HKLM\Security\Policy\Secrets\L$RTMTIMEBOMB

Discussion in 'other security issues & news' started by Pigitus, Aug 31, 2004.

Thread Status:
Not open for further replies.
  1. Pigitus

    Pigitus Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    97
    Location:
    USA
    I was checking the secret registry keys with a registry editor (regedit.exe will not show this kind of information). I found this line:

    HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\L$RTMTIMEBOMB

    A Google search showed only one German site with a brief comment on it. Comment was that it was part of Windows, not to worry. But the Microsoft site has nothing on it.

    Would anyone care to shed more light? Why would Microsoft choose such an alarming name?
     
    Last edited by a moderator: Sep 1, 2004
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Re: HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\L$RTMTIMEBOMB

    The C:\Windows\repair folder contains the registry as it was when you first booted into a new install of XP. If you open the "security" file, that key is not there. Given its name, my guess is that it is added at some point during the product activation process.

    Nick
     

  3. Pigitus

    Pigitus Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    97
    Location:
    USA
    Re: HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\L$RTMTIMEBOMB

    Thanks for your reply, Nick. True, c:\windows\repair\security.inf seems to date from the time my computer was set up for shipment to me. The timebomb string is not there. So it might have been added after the original Windows XP setup.

    I did not mention that there is an alpha-numeric string after timebomb. The aforementioned forum site posting had the same string too. So at least 2 people in the world have had the same full key.

    But the question remains: what put that key in the registry and what does the key mean?
     
  4. Pigitus

    Pigitus Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    97
    Location:
    USA
    Re: HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\L$RTMTIMEBOMB

    Although Google could only find 1 place where this key was reported, I suspect more people may have that key in their registries. It's just that they don't have an editor capable of reading what's under HKLM\SECURITY or they did not check that part of the registry out.

    The editor I used is one I am currently trying: "Resplendent Registrar" from a Dutch site, www.resplendence.com. I am sure there are many other editors capable of that feat, but the 2 provided with Windows XP cannot read it. The freeware editor also found at that site cannot either. Only the commercial version could.

    Nick: another thought. Just because you and I could not find that string from security.inf does not mean that it was not part of the original registry. Microsoft seemed quite intent on keeping that part of the registry out of sight, so it may have made sure that an easily readable .inf file does not give secrets out. It would have been too easy.
     
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Re: HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\L$RTMTIMEBOMB

    I have the same string on three different XP systems.

    Nick
     
  6. spellman

    spellman Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    1
    Re: HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\L$RTMTIMEBOMB

    Just wanted to mention that REGEDIT can in fact read the keys of which you write. However, REGEDIT observes the ACL style permissions that Windows has applied to the registry. To see these keys (and SAM, for example) create a special admin account and grant it permissions to those keys that are currently invisible. I urge you NOT to grant such permissions within a regular user account, as it will expose sensitive data unnecessarily.
     
  7. Pigitus

    Pigitus Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    97
    Location:
    USA
    Thanks, Spellman. I did not know that.
     
  8. EnsignRickey

    EnsignRickey Guest

    I'm using Advanced Windows Password Recovery and I found the same string in the NT secrets section: RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588. I don't know much about Windows security. Should I be worried?
     
  9. LoveMutt

    LoveMutt Guest

    I have a feeling that it may be a counter for activation. If you don't activate by some time (possibly as indicated by the string value) then the timebomb goes off and you can no longer use Windows. That seems to be the most logical reason for such a key name.
     
  10. brucemc

    brucemc Registered Member

    Joined:
    May 27, 2004
    Posts:
    44
    I just stumbled onto the following entry from Cain's LSA Secrets dumper:

    L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588

    80 D7 FF 59 74 C7 C5 01 ...Yt...

    and as I was searching for any answers I came across this thread, so I had some hopes someone might have made some progress seeing how this gets entered!
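
Added example, not part of the original post or of any tool named in this thread: the eight bytes quoted above have the size of a Windows FILETIME, so this sketch parses the dump line, checks its ASCII column against the hex bytes, and decodes the value on the assumption (not confirmed anywhere in the thread) that it is a little-endian FILETIME. The function names and the 1995 to 2040 plausibility window are choices made for this example.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Dump line as quoted in the post above: hex bytes followed by an ASCII column.
DUMP_LINE = "80 D7 FF 59 74 C7 C5 01 ...Yt..."

# FILETIME counts 100-nanosecond ticks from 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEX_PREFIX = re.compile(r"((?:[0-9A-Fa-f]{2}(?:\s+|$))+)(.*)$")


def parse_dump_line(line):
    """Return the bytes of a 'HH HH ... ascii' line, verifying the ASCII column."""
    m = HEX_PREFIX.match(line.strip())
    if not m:
        raise ValueError("no hex bytes found")
    data = bytes.fromhex(m.group(1))
    # Dump tools print non-printable bytes as '.', so re-render and compare.
    rendered = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in data)
    if m.group(2) and m.group(2) != rendered:
        raise ValueError("ASCII column does not match the hex bytes")
    return data


def decode_filetime(data):
    """Assumption: data is one little-endian 64-bit FILETIME value."""
    if len(data) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", data)
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        return None  # value is far outside any representable date


def looks_like_timestamp(data, first_year=1995, last_year=2040):
    """Heuristic: decoded year falls in a sane window for a Windows install."""
    when = decode_filetime(data)
    return when is not None and first_year <= when.year <= last_year


if __name__ == "__main__":
    raw = parse_dump_line(DUMP_LINE)
    # 2005-10-02T17:11:39+00:00 True
    print(decode_filetime(raw).isoformat(), looks_like_timestamp(raw))
```

The value decodes to a whole number of seconds, which fits a timestamp better than random data; what event that time marks is not something the bytes alone reveal.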
     
  11. foo

    foo Guest

    L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588 is exactly the value I see in LSA secrets.
     
  12. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    After taking permissions I have those keys present as well. If you look at several of the above keys they all have the same sub keys.

    Can anyone tell what they are about?
     