
Registry references

19 Posts
5 Users
0 Likes
1,786 Views
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Does anyone know of definitive, authoritative reference for Registry keys such as MUICache, UserAssist, and Streams/StreamMRU, for XP?

I'm particularly interested in knowing under what circumstances the keys/values are created, accessed, and updated.

Thanks,

Harlan

 
Posted : 21/11/2005 6:47 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Okay, so what you're telling me is that no one has a clue about these?

Besides what was put out by AccessData, and my own spreadsheet, does anyone have any credible Registry references at all?

Harlan

 
Posted : 26/11/2005 5:17 pm
hogfly
(@hogfly)
Posts: 287
Reputable Member
 

Unfortunately, there is no such thing as a definitive guide or reference that I've found. Sure, there are books that give you one or two reg keys, but even the registry guide for XP is weak when it comes to what's truly in the keys, and how it gets there is a whole different story. I think the AccessData sheet and your sheet are just the tip of the iceberg. We all know there is a hell of a lot more stored in the registry…but no one is providing guidance.

I'd try to hook up with some of the MS MVPs for the registry or scour MSDN (which I am sure you've done already).

 
Posted : 28/11/2005 7:54 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

> Unfortunately, there is no such thing as a definitive guide or reference

Well, I'm on a couple of LEO-type lists (non-LEOs are also included) and I'm trying to create a reference of some type. The only problem is building it…I can't do it all myself, and it's going to be really hard to get folks to follow any kind of submission standard.

I'm sure that in the end, it's going to end up being like most things…there'll be a lot of folks saying things like, "You should include xxx", without either providing the information themselves, or the means for getting it. I just got an email today from someone who said I should include FireWire along with USB removable storage stuff…I've gotten that same comment several times before, but to date, not one of those people has been willing to loan me any FireWire devices…and they don't seem to be able or willing to provide the necessary information themselves.

Harlan

 
Posted : 28/11/2005 8:11 pm
hogfly
(@hogfly)
Posts: 287
Reputable Member
 

That's true of almost any situation. Look at tenable and Nessus. They had everyone complaining about plugins not being available, but no one really contributed.

A lot of people say "I don't have the time" and for some that may be true. Others will tell you they "don't know how" and that may be true as well. I've found for myself at least, that if I don't know how…then I should try to figure it out, and if I don't make time to play with these things then I'll never "have" time to do it. I guess some questions I would ask you are: what did you have in mind? Do you have a list of ideas that you'd like to work on?

 
Posted : 28/11/2005 8:17 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

> That's true of almost any situation

Yeah, I'm seeing hard evidence of that.

 
Posted : 28/11/2005 10:27 pm
(@jakec)
Posts: 7
Active Member
 

Harlan et al.,
I have found the following references from Microsoft to be very useful in explaining some information about registry keys. It (self-admittedly) does not include ALL registry keys (including some VERY useful ones), but it's a pretty good start for anyone looking to learn about the layout of the registry.

For Win2k (under the menu item "Windows 2000 registry reference"):
http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/default.asp

For 2k3/XP (under the menu item "Windows 2003 Resource Kit registry reference"):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/ca3f0846-747d-48bc-a877-d8c3532715bc.mspx

 
Posted : 22/12/2005 10:28 pm
arashiryu
(@arashiryu)
Posts: 122
Estimable Member
 

Some info I requested from Microsoft Premium Support.

MUICache is installed as a registry key when you use sdbinst.exe, the Compatibility Database Installer tool, which is built in to WinXP. KB article 308235 explains the tool: You can use Sdbinst.exe to register a custom database that you create with the Compatibility Administration tool. Using Sdbinst.exe automatically installs and adds fix information to the registry of destination computers.

Among those registry installs is HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache.

UserAssist is a registry key used by IE in Windows 98. It is altered during security updates to the machine. It also is used in Windows 2000, where it contains information about IntelliMenu data for IE Favorites. On a VM installation it will perform somewhat the same function as it does on a Win98 machine. And if you have an instrumented version of Word 2000, the reg key is used to identify Word as the instrumented version. The instrumented version is a "survey" type of Word 2000 that Microsoft used to gather data about how certain functions were used.

Streams/StreamMRU is a set of keys and subkeys that stores "most recently used" information about Windows. That information can define size, views, locations, printers, files, etc. It's used in WinNT and Win 9x.

 
Posted : 23/12/2005 12:05 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

arashiryu,

Good information and thanks for posting…but it doesn't explain how these keys can be used from a forensic analyst's perspective. For example, why is some malware using MUICache as an autostart location?

Thanks,

Harlan

 
Posted : 23/12/2005 5:59 pm
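One way to act on the forensic-analyst question above, added here as an example and not code from any poster in this thread: it parses a `reg export` of the HKCU MUICache key named earlier in the thread and lists executables that MUICache records as having run from temp or Recycler directories, which is where the trojans and dialers mentioned later would typically sit. The .reg text, the directory list and the function names are constructed for this example.

```python
import re
from typing import Dict, List

# HKCU path of the XP-era MUICache key named in the thread above.
MUICACHE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache"

# Constructed sample of a `reg export` of that key (not data from a real system).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID"=hex:09,04
"C:\\WINDOWS\\system32\\notepad.exe"="Notepad"
"@C:\\WINDOWS\\system32\\shell32.dll,-22019"="Control Panel"
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe"="svchost"
"C:\\RECYCLER\\S-1-5-21-1\\update.exe"="Windows Update"
'''

# Directories from which a legitimate XP system binary would not normally be launched.
SUSPICIOUS_DIRS = ("\\local settings\\temp\\", "\\recycler\\", "\\temporary internet files\\")

# One "name"="string data" line; hex:/dword: values deliberately do not match.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s: str) -> str:
    # .reg exports double every backslash and escape embedded double quotes.
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_muicache_export(text: str) -> Dict[str, str]:
    """Map each MUICache value name (exe path or resource ref) to its friendly name."""
    entries: Dict[str, str] = {}
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # a key header switches context
            in_key = line == "[" + MUICACHE_KEY + "]"
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if m:
            entries[_unescape(m.group(1))] = _unescape(m.group(2))
    return entries

def suspicious_entries(entries: Dict[str, str]) -> List[str]:
    """Executables MUICache records as having run from temp or Recycler paths."""
    hits = []
    for name in entries:
        low = name.lower()
        if low.endswith(".exe") and any(d in low for d in SUSPICIOUS_DIRS):
            hits.append(name)
    return sorted(hits)
```

Note that MUICache only shows that a binary was run under this user's shell, not that it is configured to start automatically; the hits are leads to review against the Run keys and the files themselves.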
arashiryu
(@arashiryu)
Posts: 122
Estimable Member
 

I agree.

After a search on Symantec's and Sophos' sites for MUICache I discovered that mostly trojans and dialers plant themselves in this registry location. I also found an article at http://www.securityfocus.com/archive/1/358913 which describes some exploits. Interesting part of the article:

"access to some shell folders is also possible. You can automate the execution of a program using the object tag too. When programs are executed using the object tag on a victim's system there is no need for knowing the exact path to the executables whose MUICACHE name is fixed; when such a program is called using an object, the MUICACHE is searched to find an exe with the same MUICACHE name or exe name. Executables like this are initiated without the need of knowing their exact path."

I'll keep digging for more info as time permits.

 
Posted : 24/12/2005 10:53 am
Page 1 / 2