Brendan Dolan-Gavitt describes in a detailed blog post how to find, and how to interpret, information about registry hives in memory images.
The registry of Microsoft Windows consists of several so-called hives. The Windows kernel accesses these hives through its Configuration Manager (CM). The article explains two of the fundamental data structures that are involved here, nt!_CMHIVE and nt!_HHIVE. They are stored in the kernel's paged pool. Brendan Dolan-Gavitt develops a signature to locate these structures in memory images.
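As an added example (not code from Dolan-Gavitt's post), a minimal pool-tag scan in Python shows what such a signature amounts to: it assumes the public nt!_POOL_HEADER layout (8 bytes on 32-bit, 16 on 64-bit Windows), the "CM10" pool tag of nt!_CMHIVE allocations and the 0xBEE0BEE0 value of nt!_HHIVE.Signature; the memory image it scans is constructed inside the block, including a decoy tag in text and a freed block that a naive string search would report.

```python
import struct

CMHIVE_POOL_TAG = b"CM10"      # pool tag of nt!_CMHIVE allocations (public Windows internals)
HHIVE_SIGNATURE = 0xBEE0BEE0   # nt!_HHIVE.Signature; _HHIVE is the first member of _CMHIVE
# Assumed _POOL_HEADER layout: a bitfield DWORD (PreviousSize/PoolIndex/BlockSize/PoolType),
# the 4-byte PoolTag, plus an 8-byte ProcessBilled pointer on 64-bit Windows only.
POOL_HEADER_SIZE = {32: 8, 64: 16}

def parse_pool_header(image, hdr_start, bits):
    """Return (allocation size in bytes, PoolType) from the header at hdr_start."""
    (bitfields,) = struct.unpack_from("<I", image, hdr_start)
    if bits == 32:   # BlockSize: 9 bits at bit 16, PoolType: 7 bits at bit 25, 8-byte units
        return ((bitfields >> 16) & 0x1FF) * 8, (bitfields >> 25) & 0x7F
    return ((bitfields >> 16) & 0xFF) * 16, (bitfields >> 24) & 0xFF  # 8/8 bits, 16-byte units

def scan_for_cmhive(image, bits=32):
    """Pool-tag scan: every 'CM10' tag whose allocation body starts with the _HHIVE signature."""
    hdr_len = POOL_HEADER_SIZE[bits]
    hits = []
    pos = image.find(CMHIVE_POOL_TAG)
    while pos != -1:
        hdr_start = pos - 4   # PoolTag is the second DWORD of _POOL_HEADER on both architectures
        if hdr_start >= 0 and hdr_start + hdr_len + 4 <= len(image):
            size_bytes, pool_type = parse_pool_header(image, hdr_start, bits)
            (sig,) = struct.unpack_from("<I", image, hdr_start + hdr_len)
            # PoolType 0 marks a freed block: its tag and signature are stale residue, skip it
            if sig == HHIVE_SIGNATURE and pool_type != 0:
                hits.append({"pool_header": hdr_start, "cmhive": hdr_start + hdr_len,
                             "block_bytes": size_bytes, "pool_type": pool_type})
        pos = image.find(CMHIVE_POOL_TAG, pos + 1)
    return hits

def build_pool_block(prev_size, block_size, pool_type, tag, body, bits=32):
    """Construct a synthetic _POOL_HEADER followed by its allocation body (test data only)."""
    if bits == 32:
        bitfields = (prev_size & 0x1FF) | ((block_size & 0x1FF) << 16) | ((pool_type & 0x7F) << 25)
        return struct.pack("<I", bitfields) + tag + body
    bitfields = (prev_size & 0xFF) | ((block_size & 0xFF) << 16) | ((pool_type & 0xFF) << 24)
    return struct.pack("<I", bitfields) + tag + b"\x00" * 8 + body   # ProcessBilled pointer

def build_sample_image(bits=32):
    """Constructed memory image: filler, a decoy tag in text, a freed hive block, one live hive."""
    hive_body = struct.pack("<I", HHIVE_SIGNATURE) + b"\x00" * 28   # only the Signature matters here
    img = b"\x00" * 64 + b"log: tag CM10 seen in text\x00"
    img += build_pool_block(2, 0x95, 0, CMHIVE_POOL_TAG, hive_body, bits)   # freed block
    img += b"\xff" * 32
    live_offset = len(img)
    img += build_pool_block(4, 0x95, 2, CMHIVE_POOL_TAG, hive_body, bits)   # live allocation
    return img + b"\x00" * 32, live_offset

if __name__ == "__main__":
    image, _ = build_sample_image()
    print(scan_for_cmhive(image))   # one candidate; the decoy text and freed block are rejected
```

A real scanner would go on to validate more of the recovered _HHIVE (for instance that its BaseBlock pointer leads to a header carrying the "regf" magic), which is the kind of interpretation the post covers.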
