RegdatXP


WilliamP
August 28th, 2004, 04:15 PM
I was reading about RegdatXP being able to detect root kits. I was just wondering if anyone has used this software.

ronjor
August 28th, 2004, 04:31 PM
I read somewhere out there that rootkits are not a threat to Windows as much as Linux or Unix.

Since I just made this statement, there should be a flurry of replies! :D

WilliamP
August 28th, 2004, 04:39 PM
I don't know anything about that. All the information about root kits that I have seen is about Windows. Don't plan to get one but am interested in this program because it is claimed that it is about the only thing that can spot one.

ronjor
August 28th, 2004, 04:43 PM
Here's an article. Maybe it is a worry.

Root kits are old hat in the Unix and Linux world, but are rarely found on hacked Windows hosts. "They're a scary thing," says Marc Maiffret, chief hacking officer at California-based security software-maker eEye. "In Unix that's been going on for ages, but the backdoors for Windows NT have always been trivial. I've always wondered why this isn't happening."

http://www.securityfocus.com/news/2879

Devinco
August 28th, 2004, 05:27 PM
Does anybody have a link for the makers of RegdatXP?

Thanks in Advance.

WilliamP
August 28th, 2004, 05:43 PM
I think that this is the author's site. http://people.freenet.de/h.ulbrich/

Devinco
August 28th, 2004, 07:36 PM
Thanks for the link WilliamP.

It looks like a registry analysis or checksum type comparison to compare a backed up registry with the current one.
-{ Quote: "RegdatXP reads non active WinNT/2K/XP registry files like ntuser.dat and usrClass.dat and compares them to the current Registry." }-
But I don't see how it could help detect a rootkit. I thought they can conceal themselves from the registry completely. If it compares the current registry to a backup, couldn't the rootkit make the backup registry look just like the current one to hide itself? You could counter that by storing the backup registry off computer, but then wouldn't the registry change and be different from the backup during normal everyday use?

Maybe I am missing something. There wasn't a lot of info on the site. Do you have the article where it mentioned how it is used to detect rootkits?

WilliamP
August 28th, 2004, 07:43 PM
Go to this site. I'm just trying to find out if anyone knows anything. http://scheinsicherheit.funpic.de/rootkits.htm

nick s
August 28th, 2004, 08:13 PM
I bought RegdatXP a short while ago and have only scratched the surface as far as what it can do. It is basically an offline registry toolkit (browser, editor, etc). I use it in conjunction with ERUNT (http://home.t-online.de/home/lars.hederer/erunt/) registry backups, and compare the live registry to the last backup. Concerning rootkit detection, it will compare live registry keys to offline keys and look for hidden keys not normally visible in Regedit when the rootkit is loaded (see the settings dialogue below). The help file is somewhat vague about the methods used.

Concerning Windows rootkits in general, I've only played with Hacker Defender on a test machine and it does work.

Nick

WilliamP
August 28th, 2004, 08:50 PM
Nick, do you have to have Erunt to create a registry backup? I thought that RegdatXP made a backup.

Devinco
August 28th, 2004, 08:56 PM
Hi nick s,

So in order for RegdatXP to detect the hidden keys you have to have a clean registry backup? It cannot detect the hidden keys if you don't have a reg backup?

nick s
August 28th, 2004, 09:00 PM
-{ Quote: "Nick, do you have to have Erunt to create a registry backup? I thought that RegdatXP made a backup." }-
True, both do backups. I prefer ERUNT at the moment because it can restore the registry using a batch file from the Recovery Console.

Nick

nick s
August 28th, 2004, 09:06 PM
-{ Quote: "Hi nick s,

So in order for RegdatXP to detect the hidden keys you have to have a clean registry backup? It cannot detect the hidden keys if you don't have a reg backup?" }-
A clean backup is not necessary. The copy only has to be "offline" (meaning not under the influence of the rootkit.)

Nick
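The comparison Nick describes above (an offline hive that the rootkit cannot filter, checked against what the live registry API shows), as an added illustration written for this thread; it is not RegdatXP's code. The key tree model and every key, value and file name in the sample are constructed.

```python
from typing import Dict, List, Optional, Tuple
# A registry key modelled as {"values": {name: data}, "subkeys": {name: key}}.
Key = Dict[str, dict]

def key(values: Optional[Dict[str, str]] = None,
        subkeys: Optional[Dict[str, Key]] = None) -> Key:
    return {"values": dict(values or {}), "subkeys": dict(subkeys or {})}

def _fold(d: dict) -> Dict[str, Tuple[str, object]]:
    # Registry names are case-insensitive: compare folded, report original.
    return {name.lower(): (name, item) for name, item in d.items()}

def find_hidden(offline: Key, live: Key, path: str = "") -> List[str]:
    """Paths present in the offline hive but missing from the live view.
    Only the topmost missing key of a subtree is reported (hiding a key hides
    its children); keys only in the live view are churn, not reported."""
    hidden: List[str] = []
    live_subs = _fold(live["subkeys"])
    for folded, (name, sub) in _fold(offline["subkeys"]).items():
        child = f"{path}\\{name}" if path else name
        if folded in live_subs:
            hidden.extend(find_hidden(sub, live_subs[folded][1], child))
        else:
            hidden.append(child)
    live_vals = _fold(live["values"])
    for folded, (name, _) in _fold(offline["values"]).items():
        if folded not in live_vals:
            hidden.append((f"{path}\\{name}" if path else name) + " (value)")
    return hidden

# Constructed sample: the hive as parsed from the file on disk (offline) ...
OFFLINE = key(subkeys={
    "Run": key(values={"Updater": "updater.exe", "SampleLoader": "loader.exe"}),
    "Services": key(subkeys={
        "Netlogon": key(values={"Start": "2"}),
        "SampleSvc": key(values={"ImagePath": "sample.sys"},
                         subkeys={"Parameters": key()}),
    }),
})
# ... and as enumerated live: 'SampleLoader' and all of 'SampleSvc' are
# filtered out, while 'NewApp' was simply added after the offline copy.
LIVE = key(subkeys={
    "run": key(values={"Updater": "updater.exe"}),
    "Services": key(subkeys={"Netlogon": key(values={"Start": "2"}),
                             "NewApp": key(values={"Start": "3"})}),
})

if __name__ == "__main__":
    for finding in find_hidden(OFFLINE, LIVE):
        print("hidden:", finding)
```

Run in reverse (live against offline) the same function shows only the ordinary churn, which is why the offline copy needs to be unfiltered rather than pristine.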

Devinco
August 28th, 2004, 09:26 PM
Thanks Nick!

That is one cool program. 8)

nick s
August 28th, 2004, 09:32 PM
RegdatXP works in what the developer calls "raw mode". Mentioned here: Are AV/AT Scanner useless now? (Hacker Defender v. 1.00) (http://www.wilderssecurity.com/showthread.php?t=18848).

Nick

WilliamP
August 28th, 2004, 09:36 PM
Nick, what actually do you mean by offline?

nick s
August 28th, 2004, 09:45 PM
-{ Quote: "Nick, what actually do you mean by offline?" }-
Offline means not loaded by Windows. Such as the copies in C:\System Volume Information, or in C:\Windows\repair, or in ERUNT backups.

Nick

WilliamP
August 28th, 2004, 09:53 PM
Thank you Nick for the information. Needless to say I don't plan to get a Root Kit. But these programs would be nice to have if you were unlucky enough to get one.

nick s
August 28th, 2004, 10:02 PM
-{ Quote: "Thank you Nick for the information. Needless to say I don't plan to get a Root Kit. But these programs would be nice to have if you were unlucky enough to get one." }-
After seeing what a rootkit can do, I did not hesitate in buying Process Guard when it was released.

Nick

WilliamP
August 28th, 2004, 10:09 PM
I also have Process Guard. I feel that it is the most important security program that I have.

WilliamP
August 28th, 2004, 10:19 PM
I have already downloaded ERUNT and made a backup.