RE: Registry Key LastWrite times

From: Vladimir Kraljevic (vladimir_kraljevicat_private)
Date: Fri Jun 01 2001 - 01:02:10 PDT

Dear Tan Sze,

Every registry key (unfortunately, not every registry value), at least on NT,
has a time stamp. Parameter 11 of the API function RegQueryInfoKey (the
function that retrieves the number of sub keys, longest name length etc.,
implemented on Win95/NT as UNICODE and ANSI) is a TIMESTAMP structure, thus
you can retrieve the last write time without problems.

I once wrote a dump program for myself (that explores some interesting
undocumented structures with a hell of a lot of data for forensics :), so
anyone who is interested can get it from me; I'm not sending it here to the
list.

Best,
Vladimir


> -----Original Message-----
> From: Tan Sze Yan [mailto:tszeyanat_private]
> Sent: Thursday, May 31, 2001 7:35 AM
> To: forensicsat_private
> Cc: fhat_private-dresden.de
> Subject: Re: Registry Key LastWrite times
>
>
> This is interesting. If I got the message correctly, you actually meant
> that every registry key (such as
> HKLM/SYSTEM/CurrentControlSet/Control/PriorityControl) has a timestamp
> (for last write), not just each registry hive (such as HKLM or HKCU).
> How can we find out this "last write time" of each registry key value?
> Are there any programs for this purpose? Or which system calls can be
> used?
>
> Thanks.
>
> Frank Heyne wrote:
>>
>> On 30 May 2001, at 6:27, VanMeter, John wrote:
>>
>> > What subkeys under HKLM and HKCU contain this gold mine of information?
>>
>> Similar to every file, *every* Registry key has a time stamp as well. The
>> difference is that a Registry key only contains one time stamp (last write).
>> So you can only read the time when the *last* value under any key was
>> changed, nothing more. It does work only under Win NTx, not Win9x
>>
>> Frank Heyne
>
> --
> Tan Sze Yan		| Computer Security Lab
> Research Engineer	| DSO National Laboratories
> Tel: (65)7727379 	| 20 Science Park Drive
> Fax: (65)7755943 	| Singapore 118230
>
    
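The RegQueryInfoKey call Vladimir points at, as an added example that is not from the list posting: Python's winreg.QueryInfoKey wraps it and returns the key's last-write time as a FILETIME tick count (100 ns units since 1601-01-01), which the code below converts to UTC and uses to list the most recently written keys under a path. The hive and starting path are assumptions; the FILETIME conversion runs anywhere, the registry walk only on Windows.

```python
import datetime
import sys

try:
    import winreg  # Windows only; the FILETIME conversion does not need it
except ImportError:
    winreg = None

# Ticks (100 ns) from the FILETIME epoch (1601-01-01) to the Unix epoch (1970-01-01)
_UNIX_EPOCH_AS_FILETIME = 116444736000000000
_TICKS_PER_SECOND = 10_000_000

def filetime_to_datetime(ticks):
    """Convert the tick count RegQueryInfoKey reports to a timezone-aware UTC datetime."""
    seconds, remainder = divmod(ticks - _UNIX_EPOCH_AS_FILETIME, _TICKS_PER_SECOND)
    delta = datetime.timedelta(seconds=seconds, microseconds=remainder // 10)
    return datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc) + delta

def key_last_write_times(hive, path, max_depth=2):
    """Yield (key path, last write time) for `path` and its subkeys, depth-first."""
    if winreg is None:
        raise RuntimeError("registry access is only available on Windows")
    with winreg.OpenKey(hive, path, 0, winreg.KEY_READ) as key:
        # QueryInfoKey wraps RegQueryInfoKey; its third result is lpftLastWriteTime
        _subkeys, _values, ticks = winreg.QueryInfoKey(key)
        yield path, filetime_to_datetime(ticks)
        if max_depth == 0:
            return
        index = 0
        while True:
            try:
                name = winreg.EnumKey(key, index)
            except OSError:  # ERROR_NO_MORE_ITEMS: enumeration finished
                break
            index += 1
            try:
                yield from key_last_write_times(hive, path + "\\" + name, max_depth - 1)
            except PermissionError:  # skip keys the caller is not allowed to open
                continue

def most_recently_written(hive, path, count=10):
    """Return the `count` keys under `path` with the newest last-write times."""
    return sorted(key_last_write_times(hive, path), key=lambda e: e[1], reverse=True)[:count]

if __name__ == "__main__":
    if winreg is None:
        sys.exit("run this on Windows")
    # Assumed starting point: the parent of the PriorityControl key Tan mentions
    for key_path, when in most_recently_written(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control"):
        print(when.isoformat(), key_path)
```

Note that only the key's own last-write time is recorded, so a change to any value under a key moves that key's timestamp; values carry no timestamp of their own.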

This archive was generated by hypermail 2b30 : Fri Jun 01 2001 - 13:52:51 PDT