I'm analyzing a DD's journal file ($LogFile) and I doubt if the hives are immediately written to the secondary storage (the hard drive) when a key is modified, or if the new values remain for an indeterminate time in the main storage (RAM) before being written. If this is the case, when does Windows write the hives?
Thanks!!
The Microsoft documentation of the registry and registry-related functionality (especially see the RegFlushKey documentation) will give you a lot of information. I believe most of it is collected in Jerry Honeycutt's book about the registry (except for changes made after it was published, of course).
Alternatively, try
https://superuser.com/questions/1331407/when-does-windows-write-registry-changes-to-disk
@athulin Thanks for your answer, it's very useful information, I will study it slowly. So, the question here is, according to a first view of the articles and the forum, it seems that if pagefile.sys / hiberfil.sys could be tampered before/at Windows starting, the values stored for the registry in these files but not saved yet to the registry files as such, would be taken by Windows (W7). Is that correct?
Thanks!!
I believe that the Windows registry is implemented using memory mapped files (and the Windows NT cache manager). This means that changes to the registry would initially be made in memory and then flushed to disk when the cache manager was ready. If you want to know more I would suggest having a look at Solomon+Russinovich's Windows Internals book or posting a question in the more specific OSR forums. If anyone can explain it - you will find them there.
The following academic paper may also be useful: Forensic analysis of the Windows registry in memory. Finally, Russinovich also wrote this article on the subject: Inside the Registry
Jim
www.binarymarkup.com
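To make the lazy-write behaviour described in the two answers above observable, here is an added PowerShell example (not from the thread or from any of the posters). It changes a scratch value under HKCU, then calls RegistryKey.Flush() (the .NET wrapper around RegFlushKey) and records the on-disk timestamps of the hive and its transaction logs at each step. It assumes an interactive session as the user whose hive is observed, that the HKCU hive is $env:USERPROFILE\NTUSER.DAT with NTUSER.DAT.LOG1/.LOG2 beside it, and uses the hypothetical scratch key Software\HiveFlushDemo.

```powershell
# Added example (not from the thread). Observes when a change made to HKCU
# reaches the on-disk hive files, and what RegistryKey.Flush() (a wrapper
# around the Win32 RegFlushKey API) changes about that timing.
# Assumptions: interactive session as the user whose hive is observed; the
# HKCU hive lives at $env:USERPROFILE\NTUSER.DAT with its transaction logs
# NTUSER.DAT.LOG1/.LOG2 beside it. 'Software\HiveFlushDemo' is a hypothetical
# scratch key and is removed at the end.

$hiveFiles  = 'NTUSER.DAT', 'NTUSER.DAT.LOG1', 'NTUSER.DAT.LOG2' |
              ForEach-Object { Join-Path $env:USERPROFILE $_ }
$scratchKey = 'Software\HiveFlushDemo'

function Get-HiveTimestamps {
    # Hive files are hidden and held open by the kernel, but their metadata
    # is still readable. Log files that do not exist are reported as $null.
    $result = [ordered]@{}
    foreach ($path in $hiveFiles) {
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        $name = [System.IO.Path]::GetFileName($path)
        $result[$name] = if ($item) { $item.LastWriteTimeUtc } else { $null }
    }
    [pscustomobject]$result
}

function Show-Step($label, $stamps) {
    Write-Host ("{0,-15} " -f $label) -NoNewline
    foreach ($p in $stamps.PSObject.Properties) {
        Write-Host ("{0}={1:HH:mm:ss.fff}  " -f $p.Name, $p.Value) -NoNewline
    }
    Write-Host ''
}

Show-Step 'baseline' (Get-HiveTimestamps)

$key = [Microsoft.Win32.Registry]::CurrentUser.CreateSubKey($scratchKey)
$key.SetValue('Marker', [DateTime]::UtcNow.ToString('o'))
# The change now exists in the in-memory hive; nothing forces it to disk yet
# unless the lazy flusher happens to run in between.
Show-Step 'after SetValue' (Get-HiveTimestamps)

$key.Flush()     # RegFlushKey: returns only after dirty hive data is written
Show-Step 'after Flush' (Get-HiveTimestamps)

$key.Close()
[Microsoft.Win32.Registry]::CurrentUser.DeleteSubKeyTree($scratchKey)
```

Which of the three files' timestamps move at each step depends on the Windows version and on whether the periodic flush happened to run in between, so repeat the run a few times before drawing conclusions about a given system.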
@skywalker Your question can probably only be answered well by someone who has analyzed 'tamperability' and the files you mentioned in some depth: I haven't. This is also an area where changes are likely to have been made in response to malware and such, and so an analysis of identified vulnerabilities, as well as patches since any such tamperability examination may be needed. I can imagine, for example, that some form of digital signing or encryption of critical data might be present (at least on systems with TPM, I suspect this could be included in the Measured Boot functionality, though I don't know if it actually is.) It should not be difficult to find if gross changes to sensitive files are discovered or not, though.
Thank you everybody for your answers, I appreciate them.