Windows Registry Analyzer

Discussion in 'other security issues & news' started by Kaupp, Nov 26, 2004.


    Windows Registry Analyzer is a tool for reading, viewing and forensically analyzing Windows registry hive files (e.g. NTUSER.DAT etc.). It is compatible with all registry versions on Windows 32-bit platforms.
    It has a Multiple Document Interface, bookmarks, full-range search capability, a powerful data viewer with data inspector, REGEDIT4 export capability and a set of Spy & Analyze Tools. For NT registry files, a Security Record Explorer is available.
    It is based on the MiTeC Windows Registry File Reader class.

    Data Viewer
    The data viewer displays a value's data according to its type.

    REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ: CRC32, MD4, MD5 and SHA1 values are calculated.
    REG_DWORD, REG_DWORD_BIG_ENDIAN: The following interpretation modes are available: Hexadecimal, Decimal, Binary, UNIX 32 Timestamp, DOS 32 Timestamp.
    REG_BINARY: Data is viewed as a hexadecimal dump and every cursor position is evaluated in the data inspector in many interpretation modes. CRC32, MD4, MD5 and SHA1 are calculated for the whole value data and for the selection too. During data loading a Quick Analysis is performed on the data that searches for valid Win64, UNIX32 and DOS32 timestamps. A number is reported as a timestamp if it satisfies the condition (ts > fts - 3yrs) and (ts <= fts), where ts is the tested timestamp and fts is the loaded file's LastModified timestamp. If the value is of REG_RESOURCE_LIST type, an additional view is supported that displays the resource list for the selected device key.
    Security Record Explorer
    Displays all security records used in the registry. The usage counter, owner SID, group SID, list of affected keys and the SACL and DACL lists are displayed for every record, with flags and permissions enumerated.
    Spy & Analyze Tools
    SA Tools dig out and interpret some interesting (from a forensic point of view) information from registry files. WRA contains the following ones:
    UserAssist - Windows logs a full run history with action type, run path and timestamp under the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist. Items are encoded with ROT13.
    StreamMRU - Windows stores up to 28 entries containing View preferences for the desktop and the windows that you open in a most-recently-used (MRU) list. When you close a window, the View preferences are written to subkeys named 0, 1, 2, and so on, located under the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams. The MRUList in the following registry key defines the order of the 28 entries: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU. When the desktop or one of the windows is no longer included in the MRU list, it uses the default settings the next time it is redrawn or refreshed.
    When you make a change to the desktop or a window, the View preferences for the desktop or window are moved to the top of the MRU list. At this time, the fully qualified filename and timestamps of the MRU item are logged too. That item remains on the MRU list until it reaches the 28th spot. When an item reaches the 28th spot and another window is closed, the 28th item is removed from the MRU list.
    ShellBags - When you resize a folder window, Windows saves the whole folder content into the key HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags for the Desktop and into HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags for other folders. At the same time the folder path is logged into HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU. So from this info a full folder listing can be reconstructed. This data can be found only in the XP registry.
    ProgramsCache - In the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage the value ProgramsCache is stored. This value seems to log Start Menu groups with links, their targets and icon resources. But I don't know under what condition the info is logged. This info can be found only in the NT registry.
    SAM - This tool enumerates all info about users and groups from a loaded NT SAM registry hive file.
    Windows - Retrieves information about the installed OS contained in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion or HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion respectively. It decodes the ProductKey for NT-based systems and reveals the install date, registration information, OS version etc.

    http://www.mitec.cz/wra.htm
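Two of the points in the post above translate directly into code: the Quick Analysis rule for REG_BINARY data (report a 32- or 64-bit value as a timestamp only if fts - 3yrs < ts <= fts, with fts the hive file's LastModified time) and the ROT13 encoding of UserAssist entries. The Python below is an added example written for this page; it is not MiTeC's WRA code. It sweeps a blob byte by byte for little-endian Win64 FILETIME, UNIX32 and DOS32 candidates inside that window, and decodes a UserAssist name together with the 16-byte XP value layout (session id, raw run counter, last-run FILETIME). The sample blob, the fts value and the UserAssist entry are constructed for the demonstration; the DOS32 word order (high word = date, low word = time, as in Delphi's FileDateToDateTime) is an assumption.

```python
"""Added example, not MiTeC WRA code: WRA-style Quick Analysis timestamp sweep
over a REG_BINARY blob, plus UserAssist ROT13/FILETIME decoding."""
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)
LOOKBACK = timedelta(days=3 * 365)  # the "3yrs" in WRA's (ts > fts-3yrs) rule


def filetime_to_dt(ft: int) -> Optional[datetime]:
    """Win64 FILETIME: 100-ns ticks since 1601-01-01 UTC; None if out of range."""
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    except OverflowError:
        return None


def dt_to_filetime(dt: datetime) -> int:
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def unix32_to_dt(ts: int) -> Optional[datetime]:
    """UNIX 32-bit: unsigned seconds since 1970-01-01 UTC."""
    try:
        return datetime.fromtimestamp(ts, tz=UTC)
    except (OverflowError, OSError, ValueError):
        return None


def dos32_to_dt(v: int) -> Optional[datetime]:
    """DOS 32-bit date/time. Assumed layout: high word = date (year-1980:7, month:4,
    day:5), low word = time (hour:5, minute:6, second/2:5). Invalid fields -> None."""
    date, time = v >> 16, v & 0xFFFF
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2, tzinfo=UTC)
    except ValueError:
        return None


def dt_to_dos32(dt: datetime) -> int:
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return (date << 16) | time


class Hit(NamedTuple):
    offset: int
    kind: str
    value: datetime


def quick_analysis(data: bytes, fts: datetime, lookback: timedelta = LOOKBACK) -> List[Hit]:
    """Test every byte offset as a little-endian UNIX32, DOS32 and Win64 value and keep
    those with fts - lookback < ts <= fts. Most random dwords fall outside a 3-year
    window or fail to decode at all, so the sweep yields a short candidate list."""
    lo, hits = fts - lookback, []
    for off in range(len(data) - 3):
        dword = struct.unpack_from('<I', data, off)[0]
        for kind, dec in (('UNIX32', unix32_to_dt), ('DOS32', dos32_to_dt)):
            ts = dec(dword)
            if ts is not None and lo < ts <= fts:
                hits.append(Hit(off, kind, ts))
        if off + 8 <= len(data):
            ts = filetime_to_dt(struct.unpack_from('<Q', data, off)[0])
            if ts is not None and lo < ts <= fts:
                hits.append(Hit(off, 'Win64', ts))
    return hits


def decode_userassist(name: str, value: bytes) -> dict:
    """UserAssist value names are ROT13; XP values are 16 bytes, little-endian:
    session id (4), raw run counter (4, stored as-is here), last-run FILETIME (8)."""
    session, count, ft = struct.unpack('<IIQ', value[:16])
    return {'name': codecs.decode(name, 'rot_13'), 'session': session,
            'count': count, 'last_run': filetime_to_dt(ft)}


# Constructed sample data (assumed values, not taken from any real hive).
FTS = datetime(2004, 11, 26, 12, 0, tzinfo=UTC)            # pretend hive LastModified
T_WIN64 = datetime(2004, 6, 15, 10, 30, tzinfo=UTC)
T_UNIX = datetime(2003, 1, 2, 3, 4, 5, tzinfo=UTC)
T_DOS = datetime(2004, 11, 1, 8, 0, tzinfo=UTC)
SAMPLE = (b'\x00' * 4                                      # offset 0: padding
          + struct.pack('<Q', dt_to_filetime(T_WIN64))     # offset 4: FILETIME
          + struct.pack('<I', int(T_UNIX.timestamp()))     # offset 12: UNIX32
          + struct.pack('<I', dt_to_dos32(T_DOS))          # offset 16: DOS32
          + b'\xff\xff\xff\xff\xde\xad\xbe\xef')           # offset 20: junk
UA_NAME = 'HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pnyp.rkr'   # ROT13 of a UEME_RUNPATH entry
UA_VALUE = struct.pack('<IIQ', 1, 7, dt_to_filetime(T_WIN64))

if __name__ == '__main__':
    for h in quick_analysis(SAMPLE, FTS):
        print(f'offset {h.offset:3d}  {h.kind:6s}  {h.value:%Y-%m-%d %H:%M:%S}')
    print(decode_userassist(UA_NAME, UA_VALUE))
```

Run stand-alone, the script lists the three planted timestamps at offsets 4, 12 and 16 and skips the zero and 0xFF padding, which either decodes to 1970/1980 (outside the window) or fails the DOS field checks. The DOS32 decoder deliberately returns None rather than raising on a month of 0 or 15, since the sweep tests every overlapping offset and most of them are not dates.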