When analysing a compromised Windows system, investigators and system administrators can glean enormously useful information about attackers’ actions by looking through the Windows registry, a hierarchical database storing tens of thousands of settings on a modern Windows box.
While there are several ways for investigators to interact with the registry, two of the most useful are the built-in regedit GUI-based tool and the reg command-line tool. Regedit has been included in Windows for over a decade, while the reg command is only included in more modern Windows versions, such as XP Pro, 2003 Server, Vista and 2008 Server. For this article we’ll focus on the reg command, but provide some information on where the regedit GUI can be helpful. The reg command allows users to view, update, import and export registry key values. But our focus here is on recovering useful forensic evidence, so we’ll zoom in on using the reg command to query important information from the registry.
Determining what users have been up to: The Windows registry is sorted into hives, which are big sections of the registry devoted to particular aspects of the machine. The HKCU hive stores information about the currently logged-on user on the box. Suppose the bad guy is a user, perhaps an evil employee who was sitting at the local console of a machine and has since walked away, or a remote attacker who compromised the system to control its GUI remotely via Remote Desktop, Terminal Services, or Virtual Network Computing (VNC). Such attackers may have used the Windows GUI to start programs or commands on the machine by going to Start→Run…, and then typing the name of the program to run. Windows records the most recent 26 commands executed in this fashion by the current user in the registry. To pull out this information, an investigator could run:
C:\> reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
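The raw output of that query lists the 26 slots (values named a through z) in alphabetical order, which is not the order the commands were typed; the MRUList value holds the slot letters most-recent-first, and each command is stored with a trailing "\1" marker. The following script is an added example, not part of the original article: it parses a constructed sample of reg query output (assumed to follow the value-per-line layout shown) and reorders the RunMRU entries by MRUList, so an investigator can read the history in the order the user ran the commands.

```python
import re
import subprocess
from typing import Dict, List, Tuple

RUNMRU_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Constructed sample of what `reg query ...\RunMRU` prints; the Run dialog stores
# each command with a trailing "\1" and records the ordering in MRUList.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    a    REG_SZ    cmd\1
    b    REG_SZ    notepad c:\temp\notes.txt\1
    c    REG_SZ    \\fileserver\share\1
    MRUList    REG_SZ    cba
"""

# One value line: indent, value name, REG_* type, then the data (may contain spaces).
_VALUE_LINE = re.compile(r"^\s{2,}(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_reg_query(text: str) -> Dict[str, str]:
    """Return {value_name: data} for every value line in reg query output."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        match = _VALUE_LINE.match(line)
        if match:
            name, _reg_type, data = match.groups()
            values[name] = data
    return values


def run_mru_history(text: str) -> List[Tuple[str, str]]:
    """Return (slot, command) pairs, most recent first, ordered by MRUList.

    Slots named in MRUList but missing from the key are skipped; slots present
    in the key but absent from MRUList (or every slot, if MRUList is missing)
    are appended alphabetically so no evidence is silently dropped.
    """
    values = parse_reg_query(text)
    order = list(values.get("MRUList", ""))
    leftover = sorted(k for k in values if len(k) == 1 and k not in order)
    history: List[Tuple[str, str]] = []
    for slot in order + leftover:
        if slot in values:
            command = values[slot]
            if command.endswith("\\1"):   # strip the Run dialog's "\1" marker
                command = command[:-2]
            history.append((slot, command))
    return history


if __name__ == "__main__":
    # On a live Windows box, run the real query; elsewhere fall back to the sample.
    try:
        output = subprocess.run(["reg", "query", RUNMRU_KEY], capture_output=True,
                                text=True, check=False).stdout or SAMPLE_REG_OUTPUT
    except FileNotFoundError:
        output = SAMPLE_REG_OUTPUT
    for slot, command in run_mru_history(output):
        print(f"{slot}: {command}")
```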