full URLs with no apparent explanation as to what browser it came from, I saw over a hundred random search terms (together or scattered about) again with really no explanation as to where they originated. Perhaps I just can't understand it, so that is why I came here!

I'd like to ask for some context…where did you find this "Internet history"?

I'm sure that if you shared some information regarding where you saw these "full URLs", there would be some explanation as to how it ended up there.

Also, it appears these files seem to "mesh together", so to speak. I've seen searches (that I made) show up in the ntuser file of a different user account, which to me seems pretty weird. Anyone else experience this?

Unknown…there really isn't any explanation of what you were seeing.

For example, you said that you "made" the searches…how did you execute the search? Via the Start Menu->Search option, via Google, or Bing? You say that your search showed up in the "ntuser file of a different user account"…where did it show up? What was the time frame?

So far, one of the search terms I found in the Google Toolbar google%2Eweb.w file. A couple more I matched with Internet Explorer via Index.dat viewing software. The rest I can't figure out where they came from.

These are what is installed on the computer. Does the history of all these applications get stored in the ntuser.dat file?

Any and all discussion or opinions are welcome!

Honestly, there's really not a lot to go on, simply because all of this is too vague, without any specificity or context. Sorry, I'd like to help, and I am sincerely interested, but I'm not entirely clear as to what you were doing, or what you're asking.

 
Posted : 23/05/2016 9:31 pm
(@kurt2121)
Posts: 43
Eminent Member
Topic starter
 

Please correct me if I'm wrong, but Chrome and Firefox don't store history of any kind in the registry, right? So, does that mean history from Chrome and Firefox wouldn't end up in the ntuser file?

Yep, only Internet Explorer (most probably on the new stupid 10 also Edge) uses the Registry but most probably what you found in the Registry are not "history", but rather "Typed URLs" and/or "Searches", and/or "links" of some kind, as even IE uses a history file.

As explained here
http://www.nirsoft.net/utils/iehv.html

The "TypedURLs" (which you can check also with the TZworks tool) should be only last 25 or so "address bar entries".

You should post the Registry hive path(s) where you found those "history" entries, this might help understanding where they came from.

jaclaz

Ok, so yeah, there are no "typed URLs", "searches" or "links" in the registry for Firefox or Chrome, so it is safe to say it didn't come from them, I suppose.

"you should post the registry hive paths where you found the 'history' entries"

I haven't had much time to look into that program you linked me to, will that tell me the registry hive paths from everything recorded in the ntuser.dat file? I checked regedit, looked at "typedURLS" but it had only two entries. But, like you said, it only stores the last 25 entries, and there were well over a hundred scattered around the file, so ntuser.dat obviously keeps records beyond how long Typed URLs does.

 
Posted : 24/05/2016 4:32 am
(@kurt2121)
Posts: 43
Eminent Member
Topic starter
 

Could really use some help trying to figure out what exactly ntuser.dat files keep with respect to Internet History. (specifically on Windows XP, but I'm assuming later versions work close to the same)

If you mean sites that the user navigated to, not a great deal.

So, I originally thought these files only recorded changes to the registry. I was browsing through them and was coming across quite a bit of Internet history, which I wasn't really expecting. I was seeing full URLs with no apparent explanation as to what browser it came from, I saw over a hundred random search terms (together or scattered about) again with really no explanation as to where they originated. Perhaps I just can't understand it, so that is why I came here!

I'd like to ask for some context…where did you find this "Internet history"?

I'm sure that if you shared some information regarding where you saw these "full URLs", there would be some explanation as to how it ended up there.

Also, it appears these files seem to "mesh together", so to speak. I've seen searches (that I made) show up in the ntuser file of a different user account, which to me seems pretty weird. Anyone else experience this?

Unknown…there really isn't any explanation of what you were seeing.

For example, you said that you "made" the searches…how did you execute the search? Via the Start Menu->Search option, via Google, or Bing? You say that your search showed up in the "ntuser file of a different user account"…where did it show up? What was the time frame?

So far, one of the search terms I found in the Google Toolbar google%2Eweb.w file. A couple more I matched with Internet Explorer via Index.dat viewing software. The rest I can't figure out where they came from.

These are what is installed on the computer. Does the history of all these applications get stored in the ntuser.dat file?

Any and all discussion or opinions are welcome!

Honestly, there's really not a lot to go on, simply because all of this is too vague, without any specificity or context. Sorry, I'd like to help, and I am sincerely interested, but I'm not entirely clear as to what you were doing, or what you're asking.

Yeah, sorry it is vague. As for the context, all I can really say is I found it in the ntuser.dat file.. perhaps it would help if I posted some text from before/after the urls and random search terms I found? I can't really understand it.

The searches I made, I made on the main search bar of Internet Explorer. They were the only ones that showed up in ntuser.dat. I also tried searching from the Google site, and the search bar that toggles search engines, but they didn't appear. And weirdly enough, the searches I made in the admin account were in the Guest ntuser.dat and vice versa, just to add to the fun!

I could not test Chrome or Firefox on the XP since both browsers are dysfunctional now (Chrome won't open and the firefox.exe is gone), but for the hell of it, I tried to see if I could get any Firefox searches to show up in ntuser.dat on my computer running Vista, but nothing showed up.

btw guys appreciating the replies and help!

 
Posted : 24/05/2016 5:00 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Yeah, sorry it is vague. As for the context, all I can really say is I found it in the ntuser.dat file..

Well, I wish there was more that could be done…

 
Posted : 24/05/2016 5:32 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

What I would do would be to dump the ntuser.dat to a .reg text file then use a "normal" text processor to do a search for (say) www., http://, and similar Internet related partial URLs.
This should easily provide you with the info about where (in which keys) these values are stored or if they are in some kind of "slack" in the Registry (i.e. not indexed areas or remnants).

jaclaz

 
Posted : 24/05/2016 8:55 pm
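
The search jaclaz describes, as an added example that is not code from the thread: it parses a .reg text export and reports the key path and value name of every value containing a URL fragment, including text held in `hex:` data. It assumes a working copy of NTUSER.DAT was already mounted with `reg load` and written out with `reg export`; the sample export, the `TempHive` mount name and the `Example\Toolbar` key are constructed for the demo.

```python
import re

NEEDLES = ("www.", "http://", "https://")  # fragments named in the post, plus https
HEX_RE = re.compile(r"^hex(?:\([0-9a-fA-F]+\))?:(.*)$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def load_reg_text(raw: bytes) -> str:
    """'Version 5.00' exports are UTF-16LE with a BOM; REGEDIT4 exports are ANSI."""
    return raw.decode("utf-16" if raw.startswith(b"\xff\xfe") else "cp1252", errors="replace")

def decode_data(data: str) -> str:
    """Turn the right-hand side of a value line into searchable text."""
    m = HEX_RE.match(data)
    if m:  # hex:, hex(2):, hex(7):, ... bytes may hold ANSI or UTF-16LE text
        blob = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        wide = blob[: len(blob) // 2 * 2].decode("utf-16-le", errors="replace")
        return (blob.decode("latin-1") + " " + wide).replace("\x00", " ")
    if data.startswith('"') and data.endswith('"'):  # REG_SZ, \\ and \" escaped
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data  # dword:... and anything unrecognised stays as written

def find_url_values(reg_text: str, needles=NEEDLES):
    """Return (key path, value name, decoded data) for each value holding a needle."""
    reg_text = re.sub(r"\\\r?\n[ \t]*", "", reg_text)  # join hex continuation lines
    key, hits = None, []
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # current key path
        elif key and (m := VALUE_RE.match(line)):
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            text = decode_data(m.group(2))
            if any(n in text.lower() for n in needles):
                hits.append((key, name, text))
    return hits

# Constructed sample export; the key names under "TempHive" are made up for the demo.
_wide = ",".join(f"{b:02x}" for b in "http://www.example.test/a\0".encode("utf-16-le"))
SAMPLE = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_USERS\\TempHive\\Software\\Microsoft\\Internet Explorer\\TypedURLs]\r\n"
    '"url1"="http://www.example.test/"\r\n'
    '"Count"=dword:00000002\r\n\r\n'
    "[HKEY_USERS\\TempHive\\Software\\Example\\Toolbar]\r\n"
    f'"History"=hex:{_wide[:60]}\\\r\n  {_wide[60:]}\r\n'
)

if __name__ == "__main__":
    for key, name, text in find_url_values(load_reg_text(b"\xff\xfe" + SAMPLE.encode("utf-16-le"))):
        print(f"{key}\n    {name} = {text.strip()!r}")
```

A .reg export contains only allocated keys and values, so a term that is visible in the raw file but missing from these results is a candidate for the "slack" mentioned in the post.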
(@kurt2121)
Posts: 43
Eminent Member
Topic starter
 

What I would do would be to dump the ntuser.dat to a .reg text file then use a "normal" text processor to do a search for (say) www., http://, and similar Internet related partial URLs.
This should easily provide you with the info about where (in which keys) these values are stored or if they are in some kind of "slack" in the Registry (i.e. not indexed areas or remnants).

jaclaz

Interesting idea. I'm not really sure how to do that, could you perhaps give a brief step-by-step? I'm scared if I do it wrong, I'll corrupt the file.

 
Posted : 25/05/2016 12:27 am