Thursday, July 10, 2008

ShutdownCount

I was tooling around the Internet last night and ran across the "Forensics from the sausage factory" blog...and to be honest, my first thought was, "Oh, snap!"...it sounded like another one of those blogs that starts out being technical and interesting and then pretty soon the author starts posting personal or political stuff...

Anyway, I did find some pretty interesting posts, like this one. Like a fish, I'm easily distracted by shiny objects...in this case, anything that has to do with forensic analysis and the Registry. This post mentioned the following value:

HKLM\System\CurrentControlSet\Control\Watchdog\Display\ShutdownCount

Interesting. According to the post, this maintains a count of how many times the system was shut down. Most of the information regarding this value that I've been able to find via Google has to do with CastleCops and spyware scans...not sure why. I did find some info at MS on this, but it has to do with a Watchdog timer for video display drivers.

Any thoughts?

Any other keys/values of interest? If so, it's usually helpful to state why the key/value is of interest to forensic examiners (or incident responders).

Yes, I created a plugin for this value. ;-)

12 comments:

Brian said...

Looks like an XP only value. I could not find it in Vista.

Jason Koppe said...

(re: brian) In Vista, I couldn't seem to find a key or value that had Shutdown in its name that seems analogous to ShutdownCount.

To please my curiosity, I executed systeminfo capturing Registry operations with Process Monitor (filtered view on RegQueryValue). A decent amount of queries are made that result in some information that might be relevant to FA/IR....

Keydet89 said...

Jason...

Such as...??

JL said...
This comment has been removed by the author.
JL said...

Seeing this value on spyware sites is probably just from people posting their HijackThis logs after an infection. You can see a tutorial on the output here.

Anonymous said...

".it sounded like another one of those blogs that starts out being technical and interesting and then pretty soon the author starts posting personal or political stuff..."

If someone wants to post personal or political "stuff" on their blog, they are well within their right to do so. What's wrong with that? Should we all subscribe to the HC censorship mantra? ;P

Keydet89 said...

Where'd you get "censorship"? Simply not being interested in something isn't "censorship".

Easy to take potshots when you're anonymous...

Sippy said...

i was the anonymous post; i was on a network where i didnt feel comfortable logging in, sorry :)

to clarify... suggesting one should talk about one topic, but not talk about another topic implies censoring. Taking a potshot at bloggers that do this would at first glance appear to be suggesting they cease this activity and thus be censored.

sippy

Jason Koppe said...

@Harlan,

Page File Location:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles

I also posted some more thoughts on my blog:
http://nssadoc.blogspot.com/2008/07/registry-analysis-1.html

Anonymous said...

Kind of off topic, but I found a Perl program you might be interested in. It can create a timeline from various sources, including the registry.

http://www.sans.org/reading_room/whitepapers/forensics/32767.php

Troy said...

I liked his topic on Windows FE. I think Windows FE is the greatest thing ever, ever. Except maybe your book, whose registry chapter alone is worth the price.

herehereo said...

wow gold
buy wow gold
cheap wow gold
world of warcraft gold
runescape
runescape money
buy runescape money
wow gold
cheap wow gold
buy wow gold
world of warcraft gold
guild wars
guild wars gold
buy guild wars gold
maple story
maple story mesos
maplestory mesos
age of conan
age of conan gold
buy age of conan gold
aoc gold
buy aoc gold
age of conan
age of conan gold
buy age of conan gold
aoc gold
buy aoc gold
age of conan
age of conan gold
buy age of conan gold
aoc gold
buy aoc gold