Registry Hives

..................................................................................................................................................

The following registry keys are extracted and reported on by OnScene LHF. Many of these registry keys are a source of valuable evidence during computer forensic investigations, because they are locations from which code is started automatically and are therefore favoured by malware for persistence.

OnScene LHF will allow you to add your own registry keys. This can be useful for software licensing audits.

Registry Location:

HKLM

Key Location:

\Software\Microsoft\Windows\CurrentVersion\RunOnce\any subkey\

Description:

..................................................................................................................................................

Registry Location:

HKCU

Key Location:

\Software\Microsoft\Windows\CurrentVersion\RunOnce\

Description:

..................................................................................................................................................

Registry Location:

HKLM

Key Location:

\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\

Description:

..................................................................................................................................................

Registry Location:

HKLM

Key Location:

\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

Description:

Browser Helper Objects (BHOs) are in-process COM components loaded each time Internet Explorer starts up. These components run in the same memory context as the browser. With Active Desktop installed, Windows Explorer also loads BHOs. Each subkey of this key is named with the CLSID of one BHO; the subkey itself usually holds no data, so resolve the CLSID through HKLM\Software\Classes\CLSID\{CLSID}\InprocServer32 (default value) to find the DLL that is actually loaded.

..................................................................................................................................................

Registry Location:

HKLM

Key Location:

\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

Description:

Entries in this key are automatically loaded by Explorer.exe when Windows starts.

..................................................................................................................................................

Registry Location:

HKLM

Key Location:

\Software\Classes\exefile\shell\open\command\

Description:

The Default setting for this value is '"%1" %*'. Some malware replaces it with its own command so that something else runs every time an .exe file is launched. Other file types under the Classes key may need to be examined as well (i.e., any file class whose handler points to an application with a .exe extension). These entries map to HKCR\{ext}file\shell\open\command. Other entries under the HKLM\Software\Classes (and HKCR) key are susceptible to this same sort of subversion. For example, on a test system, navigate via RegEdit to the HKCR\Drive\shell\cmd\command key, right-click on the "Default" value, and choose Modify. In the text field, append "&& notepad.exe" and click OK. Open My Computer, select a drive, right-click and choose "Open Command Prompt here..."; both cmd.exe and notepad.exe will run.

..................................................................................................................................................

Registry Location:

HKLM

Key Location:

\Software\Microsoft\Command Processor\AutoRun

Description:

AutoRun is a REG_SZ value. The command line it holds is executed by cmd.exe on every start, before any options given on the command line; it is suppressed only when cmd.exe is started with the /d switch. There is normally no AutoRun value at all, so any non-empty value deserves examination.

..................................................................................................................................................

Registry Location:

HKCU

Key Location:

\Software\Microsoft\Command Processor\AutoRun

Description:

Per-user counterpart of the HKLM value above: a REG_SZ command line that cmd.exe executes on every start for this user, before any options given on the command line, unless cmd.exe is started with the /d switch. Normally absent.

..................................................................................................................................................

Registry Location:

HKCU

Key Location:

\Control Panel\Desktop\SCRNSAVE.EXE

Description:

Designates the user's screen saver, which is launched based on parameters set through the Control Panel.

..................................................................................................................................................

Registry Location:

HKLM

Key Location:

\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

Description:

Each value in this key holds a CLSID rather than a file path. Map the CLSID to HKLM\Software\Classes\CLSID\{GUID}\InprocServer32, whose default value names the DLL that is loaded. Items listed here are loaded by Explorer when Windows starts, which makes the key a common persistence location for malware.

..................................................................................................................................................

Triage LHF module reports on this key
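The checks described above for the shell\open\command handlers, the Command Processor AutoRun values (HKLM and HKCU) and the CLSID-keyed Explorer load points (Browser Helper Objects, SharedTaskScheduler, ShellServiceObjectDelayLoad), as one added Python example. This is not OnScene LHF or forensicsmatter.com code. It works from a .reg text export (as written by regedit or `reg export`) rather than a binary hive, decodes only REG_SZ data, and the export embedded in SAMPLE_REG, including its GUIDs and file paths, is constructed for the demonstration; the function names and the user-writable-path heuristic are likewise this example's own.

```python
# Added example (not OnScene LHF or forensicsmatter.com code): triage this page's autostart
# keys from a .reg text export. SAMPLE_REG is constructed; only REG_SZ data is decoded.
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command]
@="C:\\Users\\Public\\wrap.exe \"%1\""

[HKEY_CLASSES_ROOT\Drive\shell\cmd\command]
@="cmd.exe /s /k pushd \"%V\" && notepad.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor]
"AutoRun"="C:\\Users\\Public\\update.cmd"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{22222222-3333-4444-5555-666666666666}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\Public\\helper.dll"
'''

_KEY = re.compile(r'^\[(.+)\]$')
_VAL = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "@" names the (Default) value

def parse_reg(text):
    """Return {key_path: {value_name: data}}; '' is the (Default) value."""
    unescape = lambda s: re.sub(r'\\(.)', r'\1', s)  # .reg escapes: \\ and \"
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := _KEY.match(line):
            key = m.group(1)
            reg.setdefault(key, {})  # keys with no values still matter (BHO subkeys)
        elif (m := _VAL.match(line)) and key is not None:
            name, raw = m.groups()
            name = '' if name == '@' else unescape(name[1:-1])
            reg[key][name] = unescape(raw[1:-1]) if raw.startswith('"') else raw
    return reg

EXPECTED_EXE_OPEN = '"%1" %*'
CHAIN = re.compile(r'&&|\|')  # cmd.exe chaining / piping operators
USER_WRITABLE = re.compile(r'\\users\\|\\temp\\|\\programdata\\', re.I)

def check_shell_commands(reg):
    """Flag shell\\<verb>\\command handlers: exefile open must be the stock value;
    any handler that chains a second command or runs from a user-writable path is reported."""
    findings = []
    for key, values in reg.items():
        parts = key.lower().split('\\')
        if parts[-1:] != ['command'] or parts[-3:-2] != ['shell']:
            continue
        cmd = values.get('', '')
        if parts[-4:] == ['exefile', 'shell', 'open', 'command'] and cmd != EXPECTED_EXE_OPEN:
            findings.append((key, cmd, 'exefile open handler is not the stock value'))
        elif CHAIN.search(cmd):
            findings.append((key, cmd, 'handler chains a second command'))
        elif USER_WRITABLE.search(cmd):
            findings.append((key, cmd, 'handler runs from a user-writable path'))
    return findings

def check_autorun(reg):
    """Non-empty Command Processor AutoRun values; normally absent or empty."""
    hits = []
    for key, values in reg.items():
        if key.lower().endswith('\\microsoft\\command processor'):
            cmd = next((d for n, d in values.items() if n.lower() == 'autorun'), '')
            if cmd:
                hits.append((key, cmd))
    return hits

GUID = re.compile(r'\{[0-9A-Fa-f-]{36}\}')
LOADER_KEYS = ('\\explorer\\browser helper objects', '\\explorer\\sharedtaskscheduler',
               '\\currentversion\\shellserviceobjectdelayload')
CLASS_ROOTS = ('hkey_current_user\\software\\classes',  # per-user registrations win (COM hijack)
               'hkey_local_machine\\software\\classes', 'hkey_classes_root')

def resolve_explorer_loaders(reg):
    """Map each CLSID referenced from the BHO, SharedTaskScheduler and SSODL keys (found
    in the subkey name, value name or value data respectively) to its InprocServer32 DLL."""
    lower = {k.lower(): v for k, v in reg.items()}
    found = {}
    for key, values in reg.items():
        if any(tag in key.lower() for tag in LOADER_KEYS):
            blob = ' '.join([key, *values, *values.values()])
            found.update({g.upper(): None for g in GUID.findall(blob)})  # None = unresolved
    for guid in found:
        for root in CLASS_ROOTS:
            srv = lower.get(f'{root}\\clsid\\{guid.lower()}\\inprocserver32', {})
            if srv.get(''):
                found[guid] = srv['']
                break
    return found

if __name__ == '__main__':
    hive = parse_reg(SAMPLE_REG)
    print(check_shell_commands(hive), check_autorun(hive), resolve_explorer_loaders(hive), sep='\n')
```

Run against the constructed export, the stock exefile handler is silent, the Drive\shell\cmd\command entry is reported for the appended "&& notepad.exe", the txtfile handler is reported for pointing into C:\Users, the HKLM AutoRun value is listed, the BHO CLSID resolves to its DLL and the ShellServiceObjectDelayLoad CLSID comes back as None because no class registration exists for it. A CLSID that does not resolve is itself worth noting: either the export did not include the Classes hive or the registration was removed.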

Copyright 2007 www.forensicsmatter.com All Rights Reserved.