Wednesday, March 12, 2008

Finding Traces of Executables in the Registry

I found a registry key that is really quite interesting and I can see how it might come in handy when looking at a system that may have been compromised.

By following the procedure detailed below I was able to quickly find all programs or executables that have been installed or executed on a system by the logged-in user.

These values are stored in clear text and are very simple to retrieve.


Tools

  • Reg (Windows XP native command)
  • Excel or any other spreadsheet

Steps

1. I'm using a Windows XP SP2 system here. From a DOS prompt I execute the following command:

reg query HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\SHELLNOROAM\MUICACHE > outputfile.txt
The results are output to a file called outputfile.txt in the current directory.


2. Import the file into Excel and, using auto filters, filter out all lines beginning with @. You are left with a list of programs that have at some stage been installed and used.



As can be seen from the output, several of the files listed are plain executables with no installer. BAT files are also listed if they have been run. The location from which each executable was run is listed as well.
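The Excel filtering in step 2 can be done without a spreadsheet. The script below is an added example, not part of the original post: it parses the saved output of the reg query command, drops the @-prefixed resource entries (and the REG_BINARY LangID value), groups the remaining program paths by the directory they were run from and flags anything that is not an .exe, such as the BAT files mentioned above. The registry output embedded in it is constructed for the example; the file name outputfile.txt and the function names are this example's own choices.

```python
import ntpath
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample of "reg query ...\SHELLNOROAM\MUICACHE" output.
# XP's REG.EXE 3.0 separates name, type and data with tabs; the last
# line uses the four-space layout of later reg.exe versions so the
# parser is exercised on both.
SAMPLE_REG_OUTPUT = "\n".join([
    "! REG.EXE VERSION 3.0",
    "",
    "HKEY_CURRENT_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\SHELLNOROAM\\MUICACHE",
    "    LangID\tREG_BINARY\t0904",
    "    @C:\\WINDOWS\\system32\\shell32.dll,-22019\tREG_SZ\tWindows Explorer",
    "    @C:\\WINDOWS\\system32\\control.exe,-1\tREG_SZ\tControl Panel",
    "    C:\\Program Files\\Internet Explorer\\iexplore.exe\tREG_SZ\tInternet Explorer",
    "    C:\\Documents and Settings\\user\\Desktop\\tool.exe\tREG_SZ\ttool",
    "    C:\\temp\\cleanup.bat\tREG_SZ\tcleanup",
    "    C:\\Program Files\\7-Zip\\7zFM.exe    REG_SZ    7-Zip File Manager",
])

# One value line: leading whitespace, value name, REG_* type, data.
# Matching the type token explicitly (instead of splitting on a fixed
# separator) handles both the tab and the four-space layouts, and
# value names that themselves contain spaces (e.g. "Program Files").
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")


def parse_reg_query(text: str) -> List[Tuple[str, str, str]]:
    """Return (name, type, data) for every value line in reg query output.

    The key header, the version banner and blank lines have no leading
    whitespace and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = VALUE_RE.match(line.rstrip("\r\n"))
        if m:
            entries.append((m.group("name"), m.group("type"), m.group("data")))
    return entries


def program_entries(entries: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Keep MUICache entries that name a program: REG_SZ values whose name
    is a path rather than an @-prefixed string-resource reference."""
    return [(name, data) for name, typ, data in entries
            if typ == "REG_SZ" and not name.startswith("@")]


def group_by_directory(programs: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group program paths by the directory they were run from.
    ntpath is used so backslash paths parse correctly on any analysis host."""
    groups: Dict[str, List[str]] = {}
    for path, _friendly in programs:
        groups.setdefault(ntpath.dirname(path), []).append(path)
    return groups


def non_exe(programs: List[Tuple[str, str]]) -> List[str]:
    """Paths whose extension is not .exe (e.g. .bat files that were run)."""
    return [path for path, _ in programs
            if ntpath.splitext(path)[1].lower() != ".exe"]


def load_reg_query_file(path: str, encoding: str = "utf-8") -> str:
    # On XP the redirected file is in the console's OEM code page, so pass
    # the right encoding if non-ASCII paths come out garbled.
    with open(path, encoding=encoding, errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    text = load_reg_query_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG_OUTPUT
    progs = program_entries(parse_reg_query(text))
    for directory, paths in sorted(group_by_directory(progs).items()):
        print(directory)
        for p in paths:
            print("    " + p)
    print("Non-exe entries:", non_exe(progs))
```

Run it as `python muicache_report.py outputfile.txt` against the file produced in step 1; with no argument it runs on the embedded sample. Note that the post describes Windows XP: on Vista and later the MUICache values live under HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache instead, so the reg query path in step 1 must be changed there, while the parsing is the same.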




If you are interested in other ways to get the most out of the registry, I highly recommend Harlan Carvey's book "Windows Forensics and Incident Recovery".

After writing this entry I learned from Harlan that he had previously blogged about this registry key. In his post Harlan goes into great detail about it. I link to his post here.



1 comment:

Keydet89 said...

Instead of "Windows Forensics and Incident Recovery", I would recommend the more recent "Windows Forensic Analysis".