Thursday, March 03, 2005

The Registry as a log file

You're probably looking at the title of this entry and wondering..."what is this guy on??!! And where can I get some??!" Well, at least I hope you are...because that means that you're reading this blog entry...

So...what do I mean? Well, a lot of activity is recorded in the Registry...things like what you type into the "Run" box, documents you access, URLs you type into IE, etc. When this information is written to the appropriate Registry key, the LastWrite time associated with that key is updated accordingly. With some keys, it's relatively simple to narrow down, with some level of certainty, which action occurred and resulted in the update to the key. With others, it's not so easy.

The LastWrite time is maintained in a FILETIME structure, and is processed in much the same way as file MAC times. This means that you can pull the data out and represent it as a system time, or translate it to a local time, taking the time zone and daylight savings settings into account.

Tying this information into the timeline you develop based on log entries, file MAC times, and other sources, you can begin to see how the Registry can be considered a log file, of sorts. In some ways, it's as easy or as hard to read (or understand) as the Event Log, but it definitely should not be discounted as a source of valuable information.
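To make the two points above concrete (LastWrite is a FILETIME handled like a file MAC time, and it slots into a timeline alongside other sources), here is a small worked example. It is added here and is not code from the original post; the raw LastWrite bytes, file times, and event log entry it uses are constructed sample values, and the fixed UTC-5 offset stands in for whatever time zone and daylight-savings settings the examined system actually had. FILETIME itself is a 64-bit count of 100-nanosecond intervals since 1601-01-01 UTC, so the decoding is the same whether the value came from a key header in a hive file or from a file system timestamp.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME epoch: 100-ns intervals counted from 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    """Decode a 64-bit FILETIME into a timezone-aware UTC datetime."""
    if not 0 <= filetime < 2**64:
        raise ValueError("FILETIME must be an unsigned 64-bit value")
    # Integer division drops sub-microsecond precision (100 ns -> 1 us).
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def utc_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_utc, useful for building test values."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_from_bytes(raw: bytes) -> int:
    """Unpack the 8-byte little-endian FILETIME as it is stored on disk."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    (value,) = struct.unpack("<Q", raw)
    return value


def to_local(dt_utc: datetime, tz: timezone) -> datetime:
    """Translate a UTC time into the examined system's local time."""
    return dt_utc.astimezone(tz)


def build_timeline(events):
    """Merge (utc_datetime, source, description) tuples from any source into one
    chronologically sorted list. Registry LastWrite entries sit next to file MAC
    times and log entries, which is the 'Registry as a log file' idea."""
    return sorted(events, key=lambda e: e[0])


# Constructed sample: a LastWrite value as it might appear in a hive, little-endian.
SAMPLE_LASTWRITE_RAW = struct.pack("<Q", 127541520000000000)  # 2005-03-01 12:00:00 UTC

# Constructed stand-in for the system's time zone (UTC-5, no DST adjustment shown).
SAMPLE_LOCAL_TZ = timezone(timedelta(hours=-5), name="UTC-5")


def sample_timeline():
    """Decode the sample LastWrite and merge it with constructed file/log events."""
    lastwrite = filetime_to_utc(filetime_from_bytes(SAMPLE_LASTWRITE_RAW))
    events = [
        (lastwrite, "Registry", "LastWrite on HKCU\\...\\RunMRU (constructed)"),
        (datetime(2005, 3, 1, 11, 58, tzinfo=timezone.utc), "NTFS",
         "M time on C:\\temp\\tool.exe (constructed)"),
        (datetime(2005, 3, 1, 12, 3, tzinfo=timezone.utc), "EventLog",
         "Security event, logon (constructed)"),
    ]
    return build_timeline(events)


if __name__ == "__main__":
    for when, source, what in sample_timeline():
        print(when.isoformat(), to_local(when, SAMPLE_LOCAL_TZ).isoformat(), source, what)
```

The timeline rows come out ordered by their UTC value; the local-time column is only a presentation of the same instant, which is why the conversion is done once at display time rather than before merging. On a live system the LastWrite itself comes from RegQueryInfoKey, which the Python winreg module does not expose directly; the decoding above applies to that value unchanged.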

More regarding the Registry to come...
