A Step-By-Step Guide to Boost Poor Laptop Efficiency After Updating Drivers

Was The Windows Registry A Good Idea?

In simple terms, the registry (or Windows Registry) contains information, settings, options and other values for the programs and hardware installed on your Windows machine. You can take advantage of the Windows Registry to store configuration metadata for your applications so that you can retrieve it at a later point in time if need be. Malware will modify the registry to make sure it can launch itself after a reboot, to better hide, or to integrate with an existing legitimate process. So, it makes sense to monitor the registry areas that are most often manipulated by malware. The Windows registry is also an excellent source of potential evidential data.

The GUID subkey beginning with “5E6” corresponds to the IE toolbar, while the subkey starting with “750” pertains to Active Desktop (Carvey, 2005c). However, the registry values under these subkeys are weakly encrypted using the “ROT-13” algorithm, which simply substitutes a character with the character 13 positions away from it in the ASCII table (Carvey, 2005e). Even though each registry value is not associated with the specific time and date the event occurred, its presence can imply that the suspect has accessed a certain file or object.
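To make the decoding step concrete, the following Python script is an added illustration and not code from the cited paper or from Windows itself. It applies the standard ROT-13 rotation (letters only, within their case; digits, colons and backslashes pass through unchanged) to a list of value names of the kind found under the subkeys described above, and splits each decoded name into its prefix and target. The value names in `SAMPLE_NAMES` are constructed for this example and were not taken from any real system; the `UEME_RUNPATH` prefix is the one UserAssist used on older Windows versions.

```python
"""Decode ROT-13-obfuscated registry value names (UserAssist style).

Added example for illustration, not code from the cited paper. The
examiner exports the value names under the relevant subkey and runs them
through this decoder to recover the plain program paths.
"""
from typing import List, Tuple


def rot13(text: str) -> str:
    """Rotate each ASCII letter 13 positions within its own case.

    Non-letters (digits, ':', '\\', spaces) are left untouched. Because 13 is
    exactly half the alphabet, the same function both encodes and decodes.
    """
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def split_entry(decoded: str) -> Tuple[str, str]:
    """Split a decoded name such as 'UEME_RUNPATH:C:\\x.exe' into (prefix, target).

    Names without a ':' separator are returned with an empty target.
    """
    prefix, sep, target = decoded.partition(":")
    return (prefix, target) if sep else (decoded, "")


def decode_userassist_names(names: List[str]) -> List[Tuple[str, str, str]]:
    """Return (encoded_name, prefix, target) for each exported value name."""
    results = []
    for name in names:
        prefix, target = split_entry(rot13(name))
        results.append((name, prefix, target))
    return results


# Constructed sample: value names as they would appear after exporting the
# subkey. These are NOT from a real machine; they are rot13("UEME_RUNPATH:...").
SAMPLE_NAMES = [
    "HRZR_EHACNGU:P:\\Jvaqbjf\\abgrcnq.rkr",          # UEME_RUNPATH:C:\Windows\notepad.exe
    "HRZR_EHACNGU:P:\\Hfref\\nyvpr\\gbby.rkr",        # UEME_RUNPATH:C:\Users\alice\tool.exe
    "HRZR_PGYFRFFVBA",                                # UEME_CTLSESSION (no target part)
]


def decoded_sample() -> List[Tuple[str, str, str]]:
    """Decode the constructed sample so the result can be inspected or tested."""
    return decode_userassist_names(SAMPLE_NAMES)


if __name__ == "__main__":
    for encoded, prefix, target in decoded_sample():
        print(f"{encoded:40s} -> {prefix} {target}")
```

Because ROT-13 is its own inverse, `rot13(rot13(x)) == x`; the decoder therefore needs no separate encode path, and the same function can be used to spot-check an entry by re-encoding the recovered path and comparing it with the exported name.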

Knowing the type of information that could possibly exist in the registry, and where it is located, gives the forensic examiner an edge in the forensic analysis process: the investigator gets a better picture of the whole case. This paper illustrates some of the techniques used to hide data in the registry, and the registry keys of evidential value. Thus, there is a need to unveil and publish evidentiary registry keys to assist forensic investigation on Windows systems. Each such subkey maintains a list of system objects (programs, shortcuts, and control panel applets) that a user has accessed.

  • Just as the computer file and folder system has a root (usually a hard drive), the Registry has root keys at the top of the hierarchy of keys and values.
  • When the 32-bit registry was created, so was the additional capability of creating multiple named values per key, and the meanings of the names were somewhat distorted.
  • The terms are a holdout from the 16-bit registry in Windows 3, in which keys could not contain arbitrary name/data pairs, but rather contained only one unnamed value (which had to be a string).
  • In this sense, the entire registry was like an associative array where the keys (in both the registry sense and the dictionary sense) formed a hierarchy, and the values were all strings.
  • The terminology is somewhat misleading, as the values are similar to an associative array, where standard terminology would refer to the name part of the value as a "key".

Windows Registry

Note that some patches may not be fully installed until a reboot has occurred. Although this registry key setting helps address unscheduled reboots, it’s still important to reboot the system shortly after patch installation to ensure system stability and patch effectiveness.

You can find more information about Windows updates at this blog. Disabling UAC is not recommended because it weakens the security posture of the system. But if you accept the increased risk, disabling UAC will give your admin account full admin capabilities on the system and allow you to write files and directories anywhere on the system. This will also disable all other UAC-related registry key settings. If you are scanning your enterprise and want to ensure all systems are configured to use UAC (as recommended), look for a value of "1". More information about UAC can be found at Microsoft’s TechNet site.
