Helix

nickfx
(@nickfx)
 

Fair comment Andy, incorrect term!

Cheers

Nick


   
nickfx
(@nickfx)
 

Hi - (this data was posted under the 'Under the Hood' Topic currently running in the General Discussion area but we thought it was better suited to be posted here.)

A couple of you asked me to post my findings on changes made when Helix is 'booted'/run into the Windows side.

Following is the raw data which details the changes to the system when the Helix Windows side boots into the welcome screen, 'I agree' is selected and when the main menu appears Helix is closed via the 'file-exit' command. (Helix 1.7 used)

(No other programs are running except the core system drivers, e.g. no firewall, anti-virus etc)

I've been planning to work on this core data to publish the results with explanatory notes to the community.

When different functions/programs within Helix are used, more reg keys are changed/added etc., but that is a lot more work which I haven't time to get around to.

Sorry it's such a long list!

Keys added 14
————–
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{7EBEFBC0-3200-11D2-B4C2-00A0C9697D07}\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{C06FF265-AE09-48F0-812C-16753D7CBA83}\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#{2f412ab5-ed3a-4590-ab24-b0ce2aa77d3c}&{9B365890-165F-11D0-A195-0020AFD156E4}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#{2f412ab5-ed3a-4590-ab24-b0ce2aa77d3c}&{9B365890-165F-11D0-A195-0020AFD156E4}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}\##?#Root#SYSTEM#0000#{9ea331fa-b91b-45f8-9285-bd2bc77afcde}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{fb6c428a-0353-11d1-905f-0000c0cc16ba}\##?#USB#ROOT_HUB#4&467fdfe&1#{f18a0e88-c30c-11d0-8815-00a0c906beP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\MediaResources\msvideo\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\MediaResources\msvideo\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\StillImage\Events\STIProxyEvent\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\StillImage\Events\STIProxyEvent\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\STORAGE\v_YA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HTTP\Parameters\S

Keys deleted 28
—————-
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}\I
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}\I
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{7EBEFBC0-3200-11D2-B4C2-00A0C9697D07}\v
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{C06FF265-AE09-48F0-812C-16753D7CBA83}\c
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL\Device Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL\Device Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL\Device Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL\Device Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\GLOBAL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\GLOBAL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}\-
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{fb6c428a-0353-11d1-905f-0000c0cc16ba}\#
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\MediaResources\msvideo\D
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\MediaResources\msvideo\D
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\StillImage\Events\STIProxyEvent\N
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\StillImage\Events\STIProxyEvent\N
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\STORAGE\M
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HTTP\Parameters\e

Values deleted 12
——————
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196} "DeviceInstance"
Type REG_SZ
Data USB\Vid_0573&Pid_4d22\5&39e0bbf6&0&1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL "SymbolicLink"
Type REG_SZ
Data \\?\USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\GLOBAL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL\Device Parameters "FriendlyName"
Type REG_SZ
Data Hauppauge WinTV USB Pro (PAL I) t ????????????t ??????t ????????????t ????????t ????????????????@ ??? ????? ?
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196} "DeviceInstance"
Type REG_SZ
Data USB\Vid_0573&Pid_4d22\5&39e0bbf6&0&1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL "SymbolicLink"
Type REG_SZ
Data \\?\USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\GLOBAL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL\Device Parameters "FriendlyName"
Type REG_SZ
Data Hauppauge WinTV USB Pro (PAL I) t ????????????t ??????t ????????????t ????????t ????????????????@ ??? ????? ?
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196} "DeviceInstance"
Type REG_SZ
Data USB\Vid_0573&Pid_4d22\5&39e0bbf6&0&1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL "SymbolicLink"
Type REG_SZ
Data \\?\USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\GLOBAL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL\Device Parameters "FriendlyName"
Type REG_SZ
Data Hauppauge WinTV USB Pro (PAL I) t ????????????t ??????t ????????????t ????????t ????????????????@ ??? ????? ?
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196} "DeviceInstance"
Type REG_SZ
Data USB\Vid_0573&Pid_4d22\5&39e0bbf6&0&1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL "SymbolicLink"
Type REG_SZ
Data \\?\USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\GLOBAL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}\\\##?#USB#Vid_0573&Pid_4d22#5&39e0bbf6&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\#GLOBAL\Device Parameters "FriendlyName"
Type REG_SZ
Data Hauppauge WinTV USB Pro (PAL I) t ????????????t ??????t ????????????t ????????t ????????????????@ ??? ????? ?

Values changed 1
—————–
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG "Seed"
Old type REG_BINARY
New type REG_BINARY
Old data 54, 8F, 94, CE, 1E, 15, E0, EE, 2B, BC, DB, 1D, 05, F1, 1A, E2, B2, DD, B2, D3, 35, 66, 43, 9B, 01, C9, 4D, 0D, 6B, F8, 8B, 2E, 11, 14, 28, 6A, 7B, C5, 14, 93, 29, 3B, 51, 1A, 64, 95, B2, 02, 26, FA, 58, 9B, 9E, 3C, 3D, 46, F2, 41, 9F, 11, 17, 56, B3, D8, 56, 83, AC, 10, 58, 90, FE, 7C, 25, F7, 62, 86, 8C, 92, 78, 53
New data 81, 93, EF, AA, 07, BE, B6, 12, 4D, A0, 11, DA, DD, F8, E1, 1D, 91, 98, 70, B3, E0, 47, 8E, D4, F6, 8C, 8B, 5C, 86, 3A, 74, F6, 81, 86, D8, A0, 13, 09, 71, 7F, 4B, 50, 81, 3A, 78, 12, F6, F8, 3F, EC, CE, C3, C6, 44, D8, B8, 16, B0, 64, 0B, 75, 82, 32, 00, 90, 82, AE, 64, 2F, F7, 5E, ED, 5F, B9, 6C, BD, 62, 91, 48, 1D

Files changed 8
—————-
c:\WINDOWS\Prefetch\HELIX.EXE-2AC0706C.pf
Old date 1/23/2006 9:23 PM
New date 1/23/2006 9:27 PM
Old size 65,744 bytes
New size 65,816 bytes
c:\WINDOWS\system32\config\software.LOG
Old date 1/23/2006 9:23 PM
New date 1/23/2006 9:27 PM
Old size 1,024 bytes
New size 1,024 bytes
c:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
Old date 1/23/2006 9:26 PM
New date 1/23/2006 9:27 PM
Old size 1,392,640 bytes
New size 1,392,640 bytes
c:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
Old date 1/23/2006 9:26 PM
New date 1/23/2006 9:27 PM
Old size 728 bytes
New size 728 bytes
c:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
Old date 1/23/2006 9:26 PM
New date 1/23/2006 9:27 PM
Old size 4 bytes
New size 4 bytes
c:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
Old date 1/23/2006 9:25 PM
New date 1/23/2006 9:27 PM
Old size 3,568 bytes
New size 3,568 bytes
c:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
Old date 1/23/2006 9:26 PM
New date 1/23/2006 9:27 PM
Old size 5,718,016 bytes
New size 5,718,016 bytes
c:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP
Old date 1/23/2006 9:26 PM
New date 1/23/2006 9:27 PM
Old size 2,840 bytes
New size 2,840 bytes


   
nickfx
(@nickfx)
 

In the other topic Keydet 89 then posted -

'nick,

Interesting. I'd expect to see the update to c:\WINDOWS\Prefetch\HELIX.EXE-2AC0706C.pf as well as some of the other file changes, but I find the deletion of the "..DeviceClasses\{6994ad05-93ef-11d0-…" key information to be…odd.

I'll have to try using Helix myself.

Harlan'

I posted in reply -

'Harlan,

I completely agree and almost didn't post it as I don't have explanations yet, but it happened on the 3 occasions I tested it so something is going on there. I need to test it on a clean Virtual Machine really, as some keys specific to my system, such as those referring to a USB TV box, are being adjusted.

The Cyberspeak podcast had an interview with the Helix chap Drew Fahey on the 7th Jan I think it was, and they mentioned an email from a guy who was testing it and mentioned about 35 keys changed.

My plan is to test each aspect of the distro with all the effects each of the embedded tools makes to the system but I think my work is cut out just figuring out what happens at boot and close!

If you or anyone else has any time to take a look, many hands…'

I'd be interested in any comments.

Nick


   
keydet89
(@keydet89)
 

Here's something I'd suggest…running InControl5 for the testing is great, but run RegMon and FileMon from SysInternals alongside it. That way, you can filter on the particular key, and determine which application/process made the modifications.

Remember…for a while, many of the A/V companies have been reporting that malware modified the MUICache key, when in fact, it was the shell that modified the key because the malware was run.

Another thing to do is use tools like Dependency Walker or pedump/peview to see which API functions the Helix app imports. If functions are imported to modify Registry keys, then maybe we should go back to Drew and ask him for some documentation.

I'm willing to bet that maybe it's not the Helix app that's modifying the key.

Harlan
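
The filtering step suggested in the post above, as an added example that is not part of the original thread: it takes a key reported by the snapshot diff and lists which processes successfully wrote under it in a monitor log. The tab-separated column layout, the sample rows and the choice of ControlSet002 as the current control set are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in a RegMon-style tab-separated layout (assumed columns:
# seq, time, process:pid, request, path, result, other). Not real Helix output.
DEVCLASS = r"Control\DeviceClasses\{6994ad05-93ef-11d0-a3cc-00a0c9223196}"
CCS = "HKLM\\SYSTEM\\CurrentControlSet\\"
ROWS = [
    ("1", "0.10", "explorer.exe:1480", "SetValue",
     r"HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\E:\helix.exe", "SUCCESS", ""),
    ("2", "0.25", "helix.exe:2212", "OpenKey", CCS + DEVCLASS, "SUCCESS", ""),
    ("3", "0.31", "services.exe:620", "DeleteKey",
     CCS + DEVCLASS + r"\##?#USB#Vid_0573&Pid_4d22", "SUCCESS", ""),
    ("4", "0.32", "services.exe:620", "DeleteValueKey",
     CCS + DEVCLASS + r"\DeviceInstance", "NOT FOUND", ""),
    ("5", "0.40", "helix.exe:2212", "SetValue",
     r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed", "SUCCESS", ""),
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in ROWS)

WRITE_OPS = {"CreateKey", "SetValue", "DeleteKey", "DeleteValueKey"}
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_USERS": "HKU", "HKEY_CLASSES_ROOT": "HKCR"}

def normalise(path, current_set="ControlSet002"):
    """Make a snapshot-diff path comparable with a monitor-log path.

    Snapshot tools report the numbered control set, while live monitoring
    sees CurrentControlSet; current_set names the one assumed to be active.
    """
    parts = path.strip().rstrip("\\").split("\\")
    parts[0] = HIVES.get(parts[0].upper(), parts[0])
    if (len(parts) > 2 and parts[1].upper() == "SYSTEM"
            and parts[2].lower() == current_set.lower()):
        parts[2] = "CurrentControlSet"
    return "\\".join(parts).lower()

def writers(log_text, key):
    """Map process name -> successful write operations at or below key."""
    target = normalise(key)
    hits = defaultdict(list)
    reader = csv.reader(io.StringIO(log_text), delimiter="\t",
                        quoting=csv.QUOTE_NONE)
    for row in reader:
        if len(row) < 6:
            continue  # skip malformed or truncated lines
        proc, request, path, result = row[2], row[3], row[4], row[5]
        p = normalise(path)
        under_key = p == target or p.startswith(target + "\\")
        if request in WRITE_OPS and result == "SUCCESS" and under_key:
            hits[proc.split(":")[0].lower()].append((request, path))
    return dict(hits)
```

Reads such as OpenKey and failed writes are excluded, so a process that only opened the key does not appear as having modified it.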


   
hogfly
(@hogfly)
 

FYI I posted somewhat similar findings here
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=636

It's not very reassuring that there are such differences.


   
nickfx
(@nickfx)
 

I think your results were based on running FRED, weren't they, rather than just the startup and shutdown procedure of the Helix 1.7 interface?

We need a nice academic type with research people with some spare time :)

Nick


   
hogfly
(@hogfly)
 

Yes, however I get different results from FRED each time – on clean virtual machines.

If my criminal investigation course wasn't getting in the way I'd have more time to devote :)

Why doesn't everyone just take a piece of the HELIX cd and test it? I can continue working on the FRED script, but I don't think there is any way I could test the entire windows cd.


   
nickfx
(@nickfx)
 

Hi, see what you are saying, yes I get the same issue on the startup, I tried it 3 times with slightly different results. However my tests were not on a clean VM which is the next step.

I will continue with the startup and shutdown process and see what I can find.

Look forward to seeing your FRED results.

Anyone else fancy taking a part?


   
keydet89
(@keydet89)
 

> Anyone else fancy taking a part?

Sure…in what, though? I don't see anything documented. I see mention of a "clean VM machine", and FRED, but to be honest, all it looks like is that you guys are running InControl5, and that's it. But like I said, I don't see anything documented…no methodology, nothing.

I also see things like "I tried it 3 times…" with no results posted.

So…what are you asking us to take part in?

Harlan


   
nickfx
(@nickfx)
 

You do have your caustic days, don't you Harlan :)

Yes Inctrl has been used, great, good tool, but nothing without interpretation. We have already had this conversation that the time to interpret and annotate what is happening is extremely limited to most of us, certainly me at the moment. Hence, and I'm sure Hogfly will agree, I was asking if anyone in the community would like to pick up the flag and spend some time looking at the distro too. I thought that was obvious and apologise if I was not clear.

No, there is no process published. I didn't post all 3 attempts as they mean nothing. Would you like me to post the 8600 events logged by regmon over the same process? Of course not, because anyone can generate the same logs and there is little point without work filtering the meaningful entries.

The original posting from myself and I'm sure from Hogfly was to demonstrate that there is a lot going on when Helix (Windows side) is being used, great, big deal, now time needs to be spent getting 'under the hood' as you describe it.

So my appeal was not to join some scientific, process-led study but to see if anyone else has time to analyse it in more detail.


   