Does Windows immediately write a Registry hive when it is modified by a user or a program?

Skywalker
(@skywalker)
Active Member

I'm analyzing a DD's journal file ($LogFile) and I doubt whether the hives are immediately written to the secondary storage (the hard drive) when a key is modified, or whether the new values remain for an indeterminate time in the main storage (RAM) before being written. If this is the case, when does Windows write the hives?


Thanks!!

Topic starter Posted : 16/08/2021 2:05 am
athulin
(@athulin)
Community Legend

The Microsoft documentation of the registry and registry-related functionality (especially see the RegFlushKey documentation) will give you a lot of information. I believe most of it is collected in Jerry Honeycutt's book about the registry (except for changes made after it was published, of course).

Alternatively, try

https://superuser.com/questions/1331407/when-does-windows-write-registry-changes-to-disk

Posted : 16/08/2021 7:16 am
Skywalker
(@skywalker)
Active Member

@athulin Thanks for your answer, it's very useful information, I will study it slowly. So, the question here is, according to a first view of the articles and the forum, it seems that if pagefile.sys or hiberfil.sys could be tampered with before/at Windows start-up, the values stored for the registry in these files but not yet saved to the registry files as such would be taken by Windows (W7). Is that correct?


Thanks!!

Topic starter Posted : 18/08/2021 9:27 pm
JimC
(@jimc)
Member

I believe that the Windows registry is implemented using memory-mapped files (and the Windows NT cache manager). This means that changes to the registry would initially be made in memory and then flushed to disk when the cache manager was ready. If you want to know more I would suggest having a look at Solomon and Russinovich's Windows Internals book or posting a question in the more specific OSR forums. If anyone can explain it - you will find them there.

The following academic paper may also be useful: Forensic analysis of the Windows registry in memory. Finally, Russinovich also wrote this article on the subject: Inside the Registry

Jim

www.binarymarkup.com

Posted : 19/08/2021 12:06 am
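As an added illustration of the lazy-flush behaviour JimC describes (written for this thread, not code from any poster): a small Python parser for the 512-byte REGF base block at the start of every hive file. When in-memory changes have not been fully written back, the primary and secondary sequence numbers in that block differ, and the hive's .LOG1/.LOG2 transaction logs hold the data that never reached the primary file. Field offsets and the checksum rule follow the publicly documented REGF format; the sample headers and timestamp below are constructed, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 512                                   # REGF base block is one 512-byte sector
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_TIME = datetime(2021, 8, 16, 2, 5, tzinfo=timezone.utc)   # constructed timestamp

def regf_checksum(block: bytes) -> int:
    """XOR of the 127 little-endian uint32 words preceding the checksum field (offset 508)."""
    chk = 0
    for (word,) in struct.iter_unpack("<I", block[:508]):
        chk ^= word
    if chk == 0xFFFFFFFF:          # documented edge cases of the REGF checksum
        return 0xFFFFFFFE
    return chk or 1

def parse_base_block(block: bytes) -> dict:
    """Decode the fields an examiner checks before trusting an on-disk hive."""
    if len(block) < BASE_BLOCK_SIZE or block[:4] != b"regf":
        raise ValueError("not a REGF base block")
    primary, secondary, ts, major, minor, ftype = struct.unpack_from("<IIQIII", block, 4)
    (stored_chk,) = struct.unpack_from("<I", block, 508)
    return {
        "primary_seq": primary,
        "secondary_seq": secondary,
        "last_written": FILETIME_EPOCH + timedelta(microseconds=ts // 10),
        "version": f"{major}.{minor}",
        "file_type": ftype,                 # 0 = primary hive file, 1 = transaction log
        # Windows increments the primary sequence number when a write to the primary
        # file begins and the secondary one when it completes; unequal numbers mean the
        # hive on disk is "dirty" and its .LOG1/.LOG2 logs still hold unflushed data.
        "dirty": primary != secondary,
        "checksum_ok": stored_chk == regf_checksum(block),
    }

def make_base_block(primary: int, secondary: int, when: datetime) -> bytes:
    """Build a constructed base block for demonstration (not a real hive)."""
    delta = when - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    hdr = bytearray(BASE_BLOCK_SIZE)
    hdr[:4] = b"regf"
    struct.pack_into("<IIQIII", hdr, 4, primary, secondary, ticks, 1, 5, 0)
    struct.pack_into("<I", hdr, 508, regf_checksum(bytes(hdr)))
    return bytes(hdr)

if __name__ == "__main__":
    for label, blk in (("clean", make_base_block(7, 7, SAMPLE_TIME)),
                       ("dirty", make_base_block(8, 7, SAMPLE_TIME))):
        print(label, parse_base_block(blk))
```

Run against the first 512 bytes of a hive copied from an image, a "dirty" result tells you the on-disk file alone is not the complete registry state and the transaction logs must be considered too.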
athulin
(@athulin)
Community Legend

@skywalker Your question can probably only be answered well by someone who has analyzed 'tamperability' and the files you mentioned in some depth: I haven't. This is also an area where changes are likely to have been made in response to malware and such, and so an analysis of identified vulnerabilities, as well as patches since any such tamperability examination, may be needed. I can imagine, for example, that some form of digital signing or encryption of critical data might be present (at least on systems with TPM, I suspect this could be included in the Measured Boot functionality, though I don't know if it actually is.) It should not be difficult to find out if gross changes to sensitive files are discovered or not, though.

Posted : 19/08/2021 7:19 am
Skywalker
(@skywalker)
Active Member

Thank you everybody for your answers, I appreciate them.

Topic starter Posted : 25/08/2021 11:35 pm
Alicia_Haag
(@alicia_haag)
New Member
Posted by: @jimc

I believe that the Windows registry is implemented using memory-mapped files (and the Windows NT cache manager). This means that changes to the registry would initially be made in memory and then flushed to disk when the cache manager was ready. If you want to know more I would suggest having a look at Solomon and Russinovich's Windows Internals book or posting a question in the more specific OSR forums. If anyone can explain it - you will find them there.

The following academic paper may also be useful: Forensic analysis of the Windows registry in memory. Finally, Russinovich also wrote this article on the subject: Inside the Registry

Jim

www.binarymarkup.com

At first I also asked this question, so I visited this forum thread. But I came across your comment and I want to say thank you for this useful material. I just started reading, but I was already involved.

Best regards, Alicia, time tracking software

Posted : 09/09/2021 11:01 am