
Eccouncil ECSS Exam - Topic 4 Question 113 Discussion

Actual exam question for Eccouncil's ECSS exam
Question #: 113
Topic #: 4

Bob, a forensic investigator, is investigating a live Windows system found at a crime scene. In this process, Bob extracted subkeys containing information such as SAM, Security, and Software using an automated tool called FTK Imager.

Which of the following Windows Registry hives' subkeys provide the above information to Bob?

Suggested Answer: D

The question asks which Windows Registry hive holds the SAM, Security, and Software subkeys that Bob extracted.

Windows Registry Hives:

The Windows Registry is a hierarchical database that holds configuration settings and options for both low-level operating system components and running programs.

It includes settings for the kernel, device drivers, services, user interface, and third-party applications.

The registry allows access to counters for system performance profiling.

Registry Hives:

The registry is organized into different hives, each containing keys and values.

Some important hives include:

HKEY_LOCAL_MACHINE (HKLM): Contains system-wide settings.

HKEY_CURRENT_USER (HKCU): Contains settings specific to the currently logged-in user.

HKEY_USERS (HKU): Contains profiles for all users on the system.

HKEY_CLASSES_ROOT (HKCR): Contains file association information.

HKEY_CURRENT_CONFIG (HKCC): Contains information about the current hardware configuration (only in certain Windows versions).

Subkeys Relevant to Bob's Investigation:

Bob is interested in information related to SAM, Security, and Software.

Let's see which hives contain these subkeys:

SAM (Security Account Manager):

The SAM hive stores user account information, including usernames, passwords, account types, enabled status, group memberships, and last logon time.

It is crucial for authentication and security.

Located in: HKEY_LOCAL_MACHINE\SAM

Security:

The Security hive contains security-related information, including access control lists (ACLs), user privileges, and security tokens.

It plays a vital role in enforcing security policies.

Located in: HKEY_LOCAL_MACHINE\Security

Software:

The Software subkey within the HKLM hive contains information related to installed software, configurations, and settings.

It is essential for forensic investigations.

Located in: HKEY_LOCAL_MACHINE\Software

Answer:

The subkeys that provide the requested information to Bob are:

SAM (located in HKEY_LOCAL_MACHINE\SAM)

Security (located in HKEY_LOCAL_MACHINE\Security)


Sylvia
8 hours ago
Agreed, HKEY LOCAL MACHINE is the go-to here!
upvoted 0 times
...
Carey
6 days ago
D) HKEY LOCAL MACHINE? More like HKEY JACKPOT MACHINE, am I right? Nailed it, Bob!
upvoted 0 times
...
Bulah
11 days ago
Ah, the HKEY LOCAL MACHINE hive, the gift that keeps on giving for forensic investigators. Nicely done, Bob!
upvoted 0 times
...
Maxima
16 days ago
I'm pretty sure the answer is D. HKEY LOCAL MACHINE is where all the juicy stuff is hiding.
upvoted 0 times
...
Leonora
21 days ago
The HKEY LOCAL MACHINE hive is like a treasure trove for forensic investigators. It's the holy grail of registry data!
upvoted 0 times
...
Geoffrey
26 days ago
D) HKEY LOCAL MACHINE is the correct answer. This hive contains information about the local machine, including the SAM, Security, and Software subkeys.
upvoted 0 times
...
Hannah
1 month ago
I have a vague memory of HKEY CURRENT CONFIG being relevant in some context, but it doesn't seem to fit here. I lean towards HKEY LOCAL MACHINE too.
upvoted 0 times
...
Glory
1 month ago
I feel like HKEY LOCAL MACHINE is the one that holds the system-related data, but I could confuse it with HKEY CLASSES ROOT.
upvoted 0 times
...
Matilda
1 month ago
I remember practicing a question about registry hives, and I think HKEY CURRENT USER was mentioned, but it doesn't seem right for this case.
upvoted 0 times
...
Joanne
2 months ago
I think the answer might be D) HKEY LOCAL MACHINE since it contains the SAM and Security hives, but I'm not entirely sure.
upvoted 0 times
...
Maricela
2 months ago
I'm a little confused by the wording of the question. Is it asking which hive contains those specific subkeys, or which hive the investigator extracted the information from? I'll need to re-read it carefully.
upvoted 0 times
...
Leatha
2 months ago
I'm pretty confident on this one. The HKEY_LOCAL_MACHINE hive is where you'll find the system-level Registry information that a forensic investigator would need, including the SAM, Security, and Software subkeys.
upvoted 0 times
...
Polly
2 months ago
Okay, I think I've got this. The SAM, Security, and Software subkeys are likely found in the HKEY_LOCAL_MACHINE hive, since that contains system-level configuration data.
upvoted 0 times
...
Yuki
2 months ago
Definitely HKEY LOCAL MACHINE for that info.
upvoted 0 times
...
Talia
3 months ago
I thought HKEY CURRENT USER had more relevant data?
upvoted 0 times
...
Ben
3 months ago
HKEY CLASSES ROOT seems off for this case.
upvoted 0 times
...
Antonio
3 months ago
Hmm, I'm a bit unsure about this one. I know the Registry is important for forensics, but I'm not totally clear on the specific hives and what data they hold.
upvoted 0 times
...
Benton
3 months ago
This seems like a straightforward Windows Registry question. I'll need to remember the different hives and what kind of information they contain.
upvoted 0 times
Susana
2 months ago
I think it's HKEY LOCAL MACHINE.
upvoted 0 times
...
...
