Friday, December 23, 2005

Registry Reference

I've been working away on a Registry reference, basically, an Excel spreadsheet of Registry keys. The idea is to list them with some sort of categorization, listing each by key name/path, value (if applicable), a brief description, and then any references that may apply.

In the case of what I'm working on, most of the references so far are MS KB articles that describe the keys and/or values.

The descriptions are meant to provide information regarding how these keys/values are useful during forensic investigations. Many of them can also be useful during live response investigations, as well.

Work is coming along smoothly...oddly enough there isn't a great deal of this sort of information out there. I've been pointed to several resources, and in most cases they lead back to either my original spreadsheet, or stuff from AccessData.

5 comments:

Anonymous said...

Maybe you've seen this book published by Microsoft Press:

Microsoft Windows Registry Guide, Second Edition
http://www.amazon.com/gp/product/0735622183/qid=1135969306/sr=8-1/ref=pd_bbs_1/002-7284121-6800031?n=507846&s=books&v=glance

Maybe your list could end up being an open source version of this?

H. Carvey said...

My list is turning out to be more oriented toward forensics and incident response, so far...

Anonymous said...

You might find this helpful too:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/w2rkbook/regentry.asp

By the way, love your book! How actively are the FRU and FSP being developed? On your updates page at http://www.windows-ir.com/updates.html you say that they were being rewritten. Is that done?

H. Carvey said...

Clint,

Thanks for the link...that one hasn't been all that helpful.

Thanks for the comments about the book, and I'm glad you enjoy it. The FRU/FSP haven't been actively worked on in a while, but as of yet, there haven't been any feature requests since this time last year. If you check out the /fsp.html page from the web site for the book, you'll see that you can get the tools as standalone EXE files, along with their source code.

If you have any requests, please let me know. I am working on a user manual.

Anonymous said...

Some of the anti-malware sites (e.g. symantec.com or mcafee.com) reference registry keys exploited by spyware and viruses. Some of these keys may be useful in incident analysis.