Perhaps this is just the Unix user in me, but I ask:
How about just making a copy of the registry on boot (or at intervals)
and compare it to the last copy?
Note that the following example is untested, but should be mostly
accurate.
Under Windows 2003 and XP you could do:
deltree C:\REG_BACKUP\last
rename C:\REG_BACKUP\latest C:\REG_BACKUP\last
reg export HKLM\SOFTWARE C:\REG_BACKUP\latest\HKLM_SOFTWARE /y
reg export HKLM\SAM C:\REG_BACKUP\latest\HKLM_SAM /y
reg export HKLM\HARDWARE C:\REG_BACKUP\latest\HKLM_HARDWARE /y
rem ... etc, for each key and HKEY type.
rem Example with Windiff which comes with the Windows SDK.
rem Windiff will wish to display to the screen.
rem Try other diff utilities like the GNU diff
rem which you can install from the Cygwin distributon
rem if you wish to have it sent via email.
windiff C:\REG_BACKUP\latest C:\REG_BACKUP\last
rem Gnu diff/sendmail example:
rem c:\cygwin\usr\bin\diff.exe -u -r C:\REG_BACKUP\latest C:\REG_BACKUP
\last | c:\cygwin\usr\bin\sendmail.exe -t "Registry changes"
alerts@example.com
----------
Windows98 has the scanreg utility, but I'm not sure how it works. As
far as I know, by default it saves to c:\<windir>\sysbckup, but it only
seems to throw .dll files there, the registry isn't saved in plain-text.
----------
I'm not sure how, if at all, to do this under Windows NT4 and Windows
2000.
----------
Once you have these .reg files, you can do all kinds of things with
them. Compare the registries of various machines which should have an
identical configuration to help detect worms. Create a web-based
registry editor. Have them automatically printed, faxed, emailed,
telephoned (text->speech), etc.
Good luck.
--
Eric Windisch <lists@bwbohh.net>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
