Hi guys, I am attempting to find evidence of winspy in the registry. Does anyone know of keys that I will find this in, preferably keys specifically used by winspy?
This is proving tricky, but I continue to research.
Thanks
Sorry, I don't know any registry keys of winspy, but the best way to find them out is to use InCtrl5, as mentioned in Harlan's book.
Thank you, what an excellent program :D
OK, the InCtrl5 report shows changes in the following key when I install the program on my own system:
HKEY_CLASSES_ROOT\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib "(Default)"
Old type REG_SZ
New type REG_SZ
Old data {86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}
New data {831FDD16-0C5C-11D2-A9FC-0000F8754DA1}
But when I'm in FTK and want to view this key in Registry Viewer, how do I do it? It doesn't seem to have the same name as this, and I can't see "Interface" anywhere.
This is frustrating now..
Any ideas?
Thanks
Using SysAnalyzer from iDEFENSE, the following changes appeared directly after the install.
Processes
PID   ParentPID  User           Path
------------------------------------------------
648   412        MLTEMPLATEESG  C:\WINDOWS\rsmpls.exe
672   412        MLTEMPLATEESG  C:\WINDOWS\System32\CSpool\lass.exe
1284  672        MLTEMPLATEESG  C:\WINDOWS\msmsgrs.exe

Ports
Port  PID  Type  Path
------------------------------------------------
1041  672  TCP   C:\WINDOWS\System32\CSpool\lass.exe
1039  672  UDP   C:\WINDOWS\System32\CSpool\lass.exe

Monitored RegKeys
Registry Key                                        Value
------------------------------------------------
HKLM\Software\Microsoft\Windows\CurrentVersion\Run  PrintSpooler=C:\WINDOWS\System32\CSpool\lass.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run  =
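A report like the one above is what an examiner turns into indicators. The following is an added example, the editor's own Python and not a feature of SysAnalyzer, InCtrl5 or FTK: it parses that report, flags process names that imitate real Windows binaries (lass.exe for lsass.exe, msmsgrs.exe for msmsgs.exe), ties each Run-key entry to the process running that binary and the ports it has open, and translates the live-registry key paths into the hive file and subkey an offline registry viewer shows. That last step also covers the earlier InCtrl5 key: HKEY_CLASSES_ROOT is a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes, so in an offline SOFTWARE hive the Interface\{...} key sits under Classes, which is why there is no top-level "Interface" to find. The sample report is reconstructed from the post (drive colons restored); the legitimate-name list and the 0.85 similarity threshold are the editor's assumptions.

```python
"""Triage a SysAnalyzer-style "changes after install" report.

Added example for this thread; it is the editor's own code, not a feature of
SysAnalyzer, InCtrl5 or FTK. Assumptions: SAMPLE_REPORT is reconstructed
from the post above (drive colons restored), LEGIT_NAMES is an illustrative
list rather than an authoritative one, and the 0.85 threshold is arbitrary.
"""
from difflib import SequenceMatcher

# Constructed input: the posted report, re-typed with "C:" restored.
SAMPLE_REPORT = r"""Processes
PID ParentPID User Path
------------------------------------------------
648 412 MLTEMPLATEESG C:\WINDOWS\rsmpls.exe
672 412 MLTEMPLATEESG C:\WINDOWS\System32\CSpool\lass.exe
1284 672 MLTEMPLATEESG C:\WINDOWS\msmsgrs.exe
Ports
Port PID Type Path
------------------------------------------------
1041 672 TCP C:\WINDOWS\System32\CSpool\lass.exe
1039 672 UDP C:\WINDOWS\System32\CSpool\lass.exe
Monitored RegKeys
Registry Key Value
------------------------------------------------
HKLM\Software\Microsoft\Windows\CurrentVersion\Run PrintSpooler=C:\WINDOWS\System32\CSpool\lass.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run =
"""

# Real Windows binaries that malware likes to imitate (assumption: a short,
# illustrative list, not an authoritative one).
LEGIT_NAMES = {"lsass.exe", "spoolsv.exe", "msmsgs.exe", "svchost.exe", "csrss.exe"}
LOOKALIKE_THRESHOLD = 0.85


def hive_location(key):
    r"""Map a live-registry path to (hive file, subkey) as an offline viewer shows it.

    HKCR is a merged view of HKLM\SOFTWARE\Classes (machine-wide) and
    HKCU\Software\Classes (per user), so Interface\{...} keys are found under
    Classes\ inside the SOFTWARE hive rather than at the top level.
    """
    root, _, rest = key.partition("\\")
    root = root.upper()
    if root in ("HKEY_CLASSES_ROOT", "HKCR"):
        return "SOFTWARE", "Classes\\" + rest
    if root in ("HKEY_CURRENT_USER", "HKCU"):
        return "NTUSER.DAT", rest
    if root in ("HKEY_LOCAL_MACHINE", "HKLM"):
        hive, _, sub = rest.partition("\\")  # SOFTWARE, SYSTEM, SAM or SECURITY
        return hive.upper(), sub
    raise ValueError("unsupported root: " + root)


def parse_report(text):
    """Split the three SysAnalyzer sections into lists of dicts."""
    report = {"Processes": [], "Ports": [], "Monitored RegKeys": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in report:
            section = line
            continue
        if not line or line.startswith("-") or section is None:
            continue
        if section == "Processes":
            parts = line.split(None, 3)
            if len(parts) < 4 or parts[0] == "PID":  # column header
                continue
            report[section].append({"pid": int(parts[0]), "ppid": int(parts[1]),
                                    "user": parts[2], "path": parts[3]})
        elif section == "Ports":
            parts = line.split(None, 3)
            if len(parts) < 4 or parts[0] == "Port":
                continue
            report[section].append({"port": int(parts[0]), "pid": int(parts[1]),
                                    "type": parts[2], "path": parts[3]})
        else:
            key, _, value = line.partition(" ")
            name, _, path = value.partition("=")
            # The header and the trailing "Run =" line carry no data, so
            # neither says anything about persistence; drop them.
            if key == "Registry" or not path:
                continue
            report[section].append({"key": key, "name": name, "path": path})
    return report


def triage(report):
    """Return findings: lookalike process names and Run-key persistence."""
    findings = []
    procs = {p["pid"]: p for p in report["Processes"]}
    ports_by_pid = {}
    for entry in report["Ports"]:
        ports_by_pid.setdefault(entry["pid"], []).append(f'{entry["type"]}/{entry["port"]}')

    for p in report["Processes"]:
        name = p["path"].rsplit("\\", 1)[-1].lower()
        if name in LEGIT_NAMES:
            continue
        best = max(LEGIT_NAMES, key=lambda legit: SequenceMatcher(None, name, legit).ratio())
        score = SequenceMatcher(None, name, best).ratio()
        if score >= LOOKALIKE_THRESHOLD:
            findings.append({"kind": "lookalike", "pid": p["pid"], "ppid": p["ppid"],
                             "path": p["path"], "mimics": best, "score": round(score, 2),
                             "children": [c["pid"] for c in report["Processes"]
                                          if c["ppid"] == p["pid"]]})

    for r in report["Monitored RegKeys"]:
        hive, subkey = hive_location(r["key"])
        owners = [pid for pid, p in procs.items() if p["path"].lower() == r["path"].lower()]
        listening = [port for pid in owners for port in ports_by_pid.get(pid, [])]
        findings.append({"kind": "persistence", "hive": hive, "subkey": subkey,
                         "value": r["name"], "path": r["path"],
                         "running_as": owners, "listening": listening})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_report(SAMPLE_REPORT)):
        print(finding)
```

Run it as a script to print the findings for the sample report. The persistence finding tells an examiner to open the SOFTWARE hive and look at Microsoft\Windows\CurrentVersion\Run for the PrintSpooler value, and that the binary it launches (pid 672) is the one holding TCP 1041 and UDP 1039 and is the parent of msmsgrs.exe.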
This is after you install winspy?
I searched for some of those files in some of those folders and can't find them.
This is after you install winspy?
When I did a Google search for winspy, I used the one from win-spy.com. If this is not the one you are testing, please provide the URL.