Security Incidents mailing list archives
RE: Possible new trojan?
From: Ryan Hill <rhill () xypoint com>
Date: Fri, 14 Sep 2001 16:50:31 -0700
4. Did you check the contents of the Run, RunServices, RunOnce Registry keys (if the target system is a MS platform)?

No - but I'd like a tool that can decipher the 'ntuser.dat' file, so we don't have to log on as the specific user that caused the problems. Does anyone know of a way of 'reading'/enumerating a user's own registry file (HKCU)? There is supposedly a driver for Linux, to mount the registry file - and browse everything like a directory. But that seems to be like crossing the river for water...

Assuming the user has previously logged on the machine, the entire user registry profile will be stored under HKLU, and listed by the user's SID.

Regards,
Ryan Hill, MCSE
Network & Systems Engineer
Corporate Information Systems
Telecommunication Systems, Inc. (TCS) - http://www.telecomsys.com
v: 206.792.2276 - f: 206.792.2001
pgp: 0x17CE70AB

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
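
One way to do what the thread asks, as an added example that is not part of the original message: list the Run, RunOnce and RunServices values for each user hive loaded under HKEY_USERS (keyed by SID), and optionally mount a copied ntuser.dat with `reg.exe load` to read a user who is not logged on. The `-OfflineHive` parameter, the `OfflineHive` mount name and the `Get-AutostartEntries` function are assumptions made for the example; run it from an elevated prompt.

```powershell
# Added example, not from the original thread.
param(
    [string]$OfflineHive   # path to a copied NTUSER.DAT (hypothetical parameter)
)

$AutostartKeys = 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce'
$Base = 'Software\Microsoft\Windows\CurrentVersion'

function Get-AutostartEntries {
    param([string]$HiveRoot)   # e.g. 'Registry::HKEY_USERS\<SID>'
    foreach ($name in $AutostartKeys) {
        $path = "$HiveRoot\$Base\$name"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($value in $key.GetValueNames()) {
            [pscustomobject]@{
                Hive    = $HiveRoot.Split('\')[-1]
                Key     = $name
                Name    = $value
                # Keep %VAR% references unexpanded so the stored string is shown as written
                Command = $key.GetValue($value, $null, 'DoNotExpandEnvironmentNames')
            }
        }
        $key.Close()   # release the handle so an offline hive can be unloaded later
    }
}

# 1. Hives that are currently loaded, one subkey per user SID.
#    The pattern skips the built-in accounts and the <SID>_Classes subkeys.
Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { Get-AutostartEntries "Registry::$($_.Name)" }

# 2. A user who is not logged on: mount the copied NTUSER.DAT under a temporary name.
if ($OfflineHive) {
    & reg.exe load 'HKU\OfflineHive' $OfflineHive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $OfflineHive" }
    try {
        Get-AutostartEntries 'Registry::HKEY_USERS\OfflineHive'
    } finally {
        [gc]::Collect()   # drop any lingering key handles before unloading
        & reg.exe unload 'HKU\OfflineHive' | Out-Null
    }
}
```

Work on a copy of the ntuser.dat file rather than the original, since loading a hive can modify it.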