Security Incidents mailing list archives

Re: Possible new trojan?


From: Daniel Martin <dtmartin24 () home com>
Date: 17 Sep 2001 09:57:42 -0400

"Mike Blomgren" <mike.blomgren () ccnox com> writes:

> No - but I'd like a tool that can decipher the 'ntuser.dat' file, so we 
> don't have to log on as the specific user that caused the problems. 
> Does anyone know of a way of 'reading'/enumerating a user's own 
> registry file (HKCU)? There is supposedly a driver for Linux, to mount 
> the registry file - and browse everything like a directory. But that 
> seems to be like crossing the river for water...

Well, first off you can probably find the user's tree sitting under
the registry entry HKEY_USERS\S-{whatever}\ on any machine they've
logged into.

But, assuming that you just have the ntuser.dat file (say you ftp'ed
it over, or carried it on floppy to an unaffected machine), then the
easiest thing to do is to load the registry hive contained in that
file into your registry, say as the key
 HKEY_USERS\ProblemGuy
This is, in concept, very similar to mounting a filesystem on a unix
machine - you can tell NT that all the registry entries under that key
will refer to entries in the ntuser.dat file that you copied over.

To do this, start up regedt32 and, if it's not already open, open the
local registry.  (From the Registry menu)  Then go to HKEY_USERS from
the Window menu, and select HKEY_USERS in the window that pops up.
Then select "Load hive" from the Registry menu and choose the file you
want to examine; when asked for the key name say "ProblemGuy".  You
can then examine the registry tree under HKEY_USERS\ProblemGuy to your
heart's content with your favorite registry examination tools; just
don't forget to unload the hive when finished.
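The same load / inspect / unload procedure, scripted in PowerShell as an added example (not part of the original post): it loads a copied ntuser.dat under HKEY_USERS\ProblemGuy with reg.exe, lists the per-user Run and RunOnce autostart entries (the first place to look when a trojan is suspected), and unloads the hive again. The evidence path C:\Evidence\ntuser.dat is an assumed location.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# (reg load needs the Backup/Restore privileges). The hive must not be in use:
# the user it belongs to must be logged off, or reg.exe reports a sharing violation.
param(
    # Path to the copied NTUSER.DAT (assumed location; adjust to your copy).
    [string]$HivePath = 'C:\Evidence\ntuser.dat',
    # Key name used in the post; any unused name under HKEY_USERS works.
    [string]$KeyName  = 'ProblemGuy'
)

$root = "HKU\$KeyName"

# Per-user autostart locations worth checking in a suspected trojan case.
$autostartKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Equivalent of regedt32: Registry menu -> Load Hive -> key name "ProblemGuy".
reg.exe load $root $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg load failed for $HivePath (exit code $LASTEXITCODE)"
}

try {
    foreach ($sub in $autostartKeys) {
        $path = "Registry::HKEY_USERS\$KeyName\$sub"
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        try {
            foreach ($name in $key.GetValueNames()) {
                # One object per autostart entry; pipe to Format-Table or Export-Csv.
                [pscustomobject]@{
                    Key   = $sub
                    Name  = $name
                    Value = $key.GetValue($name)
                }
            }
        }
        finally {
            # Close the handle, otherwise the unload below fails with "Access is denied".
            $key.Close()
        }
    }
}
finally {
    # As the post says: do not forget to unload, or the file stays locked.
    reg.exe unload $root | Out-Null
}
```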

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

