Workstation File/Folder Locations

  1. System Configuration and Registry

    • C:\Windows\System32\config\: Contains the Registry hives.

    • C:\Windows\regedit.exe: Registry Editor, for accessing the Windows Registry.

  2. User Data and Profiles

    • C:\Users\: User profile directories containing personal files, settings, and application data.

    • C:\Users\[Username]\AppData: Application data, roaming profiles, and user-specific settings.

  3. Logs and Event Files

    • C:\Windows\System32\winevt\Logs: Event logs for system, security, and application events.

    • C:\Windows\System32\config: Also contains some system logs.

  4. Program Files and Applications

    • C:\Program Files and C:\Program Files (x86): Installed applications.

    • C:\Windows: Core operating system files.

  5. Temporary Files

    • C:\Windows\Temp: System temporary files.

    • C:\Users\[Username]\AppData\Local\Temp: User-specific temporary files.

  6. Startup Items

    • C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup: Startup items for individual users.

    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp: Startup items for all users.

  7. Task Scheduler and Automated Tasks

    • C:\Windows\System32\Tasks: Task Scheduler tasks.

    • C:\Windows\Tasks: Automated tasks created by older applications.

  8. Windows Registry Key Locations for Autostart Items

    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run: Programs that run on system startup.

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: User-specific programs that run on startup.

  9. Temporary Internet Files and Browser Data

    • C:\Users\[Username]\AppData\Local\Microsoft\Windows\INetCache: Internet Explorer cache.

    • C:\Users\[Username]\AppData\Local\Google\Chrome\User Data\Default\Cache: Google Chrome cache (similar paths for other browsers).

  10. System Restore Points and Shadow Copies

    • C:\System Volume Information: System Restore points and Volume Shadow Copy service files.

  11. Prefetch Files (Application Launch Information)

    • C:\Windows\Prefetch: Files that help speed up application launch.

  12. Recycle Bin

    • C:\$Recycle.Bin: Files that have been deleted but not permanently removed.

  13. Windows Event Tracing Logs

    • C:\Windows\System32\winevt\Logs: Event Tracing for Windows (ETW) logs, which record system operation and performance data.

  14. Security Software Logs

    • Varies by vendor: Security solutions (antivirus, EDR, firewalls) often have their own logging directories.

  15. File History Backup

    • C:\Users\[Username]\AppData\Local\Microsoft\Windows\FileHistory: Configuration and storage for the Windows File History feature.

  16. Crash Dumps

    • C:\Windows\Minidump: Contains mini-dump files generated during a system crash (BSOD).

    • C:\Windows\MEMORY.DMP: Full memory dump file.

  17. Installed Programs and Updates

    • C:\Windows\Installer: Storage location for installation files and patches.

    • C:\Windows\SoftwareDistribution\Download: Windows Update files.

  18. Networking Information

    • C:\Windows\System32\drivers\etc\hosts: Hosts file for manual IP address mapping.

    • C:\Windows\System32\drivers\etc\networks: Network configuration files.

  19. Command History

    • For PowerShell: C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Common Directories on Servers

  • C:\Windows: Core operating system files.

  • C:\Windows\System32: Essential system files and DLLs.

  • C:\Windows\Prefetch: Information about application launch activities and timings.

  • C:\ProgramData: Application and system-wide data.

  • C:\Users: User profiles and personal files.
