Does Windows immediately write a Registry hive when it is modified by a user or a program?

7 Posts
4 Users
0 Reactions
2,818 Views
(@skywalker)
Reputable Member
Joined: 11 years ago
Posts: 150
Topic starter  

I'm analyzing a DD's journal file ($LogFile) and I doubt if the hives are immediately written to the secondary storage (the hard drive) when a key is modified, or if the new values remain for an indeterminate time in the main storage (RAM) before being written. If this is the case, when does Windows write the hives?

 

Thanks!!


   
Quote
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

The Microsoft documentation of the registry and registry-related functionality (especially see the RegFlushKey documentation) will give you a lot of information. I believe most of it is collected in Jerry Honeycutt's book about the registry (except for changes made after it was published, of course).

Alternatively, try

https://superuser.com/questions/1331407/when-does-windows-write-registry-changes-to-disk

(@skywalker)
Reputable Member
Joined: 11 years ago
Posts: 150
Topic starter  

@athulin Thanks for your answer, it's very useful information, I will study it slowly. So, the question here is, according to a first view of the articles and the forum, it seems that if pagefile.sys or hiberfil.sys could be tampered with before/at Windows starting, the values stored for the registry in these files but not yet saved to the registry files as such would be taken by Windows (W7). Is that correct?

 

Thanks!!

This post was modified 4 years ago by Skywalker

JimC
(@jimc)
Estimable Member
Joined: 9 years ago
Posts: 86
 

I believe that the Windows registry is implemented using memory-mapped files (and the Windows NT cache manager). This means that changes to the registry would initially be made in memory and then flushed to disk when the cache manager was ready. If you want to know more I would suggest having a look at Solomon+Russinovich's Windows Internals book or posting a question in the more specific OSR forums. If anyone can explain it - you will find them there.

The following academic paper may also be useful: Forensic analysis of the Windows registry in memory. Finally, Russinovich also wrote this article on the subject: Inside the Registry

Jim

www.binarymarkup.com


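As an added example (not code from this thread or from any poster), the PowerShell snippet below illustrates the distinction athulin and Jim describe: a value written through the registry API is visible in the in-memory hive at once, while the hive file on disk only receives it when the registry's lazy flusher runs, at shutdown, or when RegFlushKey (RegistryKey.Flush in .NET) is called explicitly. The subkey and value names are arbitrary assumptions chosen for the demo.

```powershell
# Added example: write a registry value and optionally force it to disk with
# RegistryKey.Flush(), which wraps the RegFlushKey API cited in the thread.
# Without Flush(), the change lives in the in-memory hive until the registry's
# lazy flusher (a periodic background write) or a clean shutdown writes it out,
# so a disk image taken in between will not contain it.
function Set-RegistryValueFlushed {
    param(
        [string]$SubKey    = 'Software\FlushDemo',   # assumption: scratch key under HKCU
        [string]$ValueName = 'LastRun',              # assumption: arbitrary value name
        [string]$Data      = (Get-Date -Format o),
        [switch]$Flush
    )
    $hive = [Microsoft.Win32.Registry]::CurrentUser
    $key  = $hive.CreateSubKey($SubKey, $true)      # $true = writable handle
    try {
        $key.SetValue($ValueName, $Data, [Microsoft.Win32.RegistryValueKind]::String)
        if ($Flush) {
            # Calls RegFlushKey: returns only after the hive's changed data is on disk.
            $key.Flush()
        }
        # Read back from the in-memory hive: this succeeds immediately whether or
        # not the data has reached NTUSER.DAT yet.
        return $key.GetValue($ValueName)
    }
    finally {
        $key.Close()
    }
}

# Visible to every process at once, but not necessarily on disk yet:
Set-RegistryValueFlushed -Data 'unflushed'
# Forced to disk before the call returns (what RegFlushKey exists for):
Set-RegistryValueFlushed -Data 'flushed' -Flush
```

For the forensic question in this thread, the practical consequence is that the acquired hive file reflects the last flush, not the last API write; memory acquisition is needed to capture the gap.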
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

@skywalker Your question can probably only be answered well by someone who has analyzed 'tamperability' and the files you mentioned in some depth: I haven't. This is also an area where changes are likely to have been made in response to malware and such, and so an analysis of identified vulnerabilities, as well as patches since any such tamperability examination, may be needed. I can imagine, for example, that some form of digital signing or encryption of critical data might be present (at least on systems with TPM, I suspect this could be included in the Measured Boot functionality, though I don't know if it actually is.) It should not be difficult to find out if gross changes to sensitive files are discovered or not, though.


(@skywalker)
Reputable Member
Joined: 11 years ago
Posts: 150
Topic starter  

Thank you everybody for your answers, I appreciate them.


(@alicia_haag)
New Member
Joined: 4 years ago
Posts: 1
 
Posted by: @jimc

I believe that the Windows registry is implemented using memory-mapped files (and the Windows NT cache manager). This means that changes to the registry would initially be made in memory and then flushed to disk when the cache manager was ready. If you want to know more I would suggest having a look at Solomon+Russinovich's Windows Internals book or posting a question in the more specific OSR forums. If anyone can explain it - you will find them there.

The following academic paper may also be useful: Forensic analysis of the Windows registry in memory. Finally, Russinovich also wrote this article on the subject: Inside the Registry

Jim

www.binarymarkup.com

At first I also asked this question, so I visited this forum thread. But I came across your comment and I want to say thank you for this useful material. I just started reading, but I was already involved.

Best regards, Alicia, time tracking software

