Saturday, October 6, 2018

Daily Blog #499: Solution Saturday 10/6/18

Hello Reader,

     This week Kevin Pagano grabbed the win with a nice primer on registry monitoring. I'm looking forward to testing more registry monitoring tools next week and trying out Maxim Suhanov's suggestion of waiting 30 seconds for transactions to be written.

The Challenge:
How would you monitor/record changes to registry keys? What could you do to get more data?

Winning answer:
There are a few monitoring tools that can record changes in the registry.

NirSoft specifically has 2 different options that could be helpful:
RegistryChangesView - allows you to take snapshots of the registry at different points in time, compare two versions, and export the changes as needed
RegFromApp - this one monitors the registry for changes made by specific applications

Regshot and WhatChanged are two other tools that are similar to RegistryChangesView in that they can show the changes between two snapshots of the registry taken at different times.

Process Monitor (ProcMon) will give you real-time feedback on activity in various locations, the registry included.

Registry auditing can be turned on as follows so that changes show up in the event logs:
1. Run the following command from Command Prompt:
auditpol /set /subcategory:"Registry" /success:enable
Note: if the OS has a different language pack, the name “Registry” might differ. For instance, on a German Windows, the name is “Registrierung”. To see what the name of the subcategory is you can run:
auditpol /list /subcategory:*
2. Open Registry Editor and navigate to the key which we want to audit (HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word)
3. Right-click on the key and choose “Permissions…”
4. Click “Advanced” and switch to the Auditing tab
5. Add a user or group and select Access: Set Value
6. Apply settings
Via Microsoft

Registry Explorer from Eric Zimmerman can possibly show deleted registry keys and recover them as needed, as well as interpret the registry transaction LOG files.
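As an added example that is not part of the original post or of the winning answer: the auditing procedure above, done from an elevated PowerShell session rather than by hand in Regedit. It turns on the Registry subcategory by its GUID (so the call does not depend on the language pack), puts a SACL entry on one key, makes a change to that key, and reads back the Security events that result. The key path HKCU:\Software\Example\Watched and the value name Marker are placeholders chosen for this example; writing the SACL needs SeSecurityPrivilege, which an elevated shell has.

```powershell
# Added example, not code from the original post or from Kevin Pagano's answer.
# Enables registry auditing, adds an audit rule (SACL entry) to one key, makes a
# change, and pulls the resulting Security events. Run from an elevated shell.
param(
    [string]$KeyPath = 'HKCU:\Software\Example\Watched',   # placeholder key for this example
    [int]$LookbackMinutes = 10
)

# 1. Enable the Object Access > Registry subcategory. Using the subcategory GUID
#    instead of the name avoids the "Registry" vs "Registrierung" problem.
$registrySubcategory = '{0CCE921E-69AE-11D9-BED3-505054503030}'
auditpol /set /subcategory:$registrySubcategory /success:enable /failure:enable | Out-Null

# 2. Make sure the key exists, then add an audit rule to its SACL.
#    Get-Acl needs -Audit or the SACL is not read (and so not written back).
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }

$acl  = Get-Acl -Path $KeyPath -Audit
$rule = [System.Security.AccessControl.RegistryAuditRule]::new(
    'Everyone',                        # identity to audit
    'SetValue,CreateSubKey,Delete',    # RegistryRights that trigger an event
    'ContainerInherit',                # InheritanceFlags: cover subkeys too
    'None',                            # PropagationFlags
    'Success,Failure')                 # AuditFlags
$acl.AddAuditRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# 3. Make an audited change so there is something to look at.
Set-ItemProperty -Path $KeyPath -Name 'Marker' -Value ([guid]::NewGuid().ToString())

# 4. Read the events back. 4657 ("A registry value was modified") carries the
#    old and new value plus the process that wrote it; 4663 covers other
#    audited accesses (for example deleting a subkey).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4657, 4663
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Pull the named EventData fields out of the event XML rather than relying
    # on positional Properties indices, which differ between 4657 and 4663.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Id       = $_.Id
        User     = $d['SubjectUserName']
        Process  = $d['ProcessName']
        Object   = $d['ObjectName']      # kernel path: \REGISTRY\USER\<SID>\Software\...
        Value    = $d['ObjectValueName']
        OldValue = $d['OldValue']
        NewValue = $d['NewValue']
    }
} | Where-Object { $_.Object -like '*Software\Example\Watched*' } | Format-Table -AutoSize
```

The point of the SACL route over a snapshot tool is the actor: a 4657 event ties the old and new value to the user and the process that wrote it, which a before/after diff cannot tell you. You can confirm the policy took effect with `auditpol /get /subcategory:"{0CCE921E-69AE-11D9-BED3-505054503030}"`, and the same rule works on HKLM keys, where a service or installer is usually the writer you care about.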
