Hi guys. I know there are a lot of references to Registry Analysis procedures, not only in this forum but also in the Internet. However, and even after consulting Harlan's book, I haven't been able to find a reference to what it is contained in this location (under SW in NTUSER)
CurrentVersion\Explorer\Streams\95
I have found filenames of high relevance in this location, but I don't know what this means… have these files ever been present on the hard drive, were they accessed over the LAN…?? I don't know. If anyone has any good reference for this location I'd be very grateful.
CurrentVersion\Explorer\Streams\
Is the entry that controls window pane dimensions, columns and widths. So if you are a developer and want a window to open in a certain size, that is where it is controlled.
For example My Computer is controlled by 22, My Documents is controlled by 2, Control Panel is controlled by 105. I do not know what 95 controls.
I did receive some documentation for parsing the data in these keys, but to be honest, I'm still trying to wrap my head around it.
Found the following
you will find that the numbers are not specific to the windows they control, but assigned as the windows were first opened. I believe the 'StreamMRU' key is the index which associates a number with a folder, so as long as you export/import 'StreamMRU' and 'Streams' as a air, you should be OK.
Actually, now that I go back and look at it, what I said was incorrect…
Within the Streams key, I see a number of subkeys, each of which has a "(Default)" and "ViewView2" value. I see nothing obviously useful in either value.
Withing the StreamsMRU key, I see several values that correspond to the Streams subkeys, and I do see both DOS short names and full-length names listed.
Thank you guys.
Could I affirm then that the file list I am watching has been present on an Explorer Windows?
I say it is a file list because I can see both the short and the long name nomenclature. However, I'm not able to "translate" other file properties (I see for example typical structures for DOS Date/Times) since the records are not equally sized.
The file system used is NTFS, so it shouldn't be a Directory Entry (and I cannot find "2E 2E", so I think I'm right), an it is not a MFT Entry either since they are not equally sized. Does anyone know what can I be looking at?
I'll reproduce an example bot in ANSI and in HEX for two files and a Directory in case it can give more clues
Directory
Hex
SS SS SS SS SS SS 31 00 00 36 00 03 00 04 00 EF BE 42 39 60 B5 30 3A 00 B8 14 00 00 00 LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL 00 00 00 18 00 02 00 00 00 02 00 00 00 3A 00 31 00 00 00 00 00 59 32 18 4E 10 00
Text
SSSSSSSS··6·····ï¾B9`µ0·¸····LLLLLLLLLLLLLLLLLLLLLLLLLLLLL··············1·····Y2·N··
Consecutive Files
Hex
SS SS SS SS SS SS SS SS SS SS SS SS 00 00 42 00 03 00 04 00 EF BE 93 39 A0 1D 93 39 00 B8 14 00 00 00 LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL 00 00 00 1C 00 B6 01 00 00 3A 00 00 00 68 00 32 00 00 AE 05 00 46 39 E4 76 20 00
SS SS SS SS SS SS SS SS SS SS SS SS 00 00 4C 00 03 00 04 00 EF BE 46 39 E4 76 7A 39 00 B8 14 00 00 00 LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL LL 00 00 00 1C 00 90 02 00 00 E2 00 00 00 BA 00 32 00 00 B2 0B 00 7A 39 5A 20 20 00
Text
SSSSSSSSSSSS··B·····ï¾9 ·9·¸····LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL·····¶······h·2··®··F9äv ·
SSSSSSSSSSSS··L·····ï¾F9ävz9·¸····LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL········â···º·2··²··z9Z ·
As you can deduce, I've replaced the letters of the Short Name with "S" and the letters of the Long Name with "L"
Thanks for your time!
… by the way, I've also found the same structure in […]\Windows\ShellNoRoam\Bags\124\Shell\ItemPos1280x1024.
As far as I know (please, correct me if I'm wrong), the keys under "Bags" store the specific visualization configuration for a folder, so I think I do can affirm these files were in the hard drive, can't I?
Regards.
Do you have the software Windows Registry Analyser (WRA). It does a good job of analysing and presenting the data in the UserAssist, StreamMRU, ShellBags and ProgramsCache.
The ShellBags is normally a good indicator that the user has resized the window\browser they have had open and that the filenames were the content at that time.
Thank you!
I had never used that tool (its current name is Windows Registry Recovery in http//