# Interfaces Registry Key

The `Interfaces` registry key will provide information regarding the systems attached network interface adatpers, such as IP address and MAC address.

## Analysis Value

{% content-ref url="/pages/A9WSUHDPatjWctCckWyA" %}
[System Enumeration](/windows-forensics/artifacts-by-activity/system-enumeration.md)
{% endcontent-ref %}

## Operating System Availability

| Major Version | Support | Major Version | Support |
| ------------- | ------- | ------------- | ------- |
| Windows 11    | ✅       | Server 2019   | ✅       |
| Windows 10    | ✅       | Server 2016   | ✅       |
| Windows 8     | ✅       | Server 2012   | ✅       |
| Windows 7     | ✅       | Server 2008   | ✅       |
| Windows Vista | ✅       | Server 2003   | ✅       |
| Windows XP    | ✅       |               |         |

## Artifact Location(s)

{% tabs %}
{% tab title="🔌 Offline System" %}

* File: `%SystemRoot%\System32\config\SYSTEM`
* Key: `SYSTEM\{CURRENT_CONTROL_SET}\Services\Tcpip\Parameters\Interfaces\{INTERFACE_GUID}`
  {% endtab %}

{% tab title="🔋 Live System" %}

* `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{INTERFACE_GUID}`
  {% endtab %}
  {% endtabs %}

{% hint style="info" %}
For more information on determining the correct `CurrentControlSet`, visit [Select Registry Key](/windows-forensics/artifacts-by-type/registry-artifacts/select.md)
{% endhint %}

{% hint style="info" %}
For more information on `{INTERFACE_GUID}`, visit [NetworkCards Registry Key](/windows-forensics/artifacts-by-type/registry-artifacts/network-cards.md)
{% endhint %}

## Artifact Parsers

* RegistryExplorer (Eric Zimmerman)

## Artifact Interpretation

Each interface will have its own dedicated registry key, and may contain the following values of interest:

| value               | type       | information                                                          |
| ------------------- | ---------- | -------------------------------------------------------------------- |
| DhcpDomain          | REG\_SZ    | DHCP option 15 - the domain name of the endpoints FQDN               |
| DhcpIPAddress       | REG\_SZ    | The DHCP - provided IP address of the endpoint                       |
| DhcpServer          | REG\_SZ    | The DHCP server that provided the endpoint its network configuration |
| EnableDHCP          | REG\_DWORD | 0x0 if DHCP is disabled and 0x1 if DHCP is enabled                   |
| LeaseObtainedTime   | REG\_DWORD | FILETIME timestamp of when the endpoint received a DHCP lease        |
| LeaseTerminatesTime | REG\_DWORD | FILETIME timestamp of when the endpoint's DHCP lease expires         |

## Example

```
PS> Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a7d8885d-10c1-43d4-9e1e-0a7b2678f020}" -Name *

EnableDHCP                 : 1
Domain                     :
NameServer                 :
DhcpServer                 : 10.100.0.1
Lease                      : 172800
LeaseObtainedTime          : 1687622031
T1                         : 1687708431
T2                         : 1687773231
LeaseTerminatesTime        : 1687794831
AddressType                : 0
IsServerNapAware           : 0
DhcpConnForceBroadcastFlag : 0
IPAddress                  : {}
SubnetMask                 : {}
DefaultGateway             : {}
DefaultGatewayMetric       : {}
RegistrationEnabled        : 1
RegisterAdapterName        : 0
DhcpInterfaceOptions       : {252, 0, 0, 0...}
DhcpDefaultGateway         : {10.100.0.1}
DhcpNameServer             : 10.100.0.10 10.100.0.10
DhcpSubnetMaskOpt          : {255.255.0.0}
DhcpIPAddress              : 10.100.65.234
DhcpSubnetMask             : 255.255.0.0
DhcpGatewayHardware        : {10, 100, 0, 1...}
DhcpGatewayHardwareCount   : 1
```

Correlating with the [NetworkCards](https://github.com/Psmths/windows-forensics-handbook/blob/main/enumeration/network-cards.md) registry key:

```
PS> Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\" -Name *

ServiceName  : {A7D8885D-10C1-43D4-9E1E-0A7B2678F020}
Description  : Intel(R) Wi-Fi 6 AX200 160MHz
PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\5
```

This example was produced on Windows 10, Version 10.0.19044 Build 19044


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/interfaces.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.