There is really no single, consolidated resource of Registry keys that will be useful in any particular situation. A spreadsheet containing many of the keys that I and others find useful during various types of investigations is included in the ch4 directory on the accompanying media. However, this is not a be-all and end-all solution, because there simply isn't one. In some cases, Registry keys that are created during installation or are modified during use may change between versions of a particular application. Shortly after this topic goes to print, is published, and is ready for purchase, you can be sure that a new application will be available that records configuration and setting information in the Registry.

So, how do you go about determining Registry keys and values that are important to you? One way is to snapshot the Registry, perform an atomic action (i.e., do just one thing), snapshot the Registry again, and compare the two snapshots for differences. One particular tool that is useful for this task is InControl5, referred to by PC Magazine (distributor of the application) as "Inctrl5". Inctrl5 is available from; however, it is not a free download. The developer charges a small fee to download the tool, and the license agreement specifically forbids redistributing the software.

InControl5 is a great utility for doing all kinds of analysis. I generally tend to run InControl5 in two-phase mode, where I open the application, have it snapshot my system, do whatever I'm going to do (install a peer-to-peer file-sharing application or some bit of malware), and then open InControl5 again and have it complete the process. The HTML output is usually enough for my purposes, and I can clearly see the Registry keys (and files) that were added, modified, or deleted during the process.

Another way to discover useful or important keys is to use RegMon from Microsoft (RegMon is available from, but is also included as part of Microsoft's Process Explorer utility) to monitor the Registry in real time. When I was trying to determine where user information was kept within the Registry, I found that by running RegMon while executing the net user command I could determine which keys and values were accessed when retrieving user information, as Figure 4.4 illustrates. Figure 4.4 shows an excerpt of the RegMon output used to monitor the net user command.
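To show the snapshot-and-compare approach in working code (this is an added example of my own, not InControl5 and not code from the book), the Python below takes two Registry exports in the .reg text format that regedit and `reg export` write, parses them, and reports every key or value that was added, deleted or modified between the "before" and "after" snapshots. The two .reg inputs are constructed samples, and the key and value names in them are made up.

```python
import re

ABSENT = "<absent>"  # marks a key or value missing from one of the two snapshots
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "Name"=data  or  @=data

def parse_reg_export(text):
    """Parse a regedit / 'reg export' style .reg dump into {key: {name: data}}."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join hex data continued with a trailing '\'
    snapshot, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            snapshot.setdefault(current, {})  # a key with no values is still a key
            continue
        m = VALUE_RE.match(line)
        if current is not None and m:  # stray lines are skipped rather than fatal
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            snapshot[current][name] = m.group(2)
    return snapshot

def diff_snapshots(before, after):
    """Map (key, value name) -> (old data, new data) for everything that changed.
    The entry (key, "") stands for the key itself, so added/deleted keys show up too."""
    def flatten(snap):
        return {(k, n): d for k, vals in snap.items() for n, d in [("", "<key>"), *vals.items()]}
    b, a = flatten(before), flatten(after)
    return {kn: (b.get(kn, ABSENT), a.get(kn, ABSENT))
            for kn in sorted(set(b) | set(a)) if b.get(kn) != a.get(kn)}

# Constructed sample exports standing in for the "before" and "after" snapshots.
BEFORE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\ExampleApp]
"Version"="1.0"
[HKEY_CURRENT_USER\Software\OldApp]
@="leftover"
'''
AFTER = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\ExampleApp]
"Version"="1.1"
"Blob"=hex:01,02,\
  03,04
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleSvc"="C:\\Program Files\\ExampleApp\\svc.exe"
'''
CHANGES = diff_snapshots(parse_reg_export(BEFORE), parse_reg_export(AFTER))
for (key, name), (old, new) in CHANGES.items():
    print(f"{key}  {name or '(key)'}: {old} -> {new}")
```

Real exports written by `reg export` are UTF-16 text, so read them with `open(path, encoding="utf-16")` before handing the contents to `parse_reg_export`.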