Registry Analysis • Using regedit.exe – System Information – Autostart locations – USB Removable Storage Devices – Mounted Devices – Finding Users – User Activity – Restore Points

Post on 19-Dec-2015


TRANSCRIPT

Page 1

Registry Analysis

• Using regedit.exe

– System Information

– Autostart locations

– USB Removable Storage Devices

– Mounted Devices

– Finding Users

– User Activity

– Restore Points

Page 2

System Information

• Located in the Current Control Set

• If the system is not running, you must first find the Control Set that was current

• Time zone

• Shares

• Audit policy

• Wireless SSIDs

Page 3

Current Control Set

• CurrentControlSet is a volatile portion of the Registry

• Which of the 2 or more Control Sets is current?

• The following indicates that #1 is current

Page 4

Time Zone Information

• SYSTEM\ControlSet001\Control\TimeZoneInformation

Page 5

Computer Name

HKLM\SYSTEM\ControlSet001\Control\ComputerName\ComputerName

Page 6

Shutdown Time

HKLM\SYSTEM\CurrentControlSet\Control\Windows

HKLM\SYSTEM\ControlSet001\Control\Windows

Time is measured in the number of 100-nanosecond intervals since 1 January 1601.
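As an added example (not code from the slides), this Python helper decodes the 8-byte REG_BINARY ShutdownTime value stored under the Control\Windows key above into a UTC timestamp, using exactly the epoch and tick size the slide states; the sample shutdown value is constructed, not taken from the deck.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 100-nanosecond ticks counted from 1 January 1601 (UTC).
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME (as stored in ShutdownTime) to UTC."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME must be exactly 8 bytes, got {len(raw)}")
    ticks = int.from_bytes(raw, "little")
    # timedelta resolves to microseconds; 10 ticks of 100 ns = 1 microsecond.
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> bytes:
    """Inverse of filetime_to_datetime; used here only to build the constructed sample."""
    micros = (when - EPOCH_1601) // timedelta(microseconds=1)
    return (micros * 10).to_bytes(8, "little")


def regedit_hex_to_bytes(text: str) -> bytes:
    """Accept the space-separated hex that regedit shows for REG_BINARY data."""
    return bytes.fromhex(text)


def describe_shutdown_time(raw: bytes) -> str:
    """Human-readable form suitable for a timeline entry."""
    return filetime_to_datetime(raw).strftime("%Y-%m-%d %H:%M:%S UTC")


# Constructed sample: what regedit would show for a shutdown at 2015-12-19 08:30:00 UTC.
SAMPLE_SHUTDOWN_TIME = datetime_to_filetime(
    datetime(2015, 12, 19, 8, 30, 0, tzinfo=timezone.utc))
# Independent sanity anchor: the Unix epoch (1970-01-01) expressed as a FILETIME.
UNIX_EPOCH_FILETIME = regedit_hex_to_bytes("00 80 3e d5 de b1 9d 01")

if __name__ == "__main__":
    print("ShutdownTime:", describe_shutdown_time(SAMPLE_SHUTDOWN_TIME))
    print("Unix epoch  :", describe_shutdown_time(UNIX_EPOCH_FILETIME))
```

The same decoder applies to any FILETIME-valued registry data, such as key LastWrite times exported by a forensic tool.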

Page 7

Shares

• Windows 2K, XP, 2003, and Vista create a number of administrative shares

– IPC$ - IPC share

– ADMIN$ - shares that refer to the root of drives: C$, D$, etc.

• User-enabled shares show up in

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares

Page 8

Wireless SSIDs

• XP laptops maintain a list of service set IDs (SSIDs)

• The GUID is associated with the wireless interface

• Under it, the Static#000x values list all of the SSIDs connected to

Page 9

SSIDs

A different Static#000x for each SSID ever connected to.

Page 10

SSID Registry Entry

At offset 0x10 is a DWORD (4 bytes) that contains the length of the SSID; remember it is little endian: "0b 00 00 00" = 0x0000000b = 11 (decimal).

(Figure labels: SSID Length, SSID)
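As an added example (not from the slides), this Python parser reads a Static#000x record the way the slide describes: the little-endian DWORD at offset 0x10 gives the SSID length. That the SSID text starts immediately after that DWORD (offset 0x14) is an assumption made here, and the sample records are constructed.

```python
import struct

# Offsets in a Static#000x REG_BINARY record. The length offset is from the slide;
# the SSID text immediately following the length DWORD is an assumption here.
SSID_LENGTH_OFFSET = 0x10
SSID_TEXT_OFFSET = SSID_LENGTH_OFFSET + 4
MAX_SSID_LENGTH = 32  # 802.11 limits an SSID to 32 octets


def length_from_regedit_hex(text: str) -> int:
    """Turn the bytes regedit shows ("0b 00 00 00") into the little-endian DWORD value."""
    raw = bytes.fromhex(text)
    if len(raw) != 4:
        raise ValueError("a DWORD is 4 bytes")
    return struct.unpack("<I", raw)[0]


def parse_ssid_record(blob: bytes) -> str:
    """Extract the SSID string from one Static#000x value."""
    if len(blob) < SSID_TEXT_OFFSET:
        raise ValueError("record too short to hold a length field at 0x10")
    (length,) = struct.unpack_from("<I", blob, SSID_LENGTH_OFFSET)
    if length > MAX_SSID_LENGTH:
        # A byte-swapped read of "0b 00 00 00" would give 0x0b000000; catch that early.
        raise ValueError(f"implausible SSID length {length}; wrong offset or endianness?")
    end = SSID_TEXT_OFFSET + length
    if len(blob) < end:
        raise ValueError("record truncated before the end of the SSID")
    return blob[SSID_TEXT_OFFSET:end].decode("utf-8", errors="replace")


def ssids_from_interface(values: dict) -> list:
    """Walk every Static#000x value under one interface GUID, in numeric order."""
    names = sorted(v for v in values if v.startswith("Static#"))
    return [parse_ssid_record(values[v]) for v in names]


def _record(ssid: bytes) -> bytes:
    """Build a constructed sample record: 16 header bytes, length DWORD, SSID text."""
    return b"\x00" * SSID_LENGTH_OFFSET + struct.pack("<I", len(ssid)) + ssid


# Constructed sample hive fragment (not from a real system).
SAMPLE_INTERFACE = {
    "Static#0000": _record(b"CoffeeShop1"),   # length 0x0b, as in the slide's example
    "Static#0001": _record(b"HomeNet"),
}
```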

Page 11

Autostarts

• Applications that are launched without any interaction from the user

• Often at boot time

• Occasionally upon launch of an app

Page 12

Autostart Locations

• Auto-start extensibility points (ASEPs)

• Registry locations

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

– HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

• And elsewhere

• All over the place

Page 13

Autostart Locations

• Start -> Run -> msconfig

• Lists some of the acknowledged startups

Page 14

Startup Locations

Page 15

Other Startup Locations

• System boot

• User Login

• User Activity

• See Carvey’s Ch4 spreadsheet for more locations

Page 16

System boot

• Startup services at boot time are contained in

• HKLM\SYSTEM\CurrentControlSet\Services

• The services are enumerated with parameters

• Should be sorted by LastWriteTime

• Only possible in FTK or ProDiscover

Page 17

ControlSet\Services

Page 18

Boot Time Apps

Start value = 2: the app starts at boot time. Start value != 2: starts on user logon.

Page 19

Evil Start-Time Services

• Generally, LastWrite times should be about the same as the time the system was built.

• Later dates would suggest that an intruder or sysadmin was altering the boot-time sequence
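As an added example (not from the slides) covering pages 16, 18 and 19 together, this Python triage helper takes service entries exported from the Services key, applies the slide's rule that Start = 2 means boot-time launch, sorts by LastWrite as page 16 recommends, and flags boot-time services whose key was written long after the system build date. The service list, build date and 30-day slack are constructed assumptions.

```python
from datetime import datetime, timedelta

# Per slide 18: a Start value of 2 means the service is launched at boot time.
START_AT_BOOT = 2


def sort_by_last_write(services):
    """Order (name, start, last_write) tuples newest first, as slide 16 recommends."""
    return sorted(services, key=lambda s: s[2], reverse=True)


def boot_time_services(services):
    """Names of services that launch during boot, in hive order."""
    return [name for name, start, _ in services if start == START_AT_BOOT]


def late_boot_services(services, build_time, slack=timedelta(days=30)):
    """Boot-time services whose key LastWrite falls well after the build date.

    These are the entries slide 19 says deserve a second look: either an admin
    changed the boot sequence after deployment, or someone else did.
    """
    return sorted(
        name for name, start, last_write in services
        if start == START_AT_BOOT and last_write - build_time > slack)


# Constructed sample: (service name, Start value, key LastWrite time), not real data.
BUILD_TIME = datetime(2014, 3, 10, 9, 0)
SAMPLE_SERVICES = [
    ("Dhcp", 2, datetime(2014, 3, 10, 9, 5)),
    ("Spooler", 2, datetime(2014, 3, 10, 9, 6)),
    ("Browser", 3, datetime(2014, 3, 10, 9, 6)),         # Start != 2: not boot-time
    ("HelpSvcX", 2, datetime(2015, 11, 2, 23, 41)),      # key written 20 months later
    ("Fax", 4, datetime(2015, 12, 1, 8, 0)),             # Start != 2: not boot-time
]

if __name__ == "__main__":
    for name, start, last_write in sort_by_last_write(SAMPLE_SERVICES):
        print(f"{last_write:%Y-%m-%d %H:%M}  Start={start}  {name}")
    print("review:", late_boot_services(SAMPLE_SERVICES, BUILD_TIME))
```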

Page 20

User Login

• Startup keys are parsed in order when a user logs in:

1. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

2. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

3. HKLM\Software\Microsoft\Windows\CurrentVersion\Run

4. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

5. HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\Run

6. HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\RunOnce

• The run keys are ignored if started in Safe Mode

Page 21

#3 On the Startup List

Page 22

User Activity

• On a user action, certain registry keys are accessed

• Keys for other Classes of files control what happens when that file is opened

• Or when the file is double-clicked

Page 23

Example

• Go to: HKLM\Software\Microsoft\Command Processor\AutoRun

Right-click on AutoRun

Select Modify

Enter sol.exe in the Value data: field.

Start -> Run -> cmd.exe

• This is how one can modify application behavior

• Used by much malware to launch backdoors or an IRC bot

Page 24

AutoRuns from Sysinternals

Page 25

Hijacked App

Page 26

USB Devices

• Tracking USB devices

• When mounted on Windows they leave

– Footprints in the Registry

– Artifacts in the setupapi.log file

• The PnP Manager queries the device descriptor

– Located in the thumb drive's firmware

• Log updated

• Creates a Registry key in HKLM\System\CurrentControlSet\Enum\USBSTOR

Page 27

USBSTOR Key

Page 28

Device-Held ID

CdRom&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_6.61

(Figure labels: Manufacturer, Model, Version; Device class ID, Unique Instance ID, Serial Number)

Page 29

System-Created Key

Disk&Ven_JMTek&Prod_USBDrive&Rev_7.77

(Figure labels: Manufacturer, Model, Version; Device class ID; Unique Instance ID: no serial number, made up by the system)

Page 30

Device Information

• HKLM\SYSTEM\MountedDevices

• List of recently mounted devices

– Look down the list for \DosDevices\

• The REG_BINARY data field should start with 5C 00 3F 00 3F 00

• To find which device this is, right-click on the device

• Select Modify

Page 31

(Figure labels: USBSTOR, ParentIdPrefix, Unique Instance ID, Serial Number)

Page 32

USB Device Tracking

• By correlating the ParentIdPrefix from MountedDevices and USBSTOR one can generate a timeline

• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

• May give more information

Page 33

Mounted Devices

Page 34

Binary Data in \DosDevices\G:

The ParentIdPrefix matches the Kingston Traveler in the USBSTOR key
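As an added example (not from the slides) for pages 30, 32 and 34, this Python code decodes a \DosDevices\X: REG_BINARY value, which begins with 5C 00 3F 00 3F 00 (UTF-16LE for "\??"), pulls out the ParentIdPrefix and matches it against USBSTOR entries. The XP-style path layout \??\STORAGE#RemovableMedia#<ParentIdPrefix>&RM#{GUID} is an assumption here, and all sample data is constructed rather than taken from the deck's screenshots.

```python
# The REG_BINARY data of a \DosDevices\X: value begins with 5C 00 3F 00 3F 00, which is
# the UTF-16LE encoding of "\??" (slide 30).
DOSDEVICES_MAGIC = bytes.fromhex("5c 00 3f 00 3f 00")


def decode_mounted_device(raw: bytes) -> str:
    """Turn the REG_BINARY value into the device path regedit shows in the Modify dialog."""
    if not raw.startswith(DOSDEVICES_MAGIC):
        raise ValueError("value does not start with the \\?? prefix")
    return raw.decode("utf-16-le").rstrip("\x00")


def parent_id_prefix(device_path: str):
    """Pull the ParentIdPrefix out of a removable-media device path.

    Assumed layout: \\??\\STORAGE#RemovableMedia#<ParentIdPrefix>&RM#{volume GUID}
    Returns None for anything that does not follow that layout.
    """
    parts = device_path.split("#")
    if len(parts) < 3 or not parts[0].endswith("STORAGE") or parts[1] != "RemovableMedia":
        return None
    instance = parts[2]
    return instance[:-3] if instance.endswith("&RM") else instance


def correlate_drive_letters(mounted_devices: dict, usbstor: dict) -> dict:
    """Map each \\DosDevices\\X: entry to the USBSTOR device sharing its ParentIdPrefix."""
    matches = {}
    for name, raw in mounted_devices.items():
        # Fixed disks do not use the \?? path form, so skip anything without the magic.
        if not name.startswith("\\DosDevices\\") or not raw.startswith(DOSDEVICES_MAGIC):
            continue
        prefix = parent_id_prefix(decode_mounted_device(raw))
        if prefix in usbstor:
            matches[name] = usbstor[prefix]
    return matches


# Constructed sample data (not from a real hive).
SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\G:": ("\\??\\STORAGE#RemovableMedia#7&1f4e5a3c&0&RM#"
                         "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le"),
    "\\DosDevices\\C:": bytes.fromhex("a1 b2 c3 d4 00 00 10 00 00 00 00 00"),  # fixed disk
}
SAMPLE_USBSTOR = {  # ParentIdPrefix -> (USBSTOR device key, serial number)
    "7&1f4e5a3c&0": ("Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00", "0C1D2E3F"),
}
```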

Page 35

Research Topic

• USB devices

– Some USB devices have a device ID, others do not

– Some generate a ParentIdPrefix, others do not

– Some correlate to the MountedDevices ID, others do not

• Sort it out

• Use references to the Microsoft Knowledge Base