Monday, April 23, 2007

Registry Files in the Restore Point.

You're in the middle of an examination of a Windows XP machine and you're wondering what some registry settings were at a specific time, and you think to yourself, why don't I look in the System Restore Points? As you navigate to the restore point directory all of a sudden you see 20+ restore points and you think "Oh ????? (insert word here)". As you look at all the restore points you start to wonder how you are going to get all that information out without it taking forever. You only want to look at 5 different registry keys over some time period that resides within those 20+ restore points. Don't despair, I have a solution.

What I have done is take Harlan Carvey's program and modify it to scan a directory, read the raw registry files and insert the entries into a SQLite database (of course). I then created a program to read the database and output registry keys in chronological order, so you can see the dates and times of the entries along with the restore point they belong to, in a comma separated file. For example, here is a sample of the output looking at the following registry keys.

Registry File Name, Registry Key, Last Write Date Time, Registry Key Name, Data Type, Registry Value, Registry Value, File Location
_REGISTRY_MACHINE_SOFTWARE,\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher,Wed Apr 18 20:55:01 2007,StartTime,2007/04/18-16:55:01, //-:U:,c:/mark/restore/RP603/snapshot,
_REGISTRY_MACHINE_SOFTWARE,\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher,Tue Apr 17 23:29:36 2007,StartTime,2007/04/17-19:29:36, //-:):6,c:/mark/restore/RP602/snapshot,
_REGISTRY_MACHINE_SOFTWARE,\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher,Mon Apr 16 22:57:56 2007,StartTime,2007/04/16-18:57:56, //-:W:V,c:/mark/restore/RP601/snapshot,
_REGISTRY_MACHINE_SOFTWARE,\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher,Sat Apr 14 21:10:18 2007,StartTime,2007/04/13-13:41:27, //-:A:,c:/mark/restore/RP600/snapshot,

_REGISTRY_MACHINE_SOFTWARE,\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher,Sat Apr 14 21:10:18 2007,ExitTime,2007/04/13-12:22:04, //-:":,c:/mark/restore/RP600/snapshot,
_REGISTRY_MACHINE_SOFTWARE,\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher,Mon Apr 16 22:57:56 2007,ExitTime,2007/04/16-16:05:08, //-::,c:/mark/restore/RP601/snapshot,
_REGISTRY_MACHINE_SOFTWARE,\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher,Tue Apr 17 23:29:36 2007,ExitTime,2007/04/17-16:33:14, //-:3:,c:/mark/restore/RP602/snapshot,
_REGISTRY_MACHINE_SOFTWARE,\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher,Wed Apr 18 20:55:01 2007,ExitTime,2007/04/18-15:51:38, //-:Q:8,c:/mark/restore/RP603/snapshot,

Pretty cool.

Now for the gory details. The main program takes as input a directory (where you exported the restore points to) and the name of the database file that you want to create. It scans the directory recursively until it finds a file whose name begins with _REGISTRY (the beginning of the name of every registry file in a restore point). It then opens that file, parses it and inserts the records into the database. As it inserts the records it will take anything with a record type of binary (with a length less than 2000 bytes) and convert it to ASCII so it is potentially readable. The report program takes a database file name and an output file name as parameters. It reads a txt file that specifies which registry entries will be output. I have also included an AutoIt GUI front end for the command line averse folks. The GUI front end will ask for the restore point directory and database file name for reading the registry, and the database file name and output directory for the report. You can specify a verbose mode which will tell you what file is currently being processed. There is one more option to choose on the GUI and that is the file extension to run; I did this in case you want to run either the .pl (Perl source) or the .exe (executable version of the Perl source).

One small problem with the program is that reading the registry files is pretty slow. In my testing I had a total directory size of approx. 250M (only counting the registry file sizes) which included 4 restore points, and it took about 20 minutes to parse all of them. I have looked at the program and most of the time is spent reading the registry files themselves, not inserting into the database. The report runs pretty quickly though. One thing to note: I felt it was quicker to get everything rather than looking only for what I want, since what you want may change during the exam or over time, and then the only thing you have to change is the report ini file.
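To make the pipeline concrete, here is an added Python sketch of the three steps described above (finding the _REGISTRY* files, storing values with the binary-to-ASCII rule, and reporting chosen keys in chronological order per restore point). It is not the post's Perl code; it uses only the standard library sqlite3 module, leaves actual hive parsing to whatever parser you already have, and the Prefetcher records fed to it are constructed samples modelled on the output above.

```python
import os
import sqlite3

MAX_BINARY_LEN = 2000  # the post's rule: only REG_BINARY values shorter than this are converted

def find_registry_files(root):
    """Walk root recursively; return files whose name starts with _REGISTRY (restore point hives)."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        hits.extend(os.path.join(dirpath, n) for n in names if n.startswith("_REGISTRY"))
    return sorted(hits)

def binary_to_ascii(data):
    """Short REG_BINARY data becomes text (non-printables shown as '.'); long blobs stay hex."""
    if len(data) >= MAX_BINARY_LEN:
        return data.hex()
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)

def create_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS entries (hive, keypath, lastwrite, valname, vtype, vdata, location)")
    return db

def insert_entry(db, row):
    """row = (hive, keypath, lastwrite, valname, vtype, vdata, location); REG_BINARY data is converted."""
    row = list(row)
    if row[4] == "REG_BINARY":
        row[5] = binary_to_ascii(row[5])
    db.execute("INSERT INTO entries VALUES (?,?,?,?,?,?,?)", row)

def report(db, keys_of_interest):
    """Rows for the keys listed in the report file, oldest first within each value name."""
    out = []
    for key in keys_of_interest:  # lastwrite is stored as ISO text, so string order is time order
        out.extend(db.execute("SELECT * FROM entries WHERE keypath = ? ORDER BY valname, lastwrite", (key,)))
    return out

# Constructed sample records standing in for values parsed from several restore points (hypothetical).
PREFETCHER = r"\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher"
def sample_rec(lastwrite, valname, data, rp):
    return ("_REGISTRY_MACHINE_SOFTWARE", PREFETCHER, lastwrite, valname, "REG_BINARY", data, "c:/mark/restore/%s/snapshot" % rp)
SAMPLE = [sample_rec("2007-04-18 20:55:01", "StartTime", b"2007/04/18-16:55:01", "RP603"),
          sample_rec("2007-04-16 22:57:56", "StartTime", b"2007/04/16-18:57:56\x00", "RP601"),
          sample_rec("2007-04-17 23:29:36", "ExitTime", b"2007/04/17-16:33:14", "RP602")]

def build_and_report(records=SAMPLE):
    db = create_db()  # in-memory for the demo; pass a file path to keep the database like the post does
    for rec in records:
        insert_entry(db, rec)
    return report(db, [PREFETCHER])
```

Because everything is loaded once, changing which keys you report on later is only a matter of passing a different key list (the post's report ini file), with no re-parse of the hives.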

Hopefully I have not confused everyone. Some of the code is ugly and not all the comments are there, so I apologize for that. As always, report problems and so forth back to me, and hopefully it helps out, saves time and gets you the data you need.

The zip file with all the goodies can be found here.

