Tuesday, July 17, 2018

Daily Blog #424: The registry key so nice they named it twice, computername computername

Hello Reader,
I enjoy teaching forensics, as students always ask questions that make you figure out things you just take for granted. A good example of this came last month in Amsterdam, when a student asked: hey, why is the computername registry key in the System registry (located under System\\Control\ComputerName\ComputerName) under a registry key named computername?

I've always made jokes about this key (see the post title above), but never really took the time to understand why it was set up this way. A couple of Google searches and some in-class testing later, I had my answer.

It turns out that when you change the name of your Windows computer in the Control Panel, a new key is added under the base ComputerName key. This new key, called ActiveComputerName, contains the old name of the computer from before the change, while the new name you have given the computer is stored in the ComputerName key.

Here is the ComputerName key after renaming the computer

Here is the old name of the computer, located in the ActiveComputerName key

Here is the new name of the computer in the ComputerName key

On reboot, the ActiveComputerName key is deleted and the new ComputerName key is kept.
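A triage check built on the behaviour described above, as an added example that is not from the original post: it parses the text of a `.reg` export of the ComputerName key and reports whether a rename is still waiting on a reboot. The sample export, host names, control set and function names are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re

# Constructed sample: text of a .reg export taken after a rename, before reboot.
# Host names and the control set are made up for illustration.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName]
"ComputerName"="LAB-OLD-01"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName]
"ComputerName"="LAB-NEW-02"
'''

KEY_RE = re.compile(r'^\[(?P<path>.+)\]$')
VAL_RE = re.compile(r'^"ComputerName"="(?P<data>[^"]*)"$', re.IGNORECASE)
SUBKEYS = ("activecomputername", "computername")

def read_names(export_text):
    """Return {subkey: name} for the subkeys of ...\\Control\\ComputerName."""
    names, current = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            parts = m.group("path").lower().split("\\")
            # Track only direct children of a Control\ComputerName key.
            is_child = parts[-3:-1] == ["control", "computername"]
            current = parts[-1] if is_child and parts[-1] in SUBKEYS else None
            continue
        m = VAL_RE.match(line)
        if m and current:
            names[current] = m.group("data")
    return names

def rename_status(export_text):
    """Classify the export using the behaviour described in the post."""
    names = read_names(export_text)
    new, old = names.get("computername"), names.get("activecomputername")
    if new is None:
        return ("no-computername-key", None, None)
    if old is None or old.lower() == new.lower():
        return ("no-pending-rename", None, new)
    return ("renamed-not-rebooted", old, new)

if __name__ == "__main__":
    print(rename_status(SAMPLE_EXPORT))
```

Matching on the tail of the key path keeps the check independent of which control set the export was taken from.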

So there you go: there is in fact a reason and a function for the duplication in the computername registry key. Every key, every decision has a story, and understanding how it works and why will only make you a better examiner.