The uppercased hell

October 15, 2021October 17, 2021 ~ msuhanov ~ 1 Comment

Recently, Microsoft warned users about compatibility issues with applications using some non-ASCII characters in names of their registry keys. According to Microsoft:

Compatibility issues have been found between apps using some non-ASCII characters in their registry keys or subkeys and Windows 11. Affected apps might be unable to open and might cause other issues or errors in Windows, including the possibility of receiving an error with a blue screen. Important Affected registry keys with non-ASCII characters might not be able to be repaired.

Sounds interesting!

Before we start, here are some useful links:

Windows registry file format specification
Measured Boot and Malware Signatures: exploring two vulnerabilities found in the Windows loader
Playing with case-insensitive file names (a registry hive is similar to a file system)

Continue reading →

Exporting registry hives from a live system

October 3, 2020October 3, 2020 ~ msuhanov ~ 2 Comments

When triaging a live system or performing live forensic acquisition, we often need to copy registry hives from a disk. Currently, there are five common ways to do this:

execute the “reg save <hive> <file>” command;
call the RegSaveKeyEx/RegSaveKey routine from an acquisition tool;
copy a hive file from an existing shadow copy;
copy a hive file from a newly created shadow copy;
directly read a hive file from an NTFS volume.

Are there any pros and cons of each way?

Continue reading →

Containerized registry hives in Windows

August 15, 2020August 17, 2020 ~ msuhanov ~ Leave a comment

If you read my Windows registry file format specification, you might already know about layered keys. Today, let’s talk about them in more detail.

Some editions of Windows 10 are capable of running Windows containers using Docker. Each Docker container is based on an immutable image with all modified data stored in an overlay. When a Windows container is used, the system has to record modifications affecting both the file system and the registry.

In 2016, Microsoft implemented new functionality called layered keys to allow programs access a merged view of keys and values from two or more registry hives! Now, this functionality is utilized by Docker…

Continue reading “Containerized registry hives in Windows” →

What writes to the Syscache hive?

January 4, 2019 ~ msuhanov ~ 1 Comment

This is a reply to the Sunday Funday 12/30/18 challenge.

The following results represent an attempt to understand what Windows components write to the Syscache hive in a Windows Server 2008 R2 SP1 installation (64-bit; with updates installed as of January 3, 2019).

Continue reading “What writes to the Syscache hive?” →

The CIT database and the Syscache hive

December 2, 2018December 18, 2018 ~ msuhanov ~ 3 Comments

The purpose of this post is to record the recent findings related to artifacts of execution and artifacts of executables present in a system. No major details beyond what was posted on Twitter.

David Cowen began his public testing of Amcache artifacts found in Windows 10 operating systems in Forensic Lunch Test Kitchen 11/16/18 (be sure to watch newer videos on this topic).

During these tests, it was found that the Amcache hive may have artifacts for executables that weren’t executed at all. There were other interesting findings outlined in the videos, but I will not focus on them now.

Continue reading “The CIT database and the Syscache hive” →

Exploring intermediate states of a registry hive using transaction log files

November 19, 2018November 19, 2018 ~ msuhanov ~ Leave a comment

If you don’t know why transaction log files are important when dealing with registry hives from installations of Windows 8.1 & 10, please read this and this.

In this post, I will talk about an easy way to programmatically explore intermediate states of a registry hive using its transaction log files.

Continue reading “Exploring intermediate states of a registry hive using transaction log files” →

Tools that recover deleted registry data don’t do the same job

November 18, 2018November 18, 2018 ~ msuhanov ~ 1 Comment

A registry hive is very similar to a file system. In fact, there isn’t much difference between a file system and a registry hive except that the registry doesn’t follow usual file system naming rules.

Like a file system, a registry hive can contain deleted data, which is often recovered and used in digital forensics, incident response, and similar activities. But tools that recover such deleted data aren’t the same. And here is why.

Continue reading “Tools that recover deleted registry data don’t do the same job” →

Effects of running an offline AV scan

October 26, 2018 ~ msuhanov ~ Leave a comment

An offline antivirus (AV) scanner is used to scan and clean a computer while its usual operating system isn’t running. Such scanners are often launched from a bootable USB drive or from an optical disc. Some scanners include a component to scan and modify the inactive registry of a Windows operating system.

What happens to the registry when a user performs such a scan?

Continue reading “Effects of running an offline AV scan” →

Hiding data in the registry

October 7, 2018July 2, 2021 ~ msuhanov ~ Leave a comment

I hope that most malware hunters are aware of an old way to hide registry values using null bytes in their names.

Are there any other ways to hide something in the registry?

Continue reading “Hiding data in the registry” →