Hello,
I have another doubt, this is about security of Windows registry. If someone changes the security for a registry key (for example deny for a user), is possible to track this change and know who did it? Is there any clue in the registry?
Best Regards and thanks in advance again.
If someone changes the security for a registry key (for example deny for a user), is possible to track this change and know who did it? Is there any clue in the registry?
In the Registry? No. However, it's possible to determine this through the creation and analysis of a timeline that includes, but is not limited to, Registry data.
Hi,
Yes, you can track the change in the registry. As software is installed on the system, its entry is maintained in the registry for the proper functioning of the system. Unusual changes in the registry can result in corruption of programs and of the system as well. So, I suggest you use one of the following tools to track the changes in the registry.
1) Regshot
2) InstallWatch Pro
3) SpyMe tools
4) InCtrl5
5) Install Spy5
6) SysTrace
7) WhatChanged
8) TrackWinstall
These tools are renowned among forensic experts.
But you cannot track who changed the registry setting without authorized or unauthorized access into the system.
————
Thanks and Regards
If someone changes the security for a registry key (for example deny for a user), is possible to track this change and know who did it? Is there any clue in the registry?
It is technically possible, but it won't happen automatically.
All (?) registry keys are protected by access control lists, which behave much like those for files. System Access Control Lists allow the system to trace access to the protected resource – you can force what I call a log entry (but Microsoft prefers to call an audit record) on failed access, on successful access, on read, on write … etc.
That's the mechanism – it is already in place, but you have to deploy it. As far as I know, there's no default logging enabled (but I haven't checked this in detail since Windows 7 SP 0). That is, on a 'foreign' computer, you have to use indirect traces, or analyze the registry for SACL entries that could be used to produce log entries. If you're doing 'forensic readiness preparation', it's a very useful tool.
There's a lot of additional info to be found on the Microsoft web sites – MSDN and Technet are my personal favourites. It's also covered by Windows sysadmin courses, and by at least one book on registry workings (Jerry Honeycutt, Microsoft Windows Registry Guide, 2nd ed.), which also provides a list of default permissions for … I suspect it must be Windows XP. (That is, it's possible to create a 'registry access footprint', which can be useful for anomaly detection. Finding a SAM that lists other users than SYSTEM in its ACL is an … interesting anomaly to find, for example.) That kind of access analysis is as useful for the registry as it is for file systems: you can't change a registry key/value if you don't have write access to it …
It's rare to see registry ACLs mentioned in books on Windows forensics, though.
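The SACL-and-audit-record mechanism this reply describes, as an added example that is not from the thread: a PowerShell fragment that puts an audit entry on a key so that later permission changes produce Security-log records, then pulls those records (which carry the account, process and timestamp) back out. It assumes an elevated session, Windows PowerShell 5 or later, the Object Access > Registry audit subcategory, and a constructed placeholder key HKLM:\SOFTWARE\ExampleApp.

```powershell
# Added example, not from the thread. Assumes an elevated session and a
# constructed placeholder key; adjust $keyPath to the key you want watched.
$keyPath = 'HKLM:\SOFTWARE\ExampleApp'
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }

# Step 0: the audit policy must be on, or the SACL never produces records.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# Step 1: add a SACL entry so that any successful or failed attempt to change
# the key's permissions or owner (WRITE_DAC / WRITE_OWNER) is audited.
$acl  = Get-Acl -Path $keyPath -Audit
$rule = [System.Security.AccessControl.RegistryAuditRule]::new(
            'Everyone',
            [System.Security.AccessControl.RegistryRights]'ChangePermissions, TakeOwnership',
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Step 2: later, ask the Security log who changed permissions on the key.
# Event 4670 ("Permissions on an object were changed") records the account,
# the process and the old/new security descriptor in SDDL. ObjectName is in
# native form (\REGISTRY\MACHINE\SOFTWARE\ExampleApp), hence the wildcard.
function Get-RegistryPermissionChanges {
    param([string]$KeyNamePattern = '*SOFTWARE\ExampleApp*')
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data.ObjectType -eq 'Key' -and $data.ObjectName -like $KeyNamePattern) {
                [pscustomobject]@{
                    When    = $_.TimeCreated        # answers the "is there a timestamp?" question
                    Who     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                    Process = $data.ProcessName
                    Key     = $data.ObjectName
                    OldSddl = $data.OldSd
                    NewSddl = $data.NewSd
                }
            }
        }
}

Get-RegistryPermissionChanges | Format-List
```

Without step 0 and step 1 in place before the change happens, the log holds nothing and only the key's LastWriteTime remains, which says when, not who.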
So, I suggest you use one of the following tools to track the changes in the registry. …
Have you actually checked and verified that those tools do detect/record changes in PERMISSIONS on a Registry key?
@keydet
Is there a specific field for date/time of change of a permission?
Or one would rely on modification date/time LastWriteTime?
@pimp
JFYI, the Registry is almost (actually EXACTLY) like a filesystem, with - unsurprisingly - a number of similarities with the NTFS filesystem
jaclaz