If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.
Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
Each time a user opens or saves a file through the standard Windows Open/Save dialog, the dialog records which executable called it and which folder it was pointed at in MRU lists under this key. The LastVisitedPidlMRU subkey tracks the last folder each program visited; LastVisitedPidlMRULegacy holds the same information for programs that still use the older-style dialog.
For example, I opened this key
HKEY_USERS\C__Users_USERNAME_ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy\0
and read the following value
notepad++.exe Windows\temp
The data is the executable name as UTF-16LE followed by a shell item ID list (PIDL) for the folder, so this indicates that notepad++.exe last used the Open/Save dialog on C:\Windows\Temp. The MRUListEx value in the same key gives the order of the entries, and the key's last-write time tells you when the most recent one was added; the older entries carry no timestamp of their own.
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
Showing posts with label Forensics.
Tuesday, October 27, 2015
Registry Terminal Server Client\Servers Key
If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.
Software\Microsoft\Terminal Server Client\Servers
Each time a user connects to another computer with the Remote Desktop client (mstsc.exe), a subkey named for the target host is created under Servers. For example, I opened the following key
HKEY_USERS\C__Users_USERNAME_ntuser.dat\Software\Microsoft\Terminal Server Client\Servers\SERVERXYZ\UsernameHint
And was able to read the following values
DOMAIN1\USER1
This indicates that the owner of this NTUSER.DAT profile used Remote Desktop to connect to SERVERXYZ, supplying DOMAIN1\USER1 as the account for the remote session. UsernameHint holds the last username entered for that host, so it shows an attempt with those credentials rather than a successful logon; the subkey's last-write time gives when it was last updated, and the MRU0 to MRU9 values under Terminal Server Client\Default list the hosts most recently typed into the client.
Registry Explorer\RecentDocs Key
If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.
Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Each time a file (or folder) is opened through the Windows shell, Explorer records it under RecentDocs, both in the top-level key and in a subkey named for the file's extension (the name says what it does). For example, I opened the following key
HKEY_USERS\C__Users_USERNAME_ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx\3
And was able to read the following values
PracticeExam.docx, PracticeExam.docx.lnk
The value holds the document name as UTF-16LE followed by the name of the shortcut Explorer wrote to the user's Recent folder, so this indicates that a Word document named PracticeExam.docx was recently opened. The MRUListEx value in the same key gives the order of the entries, and the key's last-write time tells you when the most recent one was added.
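As an added example (not code from the original post), here is how the order in a RecentDocs key is rebuilt from its MRUListEx value and how the document name is read out of each numbered value. The sample values are constructed by hand: only the leading null-terminated UTF-16LE name and the MRUListEx layout are relied on as real formats, and the shell item that normally follows the name is replaced by a minimal stand-in. The function and sample names are mine.

```python
"""Rebuild the most-recently-used order of a RecentDocs key (or one of its
per-extension subkeys such as RecentDocs\\.docx) from MRUListEx and read the
document name out of each numbered value."""
import struct

TERMINATOR = 0xFFFFFFFF


def parse_mrulistex(data):
    """MRUListEx is a list of little-endian uint32 value indices, most recent
    first, terminated by 0xFFFFFFFF."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data[: len(data) - len(data) % 4]):
        if idx == TERMINATOR:
            break
        order.append(idx)
    return order


def parse_recentdocs_value(data):
    """A numbered RecentDocs value starts with the document name as
    null-terminated UTF-16LE; the remainder is a shell link item describing
    the shortcut Explorer wrote to the user's Recent folder, which carries
    the shortcut's long name as UTF-16LE. Rather than decode that item, this
    checks whether the expected '<name>.lnk' string is present in it."""
    end = 0
    while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    name = data[:end].decode("utf-16-le")
    remainder = data[end + 2:]
    lnk = name + ".lnk"
    return name, (lnk if lnk.encode("utf-16-le") in remainder else None)


def recent_docs_in_order(key_values):
    """key_values: {value name: raw bytes} for one RecentDocs key.
    Returns (index, document, shortcut) tuples, most recent first. Only the
    first entry can be dated, from the key's last-write time. MRUListEx may
    reference an index whose value is gone, so those are skipped."""
    out = []
    for idx in parse_mrulistex(key_values["MRUListEx"]):
        raw = key_values.get(str(idx))
        if raw is None:
            continue
        name, lnk = parse_recentdocs_value(raw)
        out.append((idx, name, lnk))
    return out


# --- Constructed sample key (not taken from a real hive) -------------------
def _make_value(doc_name):
    # Real data follows the name with a 0x32 file-entry shell item (8.3 name,
    # then a 0xBEEF0004 extension block holding the long name); here only a
    # minimal stand-in containing the long name is used.
    shortcut = (doc_name + ".lnk\x00").encode("utf-16-le")
    return (doc_name + "\x00").encode("utf-16-le") + b"\x32\x00" + shortcut


SAMPLE_DOCX_KEY = {
    "MRUListEx": struct.pack("<5I", 3, 0, 7, 2, TERMINATOR),  # index 7 has no value left
    "0": _make_value("Budget.docx"),
    "2": _make_value("Notes.docx"),
    "3": _make_value("PracticeExam.docx"),
}

if __name__ == "__main__":
    for idx, doc, lnk in recent_docs_in_order(SAMPLE_DOCX_KEY):
        print(idx, doc, lnk)   # 3 PracticeExam.docx PracticeExam.docx.lnk, then 0, then 2
```

The same parser applies to the top-level RecentDocs key and to each extension subkey (.docx, .pdf, Folder and so on). Remember that the key's last-write time dates only the entry MRUListEx lists first; the rest are known to be older but not when.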
Registry Shell\BagMRU Key
If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.
Software\Microsoft\Windows\Shell\BagMRU
Each time a folder is browsed in Explorer, Windows stores a shell item for that folder (along with the view settings it was displayed with) under the BagMRU and Bags keys; these are the ShellBags. On Windows 7 and later the entries for Explorer windows live in the user's UsrClass.dat rather than NTUSER.DAT, which is why the path below points there. For example, I opened the following key
HKEY_USERS\C__Users_USERNAME_AppData_Local_Microsoft_Windows_UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\14
And was able to read the following values
login_scripts
This indicates that a folder named login_scripts was browsed in Explorer. Entries are created when a folder is actually viewed and survive the folder's deletion, so ShellBags can show that a directory existed and was opened even after it is gone; the last-write time of the key holding the value gives when that entry was last changed.
NirSoft has a nice utility called ShellBagsView that allows you to view these values.
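Both the ComDlg32 LastVisitedPidlMRU value at the top of this page and the BagMRU values here are made of shell items, so one parser covers both. The following is an added example, not code from the original post or from ShellBagsView: it walks an item ID list, reads the names the common item types carry, and applies that to a LastVisitedPidlMRU value and to a chain of BagMRU values. The byte strings are constructed to match the documented item layouts and are not taken from a real hive; the helper and sample names are mine, and long names (the 0xBEEF0004 extension block) are deliberately not decoded.

```python
"""Walk a Windows shell item ID list (PIDL) of the kind stored in
ComDlg32\\LastVisitedPidlMRU values and, one item per key level, in
Shell\\BagMRU values."""
import struct
import uuid

# CLSID carried by the 0x1F root item for "My Computer" (This PC).
MY_COMPUTER = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D")


def iter_shell_items(blob, offset=0):
    """Yield (type, item_bytes) for each item in an ITEMIDLIST. Every item
    starts with a uint16 size that includes the size field itself; a size of
    zero terminates the list."""
    while offset + 2 <= len(blob):
        (size,) = struct.unpack_from("<H", blob, offset)
        if size == 0 or offset + size > len(blob):
            return
        item = blob[offset:offset + size]
        yield item[2], item
        offset += size


def shell_item_name(item_type, item):
    """Name for the common item classes: a root item (0x1F) carries a CLSID,
    a volume item (0x2F) the ASCII drive string at offset 3, and file/folder
    entries (0x30-0x3F) the 8.3 ASCII name at offset 14. Long names live in
    the 0xBEEF0004 extension block after the short name; this example does
    not decode it, so names longer than 8.3 come back in their short form."""
    if item_type == 0x1F:
        clsid = uuid.UUID(bytes_le=bytes(item[4:20]))
        return "My Computer" if clsid == MY_COMPUTER else "{%s}" % str(clsid).upper()
    if item_type == 0x2F:
        return item[3:].split(b"\x00", 1)[0].decode("ascii")
    if 0x30 <= item_type <= 0x3F:
        return item[14:].split(b"\x00", 1)[0].decode("ascii")
    return "<type 0x%02X>" % item_type


def pidl_to_path(blob, offset=0):
    """Join the item names into a path; the root item (e.g. My Computer) is
    not part of a file system path and is dropped."""
    parts = []
    for item_type, item in iter_shell_items(blob, offset):
        if item_type == 0x1F:
            continue
        parts.append(shell_item_name(item_type, item).rstrip("\\"))
    return "\\".join(parts)


def parse_last_visited_pidl_mru(value):
    """LastVisitedPidlMRU value: the executable name as null-terminated
    UTF-16LE, followed by the PIDL of the folder the dialog last showed."""
    end = 0
    while end + 2 <= len(value) and value[end:end + 2] != b"\x00\x00":
        end += 2
    exe = value[:end].decode("utf-16-le")
    return exe, pidl_to_path(value, end + 2)


def bagmru_path(items):
    """BagMRU stores one shell item per key level: the folder behind subkey
    BagMRU\\0\\1\\14 is described by value "0" of BagMRU, value "1" of
    BagMRU\\0 and value "14" of BagMRU\\0\\1. Pass those values in order."""
    return pidl_to_path(b"".join(items))


# --- Constructed sample data (not taken from a real hive) ------------------
def _root_item():
    return struct.pack("<HBB", 20, 0x1F, 0x50) + MY_COMPUTER.bytes_le


def _volume_item(drive):
    return struct.pack("<HB", 25, 0x2F) + (drive + "\\").encode("ascii").ljust(22, b"\x00")


def _folder_item(short_name):
    # size(2) type(1) unused(1) filesize(4) FAT date(2) FAT time(2) attrs(2) name
    body = struct.pack("<BBIHHH", 0x31, 0, 0, 0, 0, 0x10) + short_name.encode("ascii") + b"\x00"
    body += b"\x00" * (len(body) % 2)      # items are padded to an even length
    return struct.pack("<H", len(body) + 2) + body


LAST_VISITED_SAMPLE = (
    "notepad++.exe\x00".encode("utf-16-le")
    + _root_item() + _volume_item("C:") + _folder_item("Windows") + _folder_item("temp")
    + b"\x00\x00"                           # PIDL terminator
)
BAGMRU_CHAIN_SAMPLE = [_root_item(), _volume_item("C:"), _folder_item("LOGIN_~1")]

if __name__ == "__main__":
    print(parse_last_visited_pidl_mru(LAST_VISITED_SAMPLE))   # ('notepad++.exe', 'C:\\Windows\\temp')
    print(bagmru_path(BAGMRU_CHAIN_SAMPLE))                   # 'C:\\LOGIN_~1'
```

In a real hive, collect the BagMRU value for each level of the subkey path you care about and feed them to bagmru_path in that order. A folder such as login_scripts comes back as its 8.3 short name until the extension block is parsed as well, which is the part ShellBagsView does for you.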
Registry Explorer\UserAssist Key
If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count\
Each time a program is launched through Explorer (Start menu, taskbar, desktop or a double-click), Windows updates an entry for it here with a run count and the date/time of the last launch. The value names are ROT13-encoded, which is why they look like random letters in a raw dump. For example, I opened the following key
HKEY_USERS\C__Users_USERNAME_ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count\RANDOMLETTERS
And was able to read the following values
mstsc.exe , Microsoft.Windows.RemoteDesktop
This indicates that Remote Desktop (mstsc.exe) was launched.
In another example I saw this text
TaskBar\Google Chrome.lnk
This indicates that Chrome was launched from its pinned shortcut on the taskbar. Only launches that go through the Explorer shell are counted here; a program started from a command prompt or by another process leaves no UserAssist entry.
Didier Stevens has a nice utility called UserAssist that decodes the ROT13 names and parses the run counts and timestamps for you.
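As an added example, not code from the original post or from Didier Stevens' tool, here is the decoding that the UserAssist utility performs: ROT13 on the value name and a fixed-layout binary record for the run count and last-run FILETIME. The records below are constructed, and the field offsets given in the docstring for the Windows 7+ (72-byte) and Windows XP (16-byte) layouts are the assumptions the code relies on; the sample names are the page's own values, ROT13-encoded.

```python
"""Decode one UserAssist\\{GUID}\\Count entry: the value name is ROT13 and the
data is a fixed-size binary record with the run count and last-run time."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows 7 and later keep two Count lists: executables under
# {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} and shortcuts (.lnk) under
# {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC; zero
    means no last run was recorded."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def decode_userassist(value_name, data):
    """Return the decoded program name, run count and last run time.
    Layouts assumed here (byte offsets):
      Windows 7+  (72 bytes): 4 run count, 8 focus count, 12 focus time (ms),
                              60 last-run FILETIME
      Windows XP  (16 bytes): 4 run count (stored with a +5 offset),
                              8 last-run FILETIME"""
    name = codecs.decode(value_name, "rot_13")
    if len(data) >= 72:
        run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
        (filetime,) = struct.unpack_from("<Q", data, 60)
    elif len(data) == 16:
        (run_count,) = struct.unpack_from("<I", data, 4)
        run_count = max(run_count - 5, 0)      # XP counters start at 5
        focus_count = focus_ms = None
        (filetime,) = struct.unpack_from("<Q", data, 8)
    else:
        raise ValueError("unexpected UserAssist record size %d" % len(data))
    return {
        "name": name,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run": filetime_to_datetime(filetime),
    }


# --- Constructed sample records (not taken from a real hive) ---------------
def build_win7_record(run_count, filetime, focus_count=0, focus_ms=0):
    rec = struct.pack("<IIII", 0, run_count, focus_count, focus_ms)   # bytes 0..16
    rec += struct.pack("<10f", *[0.0] * 10)                           # bytes 16..56
    rec += struct.pack("<IQI", 0, filetime, 0xFFFFFFFF)               # bytes 56..72
    return rec


FT_2015_10_27 = 130903776000000000   # 2015-10-27 00:00:00 UTC as FILETIME

SAMPLES = {
    "zfgfp.rkr": build_win7_record(3, FT_2015_10_27),                        # mstsc.exe
    "GnfxOne\\Tbbtyr Puebzr.yax": build_win7_record(12, FT_2015_10_27, 12, 45000),  # TaskBar\Google Chrome.lnk
}
XP_SAMPLE = struct.pack("<IIQ", 1, 5 + 2, FT_2015_10_27)   # XP style: 2 runs stored as 7

if __name__ == "__main__":
    for raw_name, record in SAMPLES.items():
        print(decode_userassist(raw_name, record))
```

The name is the only part that needs decoding by hand in a dump; once the offsets are known, the count and FILETIME can be read straight off the bytes, which is what the UserAssist utility automates.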