XP Logon Screen -Programs running total and logged on detail

11 Posts
4 Users
0 Reactions
537 Views
Jesterladd
(@jesterladd)
Posts: 28
Trusted Member
Topic starter
 

Does anyone know which registry keys hold the details for the XP logon screen - Programs running and logged on? I know the entry for the email count. Apologies if this has been asked before.

Jesterladd

 
Posted : 30/06/2009 2:58 pm
(@emeeuk)
Posts: 16
Active Member
 

The email count is from

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\UnreadMail\

There is a subkey for each email account that is 'polled'.

 
Posted : 15/07/2009 11:21 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Does anyone know which registry keys hold the details for the XP logon screen - Programs running and logged on?

What are you referring to? The information that you see on a locked screen isn't stored in the Registry because it's not persistent.

 
Posted : 15/07/2009 11:33 pm
Jesterladd
(@jesterladd)
Posts: 28
Trusted Member
Topic starter
 

I'm assuming that you are referring to the information that I am asking about because the email count on the login screen is, as emeeuk quite rightly states, stored in the registry in the location in the above post.

Persistent or not, the information must be derived from somewhere. Your knowledge of this area is probably greater than mine, but I still suspect that it is derived from a registry key - for argument's sake let's call it a 'non-persistent' registry key.

My curiosity is now well and truly piqued and as I am not a cat, I think I will keep on looking …….

 
Posted : 16/07/2009 4:21 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I'm assuming that you are referring to the information that I am asking about because the email count on the login screen is, as emeeuk quite rightly states, stored in the registry in the location in the above post.

That's an incorrect assumption. You stated that you already knew from where the email information was derived.

The name of the currently logged on user that is displayed when the screen is locked is derived from the currently loaded user's hive. The number of running programs is derived from filtering the active process list.

Persistent or not, the information must be derived from somewhere. Your knowledge of this area is probably greater than mine, but I still suspect that it is derived from a registry key - for argument's sake let's call it a 'non-persistent' registry key.

If you find the Registry key that maintains the number of running processes for this scenario/situation, please share it.

Good luck.

 
Posted : 16/07/2009 4:53 am
Jesterladd
(@jesterladd)
Posts: 28
Trusted Member
Topic starter
 

I have just completed some more testing and it appears that the program running count comes from the key

HKCU\SessionInformation\Program Count

I have some more testing to do but I'm hopeful.

 
Posted : 16/07/2009 5:11 am
Jesterladd
(@jesterladd)
Posts: 28
Trusted Member
Topic starter
 

My apologies the testing is being done initially on XP Home.

 
Posted : 16/07/2009 5:12 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

That's a good find, but it appears that the Registry value (and its key) may be volatile…I'm not finding it in any of the extracted hives I have available…

 
Posted : 16/07/2009 7:21 am
Jesterladd
(@jesterladd)
Posts: 28
Trusted Member
Topic starter
 

Found the key that is tracked this morning, it is at

HKUsers\{User SID}\SessionInformation

This key is also present in the Vista registry although it does not seem to be utilised by the Vista logon screen as it is by the XP logon screen. Agree with keydet89 that the key and value look to be volatile. Logging a user off and watching it disappear is a bit of a clue. I also cannot find it in the extracted registry files I have.

Also noted that with both XP and Vista Home versions, if multiple people are logged on (using switch user) then regedit executed with admin rights can read each user's key to determine how many programs those users are running.

Perhaps another tidbit for the live forensics debate? Next step I guess is to find if this information is secured when RAM is imaged? I love my job!!

I post this information for you to do as you will.

Cheers

 
Posted : 16/07/2009 9:02 pm
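An added live-triage script (not from this thread or any of its posters) that walks the loaded user hives under HKEY_USERS and dumps the SessionInformation key the thread identifies, alongside the persistent UnreadMail subkeys. It assumes it is run elevated on the live machine; the value name MessageCount under each UnreadMail subkey is assumed, not taken from the thread, and the SessionInformation values are dumped without assuming a name.

```powershell
# Added example: enumerate loaded user hives under HKEY_USERS and report the
# volatile SessionInformation key (source of the XP logon screen's "programs
# running" count per the thread) plus the UnreadMail subkeys (the email count).
# Assumption: run elevated on the live system. SessionInformation is not
# present in an offline NTUSER.DAT, so this only makes sense during live response.

$hkuRoot = 'Registry::HKEY_USERS'

# Only real user SIDs (S-1-5-21-...), skipping *_Classes and service SIDs.
$sids = Get-ChildItem -Path $hkuRoot |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

foreach ($sid in $sids) {
    $sidName = $sid.PSChildName
    # Resolve SID to account name for the report; keep the raw SID on failure.
    try {
        $account = (New-Object System.Security.Principal.SecurityIdentifier($sidName)).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch { $account = $sidName }

    $sessionKey = Join-Path $sid.PSPath 'SessionInformation'
    if (Test-Path $sessionKey) {
        # Dump every value rather than guess a name (the thread calls it "Program Count").
        $values = Get-ItemProperty -Path $sessionKey |
            Select-Object -Property * -ExcludeProperty PS*
        Write-Output ("[{0}] {1}: SessionInformation present (hive loaded, user logged on)" -f $sidName, $account)
        foreach ($prop in $values.PSObject.Properties) {
            Write-Output ("    {0} = {1}" -f $prop.Name, $prop.Value)
        }
    } else {
        Write-Output ("[{0}] {1}: no SessionInformation key (no interactive session, or already gone)" -f $sidName, $account)
    }

    # Unread mail count per polled account; persistent, so it also survives offline.
    $mailKey = Join-Path $sid.PSPath 'Software\Microsoft\Windows\CurrentVersion\UnreadMail'
    if (Test-Path $mailKey) {
        foreach ($acct in Get-ChildItem -Path $mailKey) {
            $p = Get-ItemProperty -Path $acct.PSPath
            # MessageCount is an assumed value name (DWORD); adjust if the box differs.
            Write-Output ("    UnreadMail {0}: MessageCount={1}" -f $acct.PSChildName, $p.MessageCount)
        }
    }
}
```

Running it once with a user logged on and again after that user logs off shows the SessionInformation line vanish while the UnreadMail lines persist, which is the volatile/persistent split the thread arrives at.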
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Agree with keydet89 that the key and value look to be volatile. Logging a user off and watching it disappear is a bit of a clue. I also cannot find it in the extracted registry files I have.

That's the other clue.

Also noted that with both XP and Vista Home versions, if multiple people are logged on (using switch user) then regedit executed with admin rights can read each user's key to determine how many programs those users are running.

Perhaps another tidbit for the live forensics debate?

Debate? What's to debate about?

Next step I guess is to find if this information is secured when RAM is imaged?

I'm sure you'll find that to be the case, by definition.

Good luck.

 
Posted : 16/07/2009 9:29 pm