I was able to figure out where the Windows desktop files are enumerated in the registry. The reason I was unable to "find" them originally was that the standard Microsoft registry editing tools do not search REG_BINARY values but a hex or text editor would translate to ASCII. I used regdat and was able to find the "directory" listing below in:

HKCU .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop
REG_BINARY Value = ViewView2

There is a similar value for the Taskbar in the same subkey. The filenames are separated by 17 bytes of binary. Bytes 9-6 in that order make up the DOS file date. Specifically, I have been testing using a Windows 98 SE registry but on a cursory examination I see the same in my Windows 2000 registry.

Michael Burnette
Rogers & Hardin LLP
Atlanta, GA

-----Original Message-----
From: Burnette, Michael
Sent: Tuesday, April 23, 2002 4:08 PM
To: forensicsat_private
Subject: Desktop files enumerated in windows user.dat?

Is anyone aware of what the file listing at the end of a Windows 98 User.dat is? When I open the file with a text editor I see the following (binary removed):

ptsscreenshot1small.gif PTSSCR~1.GIF 108 O :i +00 #C:\ 1 ( n Windows 1 ( p Temp 1 2 o * good wife's guide.jpg GOODWI~1.JPG 109 O :i +00 #C:\ 1 ( n Windows 1 ( p Temp ( 2 * ATT00003.htm ATT00003.HTM 110 O :i +00 #C:\ 1 ( n Windows 1 ( p Temp ) 2 t +i UW Outing.jpg UWOUTI~1.JPG 111 O :i +00 #C:\ 1 ( n Windows 1 ( p Temp ( 2 t +i ~0022115.jpg ~0022115.JPG 112 O :i +00 #C:\ 1 ( n Windows 1 ( p Temp 7 2 -+

I looked at my own to compare and found the filenames in mine match my Windows 2000 desktop. The binary in between the filenames looks a lot like file attributes although I haven't yet been able to decode the raw file using a DOS or W32 file time interpreter (winhex). Notice also the incrementing decimal values. There are also entries for folders on the desktop. I'd be interested in knowing if anyone has a way to read this as a directory listing.
Thanks,

Michael Burnette
Rogers & Hardin LLP
Atlanta, GA USA

This message and any attachments are intended for the use of the addressee(s) only and may be confidential and covered by the attorney/client and other privileges. If the reader is not the intended recipient, DO NOT READ, notify sender and delete this message. In addition, be aware that any disclosure, copying, distribution or use of the contents of this message is strictly prohibited.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
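
The DOS date decoding mentioned in the reply above, as an added example that is not part of the original messages. It assumes byte numbers are counted from 1 within the 17-byte separator and that bytes 9-6, read in that order, form a packed 32-bit DOS timestamp with the date in the high word and the time in the low word; the function names and the sample separator are constructed for illustration.

```python
from datetime import datetime

SEPARATOR_LEN = 17  # per the post: filenames are separated by 17 bytes of binary


def decode_dos_datetime(packed: int) -> datetime:
    """Decode a packed 32-bit DOS timestamp (assumed: date high word, time low word)."""
    date_word, time_word = packed >> 16, packed & 0xFFFF
    year = 1980 + (date_word >> 9)       # 7 bits: years since 1980
    month = (date_word >> 5) & 0x0F      # 4 bits
    day = date_word & 0x1F               # 5 bits
    hour = time_word >> 11               # 5 bits
    minute = (time_word >> 5) & 0x3F     # 6 bits
    second = (time_word & 0x1F) * 2      # 5 bits, stored in 2-second units
    # datetime() raises ValueError for impossible fields (month 0, hour 31, ...),
    # which is a useful sanity check when the offsets are only a hypothesis.
    return datetime(year, month, day, hour, minute, second)


def timestamp_from_separator(sep: bytes, base: int = 1) -> datetime:
    """Read bytes 9, 8, 7, 6 (in that order) of one separator and decode them.

    base=1 assumes the post counts bytes from 1; pass base=0 to test the
    alternative reading against real data.
    """
    if len(sep) != SEPARATOR_LEN:
        raise ValueError(f"expected {SEPARATOR_LEN} bytes, got {len(sep)}")
    raw = bytes(sep[i - base] for i in (9, 8, 7, 6))
    return decode_dos_datetime(int.from_bytes(raw, "big"))


# Constructed sample separator (not taken from a real registry): zero filler
# with 2002-04-23 16:08:00 packed into bytes 6-9 under the assumptions above.
SAMPLE_SEPARATOR = bytes.fromhex("00" * 5 + "0081972c" + "00" * 8)

if __name__ == "__main__":
    print(timestamp_from_separator(SAMPLE_SEPARATOR))
```

A separator that decodes to a ValueError or to an implausible year under one numbering is a hint to try the other `base` before trusting the offsets.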
This archive was generated by hypermail 2b30 : Thu May 09 2002 - 07:35:44 PDT