Is it possible to know if someone has changed the default printer for a user using the registry, I mean, who and when (time)? What keys do you have to look for and how to view these changes?
Where
http//
http//
When
Check the date/time of the LastWrite.
Who
no way (that I know of) to know for sure.
How
It depends if it is an online or an offline system/registry.
However
http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry
jaclaz
…I mean, who and when(time)? …
Possibly, depending upon the version of Windows you're analyzing. I'd create a timeline of system activity, and focus on determining the user account that had accessed the system during the time that the key was changed. This won't give you the "who", as much as which user account was used, but it's a start.
I'd create a timeline of system activity, and focus on determining the user account that had accessed the system during the time that the key was changed. This won't give you the "who", as much as which user account was used, but it's a start.
Well, yes, but strictly speaking no. 😯
That will tell you which user was logged in at the time the key was changed, but not necessarily which user changed the key at that time.
Let's say that I set an AT or SCHTASK scheduled task, just as an example.
jaclaz
Thank you both.
Best Regards.
That will tell you which user was logged in at the time the key was changed, but not necessarily which user changed the key at that time.
Let's say that I set an AT or SCHTASK scheduled task, just as an example.
On Windows systems, there is enough detail in data recorded in the Registry such that if someone logged in via the console, or remotely via RDP, and opened RegEdit, modified the key, and closed RegEdit, you would be able to determine which user account was used.
For Vista+ systems, there is enough detail in logging that if someone created a Scheduled Task, even remotely, you'd still be able to determine the user account used.
Without a video camera or witness to observe the actions, you won't be able to tell who did it, but you can still determine when and which user account was used.
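The timeline approach discussed in this thread, as an added example that is not part of any poster's reply: it converts a key's LastWrite FILETIME to UTC and lists every account with activity overlapping that moment. The session records, account names and the FILETIME value are constructed sample data, and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime):
    """Convert a registry key's 64-bit LastWrite FILETIME to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def utc(text):
    """Parse a 'YYYY-MM-DD HH:MM:SS' string as a UTC timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed sample timeline: (account, activity type, start, end).
# In a real case these rows come from logon/logoff and task records.
SESSIONS = [
    ("alice", "console", utc("2013-05-14 08:02:11"), utc("2013-05-14 17:30:40")),
    ("bob", "rdp", utc("2013-05-14 12:10:05"), utc("2013-05-14 12:25:52")),
    ("svc_backup", "scheduled task", utc("2013-05-14 12:15:00"), utc("2013-05-14 12:15:09")),
    ("carol", "console", utc("2013-05-13 09:00:00"), utc("2013-05-13 16:45:00")),
]

# Constructed LastWrite value: 2013-05-14 12:15:03 UTC.
LAST_WRITE_FILETIME = 130130073030000000


def accounts_active_at(filetime, sessions):
    """Return (account, activity type) for every record spanning the LastWrite.

    Shortest activity first: a nine-second task run that brackets the write
    is a tighter fit than an all-day console session, but every hit stays a
    candidate. The result names user accounts, not people.
    """
    last_write = filetime_to_utc(filetime)
    hits = [s for s in sessions if s[2] <= last_write <= s[3]]
    hits.sort(key=lambda s: s[3] - s[2])
    return [(account, kind) for account, kind, _, _ in hits]


if __name__ == "__main__":
    print("LastWrite (UTC):", filetime_to_utc(LAST_WRITE_FILETIME))
    for account, kind in accounts_active_at(LAST_WRITE_FILETIME, SESSIONS):
        print(f"candidate account: {account} ({kind})")
```

Three accounts overlap the write in this sample, which is the situation raised above: the interactively logged-in account is not necessarily the one that changed the key.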