HKLM\Security\Policy\Secrets\L$RTMTIMEBOMB

I was checking the secret registry keys with a registry editor (regedit.exe will not show this kind of information). I found this line:

HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\L$RTMTIMEBOMB

A Google search showed only one German site with a brief comment on it. Comment was that it was part of Windows, not to worry. But the Microsoft site has nothing on it.

Would anyone care to shed more light? Why would Microsoft choose such an alarming name?

 

Re: HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\L$RTMTIMEBOMB

The C:\Windows\repair folder contains the registry as it was when you first booted into a new install of XP. If you open the "security" file, that key is not there. Given its name, my guess is that it is added at some point during the product activation process.

Nick

 

Re: HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\L$RTMTIMEBOMB

Thanks for your reply, Nick. True, c:\windows\repair\security.inf seems to date from the time my computer was set up for shipment to me. The timebomb string is not there. So it might have been added after the original Windows XP setup.

I did not mention that there is an alpha-numeric string after timebomb. The aforementioned forum site posting had the same string too. So at least 2 people in the world have had the same full key.

But the question remains: what put that key in the registry and what does the key mean?

 

Re: HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\L$RTMTIMEBOMB

Although Google could only find 1 place where this key was reported, I suspect more people may have that key in their registries. It's just that they don't have an editor capable of reading what's under HKLM\SECURITY or they did not check that part of the registry out.

The editor I used is one I am currently trying: "Resplendent Registrar" from a Dutch site, www.resplendence.com. I am sure there are many other editors capable of that feat, but the 2 provided with Windows XP cannot read it. The freeware editor also found at that site cannot either. Only the commercial version could.

Nick: another thought. Just because you and I could not find that string from security.inf does not mean that it was not part of the original registry. Microsoft seemed quite intent on keeping that part of the registry out of sight, so it may have made sure that an easily readable .inf file does not give secrets out. It would have been too easy.

 

Re: HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\L$RTMTIMEBOMB

I have the same string on three different XP systems.

Nick

 

Re: HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\L$RTMTIMEBOMB

Just wanted to mention that REGEDIT can in fact read the keys of which you write. However, REGEDIT observes the ACL style permissions that windows has applied to the registry. To see these keys (and SAM, for example) create a special admin account and grant it permissions to those keys that are currently invisible. I urge you NOT to grant such permissions within a regular user account, as it will expose sensitive data unecessarily.

 

Thanks, Spellman. I did not know that.

 

I'm using Advanced Windows Password Recovery and I found the same string in the NT secrets section: RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588. I don't know much about Windows security. Should I be worried?

 

I have a feeling that it may be a counter for activation. If you don't activate by some time (possibly as indicated by the string value) then the timebomb goes off and you can no longer use Windows. That seems to be the most logical reason for such a key name.

 

I just stumbled onto the following entry from Cain's LSA Secrets dumper:

L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588

80 D7 FF 59 74 C7 C5 01 ...Yt...

and as I was searching for any answers I came across this thread, so I had some hopes someone might have made some progress seeing how this gets entered!

 

L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588 is exactly the value I see in LSA secrets.

 

After taking permissisions I have those keys present as well.If you look at several of the above keys they all have the same sub keys.

Can anyone tell what they are about.