Included in several versions of Microsoft Windows -- XP Professional, Vista, Server 2003 and Server 2008 -- is the reg.exe command, which allows a query or update of information in the registry. This great command-line tool can be used locally or against remote systems to dump whole sections of the registry recursively.
Auto-start registry keys
Investigators can benefit by pulling data from three important registry keys that control some of the auto-start behavior of Windows boxes: the "Run" registry keys. When a user logs on locally to a system, programs identified in the settings of these registry keys are automatically executed:
Many malware specimens (as well as a lot of legitimate programs) run every time the system starts up by adding an entry to these registry locations. Query these locations using the reg command as follows:
C:\> reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
C:\> reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
C:\> reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx
Because a typical Windows machine may have a half dozen or more legitimate entries here, a forensics investigator will need to separate the good from the malicious by diligently researching each discovered item. This can be done via Web searches and/or by grabbing a copy of unusual autostart programs for further analysis.
When querying these or other items from HKLM (or HKU, where user account and related information is stored), use the reg command against a remote Windows machine across the network with Windows Server Message Block (SMB) connections. Unfortunately, the reg tool works remotely only for items in HKLM and HKU. It can't pull data from other hives in the registry, including the HKCU items we looked at last month. This forces forensics investigators to pull HKCU data by running commands locally on the target machine.
To query HKLM and HKU remotely with the reg command, the Remote Registry service must be started on the target machine, which is activated by default on many versions of Windows (other than Vista). Start by setting up an SMB session with the target using administrator credentials:
C:\> net use \\[TargetIPaddr] /u:[AdminName]
Enter the password for that admin user when prompted, then, with that session open, use the reg command to query items in HKLM as follows:
C:\> reg query \\[TargetIPaddr]\HKLM\Software\Microsoft\Windows\CurrentVersion\Run
USB drive & iPod history
Beyond these autostart keys, the registry also remembers information about every USB token ever plugged into the system. I've worked on a number of cases in which I needed this information. To query for all tokens that have ever been plugged into the Windows machine, run this command:
C:\> reg query HKLM\System\currentcontrolset\enum\usbstor /s
Alternatively, suppose an investigator wants to look for specifics about an iPod device that may or may not have been connected to a machine. He or she can run the same reg command, this time piping its output through the find command to look for the string "ipod," as follows:
C:\> reg query HKLM\System\currentcontrolset\enum\usbstor /s | find /i "ipod"
Note that we've used the find command with the /i option to make it case insensitive.
Identifying network interfaces
To pull the IP address and related configuration information for all network interfaces on the device, run this command:
C:\> reg query hklm\system\currentcontrolset\services\tcpip\parameters\interfaces /s
Some immensely useful output of this command -- beyond the IP address, netmask, default gateway and DNS server -- is the "LeaseObtainedTime" parameter, a hexadecimal number. This value indicates when the local machine received its DHCP information, which often occurs when the system first boots up or joins a network. With this data, an investigator has an idea of when a given machine first engaged in network activity, information that is useful in building timelines for cases.
The hexadecimal number of LeaseObtainedTime represents the seconds that have transpired since 12:00 a.m. on Jan. 1, 1970, the beginning of the Unix Epoch. For example, my current "LeaseObtainedTime" is 0x4856d93a. I convert the lower-case d and a to capitals, then look up that time (4856D93A) with the free calculator at http://dan.drydog.com/unixdatetime.html that converts the seconds in hex to actual dates. In this example, my computer obtained its lease on June 16, 2008, at 9:20:58 a.m. That date is relative to the current clock on the computer whose registry we've queried, so it's also useful for investigators to pull the current time and date, which they can do using:
C:\> time /t & date /t
Because the output time is in HH:MM form, to make further sense of it, investigators will need to know the time zone of the machine, which they can pull with the command:
C:\> reg query hklm\system\currentcontrolset\control\timezoneinformation
Windows firewall commands
Another helpful query is the configuration of the built-in Windows personal firewall, which can be accessed by running the following command:
C:\> reg query hklm\system\controlset001\services\sharedaccess\parameters\firewallpolicy /s
This output shows the ports the firewall allows through the programs it lets communicate on the network, plus a myriad of other configuration settings. Thus, investigators may be able to determine whether a computer attacker disabled the firewall or reconfigured it to allow access for nefarious activities. For similar information in a better-parsed fashion, an investigator could alternatively run:
C:\> netsh firewall show config
While we've looked at some of the most useful items I've relied on in past investigations, the registry is chock full of additional helpful items. I encourage readers to continue their journey through the Windows registry, looking for additional useful queries, relying on a healthy combination of the powerful reg command, the public documentation available from sources such as Microsoft (though sometimes scanty), and hunches and insights.
About the author:
Ed Skoudis is a SANS instructor and a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004-2007Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions related to information security threats.
This was first published in October 2008