Was The Windows Registry A Good Idea?
Current is a link to the key HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\XXXX (Honeycutt, 2003, p. 30). HKLM contains per-computer (computer-specific) settings, which apply to all users logging on to that particular computer.
Thus, a user can log on to a limited account for daily routines and use elevated privileges for occasional administrative tasks. The secondary user's SID (usually the administrative account's SID) will only be present in the HKU subkeys if the user performs a secondary logon during the user's session. If an offender performs a secondary logon to any other account, the secondary user's subkey will exist in HKU until the secondary user logs off or the program running with elevated privileges is closed.
Table 4 shows all HKLM subkeys (Honeycutt, 2003, p. 29). Any other subkeys in HKU are associated with secondary users. Windows XP has a feature called Secondary Logon, which allows a user to run a program as a different user, usually with elevated privileges.
This vulnerability allows malware to hide malicious code in "autorun" entries such as the infamous HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Any program or component specified in this key will be run automatically during system startup. Windows will still execute these hidden entries successfully at startup (Wesemann, 2005). A suspect may store text-based information using the value type REG_BINARY. This technique, however, does not hide data, as tools like hex editors automatically interpret binary data into a readable format (usually ASCII).
Auditing your registry can turn up telltale signs of malware infection. Here's how to monitor the registry keys that matter using Microsoft's Sysinternals Autoruns.
- You will see little or no difference between the Windows 98 and Windows 95 Registries.
- The organization is the same, and the Registry Editor is the same.
- Windows NT 4.0 stores the Registry in hives, whereas Windows 95 stores the Registry in two binary files.
- This is a backup copy of SYSTEM.DAT that Windows 98 made after you successfully installed and started Windows 98.
However, a forensic examiner could still analyse the suspicious text at different intervals (e.g. even or odd character positions) and derive possibly meaningful information from the incident context. HKCC is a symbolic link to the current hardware profile configuration subkey, HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current.
How Is The Registry Structured?
Using a different encoding technique to store data, such as Unicode instead of ASCII, does not improve stealthiness if the suspect only uses common English characters. For instance, the ANSI/ASCII encoding of "pass" is 0x70 0x61 0x73 0x73, while the 16-bit Unicode (UTF-16LE) encoding translates into 0x70 0x00 0x61 0x00 0x73 0x00 0x73 0x00 (Windows stores 16-bit characters in little-endian format). An examiner could easily find the word "pass" using tools that support text searching in different encoding formats. A suspect may substitute the 0x00 bytes with random binary values to improve stealthiness.
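As an added example (not code from the original paper or from any tool it cites), the following Python script does the examiner-side search just described: it looks for a keyword inside a REG_BINARY blob as plain ASCII, as UTF-16LE, and as UTF-16LE whose 0x00 high bytes were overwritten with arbitrary values, and it also implements the even/odd position analysis from the earlier paragraph by extracting printable runs from every other byte. The three sample values are constructed for the demonstration; on a live system they would be read with `winreg`, which this script deliberately does not do so that it runs anywhere.

```python
"""Search binary registry data for a keyword in several encodings.

Added example for this page; sample values below are constructed, not real
registry content.
"""
import re

# Constructed REG_BINARY-style blobs, each holding the word "password":
#   plain  - ASCII with a little framing around it
#   utf16  - UTF-16LE (each character followed by 0x00)
#   padded - UTF-16LE with every 0x00 high byte replaced by an arbitrary value
SAMPLE_VALUES = {
    "plain": bytes.fromhex("0102") + b"password" + bytes.fromhex("ff"),
    "utf16": bytes.fromhex("0010") + "password".encode("utf-16-le"),
    "padded": bytes.fromhex("709a613b73c4730277116ffe72576433"),
}


def keyword_patterns(word: str) -> dict[str, re.Pattern]:
    """Compile byte-level regexes for `word` in three encodings."""
    raw = word.encode("ascii")
    any_byte = rb"[\x00-\xff]"  # exactly one arbitrary byte
    return {
        "ascii": re.compile(re.escape(raw)),
        "utf16le": re.compile(re.escape(word.encode("utf-16-le"))),
        # each ASCII byte followed by one arbitrary byte: a UTF-16LE string
        # whose 0x00 high bytes were overwritten to defeat naive searches
        "utf16le-padded": re.compile(
            b"".join(re.escape(bytes([b])) + any_byte for b in raw)
        ),
    }


def find_keyword(blob: bytes, word: str) -> dict[str, list[int]]:
    """Return the byte offsets of every hit of `word` in `blob`, per encoding.

    A padded hit at the same offset as an exact UTF-16LE hit is dropped so
    that a normal Unicode string is not reported twice.
    """
    hits = {
        name: [m.start() for m in pat.finditer(blob)]
        for name, pat in keyword_patterns(word).items()
    }
    hits["utf16le-padded"] = [
        off for off in hits["utf16le-padded"] if off not in hits["utf16le"]
    ]
    return hits


def stride_strings(blob: bytes, stride: int = 2, min_len: int = 4) -> list[tuple[int, str]]:
    """Even/odd position analysis: for each start offset 0..stride-1, take every
    `stride`-th byte and report printable ASCII runs of at least `min_len`.

    Returns (lane, text) pairs; lane 0 is the even positions, lane 1 the odd ones.
    """
    printable_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    found = []
    for start in range(stride):
        lane = blob[start::stride]
        for m in printable_run.finditer(lane):
            found.append((start, m.group().decode("ascii")))
    return found


def scan_values(values: dict[str, bytes], word: str) -> dict[str, list[tuple[str, int]]]:
    """Run find_keyword over a set of named values; only values with hits are returned."""
    report = {}
    for name, blob in values.items():
        hits = [(enc, off) for enc, offs in find_keyword(blob, word).items() for off in offs]
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_values(SAMPLE_VALUES, "pass").items():
        print(f"{name:7s} -> {hits}")
    for name, blob in SAMPLE_VALUES.items():
        print(f"{name:7s} lanes -> {stride_strings(blob)}")
```

The padded pattern is the interesting one: it deliberately accepts any byte in the high-byte slot, so it catches the substitution trick the paragraph describes, at the price of more false positives on short words. The stride view is the complementary, keyword-free check: if one lane of a blob reads as text while the other lane is noise, the value is worth a closer look regardless of what it says.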
Practically everything you do in Windows is recorded in the registry. For instance, the URL for this article probably has an entry now, somewhere.