Interfaces Registry Key

The Interfaces registry key will provide information regarding the systems attached network interface adatpers, such as IP address and MAC address.

Analysis Value

🖥️pageSystem Enumeration

Operating System Availability

Major Version	Support	Major Version	Support
Windows 11	✅	Server 2019	✅
Windows 10	✅	Server 2016	✅
Windows 8	✅	Server 2012	✅
Windows 7	✅	Server 2008	✅
Windows Vista	✅	Server 2003	✅
Windows XP	✅

Major Version

Support

Major Version

Support

Windows 11

✅

Server 2019

✅

Windows 10

✅

Server 2016

✅

Windows 8

✅

Server 2012

✅

Windows 7

✅

Server 2008

✅

Windows Vista

✅

Server 2003

✅

Windows XP

✅

Artifact Location(s)

File: %SystemRoot%\System32\config\SYSTEM
Key: SYSTEM\{CURRENT_CONTROL_SET}\Services\Tcpip\Parameters\Interfaces\{INTERFACE_GUID}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{INTERFACE_GUID}

For more information on determining the correct CurrentControlSet, visit Select Registry Key

For more information on {INTERFACE_GUID}, visit NetworkCards Registry Key

Artifact Parsers

RegistryExplorer (Eric Zimmerman)

Artifact Interpretation

Each interface will have its own dedicated registry key, and may contain the following values of interest:

value	type	information
DhcpDomain	REG_SZ	DHCP option 15 - the domain name of the endpoints FQDN
DhcpIPAddress	REG_SZ	The DHCP - provided IP address of the endpoint
DhcpServer	REG_SZ	The DHCP server that provided the endpoint its network configuration
EnableDHCP	REG_DWORD	0x0 if DHCP is disabled and 0x1 if DHCP is enabled
LeaseObtainedTime	REG_DWORD	FILETIME timestamp of when the endpoint received a DHCP lease
LeaseTerminatesTime	REG_DWORD	FILETIME timestamp of when the endpoint's DHCP lease expires

value

type

information

DhcpDomain

REG_SZ

DHCP option 15 - the domain name of the endpoints FQDN

DhcpIPAddress

REG_SZ

The DHCP - provided IP address of the endpoint

DhcpServer

REG_SZ

The DHCP server that provided the endpoint its network configuration

EnableDHCP

REG_DWORD

0x0 if DHCP is disabled and 0x1 if DHCP is enabled

LeaseObtainedTime

REG_DWORD

FILETIME timestamp of when the endpoint received a DHCP lease

LeaseTerminatesTime

REG_DWORD

FILETIME timestamp of when the endpoint's DHCP lease expires

Example

PS> Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a7d8885d-10c1-43d4-9e1e-0a7b2678f020}" -Name *

EnableDHCP                 : 1
Domain                     :
NameServer                 :
DhcpServer                 : 10.100.0.1
Lease                      : 172800
LeaseObtainedTime          : 1687622031
T1                         : 1687708431
T2                         : 1687773231
LeaseTerminatesTime        : 1687794831
AddressType                : 0
IsServerNapAware           : 0
DhcpConnForceBroadcastFlag : 0
IPAddress                  : {}
SubnetMask                 : {}
DefaultGateway             : {}
DefaultGatewayMetric       : {}
RegistrationEnabled        : 1
RegisterAdapterName        : 0
DhcpInterfaceOptions       : {252, 0, 0, 0...}
DhcpDefaultGateway         : {10.100.0.1}
DhcpNameServer             : 10.100.0.10 10.100.0.10
DhcpSubnetMaskOpt          : {255.255.0.0}
DhcpIPAddress              : 10.100.65.234
DhcpSubnetMask             : 255.255.0.0
DhcpGatewayHardware        : {10, 100, 0, 1...}
DhcpGatewayHardwareCount   : 1

Correlating with the NetworkCards registry key:

PS> Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\" -Name *

ServiceName  : {A7D8885D-10C1-43D4-9E1E-0A7B2678F020}
Description  : Intel(R) Wi-Fi 6 AX200 160MHz
PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\5

This example was produced on Windows 10, Version 10.0.19044 Build 19044

Last updated 6 months ago