Registry Location:
NTUSER.DAT
Key Location:
\Software\Yahoo\Pager Eoptions String
Description:
Yahoo's encrypted saved password
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Yahoo\Pager Save Password
Description:
Whether the password is saved (yes/no)
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Yahoo\Pager Yahoo User ID
Description:
Last Yahoo user ID that logged in
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Yahoo\Pager\FileTransfer
Description:
Number of file transfers
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Yahoo\Pager\IMVironments
Description:
IMVironments (chat backgrounds) used
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Yahoo\Pager\Profiles\Screen_name
Description:
Registered screen names/identities used in Yahoo
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Yahoo\Pager\Profiles\Screen_name (values: All Identities, Selected Identities)
Description:
Other identities (aliases) attached to the account
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Yahoo\Pager\Profiles\Screen_name\Archive
Description:
Message archive settings
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Yahoo\Pager\Profiles\screen_name\Chat
Description:
Visited and/or created Chat Rooms
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Yahoo\Pager\profiles\screen_name\FileTransfer
Description:
File transfer settings
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Yahoo\Pager\Profiles\Screen_name\IMVironments
Description:
Yahoo environment settings
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Yahoo\Pager\Profiles\Screen_name\IMVironments\Recent
Description:
Recent contacts and IMV used
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Yahoo\Yserver
Description:
File transfer settings used
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Description:
List of entries typed into Start/Run box
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\ControlSet001\Control\TimeZoneInformation\StandardName
Description:
Time zone setting
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\ControlSet002\Control\TimeZoneInformation\StandardName
Description:
Time zone setting
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
Description:
List of programs run at system start
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\anysubkey\
Description:
List of programs run at system start
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\System\CurrentControlSet\Control\Session Manager\BootExecute
Description:
Native-mode programs run by Session Manager before the subsystems start (default is "autocheck autochk *"); extra entries are a persistence point
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\System\CurrentControlSet\Control\Session Manager\KnownDLLs
Description:
List of DLLS loaded at system start
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
Description:
Names and descriptions of computers browsed in My Network Places
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
Description:
List of Mapped Drives
..................................................................................................................................................
Registry Location:
SYSTEM
Key Location:
\Controlset###\Control\ComputerName\ComputerName
Description:
Computer name
..................................................................................................................................................
Registry Location:
SYSTEM
Key Location:
\Select
Description:
Lists current control set
..................................................................................................................................................
Registry Location:
SYSTEM
Key Location:
\Select\Current
Description:
Number of the control set (ControlSet00N) the system booted with; use it to pick the right ControlSetXXX below
..................................................................................................................................................
Registry Location:
SYSTEM
Key Location:
\ControlSetXXX\Services\DMIO\BootInfo\PrimaryDiskGroup
Description:
Lists the most recent dynamic disk mounted
..................................................................................................................................................
Registry Location:
SYSTEM
Key Location:
\ControlSetXXX\Services\Eventlog
Description:
Per-log subkeys (Application, Security, System); the File value under each gives the path of that .evt log
..................................................................................................................................................
Registry Location:
SOFTWARE
Key Location:
\Microsoft\Windows NT\CurrentVersion
Description:
InstallDate value: installation date of the operating system (32-bit Unix timestamp)
..................................................................................................................................................
Registry Location:
SOFTWARE
Key Location:
\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
Description:
Banner / boot message
..................................................................................................................................................
Registry Location:
SOFTWARE
Key Location:
\Microsoft\Windows NT\CurrentVersion\Winlogon
Description:
DefaultUserName value: last logged on user
..................................................................................................................................................
Registry Location:
SOFTWARE
Key Location:
\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption
Description:
Legal captions used
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
Description:
Files accessed with Paint program
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Applets\WordPad\Recent File List
Description:
Files accessed with WordPad
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\MediaPlayer\Player\RecentFileList
Description:
Most Recently Used Files accessed with Media Player
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Description:
Per-executable record of the last folder visited through the common Open/Save dialog (each entry holds the program name and the path it last used)
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Nico Mak Computing\WinZip\filemenu
Description:
Most Recently Used Winzip archives
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
Description:
Winlogon notification packages: DLLs loaded by Winlogon and invoked on logon, logoff, startup and shutdown events (a persistence point)
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Microsoft\MessengerService FtReceiveFolder
Description:
Location of Received Files
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Microsoft\MessengerService\ListCache\.NET Messenger Service
Description:
Contact, allow, block, reverse entry information
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Microsoft\MessengerService\ListCache\.NET Messenger Service Identity Name
Description:
Last logged in user Screen Name
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Microsoft\Protected Storage System Provider\SID\Identification\INETCOMM Server Passwords
Description:
Outlook/Express account passwords
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Microsoft\Office\version\Outlook\Security
Description:
OutlookSecureTempFolder value: folder where opened attachments are written to disk
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
Description:
Installed network cards
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Microsoft\MSNMessenger FTReceiveFolder
Description:
Location of received files
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Microsoft\MessengerService ContactListPath
Description:
Location of saved Contact List (.ctt)
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Microsoft\MSNMessenger\FileSharing Autoshare
Description:
Sharing on/off
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Microsoft\MSNMessenger\PerPassportSettings\MessageLog Path
Description:
Location of message history files
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Microsoft\MSNMessenger\PerPassportSettings\MessageLoggingEnabled
Description:
Messaging logging on/off
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Microsoft\MessengerService\ListCache\.NET Messenger Service
Description:
IM groups, contacts, file transfer information
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Microsoft\MSNMessenger\FileSharing Autoshare
Description:
File sharing on/off
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Microsoft\MSNMessenger\FTReceiveFolder
Description:
Received files locations
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Microsoft\MessengerService\ContactListPath
Description:
Location of saved Contact List (.ctt)
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate
Description:
Last access times update on/off
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Description:
Programs Winlogon runs at user logon (default is userinit.exe; any additional entry is a persistence point)
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
Description:
List of files accessed through Explorer dialog boxes
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Internet Explorer\TypedURLs
Description:
Typed URLS
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Microsoft\Internet Explorer\Main
Description:
IE settings
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Microsoft\Internet Explorer\TypedURLs
Description:
Data entered into URL address bar (typed or pasted)
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Microsoft\Protected Storage System Provider\SID\InternetExplorer\Internet Explorer StringIndex
Description:
IE search terms (w/Date time stamp)
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Microsoft\Protected Storage System Provider\SID\InternetExplorer\Internet Explorer StringIndex
Description:
Data entered into forms with IE
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Microsoft\Protected Storage System Provider\SID\InternetExplorer\Internet Explorer URL String Data
Description:
IE passwords and login ID's (w/Date time stamp)
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History DaysToKeep
Description:
Number of days the system stores URLS visited with IE
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Microsoft\Internet Explorer\IntelliForms
Description:
Web page autocomplete passwords
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Microsoft\Protected Storage System Provider
Description:
Web page autocomplete used
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Microsoft\Internet Explorer Download Directory
Description:
Download default directory
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Mirabilis\ICQ\
Description:
Lists IM contacts
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Mirabilis\ICQ\Owners Last Owner
Description:
Last logged in user
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Mirabilis\ICQ\owners\UIN Name
Description:
User nickname
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\Mirabilis\ICQ\Owners\UIN
Description:
Per-user subkey named by the user's UIN
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Printers\Settings\Wizard\ConnectMRU
Description:
Print server most recently used
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\SYSTEM\CurrentControlSet\Enum\USBSTOR
Description:
USB storage devices that have been connected (vendor, product, revision and serial number are encoded in the subkey names)
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\SYSTEM\CurrentControlSet\Control\Network
Description:
Network connections
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Description:
System device information
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\HARDWARE\DESCRIPTION\System\FloatingPointProcessor
Description:
System device information
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\HARDWARE\DEVICEMAP\Scsi
Description:
System device information
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\SYSTEM\CurrentControlSet\Services\Tcpip
Description:
TCP/IP configuration
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Description:
Recent documents
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Login Screen_name
Description:
Last logged in user
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
Description:
Registered AIM users
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\Screen_name\DirEntry
Description:
User profile information
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\Screen_name\Xfer
Description:
File transfer settings
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\username\ConfigTransport
Description:
Buddy list (.blt file) directory path
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\username\recent IM Screen_names
Description:
Recent buddy contacts
..................................................................................................................................................
Registry Location:
NTUSER.DAT
Key Location:
\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\Screen_name\Iamgonelie
Description:
Default and customized away messages
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Description:
Last visited most recently used
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
Description:
Mapped network drive
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
Description:
Files opened or saved through the common Open/Save dialogs, grouped by extension, most recently used first
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Description:
Recent documents most recently used
..................................................................................................................................................
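The MRU keys listed above (RecentDocs, OpenSaveMRU, RunMRU, LastVisitedMRU) share two ordering schemes, and the order is the evidence: it says which item the user touched last. This added example (not code from the original page) parses both schemes on constructed sample values: the newer MRUListEx (an array of little-endian DWORD indices ending in 0xFFFFFFFF, as used by RecentDocs, whose numbered entries start with the document name in UTF-16LE followed by a shell item this code skips) and the older MRUList string of letters used by RunMRU, whose entries carry a trailing "\1". The sample data and value names are constructed here.

```python
from __future__ import annotations
import struct


def _utf16z(raw: bytes) -> str:
    """Return the leading NUL-terminated UTF-16LE string of a binary value."""
    for i in range(0, len(raw) - 1, 2):       # scan on 2-byte boundaries
        if raw[i] == 0 and raw[i + 1] == 0:
            return raw[:i].decode("utf-16-le")
    return raw.decode("utf-16-le", errors="replace")


def mrulistex_order(raw: bytes) -> list[int]:
    """MRUListEx: DWORD indices, most recent first, terminated by 0xFFFFFFFF."""
    order: list[int] = []
    usable = raw[: len(raw) - len(raw) % 4]   # ignore any trailing partial DWORD
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def recent_docs_in_order(values: dict[str, bytes]) -> list[str]:
    """Document names from RecentDocs in MRU order. An index in MRUListEx with
    no matching numbered value is reported as a gap (usually a cleared entry)."""
    names: list[str] = []
    for idx in mrulistex_order(values["MRUListEx"]):
        entry = values.get(str(idx))
        if entry is None:
            continue
        names.append(_utf16z(entry))
    return names


def run_mru_in_order(values: dict[str, str]) -> list[str]:
    """RunMRU: MRUList is a string of value names ('cab' = c most recent);
    each command is stored with a trailing '\\1' that we strip."""
    commands: list[str] = []
    for letter in values["MRUList"]:
        cmd = values.get(letter)
        if cmd is None:
            continue
        commands.append(cmd[:-2] if cmd.endswith("\\1") else cmd)
    return commands


def _doc_entry(name: str) -> bytes:
    """Build a constructed RecentDocs entry: UTF-16LE name, NUL, dummy shell item."""
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x32\x00" + b"\x00" * 16


# Constructed sample values (not real case data). Index 3 is listed in
# MRUListEx but has no value: that is how a deleted entry shows up.
SAMPLE_RECENT_DOCS = {
    "MRUListEx": struct.pack("<5I", 3, 2, 0, 1, 0xFFFFFFFF),
    "0": _doc_entry("notes.txt"),
    "1": _doc_entry("budget.xlsx"),
    "2": _doc_entry("secret.docx"),
}
SAMPLE_RUN_MRU = {
    "MRUList": "cab",
    "a": "cmd\\1",
    "b": "regedit\\1",
    "c": "\\\\fileserver\\admin$\\1",
}

if __name__ == "__main__":
    print("RecentDocs:", recent_docs_in_order(SAMPLE_RECENT_DOCS))
    print("RunMRU:    ", run_mru_in_order(SAMPLE_RUN_MRU))
```

The key's own last-write time tells you when the most recent entry was added; the MRU order tells you which one that was.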
Registry Location:
HKLM
Key Location:
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Description:
Installed programs: one subkey per product with DisplayName, InstallDate (where recorded) and UninstallString
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
Description:
Designates which drives will parse autorun.inf files located in the root of the drive
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
Description:
Per-user equivalent of the HKLM policy above: bitmask of drive types for which autorun.inf is not parsed
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveAutoRun
Description:
Bitmask of individual drive letters (bit 0 = A:, bit 1 = B:, ... bit 25 = Z:) for which AutoRun is disabled regardless of drive type
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveAutoRun
Description:
Per-user equivalent of the HKLM NoDriveAutoRun policy above (bitmask of drive letters, bit 0 = A:)
..................................................................................................................................................
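Worked decoding of the two AutoRun policy values above. This is an added example, not code from the original page; the bit layout is the documented one (bit n of NoDriveTypeAutoRun matches the GetDriveType() constant n, bit 7 covers drives Windows could not classify; NoDriveAutoRun maps bit 0 to A: through bit 25 to Z:). The default and hardened masks are the well-known XP values 0x91 and 0xFF; the sample values are constructed here.

```python
from __future__ import annotations
import struct

# Bit n of NoDriveTypeAutoRun suppresses AutoRun for drives whose
# GetDriveType() result is n; bit 7 (0x80) covers unclassified drives.
DRIVE_TYPES = {
    0: "DRIVE_UNKNOWN",
    1: "DRIVE_NO_ROOT_DIR",
    2: "DRIVE_REMOVABLE",
    3: "DRIVE_FIXED",
    4: "DRIVE_REMOTE",
    5: "DRIVE_CDROM",
    6: "DRIVE_RAMDISK",
    7: "UNCLASSIFIED (0x80)",
}
DEFAULT_XP_MASK = 0x91   # unknown + remote + unclassified: USB sticks and CDs still AutoRun
HARDENED_MASK = 0xFF     # every drive type suppressed


def dword(raw: bytes | int) -> int:
    """Accept either the 4 raw little-endian bytes of a REG_DWORD or an int."""
    if isinstance(raw, int):
        return raw & 0xFFFFFFFF
    if len(raw) != 4:
        raise ValueError("REG_DWORD must be exactly 4 bytes")
    return struct.unpack("<I", raw)[0]


def suppressed_drive_types(mask: bytes | int) -> list[str]:
    """Drive types for which NoDriveTypeAutoRun blocks autorun.inf parsing."""
    m = dword(mask)
    return [name for bit, name in DRIVE_TYPES.items() if m & (1 << bit)]


def suppressed_drive_letters(mask: bytes | int) -> list[str]:
    """Drive letters blocked by NoDriveAutoRun (bit 0 = A:, ..., bit 25 = Z:)."""
    m = dword(mask)
    return [chr(ord("A") + bit) + ":" for bit in range(26) if m & (1 << bit)]


def autorun_allowed(drive_letter: str, drive_type: int,
                    type_mask: bytes | int = DEFAULT_XP_MASK,
                    letter_mask: bytes | int = 0) -> bool:
    """True if neither policy value blocks autorun.inf on this drive."""
    letter_bit = ord(drive_letter.upper().rstrip(":\\")) - ord("A")
    if not 0 <= letter_bit < 26:
        raise ValueError("drive letter must be A-Z")
    blocked_by_type = dword(type_mask) & (1 << drive_type)
    blocked_by_letter = dword(letter_mask) & (1 << letter_bit)
    return not blocked_by_type and not blocked_by_letter


if __name__ == "__main__":
    # Constructed values: an XP default policy and a hardened one
    for mask in (DEFAULT_XP_MASK, HARDENED_MASK):
        print(f"0x{mask:02X}: blocks {suppressed_drive_types(mask)}")
    print("E: (removable) under default:", autorun_allowed("E:", 2))
    print("E: (removable) under 0xFF:   ", autorun_allowed("E:", 2, HARDENED_MASK))
```

Reading both hives matters: a hardened HKLM value tells you what the machine was configured to do, and the HKCU copy tells you whether a particular profile had its own setting.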
Registry Location:
HKLM
Key Location:
\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate
Description:
If set to 1, updating of last access times is disabled.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\System\CurrentControlSet\Control\Session Manager\KnownDLLs
Description:
Contains a list of DLLs to be loaded at system start
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec
Description:
By default, Windows 2000 and later do not parse autoexec.bat. Set this value to "1" to enable parsing of the file.
..................................................................................................................................................
Registry Location:
SYSTEM
Key Location:
\ControlSet001\Control\TimeZoneInformation
Description:
System time zone (Bias, ActiveTimeBias, StandardName, DaylightName); needed to convert local-time artifacts to UTC
..................................................................................................................................................
Registry Location:
SYSTEM
Key Location:
\ControlSet001\Control\Windows
Description:
ShutdownTime value: time of the last clean shutdown as a 64-bit little-endian FILETIME
..................................................................................................................................................
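Decoding the timestamps in the entries above. This is an added example, not code from the original page: it converts the 8-byte little-endian FILETIME in ShutdownTime (100-nanosecond ticks since 1601-01-01 UTC), the 32-bit Unix timestamp in InstallDate, and the signed Bias/ActiveTimeBias DWORDs from TimeZoneInformation (minutes west of UTC, so UTC+1 is stored as -60) to get the wall-clock time the user would have seen. The sample values are constructed.

```python
from __future__ import annotations
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(raw: bytes) -> datetime:
    """Decode the 8-byte little-endian REG_BINARY ShutdownTime value."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME must be exactly 8 bytes, got {len(raw)}")
    (ticks,) = struct.unpack("<Q", raw)
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def installdate_to_utc(value: int) -> datetime:
    """InstallDate is a REG_DWORD holding seconds since the Unix epoch."""
    return _UNIX_EPOCH + timedelta(seconds=value)


def bias_to_offset(raw_dword: int) -> timedelta:
    """Bias / ActiveTimeBias are signed DWORDs in minutes WEST of UTC
    (UTC = local + bias); reinterpret the unsigned registry value as signed."""
    (bias,) = struct.unpack("<i", struct.pack("<I", raw_dword & 0xFFFFFFFF))
    return timedelta(minutes=-bias)


def shutdown_local_time(raw_filetime: bytes, active_time_bias: int) -> datetime:
    """ShutdownTime combined with the bias in force at the time, giving the
    wall-clock value the machine displayed."""
    tz = timezone(bias_to_offset(active_time_bias))
    return filetime_to_utc(raw_filetime).astimezone(tz)


# Constructed sample values (not from a real system):
# 2009-03-15 14:30:00 UTC as a FILETIME, ActiveTimeBias 240 (UTC-4),
# and the same instant as an InstallDate DWORD.
SAMPLE_SHUTDOWN_TIME = struct.pack("<Q", 128816010000000000)
SAMPLE_ACTIVE_TIME_BIAS = 240
SAMPLE_INSTALL_DATE = 1237127400

if __name__ == "__main__":
    print("shutdown (UTC):  ", filetime_to_utc(SAMPLE_SHUTDOWN_TIME))
    print("shutdown (local):", shutdown_local_time(SAMPLE_SHUTDOWN_TIME, SAMPLE_ACTIVE_TIME_BIAS))
    print("install (UTC):   ", installdate_to_utc(SAMPLE_INSTALL_DATE))
    print("Bias 0xFFFFFFC4 ->", bias_to_offset(0xFFFFFFC4))
```

Read ShutdownTime and TimeZoneInformation from the control set named by Select\Current, not blindly from ControlSet001; the two can differ after a "Last Known Good" boot.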
Registry Location:
SYSTEM
Key Location:
\MountedDevices
Description:
Volumes the system has mounted, keyed by \DosDevices\<letter> and \??\Volume{GUID}; the data identifies the disk signature and partition offset or the device path, so drive letters can be tied to specific devices
..................................................................................................................................................
Registry Location:
SYSTEM
Key Location:
\ControlSet001\Enum\USBSTOR
Description:
List of USB storage devices that have been connected; correlate the subkey names with setupapi.log to find the first-connection time
..................................................................................................................................................
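The USBSTOR subkey names carry the device identity, and reading them correctly is most of the work. This added example (not code from the original page) parses the two-level subkey layout Type&Ven_x&Prod_y&Rev_z\serial&instance on constructed sample names and flags the case practitioners most often get wrong: when a device reports no serial number Windows synthesises one with an ampersand in the second character, and that identifier is not unique to the device.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Subkey layout under SYSTEM\ControlSet00N\Enum\USBSTOR:
#   <Type>&Ven_<vendor>&Prod_<product>&Rev_<revision>\<serial>&<instance>
_CLASS_ID = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class UsbStorDevice:
    device_type: str
    vendor: str
    product: str
    revision: str
    serial: str
    instance: str
    serial_is_unique: bool


def parse_usbstor(class_id: str, instance_id: str) -> UsbStorDevice:
    """Parse one class-ID subkey and one of its instance-ID subkeys."""
    m = _CLASS_ID.match(class_id)
    if m is None:
        raise ValueError(f"not a USBSTOR device class ID: {class_id!r}")
    serial, sep, instance = instance_id.rpartition("&")
    if not sep:                     # no '&' at all: whole name is the serial
        serial, instance = instance_id, ""
    # A device with no hardware serial gets a Windows-generated ID whose
    # second character is '&' (e.g. '6&2a3b4c5d&0'); it changes per port/host.
    unique = len(serial) > 1 and serial[1] != "&"
    return UsbStorDevice(m["type"], m["vendor"], m["product"], m["rev"],
                         serial, instance, unique)


def parse_usbstor_tree(tree: dict[str, list[str]]) -> list[UsbStorDevice]:
    """tree maps each class-ID subkey name to its instance-ID subkey names."""
    return [parse_usbstor(cid, iid) for cid, iids in tree.items() for iid in iids]


# Constructed sample subkey names (not from a real image)
SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02": ["0123456789AB&0"],
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": ["6&2a3b4c5d&0"],
    "CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GT30N&Rev_1.00": ["7&1f2e3d4c&0"],
}

if __name__ == "__main__":
    for dev in parse_usbstor_tree(SAMPLE_USBSTOR):
        tag = "unique serial" if dev.serial_is_unique else "NO hardware serial"
        print(f"{dev.device_type:5} {dev.vendor:8} {dev.product:10} "
              f"rev {dev.revision:5} serial {dev.serial} ({tag})")
```

Only a device with a unique serial can be matched across machines; a generated ID identifies a port on one host, nothing more.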
Registry Location:
SOFTWARE
Key Location:
\Microsoft\Windows NT\CurrentVersion
Description:
Version and registration information for Windows (ProductName, CSDVersion, RegisteredOwner, InstallDate)
..................................................................................................................................................
Registry Location:
SYSTEM
Key Location:
\ControlSetXXX\Enum\IDE
Description:
IDE devices seen by the system (hard drives, CD/DVD drives): the model of each and the order they were installed. The UINumber value is a number associated with the device that can be displayed in the user interface.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Description:
ClearPageFileAtShutdown value: controls whether the page file is overwritten at shutdown (if set to 1, pagefile contents are not recoverable from an image)
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Description:
System-wide environment variables (Path, TEMP, etc.)
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\SYSTEM\CurrentControlSet\Services\Atapi\Parameters
Description:
EnableBigLba value: controls whether 48-bit LBA (disks larger than 137 GB) is enabled
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\KeepRasConnections
Description:
Controls whether remote connections are maintained instead of disconnected when a user logs off a workstation
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\MediaPlayer\Preferences\AddToMRU
Description:
If set to 00, files viewed in Media Player won't get added to the MRU
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\SYSTEM\CurrentControlSet\Control\Lsa\DisableDomainCreds
Description:
This setting controls whether authentication credentials and .NET Passport passwords are stored on the local system. When this value is set to disable storage, passwords will not be stored.
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Office\9.0\Common\General\NoTrack
Description:
If this option is set to 1, Windows will not track the amount of time a user holds a document open for editing
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Office\[office version]\Outlook\PST\PSTNullFreeOnClose
Description:
If this option is set to 1, Outlook 2000 & 2002 will permanently erase any deleted information from the PST file by compacting null records
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\WAB\WAB4\Wab File Name
Description:
This key contains the location of the Windows Address Book (WAB) used with Outlook Express
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
%SYSTEMROOT%\Prefetch
Description:
On XP, handles boot and application launch prefetching. Prefetch files for application launch contain information regarding the path to the executable, etc. The Layout.ini file contains a list of files used by the system defrag utility. On 2K3, only boot prefetching is done by default.
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
%USERPROFILE%\Start Menu\Programs\Startup
Description:
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
%WINDIR%\Tasks
Description:
Contains files specifying scheduled tasks, submitted via at.exe or Scheduled Tasks Wizard. .job files in this directory with the hidden bit set will not appear in the Scheduled Tasks applet in the Control Panel.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS
Description:
Contains information regarding whether EFS is enabled
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Description:
List of file types by extension detailing which application is responsible for opening files using that specific extension
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
Description:
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Applets\RegEdit
Description:
The LastKey value maintains the last key accessed using RegEdit
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Applets\RegEdit\Favorites
Description:
Maintains a list of favorites added through Favorites menu item in RegEdit
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Applets\WordPad\Recent File List
Description:
List of files accessed/saved in WordPad
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Search Assistant\ACMru
Description:
Maintains a list of items searched for via Start->Search; the subkeys (5001, 5603, 5604, etc.) correspond to the textfields where the user enters search parameters.
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Internet Explorer\TypedURLs
Description:
Maintains a list of URLs typed into the IE Address bar
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Description:
Maintains a list of items recently accessed
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Description:
Maintains a list of programs accessed, and their locations within the file system. Sort via the MRUList.
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
Description:
Maintains a list of files that are opened or saved via Windows Explorer-style dialog boxes
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
Description:
Maintains a list of video streams opened by media applications
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Description:
Maintains a list of entries typed into the Start->Run box
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU
Description:
Maintains a list of entries typed into the 'Find Files' search box
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\FindComputerMRU
Description:
Maintains a list of entries for computers searched for via Windows Explorer
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Description:
There are two GUID subkeys beneath this key. Beneath each of these keys is the Count subkey, which contains a list of ROT-13 'encrypted' values. The CLSID beginning with 5E6 pertains to the IE Toolbar; the CLSID beginning with 750 corresponds to Active Desktop
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
Description:
Maintains a list of drives mapped via the Map Network Drive Wizard.
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
Description:
Values beneath this key are names or IP addresses of machines connected to.
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Description:
Subkeys that start with "#" are paths to drives that have been mounted; includes the use of the "net use" command. BaseClass value will usually be "Drive".
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
Description:
Each GUID subkey includes a Data value. This value is a volume identifier.
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\MediaPlayer\Player\RecentFileList
Description:
List of files (movies - .mpg, etc.) accessed via Media Player
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\MediaPlayer\Player\RecentURLList
Description:
List of URLs accessed via Media Player
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Office\{version}\Common\Open Find\{product}\Settings\Open\File Name MRU
Description:
Value is REG_MULTI_SZ containing a list of file names
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Office\{version}\Common\Open Find\{product}\Settings\Save As\File Name MRU
Description:
Value is REG_MULTI_SZ containing a list of file names
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Nico Mak Computing\WinZip\filemenu
Description:
List of recently used WinZip archives
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Description:
List of recently opened files
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Description:
List of commands entered in run dialogue box
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Internet Explorer\ExplorerBars\\ContainingTextMRU
Description:
List of text entered into Internet Explorer Bars
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Internet Explorer\IntelliForms\SPW
Description:
List of passwords entered into Internet Explorer
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Protected Storage System Provider\{SID}\Internet Explorer\Internet Explorer
Description:
Protected Storage (PStore) data for Internet Explorer: AutoComplete form entries and saved web passwords (IE 6 and earlier)
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
Description:
List of files opened or saved via explorer style dialogue boxes, with separate keys for specific file types
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Internet Explorer\Download Directory
Description:
Location of the last used directory to save a downloaded file
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Terminal Server Client\Default
Description:
MRU list containing entries corresponding to terminal servers connected to by user
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Description:
MRU list containing entries that detail last visited locations in Windows Explorer
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
Description:
Lists programs to be run when system starts.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\any subkey\
Description:
Lists programs to be run when system starts.
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
Description:
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Run\
Description:
Lists programs to be run when system starts. On 2K and XP, these entries are ignored when booted to Safe Mode; however, entries preceded by "*" will be processed even when booted to Safe Mode. On XP, these 'Run' keys are referred to as the 'legacy Run list', as they are provided for backwards compatibility with previous versions of Windows.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Run\any subkey\
Description:
Andy Aronoff, owner of SilentRunners.org, says that the contents of any subkey will be launched. At this point, I haven't tested it.
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Run\
Description:
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Description:
Lists programs to be run once when the system starts; each value is deleted before the command it names is run. If the command is preceded by "!", the value is deleted only after the command has run.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\
Description:
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows\CurrentVersion\RunOnce\any subkey\
Description:
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Description:
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\
Description:
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
Description:
Browser Helper Objects (BHOs) are in-process COM components loaded each time Internet Explorer starts up. These components run in the same memory context as the browser. With Active Desktop, Windows Explorer will also support BHOs.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
Description:
Entries in this key are automatically loaded by Explorer.exe when Windows starts.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Classes\exefile\shell\open\command\
Description:
The Default setting for these entries is '"%1" %*'. Some malware will add entries to have other things run. You may also need to examine other file types under the Classes key (i.e., any file classes that point to an app with a .exe extension). These entries map to HKCR\{ext}file\shell\open\command. Other entries under the HKLM\Software\Classes (and HKCR) key are susceptible to this same sort of subversion. For example, navigate via RegEdit to the HKCR\Drive\shell\cmd\command key, right-click on the "Default" value, and choose Modify. In the textfield, add "&& notepad.exe", and click OK. Open My Computer, select a drive, right-click and choose "Open Command Prompt here..."; both cmd.exe and notepad.exe will run.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Command Processor\AutoRun
Description:
Commands listed here are executed before all other options listed at the command line; disabled by /d switch; REG_SZ data type.
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Command Processor\AutoRun
Description:
Commands listed here are executed before all other options listed at the command line; disabled by /d switch; REG_SZ data type.
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Control Panel\Desktop\SCRNSAVE.EXE
Description:
Designates the user's screen saver, which is launched based on parameters set through the Control Panel.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
Description:
Points to the InProcServer for a CLSID; The values found in this key can be mapped to HKLM\Software\Classes\CLSID\{GUID}\InProcServer; Items listed here are loaded by Explorer when Windows starts; Used by malware
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
Description:
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
Description:
Replaces the use of the "load=" line in Win.ini
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
Description:
Replaces the use of the "run=" line in Win.ini
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Policies\Microsoft\Windows\System\Scripts\
Description:
Points to scripts for various events (i.e., logon, logoff, shutdown, etc.); usually handled via GPOs, but can also be configured via local security policies
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Policies\Microsoft\Windows\System\Scripts
Description:
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
Description:
Can specify an alternate user shell
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
Description:
Contains a list of approved shell extensions.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Description:
DLLs specified within this key are loaded whenever a Windows-based (GUI) application is launched.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
Description:
This entry can be subverted to load an alternate GINA, capable of capturing the user's login information in plain text (i.e., FakeGINA.DLL from NTSecurity.nu). This is loaded and used by WinLogon.exe.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Description:
Indicates executable files launched by Userinit.exe and expected at user shell startup.
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Description:
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System
Description:
Indicates programs to be executed in System mode.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\TaskMan
Description:
Specifies the Task Manager to be used by Windows. The default is TaskMan.exe, but the SysInternals.com tool, Process Explorer, can replace this value.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
Description:
Lists programs to be automatically run when the user logs in. Userinit.exe is responsible for shell execution. Nddeagnt.exe is responsible for NetDDE. Multiple programs may be listed.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
Description:
Specifies programs to be run when certain system events (i.e., logon, logoff, startup, shutdown, startscreensaver, stopscreensaver) occur. The event is generated by Winlogon.exe, at which point the system will look for a DLL within this key to handle the event.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\System\CurrentControlSet\Control\Session Manager\BootExecute
Description:
Specifies the applications, services, and commands executed during startup.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\System\CurrentControlSet\Services
Description:
Subkeys list services to be executed, most of which are run as LocalSystem. The Hacker Defender rootkit installs as a service.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Active Setup\Installed Components\
Description:
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup
Description:
Designates the location of the Startup folders, i.e., the Autostart directory
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup
Description:
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\Common Startup
Description:
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup
Description:
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows\CurrentVersion\App Paths
Description:
Each subkey contains the path to the specific application; paths and the actual executables should be verified, as legitimate apps may be set in other autostart locations, and the linked-to application subverted or trojaned.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Description:
This Registry location is used to designate a debugger for an application. Testing shows that it's an excellent redirection facility. For example, adding notepad.exe as a key, and then adding a "Debugger" value of cmd.exe, will cause the command prompt to be opened whenever Notepad is launched. File binding utilities will allow an attacker to bind a backdoor to a legitimate program, and then redirect that legitimate program to the Trojaned one.
..................................................................................................................................................
Triage LHF module reports on this key