An offline antivirus (AV) scanner is used to scan and clean a computer while its usual operating system isn’t running. Such scanners are often launched from a bootable USB drive or from an optical disc. Some scanners include a component to scan and modify the inactive registry of a Windows operating system.
What happens to the registry when a user performs such a scan?
The following tests were conducted in July–August 2018. Results may change in the future.
The test environment was based on a Windows 10 installation in a virtual machine. An EICAR test file was downloaded to the C: drive and an autorun entry for this file was created in the registry: in particular, a value in the Run key of the Software hive was created. Then, the operating system was powered off using the hybrid shutdown feature. After this, an offline AV scanner was used to scan the environment.
Some offline AV scanners weren’t able to write to the file system, because it was mounted in the hibernated operating system (the hybrid shutdown feature involves hibernation): in this case, the operating system was launched again and then turned off completely (by initiating the reboot) to allow an offline AV scan to complete.
It was observed that some offline AV scanners don’t support the offline registry scan and the autorun entry was intact in such tests.
Offline AV scanners that do support the offline registry scan produced the following results:
- AVG Rescue CD*: the autorun entry is deleted during the scan, the deleted value can be recovered, but the deleted value data can’t be linked back to that recovered value (the data offset in the corresponding registry structure is unset).
- Dr.Web LiveDisk**: the autorun entry is deleted during the scan, the deleted value can’t be recovered (the whole modified hive file is rebuilt without deleted data).
- Kaspersky Rescue Disk*: the autorun entry is deleted during the scan, the deleted value is wiped with null bytes and can’t be recovered (see the screenshot below).
- Windows Defender Offline***: the autorun entry is deleted during the scan, the deleted value can’t be recovered (this test was repeated with the same result: the Software hive is rebuilt without deleted data). A similar test against this product was conducted with an autorun entry created as a value in the Run key of the NTUSER.DAT hive; during this test, the deleted value can be recovered with its data (thus, the NTUSER.DAT hive isn’t rebuilt).
* – this product has its own registry engine;
** – this product uses the offline registry library (published by Microsoft);
*** – this product uses the offline registry library and API functions to mount an offline hive file into a running system.
It should be noted that Windows Defender Offline can perform a scan using two ways:
- In Windows 10: no external media are needed, the scan works by rebooting a computer into the Windows Defender’s environment.
- In Windows 8.1 & 7: a boot image is written to an external device, the scan works by booting a computer from this device. In this case, a boot image contains the following version of a Windows kernel: 6.1.7600; this version doesn’t support the new format of transaction log files used by the registry subsystem in Windows 8.1 & 10 (thus, some registry data may be lost during the scan if an operating system is hibernated).
Conclusion
In some cases, running an offline AV scan may explicitly destroy important pieces of evidence in the registry.
My DFIR Blog 