I like "Registry stuff". I don't know what the fascination is, but for some reason, I love stuff that has to do with the Registry.
Anyway, I ran across something recently...I was looking at one of my own systems and ran across an interesting value in my AppInit_DLLs Registry value. Just the fact that there was data within this value was interesting enough! But then I saw something even more interesting...another value named LoadAppInit_DLLs. I haven't found anything specific about this value at the MS site yet, but this appears to be a Vista-only Registry value, in that it is only recognized and utilized by the Vista operating system. This is covered briefly in Symantec's Analysis of the Windows Vista Security Model paper.
This value appears to be used by PGP, as well as some tools from Google (both of these are based on Google searches for occurances of the value name).
On the topic of the Registry, here's how to use PowerShell to get the name of the last user to log onto a system.
So, what are you looking in the Registry for...or looking for in the Registry?
Links:
Forensics Wiki: Windows Registry
The Windows Registry as a Forensic Resource
Alien Registry Viewer
32-bit Application access to the Registry on 64-bit versions of Windows
I'd be happy to find a registry key telling me if it's Windows XP Pro or Home edition.
ReplyDeleteWith Pro having remote desktop built-in it's an opening for a remote user to mess with the machine. Hard to use that as a defense if it's Home edition.
PS. I like the new book!
I'd be happy to find a registry key telling me if it's Windows XP Pro or Home edition.
ReplyDeleteGenerally, when I have a question like this, I research the issue, and then once I have some information (or none), I ask someone.
PS. I like the new book!
Thanks!