Security Basics mailing list archives

Re: Dynamicism Of Windows Registry


From: Neil <neil () voidfx net>
Date: Sat, 24 Jun 2006 00:29:41 +0530

Jason T. Hallahan wrote:
Hello and good day:

I have a question. Exactly how dynamic is the Windows Registry?
Specifically, if you were somehow able to monitor in real-time the
changes made to the registry of a system on your network (HW/SW
installation, Processes running, websites visited, etc.) would you be
able to thwart an attack by that system (user), or would it be too
little information, too late?

Thanks for your help.

Best regards,
Jason


I think that's a fairly subjective question.  What is the attack being
run?  If the attack was a pre-made program/script that was run, I think
seeing the registry changes in realtime would not be too helpful (unless
you want to try to kill the process or something, in which case I hope
you have a quick mouse-finger).  On the other hand, if your attacker is
just poking around the system for this or that, and trying various
things out to secure the box, then perhaps you could do something to
shut out the intruder before any harm is done.

However, having a record of the registry changes that were made by the
attack after the attack would probably be very useful in identifying the
damage done, in repairing the system (or judging if it needs to be
rebuilt), and probably even in forensics work.

And I should mention that there is a tool by SysInternals called RegMon
which monitors all registry calls in realtime.

-Neil.
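A defender-side illustration of the point above, added here and not part of the thread: a small Python classifier that runs over registry-change records of the kind a RegMon-style monitor emits, drops the reads, and keeps only writes to keys a defender cares about, which is the "record of the changes" Neil finds useful after the fact. The log line format and the watchlist are constructed for the example, not RegMon's real output.

```python
# Added example (not from the thread). Log lines use a constructed
# format: process|operation|key path|data, one record per line.
from collections import namedtuple

# Key prefixes worth alerting on when written (assumption: a small
# illustrative watchlist, not an exhaustive one).
WATCHLIST = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": "autorun",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": "autorun",
    r"HKLM\SYSTEM\CurrentControlSet\Services": "service",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": "logon",
}
WRITE_OPS = {"SetValue", "CreateKey", "DeleteValue", "DeleteKey"}

RegChange = namedtuple("RegChange", "process op path data")

def parse_line(line):
    """Split one constructed log line into its four fields."""
    process, op, path, data = line.rstrip("\n").split("|", 3)
    return RegChange(process, op, path, data)

def classify(change):
    """Return the watchlist tag for a write under a watched key, else None."""
    if change.op not in WRITE_OPS:
        return None  # reads are noise; only changes matter here
    path = change.path.casefold()
    for prefix, tag in WATCHLIST.items():
        if path.startswith(prefix.casefold() + "\\"):
            return tag
    return None

def flag_changes(lines):
    """Run the classifier over a log and keep (tag, process, path) hits."""
    hits = []
    for line in lines:
        change = parse_line(line)
        tag = classify(change)
        if tag is not None:
            hits.append((tag, change.process, change.path))
    return hits

# Constructed sample log: a read, two persistence writes, a harmless write.
SAMPLE_LOG = [
    r"explorer.exe|QueryValue|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive|",
    r"setup.exe|SetValue|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater|C:\Temp\upd.exe",
    r"services.exe|CreateKey|HKLM\SYSTEM\CurrentControlSet\Services\svchelper|",
    r"notepad.exe|SetValue|HKCU\SOFTWARE\Microsoft\Notepad\iWindowPosX|120",
]
```

Running `flag_changes(SAMPLE_LOG)` keeps the two persistence-related writes and drops the read and the Notepad setting.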

