
Subject: [Full-Disclosure] Re: Windows Registry Analyzer
Date: Thu, 3 Mar 2005 19:51:09 -0000
"Cassidy Macfarlane" wrote in message
news:6C822FACDE1C534CA72836EC615EFC4D3E58@mail.dm.local...
> You can, of course, use regmon (sysinternals.com) to monitor the
> registry 'live' while changes are being made, however it sounds like you
> want a product that would analyse the reg, then re-analyse after
> installation, and report on changes.
>
> This would indeed be a handy tool.  Anyone know of anything better than
> regmon for this purpose?

  Yes, absolutely.  It's called "InCtrl5" and it is *exactly* what you both
want.

  You run it once, it snapshots the state of the registry, the entire
contents of your HD, and the content of all the various text files such as
autoexec.bat / win.ini / boot.ini / autoexec.nt (etc).  Then it exits.  You
install whatever it is you wanted to install, then run it again; it takes
another snapshot, then compares the two and makes you a nice report showing
*every* change to your system - registry keys and values added, deleted or
modified; files and directories added, deleted or modified; and any changes
to those startup-script text files.

  It needn't be an install.  It'll tell you whatever differences there are
between the before and after snapshots.  What you do in between those two
times is up to you.  For instance it's quite interesting to take a snapshot,
do a reboot, and run the comparison when the machine boots up again, to see
how much volatile stuff gets changed every time you reboot windows.  Or you
can *un*install something, and by checking against the original installation
report (or by snapshotting, installing, running, then uninstalling the app
straight away before finally getting the comparison report) see if it's left
any traces behind.

  It's incredibly useful.  You'll have to google for it though.  It was
originally given away by some PC magazine or other, but they've restricted
access to their archives now.  See what you can find.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
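
The snapshot, change, snapshot, compare cycle described in the message above, as an added example that is not part of the original post and is not InCtrl5's code. The names `snapshot_files`, `snapshot_registry`, `compare` and `demo` are hypothetical; the demo runs on a constructed scratch directory, and the registry walker relies on Python's Windows-only `winreg` module.

```python
import hashlib, tempfile
from pathlib import Path

def snapshot_files(root):
    """Map relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}

def snapshot_registry(hive, subkey):
    """Windows only. Keys become (path,), values (path, name) -> (type, data)."""
    import winreg  # standard library, present on Windows builds only
    snap, todo = {}, [subkey]
    while todo:
        path = todo.pop()
        try:
            key = winreg.OpenKey(hive, path)
        except OSError:  # access denied or key vanished: skip it
            continue
        with key:
            n_sub, n_val, _mtime = winreg.QueryInfoKey(key)
            snap[(path,)] = None
            for i in range(n_val):
                name, data, kind = winreg.EnumValue(key, i)
                snap[(path, name)] = (kind, data)
            todo += [path + "\\" + winreg.EnumKey(key, i) for i in range(n_sub)]
    return snap

def compare(before, after):
    """Report entries added, deleted or modified between two snapshots."""
    return {
        "added": sorted(k for k in after if k not in before),
        "deleted": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }

def demo():
    """Constructed sample: a scratch directory stands in for the system."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, text in (("win.ini", "[fonts]\n"), ("old.dll", "v1"), ("keep.txt", "same")):
            (root / name).write_text(text)
        before = snapshot_files(root)  # first run; the "install" follows
        (root / "win.ini").write_text("[fonts]\n[app]\nrun=1\n")
        (root / "old.dll").unlink()
        (root / "app").mkdir()
        (root / "app" / "app.exe").write_text("binary")
        return compare(before, snapshot_files(root))

if __name__ == "__main__":
    print(demo())
```

On Windows, calling `snapshot_registry(winreg.HKEY_CURRENT_USER, "Software")` before and after a change and passing both results to `compare` gives the registry half of the same report.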
