Windows Registry & Hiding Suspect's Secret in Registry: Vidya Pratisthan's College of Engineering, Baramati
Vidya Pratisthan's College of Engineering, Baramati
Windows Registry & Hiding Suspect's Secret in Registry
Presented by
Vibhav Bhosale
(TE, Information Technology)
Roll No: 103308
Under the guidance of
Prof. K. S. Bhagwat
Contents
Introduction
Structure of the Windows Registry
Computer forensics
Forensic-related registry keys
Considerations for hiding data in the registry from a suspect's viewpoint
Proposed authentication system
Concluding remarks
Introduction
The Windows registry is a topic most people shy away from. They view the
registry as a black box that cannot be tampered with, or assume it is written
in some language no mortal could ever understand.
In truth, the registry is very simple. While it may be hard or even impossible
to figure out what some individual keys mean, the registry itself is not a mess
of configurations with no order. Most settings are placed in a logical location,
and if you know how the registry is organised you can quickly find what you want.
Programs that can be used to edit the Registry
Windows comes with one to three different registry editing tools, depending on
the version:
1. RegEdit
2. Regedt32
3. Reg (the command-line tool)
What is the Registry?
• The registry is nothing more than a central place to store all settings on
the computer. A program does not have to store any data in the registry, but
it is free to do so. It is comparable to the configuration files on Linux and
Unix, but rather than being stored in folders, the settings are stored in
hives, a folder-like structure.
• The registry is implemented by the Configuration Manager component of the
Windows kernel.
What are the Registry keys?
When opening the registry in RegEdit, you are presented with five root keys,
often called hives (six on Windows 9x):
1. HKEY_CLASSES_ROOT (HKCR)
2. HKEY_CURRENT_USER (HKCU)
3. HKEY_LOCAL_MACHINE (HKLM)
4. HKEY_USERS (HKU)
5. HKEY_CURRENT_CONFIG (HKCC)
6. HKEY_DYN_DATA (HKDD) (Windows 9x only)
What are Keys? Hives? Values?
The data types a registry value can have are:
• REG_BINARY: Raw binary data. Most hardware component information is stored
as binary data and is displayed in Registry Editor in hexadecimal format.
• REG_DWORD: Data represented by a number that is 4 bytes long (a 32-bit
integer).
• REG_EXPAND_SZ: A variable-length data string. This data type includes
variables (such as %SystemRoot%) that are resolved when a program or service
uses the data.
• REG_MULTI_SZ: A multiple string. Values that contain lists or multiple
values in a form that people can read are generally this type. Entries are
separated by spaces, commas, or other marks.
• REG_SZ: A fixed-length text string.
• REG_QWORD: Data represented by a number that is a 64-bit integer. This data
is displayed in Registry Editor as a Binary Value and was first introduced in
Windows 2000.
What is Group Policy?
• Group policy is meant to change settings on hundreds or thousands of
computers at once.
• In a Windows Active Directory network you have what are called OUs
(organizational units). They are basically folders, and the network
administrators can put computers and users into these OUs. For example,
you might be in the Sales\Users OU.
Preference or Policy? What's the difference?
• Group policy settings fall into two kinds: a setting may be a preference, or
it may be a policy.
• A preference is a default setting. When a user logs on, the preference stored
in group policy is applied; however, the user retains full control over
changing the setting afterwards.
• The difference between the two is as simple as permissions: with a
preference the user has control over his or her registry key, but with a
policy the user only has read permission to that part of the registry.
Differences Between Group Policy & Registry
• Group policy is not really meant to change settings on a single computer.
• Group policy is used to ease the change of many registry settings on a
Windows computer. This is generally only done on Windows 2000, XP, 2003 or
newer machines.
How does software use the registry?
• Software can store its settings in one of two areas, HKEY_CURRENT_USER or
HKEY_LOCAL_MACHINE. If the setting is under current user it is a per-user
setting, while local machine stores settings for all users. HKCU\Software and
HKLM\Software are the default keys for this information. HKCU settings
override conflicting HKLM settings.
How can I restrict access to the registry?
• To disable the registry tools, such as regedit and regedt32, open
(HKCU|HKLM)\Software\Microsoft\Windows\CurrentVersion\Policies\System and add
a REG_DWORD value named DisableRegistryTools with the data 1. On many systems
you will have to create the System subkey first. These policies will in
general require you to reboot to take effect.
How can I access another computer's registry?
• Remotely accessing a registry is almost the same as any other remote
administrative task.
• Open regedit, then choose File -> Connect Network Registry...
• Like other networking tools, you need rights on the other machine. If you
are on a domain, your domain account needs to be a member of an
administrative group; if not on a domain, you need the same username and
password as an account on the target. Otherwise you are asked for a username
and password with the required permissions.
Registry Tattooing: What is it?
• Registry tattooing is one of the issues you face when using group policy to
change the registry.
• If a group policy creates a new key in the registry, removing the policy
does not remove the new key.
• Likewise, if you change a setting via group policy, removing the policy does
not revert the setting to what it once was. This behaviour is called
tattooing, and it can cause unforeseen problems.
Some Useful Tweaks
• Changing Start button text (a .reg file in REGEDIT4 format; the Winlogon key
must be written on a single line):
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
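The two settings on these slides, the DisableRegistryTools policy and the Winlogon Shell value, can be checked offline from a .reg export in the REGEDIT4 format shown above. This is an added example, not code from the presentation; the .reg text is constructed, and parse_reg and audit are names chosen here.

```python
import re
# Constructed sample export (not from any real host): the DisableRegistryTools
# policy from the slides and a Winlogon Shell value that is not plain Explorer.exe.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe,C:\\Users\\Public\\update.exe"
'''
# One .reg value line: "name"=data ; the name may contain escaped quotes/backslashes.
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

def parse_reg(text):
    """Return {key_path: {value_name: data}}; handles "..." (REG_SZ) and dword: entries."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # a [key] header starts a new section
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = m.group("name"), m.group("data")
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r'\\(.)', r'\1', data[1:-1])  # undo \\ and \" escaping
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)                     # 8 hex digits -> int
        keys[current][name] = data
    return keys

def audit(keys):
    """Flag the two settings the slides cover: editors disabled by policy, and a
    Winlogon Shell that is not Explorer.exe (anything else is started at logon)."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(r"\policies\system") and values.get("DisableRegistryTools") == 1:
            findings.append(f"{key}: DisableRegistryTools=1 (regedit/regedt32 blocked)")
        if k.endswith(r"\currentversion\winlogon"):
            shell = str(values.get("Shell", ""))
            if shell.lower() != "explorer.exe":
                findings.append(f"{key}: Shell={shell!r}, expected 'Explorer.exe'")
    return findings
```

Running audit(parse_reg(SAMPLE_REG)) reports both entries; a clean export with Shell set to Explorer.exe and no policy value yields an empty list.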
Any Query?