Windows Registry contains path to Tor Browser Bundle executable
A forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on Windows 7 showed that the registry contains the path to the Tor Browser Bundle executable.
HKEY_CURRENT_USER, abbreviated HKCU, stores settings that are specific to the currently logged-in user. Each user's settings are stored in files called NTUSER.DAT and UsrClass.dat. The path to the Tor Browser Bundle executable is listed in the following two files:
- C:\Users\runa\AppData\Local\Microsoft\Windows\UsrClass.dat
- C:\Users\runa\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
I did not find traces of the Tor Browser Bundle in any of the NTUSER.DAT files.