Registry Forensics

Prepared By: SOMESH SAWHNEY, MOMENTUM INFOCARE PVT. LTD.


Description: Registry, Types of Hives, Tweaks in Windows using the Registry


Page 1: Registry Forensics

Registry Forensics

Prepared By: SOMESH SAWHNEY

MOMENTUM INFOCARE PVT. LTD.

Page 2: Registry Forensics

Registry Definition

• The Microsoft Computer Dictionary defines the registry as:

– A central hierarchical database used in the Microsoft Windows family of Operating Systems to store information necessary to configure the system for one or more users, applications and hardware devices.

– The registry contains information that Windows continually references during operation, such as profiles for each user, the applications installed on the computer and the types of documents that each can create, property sheet settings for folders and application icons, what hardware exists on the system and the ports that are being used.

Page 3: Registry Forensics

What is the Registry?

• The Windows Registry is a central database in Windows. It contains most of the "pointers" and "settings" for Windows, programs, hardware and users. Pointers tell Windows or programs where to find the resources required to perform specific actions.

• Just about any setting that you change, either in Windows or in a program, changes the registry. There are some notable exceptions: Firefox, Thunderbird and many other "wiser" programs avoid the Registry entirely by saving their settings in their own file folders.

• Almost any time you are using your PC, a swarm of things is going on behind the scenes in the Registry, almost like bees around a hive. (In fact, that is why the major elements of the Registry are called hives.) You can observe these with Regmon.

Page 4: Registry Forensics

Why We Need the Registry?

• The System Registry is also where malware "registers" itself to run on the system, or makes other modifications that can have a critical impact on the functioning of your PC.

• Thus, familiarizing yourself with the System Registry is not just a good way to tweak your PC; it is essential if you wish to be able to defend it manually.

Page 5: Registry Forensics

Registry: A Wealth of Information

Information that can be recovered includes:

• System Configuration
• Devices on the System
• User Names
• Personal Settings and Browser Preferences
• Web Browsing Activity
• Programs Executed
• Files Opened

Page 6: Registry Forensics

What It Looks Like

Top-tier items are folders known as keys which, when expanded, display various second-tier items, also known as keys. Additional third-tier keys may also be contained within second-tier keys, and so on.

In other words, just as Windows has folders and subfolders, the registry has keys and subkeys. Within those keys are values.

To see the values a particular key contains, first select (highlight) the key in the left pane; the value(s) will appear in the right pane.

Page 7: Registry Forensics

Registry Organization

• Root Keys

– HKEY_CLASSES_ROOT (HKCR)
  • Contains information so that the correct program opens when executing a file with Windows Explorer.

– HKEY_CURRENT_USER (HKCU)
  • Contains the profile (settings, etc.) of the user that is logged in.

– HKEY_LOCAL_MACHINE (HKLM)
  • Contains system-wide hardware settings and configuration information.
  • Contains computer-specific information about the type of hardware installed, software settings, and other information. This information is used for all users who log on to this computer.

– HKEY_USERS (HKU)
  • Contains the root of all user profiles that exist on the system.
  • Contains information about all the users who log on to the computer, including both generic and user-specific information. The generic settings are available to all users who log on to the computer. The information is made up of default settings for applications, desktop configurations, and so on.

– HKEY_CURRENT_CONFIG (HKCC)
  • Contains information about the hardware profile used by the computer during start up.

Page 8: Registry Forensics

Backing up the Windows registry

Microsoft Windows includes a feature known as System Restore. It enables a user to back up and restore their important system files from an earlier day.

By default this feature automatically creates a backup of the system each day. If you wish to create a restore point of your system, follow the steps below.

Click Start, Programs, Accessories, System Tools, System Restore.

Select the option to Create a restore point.

Click Next and follow the remaining steps.

Page 9: Registry Forensics

Five primary data types in a Registry

Here are the five primary data types in a Registry:

REG_SZ (string value) -- numbers and text

REG_MULTI_SZ (string array value) -- numbers and text; you can edit these values but not create them

REG_EXPAND_SZ (expandable string value) -- usually points to the location of files

REG_BINARY (binary value) -- binary data

REG_DWORD (DWORD value) -- a numeric value, usually displayed in hexadecimal
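As an added example (not part of the original slides), the following PowerShell writes one value of each of the five types to a constructed scratch key under HKCU, reads back the type the registry actually stored, and shows how a REG_EXPAND_SZ differs in its raw and expanded forms; the scratch key name is an assumption and the key is removed at the end.

```powershell
# Added example, not from the slides: store one value of each of the five
# data types, then read back the type the registry actually recorded.
$ScratchKey = 'HKCU:\Software\RegistryForensicsExample'   # assumption: constructed scratch key

# Map PowerShell's RegistryValueKind names to the REG_* names used on the slide.
$KindNames = @{
    String = 'REG_SZ'; MultiString = 'REG_MULTI_SZ'; ExpandString = 'REG_EXPAND_SZ'
    Binary = 'REG_BINARY'; DWord = 'REG_DWORD'
}

function Show-RegistryValueKinds {
    New-Item -Path $ScratchKey -Force | Out-Null

    # One value per type. -PropertyType selects the registry type that is written.
    New-ItemProperty -Path $ScratchKey -Name 'Sz'       -PropertyType String       -Value 'text and 123' -Force | Out-Null
    New-ItemProperty -Path $ScratchKey -Name 'MultiSz'  -PropertyType MultiString  -Value @('first', 'second') -Force | Out-Null
    New-ItemProperty -Path $ScratchKey -Name 'ExpandSz' -PropertyType ExpandString -Value '%SystemRoot%\System32\regedit.exe' -Force | Out-Null
    New-ItemProperty -Path $ScratchKey -Name 'Binary'   -PropertyType Binary       -Value ([byte[]](0xCA, 0xFE, 0x01, 0x02)) -Force | Out-Null
    New-ItemProperty -Path $ScratchKey -Name 'Dword'    -PropertyType DWord        -Value 0x1F -Force | Out-Null

    $key = Get-Item -Path $ScratchKey
    foreach ($name in $key.GetValueNames()) {
        # GetValueKind is the stored type, independent of how regedit displays it.
        $kind = $key.GetValueKind($name)
        # Raw form (environment variables left unexpanded) vs. the expanded form
        # Windows hands to a program; they differ only for REG_EXPAND_SZ.
        $raw      = $key.GetValue($name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $expanded = $key.GetValue($name)
        if ($kind -eq [Microsoft.Win32.RegistryValueKind]::Binary) {
            $raw = $expanded = ($raw | ForEach-Object { $_.ToString('X2') }) -join ' '
        }
        [pscustomobject]@{
            Name     = $name
            Type     = $KindNames["$kind"]
            Raw      = "$raw"
            Expanded = "$expanded"
        }
    }

    Remove-Item -Path $ScratchKey -Recurse -Force
}

Show-RegistryValueKinds | Format-Table -AutoSize
```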

Page 10: Registry Forensics

How to disable USB storage devices on computers in the network

Go to the Start value under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor

and set its value to 3 (enabled) or 4 (disabled).

This only works if the USB storage driver is already installed.

If it has not yet been installed, Windows' plug & play subsystem automatically resets the Start value to 3 (Manual) when it installs USBSTOR after a USB storage device is plugged in for the first time.
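The following PowerShell is an added example (not from the slides) that audits the USBSTOR Start value before changing it and handles the case the slide warns about, where the driver, and so the value, does not exist yet; the function names are assumptions, and writing under HKLM needs an elevated session.

```powershell
# Added example, not from the slides: audit and set the USBSTOR Start value,
# covering the case the slide warns about (driver, and so the value, not yet present).
# Writing under HKLM requires an elevated PowerShell session.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorState {
    if (-not (Test-Path -Path $UsbStorKey)) {
        # No key: the driver has never been installed, so there is nothing to set
        # yet; plug & play will create it with Start = 3 on first use.
        return [pscustomobject]@{ Present = $false; Start = $null; State = 'DriverNotInstalled' }
    }
    $start = (Get-ItemProperty -Path $UsbStorKey -Name 'Start' -ErrorAction SilentlyContinue).Start
    $state = "Unexpected Start value $start"
    if ($null -eq $start) { $state = 'StartValueMissing' }
    elseif ($start -eq 3) { $state = 'Enabled (Manual start)' }
    elseif ($start -eq 4) { $state = 'Disabled' }
    [pscustomobject]@{ Present = $true; Start = $start; State = $state }
}

function Set-UsbStorStart {
    param(
        [Parameter(Mandatory)]
        [ValidateSet(3, 4)]      # 3 = enabled (manual start), 4 = disabled
        [int]$Start
    )
    if (-not (Test-Path -Path $UsbStorKey)) {
        throw 'USBSTOR is not installed yet; plug & play would reset Start to 3 when it installs the driver.'
    }
    Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value $Start -Type DWord
    Get-UsbStorState
}

# Audit first; change the value only as a deliberate step.
Get-UsbStorState
# Set-UsbStorStart -Start 4   # disables USB storage on this machine
```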

Page 11: Registry Forensics

Disable Internet Access (All Windows)

Open your registry and find the key below: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

Change the value of "ProxyEnable" and set it to "1". Change the value of "ProxyServer" and set it to an IP address and port that is invalid on your network, such as "10.0.0.1:5555" (i.e. "IP:Port").

By changing these settings, Internet access will be disabled for any applications that rely on the Microsoft proxy server information, such as Internet Explorer, Microsoft Office and the Opera browser.

To stop users from modifying the proxy settings, add these restrictions to disable changes to the Internet configuration.

Find or create the key below:

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]

Create two DWORD values named "Connection Settings" and "Connwiz Admin Lock" and set them both to "1".

To remove the restriction, set the proxy settings back to their original values and delete the policy values.
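As an added example (not the slide's own code), this PowerShell applies both halves of the lockdown above, saves the original proxy values so the removal step can restore them, and deletes the policy values on revert; the function names, the backup file location and the use of the slide's "10.0.0.1:5555" placeholder are assumptions.

```powershell
# Added example, not from the slides: apply the proxy lockdown the slide
# describes, audit it, and revert it the way the slide says (restore originals,
# delete the policy values). "10.0.0.1:5555" is the slide's placeholder proxy.
$InetKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$PolicyKey  = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
$BackupFile = "$env:TEMP\proxy-backup.json"   # assumption: where the originals are kept

function Disable-ProxyInternet {
    # Save the current values first; they are needed to undo the change later.
    $cur = Get-ItemProperty -Path $InetKey
    @{ ProxyEnable = $cur.ProxyEnable; ProxyServer = $cur.ProxyServer } |
        ConvertTo-Json | Set-Content -Path $BackupFile

    Set-ItemProperty -Path $InetKey -Name 'ProxyEnable' -Value 1 -Type DWord
    Set-ItemProperty -Path $InetKey -Name 'ProxyServer' -Value '10.0.0.1:5555' -Type String

    # Lock the connection settings so the user cannot simply switch the proxy off.
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name 'Connection Settings' -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'Connwiz Admin Lock'  -Value 1 -Type DWord
}

function Restore-ProxyInternet {
    $saved = Get-Content -Path $BackupFile -Raw | ConvertFrom-Json
    if ($null -ne $saved.ProxyEnable) {
        Set-ItemProperty -Path $InetKey -Name 'ProxyEnable' -Value ([int]$saved.ProxyEnable) -Type DWord
    }
    if ($null -ne $saved.ProxyServer) {
        Set-ItemProperty -Path $InetKey -Name 'ProxyServer' -Value $saved.ProxyServer -Type String
    } else {
        Remove-ItemProperty -Path $InetKey -Name 'ProxyServer' -ErrorAction SilentlyContinue
    }
    # Delete the policy values (not just zero them) to lift the restriction.
    Remove-ItemProperty -Path $PolicyKey -Name 'Connection Settings', 'Connwiz Admin Lock' -ErrorAction SilentlyContinue
}

function Get-ProxyLockdownState {
    $inet = Get-ItemProperty -Path $InetKey
    $pol  = if (Test-Path -Path $PolicyKey) { Get-ItemProperty -Path $PolicyKey } else { $null }
    [pscustomobject]@{
        ProxyEnable        = $inet.ProxyEnable
        ProxyServer        = $inet.ProxyServer
        ConnectionSettings = $pol.'Connection Settings'
        ConnwizAdminLock   = $pol.'Connwiz Admin Lock'
    }
}

Get-ProxyLockdownState
```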

Page 12: Registry Forensics

Restrict Applications Users Can Run (All Windows)

Open your registry and find the key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]. Create a new DWORD value and name it "RestrictRun"; set the value to "1" to enable application restrictions or "0" to allow all applications to run.

Then create a new sub-key called [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun] and define the applications that are allowed. Create a new string value for each application, named with consecutive numbers, and set each value to the filename to be allowed (e.g. "regedit.exe").

Restart Windows for the changes to take effect.
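The following PowerShell is an added example (not from the slides) that builds the RestrictRun allow-list as the consecutively numbered string values described above, reads it back for audit, and refuses a list that omits the slide's own example, regedit.exe, since a list without the tool needed to revert the setting locks the user out; the function names are assumptions.

```powershell
# Added example, not from the slides: manage the RestrictRun allow-list as the
# numbered string values the slide describes, and read it back for audit.
$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RestrictRunKey = "$ExplorerPolicy\RestrictRun"

function Get-RestrictRunAllowList {
    if (-not (Test-Path -Path $RestrictRunKey)) { return @() }
    $key = Get-Item -Path $RestrictRunKey
    # Values are named "1", "2", ...; sort numerically, not alphabetically.
    $key.GetValueNames() |
        Where-Object { $_ -match '^\d+$' } |
        Sort-Object { [int]$_ } |
        ForEach-Object { $key.GetValue($_) }
}

function Set-RestrictRunAllowList {
    param(
        [Parameter(Mandatory)]
        [string[]]$AllowedExecutables
    )
    # The list must include whatever is needed to undo the change (the slide's
    # own example is regedit.exe); otherwise the user is locked out of reverting.
    if ($AllowedExecutables -notcontains 'regedit.exe') {
        throw 'Refusing to set a RestrictRun list that omits regedit.exe.'
    }
    New-Item -Path $RestrictRunKey -Force | Out-Null
    # Remove stale entries so old numbered values do not survive the rewrite.
    $key = Get-Item -Path $RestrictRunKey
    foreach ($n in $key.GetValueNames()) { Remove-ItemProperty -Path $RestrictRunKey -Name $n }
    $i = 1
    foreach ($exe in $AllowedExecutables) {
        New-ItemProperty -Path $RestrictRunKey -Name "$i" -PropertyType String -Value $exe | Out-Null
        $i++
    }
    Set-ItemProperty -Path $ExplorerPolicy -Name 'RestrictRun' -Value 1 -Type DWord
    Get-RestrictRunAllowList
}

function Remove-RestrictRun {
    Set-ItemProperty -Path $ExplorerPolicy -Name 'RestrictRun' -Value 0 -Type DWord
    Remove-Item -Path $RestrictRunKey -Recurse -Force -ErrorAction SilentlyContinue
}

Get-RestrictRunAllowList
# Set-RestrictRunAllowList -AllowedExecutables 'regedit.exe', 'notepad.exe'   # then restart Windows
```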

Page 13: Registry Forensics

THANKS A LOT FOR YOUR CO-OPERATION