Is there any way to deactivate the LastWrite time value for the registry keys?
I have yet to find either a public API for modifying the LastWrite time on Registry keys, or a setting that prevents this from being set.
Harlan
> I have yet to find either a public API for modifying the LastWrite time on Registry keys, or a setting that prevents this from being set.
> Harlan
Harlan,
Just wondering what is the easiest method to get the last write time of keys in the registry. I am sure that one of the scripts on the DVD with your book should do the job, but I am still awaiting my copy of the book. Is there any other freeware tool available? Till now I use Windows Registry Analyzer from Mitec, but that is a little cumbersome way of doing things. I am actually looking at a tool which could parse the registry and produce the output in an Excel sheet for easy viewing. Any pointers would be appreciated.
Thanks!
> Is there any other freeware tool available?
To my knowledge, no.
> I am actually looking at a tool which could parse the registry and produce
> the output in an Excel sheet for easy viewing.
Sorry, can't help you there…I usually write tools that extract just the values I'm looking for.
Harlan
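As an added example (not code from anyone in this thread), here is one way to pull key LastWrite times out of raw hive bytes and write them as CSV that a spreadsheet can open. It assumes the standard key node ("nk") cell layout: 4-byte cell size, "nk" signature at offset 4, LastWrite FILETIME at offset 8, name length at 0x4C and name at 0x50. All function names and the sample bytes are constructed for illustration.

```python
import csv, io, struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
KEY_COMP_NAME = 0x0020  # nk flag: name stored as ASCII, not UTF-16LE

def filetime_to_utc(ft):
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_nk(buf, off):
    """Parse a key node cell at off (cell starts with its 4-byte size).
    Returns (name, last_write_utc), or None if not an allocated nk cell."""
    if off + 0x50 > len(buf) or buf[off + 4:off + 6] != b"nk":
        return None
    size, _sig, flags, last_write = struct.unpack_from("<i2sHQ", buf, off)
    name_len, = struct.unpack_from("<H", buf, off + 0x4C)
    end = off + 0x50 + name_len
    if size >= 0 or name_len == 0 or end > off - size or end > len(buf):
        return None  # free cell, empty name, or name runs past the cell
    enc = "latin-1" if flags & KEY_COMP_NAME else "utf-16-le"
    return buf[off + 0x50:end].decode(enc, "replace"), filetime_to_utc(last_write)

def scan_keys(buf):
    """Try every 8-byte-aligned offset; hive cells are 8-byte aligned."""
    hits = ((off, parse_nk(buf, off)) for off in range(0, len(buf), 8))
    return [(off, *hit) for off, hit in hits if hit]

def to_csv(rows):
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["offset", "key", "last_write_utc"])
    w.writerows((o, n, t.isoformat()) for o, n, t in rows)
    return out.getvalue()

def sample_cell(name, ft):
    # Constructed test data (not from a real hive): one allocated nk cell
    cell = bytearray(0x50) + name.encode("ascii")
    cell += b"\0" * (-len(cell) % 8)
    struct.pack_into("<i2sHQ", cell, 0, -len(cell), b"nk", KEY_COMP_NAME, ft)
    struct.pack_into("<H", cell, 0x4C, len(name))
    return bytes(cell)

SAMPLE = (b"\0" * 32 + sample_cell("Run", 128752416000000000)
          + sample_cell("Services", 116444736000000000))

if __name__ == "__main__":
    print(to_csv(scan_keys(SAMPLE)), end="")
```

Signature scanning reports each key's own name rather than its full path, and it skips cells marked free, so deleted keys are not listed.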
Harlan,
I'd like to bring this thread to the top once again.
> I have yet to find either a public API for modifying the LastWrite time on Registry keys, or a setting that prevents this from being set.
Have you, or anyone else, an update on this one? I was wondering whether or not malware would be able to tamper with the LastWrite Times.
Cheers,
Stefan.
Check some of the stuff at the Anti-Forensics website.
> I was wondering whether or not malware would be able to tamper with the LastWrite Times.
> Cheers,
> Stefan.
Anything is possible when Administrator privileges are involved.
> Check some of the stuff at the Anti-Forensics website.
Thanks, Douglas, I already did that but didn't find anything related to Registry LastWrite Times.
> Anything is possible when Administrator privileges are involved.
Awesome reply!
Well it seems like if there was enough testing (and admin priv!) you could somehow.
Last Access is possible via
fsutil behavior set disablelastaccess 1
Or gpedit and/or .msc stuff
Quick Google stumbled on this thread that has some stuff on MFT and API calls.
http//
Doug,
Great job pointing out the finding, but disabling updating of last access times on files has nothing to do with modifying LastWrite times on Registry keys.
skelm,
No, I haven't had any update on that. LastWrite times can be modified, albeit not directly. The GetFileTime/SetFileTime APIs allow anyone with write access to a file to modify file times ($STANDARD_INFORMATION attributes), but I still haven't found any similar APIs for Reg key LastWrite times.
To modify a key LastWrite time, all that a user needs to do is add, delete, or modify something (value or subkey) within the key.
Perhaps if you could provide some context to this issue, there might be some way to provide a more direct answer.