Wednesday, May 1, 2019
Registry Explorer basic usage
Open a registry hive such as c:\windows\system32\config\SOFTWARE (or a user's NTUSER.DAT or UsrClass.dat) with Registry Explorer from Eric Zimmerman, https://ericzimmerman.github.io/#!index.md, to browse its keys and values offline. A hive copied from a running system is usually "dirty"; Registry Explorer will offer to replay the hive's .LOG1/.LOG2 transaction logs when it loads, and you should let it, or the most recent changes will be missing.
Labels: eric zimmerman, hive, regcmd, Registry, registryexplorer
Tuesday, October 27, 2015
Registry Explorer\ComDlg32 Key
If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.
Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
It appears that each time a user opens or saves a file through the standard Windows Open/Save dialog, the dialog records it under this key: LastVisitedPidlMRU (and LastVisitedPidlMRULegacy for older applications) stores the executable that showed the dialog together with the folder it was pointed at, and OpenSavePidlMRU stores the files themselves, grouped by extension. The key lives in the user's NTUSER.DAT, so the entries are per user. For example, I opened this registry key
HKEY_USERS\C__Users_USERNAME_ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy\0
And was able to read the following values
notepad++.exe Windows\temp
Which would seem to me to indicate that the user browsed c:\windows\temp from the Open/Save dialog of notepad++.exe. Note that the slot number (0 here) says nothing about recency: the MRUListEx value stored next to the numbered entries holds the order, most recently used first, and the key's last-write timestamp only tells you when the newest entry changed.
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
Registry Explorer\RecentDocs Key
If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.
Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
It appears that each time a file or folder is opened through the Windows shell (Explorer, or an application that goes through it), it is recorded under RecentDocs (which makes sense based on the name). The key holds one subkey per file extension plus a Folder subkey; each contains numbered values and an MRUListEx value giving their order, and each numbered value's data is the file name followed by a shell item naming the matching .lnk in the user's Recent folder. For example, I opened the following registry key
HKEY_USERS\C__Users_USERNAME_ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx\3
And was able to read the following values
PracticeExam.docx, PracticeExam.docx.lnk
Which would seem to me to indicate that a Word document named PracticeExam.docx was recently opened; the second value is the name of the shortcut the shell created for it. The entry shows only that the document was opened, not that it still exists, and the full path is not stored here, so pair it with the .lnk file itself or with the ComDlg32 entries when you need the location.
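The LastVisitedPidlMRU entries under ComDlg32 and the per-extension RecentDocs subkeys share one layout: an MRUListEx value that lists the slot numbers most recently used first and ends with 0xFFFFFFFF, and numbered values whose data begins with a null-terminated UTF-16LE string (the executable name under LastVisitedPidlMRU, the file name under RecentDocs) followed by a PIDL or shell item. The following Python is an added example, not code from the original posts or from Registry Explorer. The sample values are constructed to match that shape; the trailing shell item is an opaque placeholder and is not decoded, so the folder name such as Windows\temp that Registry Explorer derives from the PIDL is not recovered here.

```python
import struct

# Constructed sample data (not captured from a real hive), shaped like the two
# keys discussed above. The trailing bytes stand in for the PIDL / shell item
# and are deliberately left opaque.

def utf16z(s: str) -> bytes:
    """UTF-16LE with the two-byte terminator Explorer writes before the PIDL."""
    return s.encode("utf-16-le") + b"\x00\x00"

OPAQUE_PIDL = b"\x14\x00\x1f\x50" + b"\x00" * 18 + b"\x00\x00"   # placeholder, not a real PIDL

SAMPLE_LASTVISITED = {                        # ComDlg32\LastVisitedPidlMRU
    "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),   # slot 1 was used most recently
    "0": utf16z("winword.exe") + OPAQUE_PIDL,
    "1": utf16z("notepad++.exe") + OPAQUE_PIDL,
}

SAMPLE_RECENTDOCS_DOCX = {                    # RecentDocs\.docx
    "MRUListEx": struct.pack("<4I", 3, 0, 2, 0xFFFFFFFF),
    "0": utf16z("notes.docx") + OPAQUE_PIDL,
    "2": utf16z("report.docx") + OPAQUE_PIDL,
    "3": utf16z("PracticeExam.docx") + OPAQUE_PIDL,
}


def parse_mrulistex(data: bytes) -> list:
    """MRUListEx: little-endian uint32 slot numbers, most recent first,
    terminated by 0xFFFFFFFF. A trailing partial word is ignored."""
    order = []
    usable = len(data) - len(data) % 4
    for (slot,) in struct.iter_unpack("<I", data[:usable]):
        if slot == 0xFFFFFFFF:
            break
        order.append(slot)
    return order


def split_utf16_prefix(data: bytes):
    """Return the leading null-terminated UTF-16LE string and whatever follows it.
    The scan stays 2-byte aligned so a code unit like U+0100 (00 01) is not
    mistaken for the terminator."""
    end = 0
    while end + 1 < len(data) and not (data[end] == 0 and data[end + 1] == 0):
        end += 2
    return data[:end].decode("utf-16-le", errors="replace"), data[end + 2:]


def parse_mru_key(values: dict) -> list:
    """Walk the numbered values in MRUListEx order. 'rank' 0 is the most recent;
    the slot number itself carries no time information."""
    entries = []
    for rank, slot in enumerate(parse_mrulistex(values.get("MRUListEx", b""))):
        raw = values.get(str(slot))
        if raw is None:            # dangling slot: listed in MRUListEx but value gone
            continue
        name, rest = split_utf16_prefix(raw)
        entries.append({"rank": rank, "slot": slot, "name": name, "pidl_len": len(rest)})
    return entries


if __name__ == "__main__":
    for label, key in (("LastVisitedPidlMRU", SAMPLE_LASTVISITED),
                       ("RecentDocs\\.docx", SAMPLE_RECENTDOCS_DOCX)):
        print(label)
        for e in parse_mru_key(key):
            print(f"  #{e['rank']} slot {e['slot']}: {e['name']} (+{e['pidl_len']} shell-item bytes)")
```

Against a real hive the same functions apply to the value data read with a registry library; the key's last-write time then dates only the rank 0 entry, which is why the MRUListEx order matters more than the slot numbers.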
Registry Shell\BagMRU Key
If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.
Software\Microsoft\Windows\Shell\BagMRU
It appears that each time a folder is viewed in Windows Explorer, the shell records that folder in BagMRU (these entries are the ShellBags). BagMRU holds the folder hierarchy as nested numbered subkeys, each carrying a shell item that names one path component plus an MRUListEx giving the order, while the sibling Bags key holds the window and view settings for each folder. On Windows 7 and later most of them are in the user's UsrClass.dat under Local Settings\Software\Microsoft\Windows\Shell, which is why the path below does not go through NTUSER.DAT. For example, I opened the following registry key
HKEY_USERS\C__Users_USERNAME_AppData_Local_Microsoft_Windows_UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\14
And was able to read the following values
login_scripts
Which would seem to me to indicate that a folder named login_scripts was viewed. The full path is rebuilt by walking the parent keys back up to BagMRU, and the entry survives the folder being deleted, the removable drive being unplugged or the network share being disconnected, which is what makes ShellBags useful.
NirSoft has a nice utility called ShellBagsView that allows you to view these values; Eric Zimmerman's ShellBags Explorer does the same against an offline UsrClass.dat or NTUSER.DAT.
Registry Explorer\UserAssist Key
If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count\
It appears that each time a program is launched through the Explorer shell on a Windows operating system (Start menu, taskbar, desktop or an Explorer window; launches from a command prompt do not show up here), it is tracked under this key, including the date/time of the last run and the number of times it was run. The value names under Count are ROT13-encoded, so in a raw view they look like random letters; Registry Explorer decodes them for you. The GUID subkeys separate executables from shortcuts (.lnk), which is why the Chrome entry below carries a TaskBar\ prefix. For example, I opened the following registry key
HKEY_USERS\C__Users_USERNAME_ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count\RANDOMLETTERS
And was able to read the following values
mstsc.exe , Microsoft.Windows.RemoteDesktop
Which would seem to me to indicate that Remote Desktop was launched.
In another example I saw this text
TaskBar\Google Chrome.lnk
Which would seem to indicate Chrome was launched from its pinned icon on the taskbar at the bottom of the screen.
Didier Stevens has a nice utility called UserAssist that allows you to view these values, with the ROT13 names decoded and the run counts and timestamps extracted from the binary data.
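On Windows 7 and later each value's data under Count is 72 bytes, with the run count at offset 4, the focus count at offset 8, the focus time in milliseconds at offset 12 and the last-execution FILETIME at offset 60; Windows XP used a 16-byte layout (session id, a counter that starts at 5, FILETIME). The Python below is an added example, not code from the post or from Didier Stevens' tool. Its sample values are constructed to those two layouts, and the value names zfgfp.rkr and GnfxOne\Tbbtyr Puebzr.yax are simply the ROT13 form of the two entries quoted above.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int):
    """FILETIME is 100-nanosecond ticks since 1601-01-01 UTC; 0 means never run."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def decode_name(value_name: str) -> str:
    """Count value names are ROT13: only ASCII letters change, so the GUID prefix,
    digits, backslashes and dots come through untouched."""
    return codecs.decode(value_name, "rot_13")


def parse_count_value(data: bytes) -> dict:
    """Decode one Count value; only the XP and Win7+ layouts are handled."""
    if len(data) == 72:                      # Windows 7 and later
        run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
        (ft,) = struct.unpack_from("<Q", data, 60)
        return {"run_count": run_count, "focus_count": focus_count,
                "focus_time": timedelta(milliseconds=focus_ms),
                "last_run": filetime_to_datetime(ft)}
    if len(data) == 16:                      # Windows XP: session id, counter, FILETIME
        _session, counter, ft = struct.unpack("<IIQ", data)
        # XP counters start at 5, so subtract 5 to get the number of launches
        return {"run_count": max(counter - 5, 0), "focus_count": None,
                "focus_time": None, "last_run": filetime_to_datetime(ft)}
    raise ValueError(f"unexpected Count value length {len(data)}")


def parse_userassist(values: dict) -> list:
    """Decode every value under Count and order by last run, newest first;
    entries that were never run (FILETIME 0) sort last."""
    entries = []
    for raw_name, data in values.items():
        entry = {"name": decode_name(raw_name), "raw_name": raw_name}
        entry.update(parse_count_value(data))
        entries.append(entry)
    entries.sort(key=lambda e: e["last_run"] or EPOCH_1601, reverse=True)
    return entries


# --- constructed sample data, not taken from a real hive ---
SAMPLE_LAST_RUN = datetime(2015, 10, 27, 14, 30, tzinfo=timezone.utc)


def build_win7_value(run_count, focus_count, focus_ms, last_run) -> bytes:
    buf = bytearray(72)
    struct.pack_into("<IIII", buf, 0, 0, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", buf, 60, datetime_to_filetime(last_run) if last_run else 0)
    return bytes(buf)


def build_xp_value(launches, last_run) -> bytes:
    return struct.pack("<IIQ", 1, launches + 5, datetime_to_filetime(last_run))


SAMPLE_COUNT = {
    "zfgfp.rkr": build_win7_value(3, 2, 45_000, SAMPLE_LAST_RUN),            # mstsc.exe
    "GnfxOne\\Tbbtyr Puebzr.yax": build_win7_value(                          # TaskBar\Google Chrome.lnk
        12, 40, 3_600_000, SAMPLE_LAST_RUN - timedelta(days=1)),
    "HRZR_PGYFRFFVBA": build_win7_value(0, 0, 0, None),                      # UEME_CTLSESSION bookkeeping entry
}


if __name__ == "__main__":
    for e in parse_userassist(SAMPLE_COUNT):
        print(f"{e['name']:30} runs={e['run_count']:<3} focus={e['focus_time']} last={e['last_run']}")
```

The HRZR_* (UEME_*) entries are Explorer's own session bookkeeping and should be filtered out of a timeline; the sort by last_run also makes the point that the key's last-write time reflects only the newest entry.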