The Windows Incident Response Blog is dedicated to the myriad information surrounding and inherent to the topics of IR and digital analysis of Windows systems. This blog provides information in support of my books: "Windows Forensic Analysis" (1st thru 4th editions), "Windows Registry Forensics",
as well as the book I co-authored with Cory Altheide, "Digital Forensics with Open Source Tools".
6 comments:
Hello,
I have checked most values on my home desktop box (win2k):
- don't have the following keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
The box is connected to several mapped drives. Not sure I understand this:
are these IPs of machines that I'm connected to or machines that are connected
to my box?
- If the idea is to create a tool that uses 'LastWriteTime' on these values, that
should be a nice and useful tool.
Have a nice day.
Spencer,
Be sure to read the description before you check for the key. If the description isn't clear, or isn't detailed enough, please be sure to let me know. You may not have the "Doc Find Spec" key.
With regards to ComputerDescriptions, my work system (XP) has several system names listed as values, but no data associated with them.
Fantastic job on this sheet! I'm glad someone has put all this information in one source. I think this will be a very important tool for many people.
Thanks again!
I found your page doing a Google search for information regarding ComputerDescriptions. I recently completed a vanilla XP install (including all Windows updates / SP2) and was surprised to see about a dozen entries in the ComputerDescriptions branch. These entries were the Novell user account names of one particular lab (academic environment). Now that I think about it, the Novell user account names and their respective computer names are the same. This vanilla PC is also plugged into the same subnet that the lab PCs are connected to. As the vanilla PC does not have the Novell client installed I was wondering how these entries found their way into the registry. Perhaps it's the MS client picking up on the traffic generated by the lab PCs and entering in the names as it sees them. I should mention that the vanilla PC's workgroup name and the lab PCs' workgroup are NOT the same.
Giles,
Thanks for your comment, but I really think that you answered your own question...
You said, "...I was wondering how these entries found their way into the registry".
But before that, you said, "Now that I think about it, the Novell user account names and their respective computer names are the same."
Even though the workgroup names are different, they don't have different domain names...correct? What you may be seeing is the XP system "picking up" the names from the network.
The link no longer appears to lead to an Excel spreadsheet.