
LastWrite time in the registry

(@sirius_black)
Posts: 4
New Member
Topic starter
 

Is there any way to deactivate the LastWrite time value for the registry keys?

 
Posted : 12/08/2007 10:32 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I have yet to find either a public API for modifying the LastWrite time on Registry keys, or a setting that prevents this from being set.

Harlan

 
Posted : 13/08/2007 5:32 pm
cinux
(@cinux)
Posts: 21
Eminent Member
 

> I have yet to find either a public API for modifying the LastWrite time on Registry keys, or a setting that prevents this from being set.
>
> Harlan

Harlan,
Just wondering what is the easiest method to get the last write time of keys in the registry. I am sure that one of the scripts on the DVD with your book should do the job, but I am still awaiting my copy of the book. Is there any other freeware tool available? Till now I use Windows Registry Analyzer from Mitec, but that is a little cumbersome way of doing things. I am actually looking at a tool which could parse the registry and produce the output in an Excel sheet for easy viewing. Any pointers would be appreciated.
Thanks!

 
Posted : 25/08/2007 11:21 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

> Is there any other freeware tool available?

To my knowledge, no.

> I am actually looking at a tool which could parse the registry and produce
> the output in an Excel sheet for easy viewing.

Sorry, can't help you there…I usually write tools that extract just the values I'm looking for.

Harlan

 
Posted : 26/08/2007 4:02 pm
(@skelm)
Posts: 6
Active Member
 

Harlan,

I'd like to bring this thread to the top once again.

> I have yet to find either a public API for modifying the LastWrite time on Registry keys, or a setting that prevents this from being set.

Have you, or anyone else, an update on this one? I was wondering whether or not malware would be able to tamper with the LastWrite Times.

Cheers,
Stefan.

 
Posted : 01/07/2010 2:43 pm
(@douglasbrush)
Posts: 812
Prominent Member
 

Check some of the stuff at the Anti-Forensics website.

 
Posted : 01/07/2010 8:31 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

> I was wondering whether or not malware would be able to tamper with the LastWrite Times.
>
> Cheers,
> Stefan.

Anything is possible when Administrator privileges are involved.

 
Posted : 02/07/2010 1:37 am
(@skelm)
Posts: 6
Active Member
 

> Check some of the stuff at the Anti-Forensics website.

Thanks, Douglas, I already did that but didn't find anything related to Registry LastWrite Times.

> Anything is possible when Administrator privileges are involved.

Awesome reply!

 
Posted : 02/07/2010 7:10 pm
(@douglasbrush)
Posts: 812
Prominent Member
 

Well it seems like if there was enough testing (and admin priv!) you could somehow.

Last Access is possible via

fsutil behavior set disablelastaccess 1
Or gpedit and/or .msc stuff

Quick Google stumbled on this thread that has some stuff on MFT and API calls.
http://www.eggheadcafe.com/software/aspnet/36126451/mft-datasize-allocatedsize-and-lastwritetime-options.aspx

 
Posted : 02/07/2010 7:39 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Doug,

Great job pointing out the finding, but disabling updating of last access times on files has nothing to do with modifying LastWrite times on Registry keys.

skelm,

No, I haven't had any update on that. LastWrite times can be modified, albeit not directly. The GetFileTime/SetFileTime APIs allow anyone with write access to a file to modify file times ($STANDARD_INFORMATION attributes), but I still haven't found any similar APIs for Reg key LastWrite times.

To modify a key LastWrite time, all that a user needs to do is add, delete, or modify something (value or subkey) within the key.

Perhaps if you could provide some context to this issue, there might be some way to provide a more direct answer.

 
Posted : 02/07/2010 7:53 pm
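
An added example, not code from any poster in this thread: a minimal Python reader that walks the key node (nk) cells of an offline hive file and lists each key path with its LastWrite time, the value discussed above. The field offsets follow the publicly documented regf hive layout and are an assumption here; the function names are illustrative and the two-key hive at the end is constructed sample data.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
BASE = 4096  # "regf" base block size; cell offsets are relative to its end

def filetime_to_utc(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def read_keys(hive):
    """Return {cell offset: (name, parent offset or None, LastWrite)} for in-use nk cells."""
    keys, pos = {}, BASE
    while hive[pos:pos + 4] == b"hbin" and (hsize := struct.unpack_from("<I", hive, pos + 8)[0]):
        cell, end = pos + 32, pos + hsize                # cells follow the 32-byte hbin header
        while cell < end and (size := struct.unpack_from("<i", hive, cell)[0]):  # 0 = damaged
            if size < 0 and hive[cell + 4:cell + 6] == b"nk":   # negative size = allocated
                flags, ft, _, parent = struct.unpack_from("<HQII", hive, cell + 6)
                nlen = struct.unpack_from("<H", hive, cell + 76)[0]
                # Flag 0x20 marks an ASCII ("compressed") name, otherwise UTF-16LE.
                name = hive[cell + 80:cell + 80 + nlen].decode("latin-1" if flags & 0x20 else "utf-16-le")
                keys[cell - BASE] = (name, None if flags & 0x04 else parent, filetime_to_utc(ft))
            cell += abs(size)
        pos = end
    return keys

def key_paths(hive):
    """Return [(full key path, LastWrite)], oldest LastWrite first."""
    keys = read_keys(hive)
    def path(off):
        parts = []
        while off in keys and len(parts) < len(keys):    # stop at the root or on a loop
            parts.append(keys[off][0])
            off = keys[off][1]
        return "\\".join(reversed(parts))
    return sorted(((path(o), k[2]) for o, k in keys.items()), key=lambda r: r[1])

def _nk(name, when, parent, flags=0x20):
    """Build one nk cell for the constructed sample hive below."""
    ft = (when - EPOCH_1601) // timedelta(microseconds=1) * 10
    body = struct.pack("<2sHQII", b"nk", flags, ft, 0, parent).ljust(72, b"\0")
    body += struct.pack("<HH", len(name), 0) + name.encode("ascii")
    size = (len(body) + 4 + 7) // 8 * 8                  # cells are 8-byte aligned
    return struct.pack("<i", -size) + body.ljust(size - 4, b"\0")

# Constructed hive: root key at cell offset 32 plus one subkey whose parent is 32.
_cells = (_nk("ROOT", datetime(2007, 8, 12, tzinfo=timezone.utc), 0, 0x2C)
          + _nk("Run", datetime(2010, 7, 2, tzinfo=timezone.utc), 32))
SAMPLE_HIVE = (b"regf".ljust(BASE, b"\0") + b"hbin" + struct.pack("<II", 0, 4096)
               + bytes(20) + _cells + struct.pack("<i", 4064 - len(_cells))).ljust(2 * BASE, b"\0")
```

The rows returned by `key_paths` can be passed to `csv.writer` to get a file a spreadsheet will open.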