HKEY_CURRENT_USER, when?

19 Posts
3 Users
0 Reactions
1,391 Views
 Add0
(@add0)
Trusted Member
Joined: 18 years ago
Posts: 71
Topic starter  

When is data such as RunMRU available from this key? Does Windows have to be running under a certain profile? I have an image of a suspect drive and in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ there is no "RunMRU".
Is it correct that upon shutdown data from HKCU is written to the user's ntuser.dat file?
Is there any way I can see this information with an acquired image?


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> When is data such as RunMRU available from this key?

The HKCU "key" is a hive. The values beneath the RunMRU key are available when the user clicks on Start, and types something into the Run box.

> Is it correct that upon shutdown data from HKCU is written to the user's ntuser.dat file?

Yes, that's part of a clean shutdown.

> Is there any way I can see this information with an acquired image?

No, and yes. As mentioned in my book, "Windows Forensic Analysis", the HKCU hive is volatile, which means that it exists and is available only when a user is logged into the system…hence the name, "current user". However, you can get the contents of this hive from an image by selecting the appropriate NTUSER.DAT file; i.e., the one located in the user's profile directory.

HTH,

Harlan


 Add0
(@add0)
Trusted Member
Joined: 18 years ago
Posts: 71
Topic starter  

Thanks for that, you more or less confirmed what I thought.

OK, so I'm viewing the ntuser.dat in FTK, what would the next step be? locate the RunMRU in hex?

Thanks


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> …what would the next step be? locate the RunMRU in hex?

Sure, you can do that, or open the NTUSER.DAT file in RegEdit on your analysis system and navigate to the key that way (my book tells how to do this). Another method is to just use a Perl script to reach into the file and determine if the key exists, and if so, extract the data.


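Added example, not Harlan's script (his are distributed via SourceForge and his books): a Python script that works from the RegEdit route above, after the suspect's NTUSER.DAT has been loaded in RegEdit on the analysis system and the RunMRU key exported to a .reg file. It assumes the hive was loaded under the hypothetical name HKEY_USERS\suspect; the export text below is constructed.

```python
import re

# Constructed sample: RunMRU exported from RegEdit after loading the suspect's
# NTUSER.DAT under the hypothetical name HKEY_USERS\suspect.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\suspect\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="cmd\\1"
"b"="\\\\fileserver\\share\\1"
"c"="regedit\\1"
"MRUList"="cba"
'''

# A REG_SZ value line in a .reg export; backslashes and quotes are escaped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo .reg escaping (a backslash escapes the following character)."""
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg_key(text, key_suffix):
    """Return {name: data} for the first key whose path ends with key_suffix,
    or None when the key is absent from the export (e.g. Run was never used)."""
    values = None
    for line in text.splitlines():
        if line.startswith("["):
            if values is not None:
                break                      # next key begins: we are done
            if line.rstrip("]").lower().endswith(key_suffix.lower()):
                values = {}
        elif values is not None:
            m = VALUE_RE.match(line)
            if m:
                values[unescape(m.group(1))] = unescape(m.group(2))
    return values

def run_mru_commands(values):
    """Run-box commands, most recent first. Windows stores each entry under a
    single-letter value as the command followed by a literal backslash and the
    digit 1; MRUList lists the letters in most-recent-first order."""
    order = list(values.get("MRUList", ""))
    # Letters missing from MRUList (partial or damaged key) are appended last.
    order += sorted(n for n in values if len(n) == 1 and n not in order)
    commands = []
    for letter in order:
        data = values.get(letter)
        if data is not None:
            commands.append(data[:-2] if data.endswith("\\1") else data)
    return commands
```

RegEdit writes version 5.00 exports as UTF-16 with a byte-order mark, so read the real file with encoding="utf-16" before passing its text to parse_reg_key.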
 Add0
(@add0)
Trusted Member
Joined: 18 years ago
Posts: 71
Topic starter  

> …what would the next step be? locate the RunMRU in hex?

Sure, you can do that, or open the NTUSER.DAT file in RegEdit on your analysis system and navigate to the key that way (my book tells how to do this).

Could you tell me now please? I haven't got time to learn this from your book just now.

Another method is to just use a Perl script to reach into the file and determine if the key exists, and if so, extract the data.

Do you know where I can get such a script?

Thanks


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> Could you tell me now please? I haven't got time to learn this from your book just now.

You're kidding, right?

> Do you know where i can get such a script?

Yes, I have one…actually, several. However, I am not a development shop, and I have grown weary of providing scripts via email to folks who never respond with so much as a "I successfully received the script" and a "thank you". I mean, really…I put forth the effort to develop and test something for them, and sent it, and didn't receive so much as a "thanks". As such, I've opted to put my stuff either online (SourceForge) or provide them via my books.

Harlan


 Add0
(@add0)
Trusted Member
Joined: 18 years ago
Posts: 71
Topic starter  

> Could you tell me now please? I haven't got time to learn this from your book just now.

You're kidding, right?

Not at all. If I was in your position then I would be happy to help anyone on these forums even if it did mean they wouldn't give me some money right away. I was going to purchase your book before, just not today. Now, however, it seems very unlikely that I will. Perhaps you think I'm just saying that and it's not the truth, but it is. You probably don't care, but never mind.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> If I was in your position then I would be happy to help anyone on these
> forums even if it did mean they wouldn't give me some money right away.

It's not a matter of getting "some money right away" at all…I've helped many in this forum and others with no expectation of payment whatsoever. It's a matter of constantly providing these things and not getting so much as a "thank you", even when the person asking could have done their own search and found the information themselves.

It's interesting to me that you went the "money" route right away, even though I made no mention of it whatsoever.

With regards to your purchasing my book…of course I care. I wrote it in order to answer questions such as yours, and, in fact, it does answer your specific question. Do I care that you've now decided not to purchase it? Of course I do. However, I still believe that the technical viability and information in the book speak for themselves.

Thanks,

Harlan


 Add0
(@add0)
Trusted Member
Joined: 18 years ago
Posts: 71
Topic starter  

I'm always very grateful for any help anyone gives me and I always let them know it. I realise that I could have researched this and found out for myself, but I needed this information for a case I'm working on and I don't have much time left. It would have just helped me out, that's all; I thought you wouldn't mind.
When I can, I always do my own research; I enjoy doing it.
I didn't say I wouldn't buy your book…


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> I didn't say I wouldn't buy your book…

A matter of semantics, perhaps…you said, "…it seems very unlikely that I will."


Page 1 / 2