Harlan,
thanks for the feedback.
Perhaps if you could provide some context to this issue, there might be some way to provide a more direct answer.
No context in particular. I was just discussing with a few colleagues the very possibility of malware directly tampering with the LastWrite timestamps.
Cheers,
Stefan.
How about changing the clock, then updating the key and then correcting the clock … in code it would take a second or so, you might not spot it in log files or similar …. )
Regards,
James
As mentioned earlier in the thread, it works; it just requires Administrator privileges to change the system time.
Most parts of the registry are wide open and the HKCU hive can be used to set values locally for one user so they may not even have to go into the HKLM hive (unless a value is set there, in which case the whole thing is moot since HKLM takes precedence).
Updating something, even if it takes only a second, would be written to a log file. The actual speed at which something is performed is irrelevant, since all calls to the API trigger logging. However, specifically the changing of system time does not generate one single event in any .log, .txt or Eventlog entry, at least on Win XP systems.
It is safe to assume that the lack of logging of such API calls is backwards compatible.
the changing of system time does not generate one single event in any .log, .txt or Eventlog entry, at least on Win XP systems.
It does in Vista/Win7.
…and it can also generate an Event Log entry in XP, as well.
Depending on how the system time is changed, there may also be other traces, as well. Perhaps not explicitly generated to a log file, but recorded via artifacts nonetheless.
Changing the system time as administrator in XP (SP2) with default settings does not generate an eventlog entry; I tried it earlier, before my previous post.
Like I said…"can"…depends on what auditing is enabled
http//
I just verified this…
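An added example (my own code, not from any poster in this thread): on Vista/Win7 the Security log records each clock change as Event ID 4616 with the previous and new time, so a set-then-restore sequence like the one James describes shows up as two large moves, about a second apart, that cancel out. This Python pairs such events from constructed 4616-style records (the dict layout and field names are assumptions) and maps any registry LastWrite stamp that falls inside the false-time window back to an estimated true time.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped after the 4616 fields (PreviousTime, NewTime,
# ProcessName). RecordId gives the true order: TimeCreated itself follows the clock.
SAMPLE_EVENTS = [
    {"RecordId": 101, "ProcessName": r"C:\Windows\System32\svchost.exe",
     "PreviousTime": "2011-03-01T10:00:00.000", "NewTime": "2011-03-01T10:00:00.400"},
    {"RecordId": 102, "ProcessName": r"C:\Temp\updater.exe",            # sets a false time
     "PreviousTime": "2011-03-01T10:05:00.000", "NewTime": "2010-12-24T08:00:00.000"},
    {"RecordId": 103, "ProcessName": r"C:\Temp\updater.exe",            # restores it ~1 s later
     "PreviousTime": "2010-12-24T08:00:01.200", "NewTime": "2011-03-01T10:05:01.300"},
    {"RecordId": 104, "ProcessName": r"C:\Windows\System32\svchost.exe",
     "PreviousTime": "2011-03-01T11:00:00.000", "NewTime": "2011-03-01T11:00:00.100"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f")

def find_clock_rollbacks(events, min_jump=timedelta(minutes=5),
                         max_gap=timedelta(minutes=1), max_residual=timedelta(seconds=60)):
    """Return (process, fake_start, fake_end, true_start) for each pair of consecutive
    large clock moves that cancel out: the first sets a false time, the second
    restores it. Sub-threshold W32Time-style corrections are ignored."""
    jumps = []
    for ev in sorted(events, key=lambda e: e["RecordId"]):
        prev, new = parse_ts(ev["PreviousTime"]), parse_ts(ev["NewTime"])
        if abs(new - prev) >= min_jump:
            jumps.append((ev, prev, new))
    windows = []
    for (_e1, p1, n1), (e2, p2, n2) in zip(jumps, jumps[1:]):
        elapsed_on_fake_clock = p2 - n1               # how long the false time was in force
        residual = (n2 - p1) - elapsed_on_fake_clock  # ~0 when the clock was put back correctly
        if timedelta(0) <= elapsed_on_fake_clock <= max_gap and abs(residual) <= max_residual:
            windows.append((e2["ProcessName"], n1, p2, p1))
    return windows

def suspect_lastwrite(last_write, windows):
    """If a registry LastWrite stamp falls inside a fake-time window, return the
    estimated true time it was written; otherwise None."""
    for _proc, fake_start, fake_end, true_start in windows:
        if fake_start <= last_write <= fake_end:
            return true_start + (last_write - fake_start)
    return None

if __name__ == "__main__":
    for proc, fake_start, fake_end, true_start in find_clock_rollbacks(SAMPLE_EVENTS):
        print(f"{proc}: stamps between {fake_start} and {fake_end} were written near {true_start}")
```

Any LastWrite that lands in a returned window was stamped while the clock was false; the residual check keeps ordinary time-service corrections from pairing up as rollbacks.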