Tip

Windows registry forensics guide: Investigating hacker activities

Ed Skoudis explains how investigators and administrators can interact with the Windows registry to analyse a compromised system.

When analysing a compromised Windows system, investigators and system administrators can glean enormously useful information about attackers' actions by looking through the Windows registry, a hierarchical database storing tens of thousands of settings on a modern Windows box. Whether an outside attacker compromised the box, an inside employee engaged in nefarious activities, or malware inexplicably infected the machine, the Windows registry contains wonderful gems of information for investigators. In this tip, we'll look at what information investigators can gather about user activity via the registry. Next month, we'll focus on how investigators can pull useful registry information associated with the overall operating system.

Interacting with the registry
While there are several ways for investigators to interact with the registry, two of the most useful are the built-in regedit GUI-based tool and the reg command-line tool. Regedit has been included in Windows for over a decade, while the reg command is only included in more modern Windows machines, such XP Pro, 2003 Server, Vista and 2008 Server. For this article we'll focus on the reg command, but provide some information on where the regedit GUI can be helpful. The reg command allows users to view, update, import and export registry key values. But our focus here is on recovering useful forensics evidence, so we'll zoom in on using the reg command to query important information from the registry.

Determining what users have been up to
The Windows registry is sorted into hives which are big sections of the registry devoted to particular aspects of the machine. The HKCU hive stores information about the currently logged-on user on the box. Suppose the bad guy is a user, perhaps an evil employee who was sitting at the local console of a machine and walked away, or a remote attacker who compromised the system to control its GUI remotely via Remote Desktop, Terminal Services, or Virtual Network Computing (VNC). Such attackers may have used the Windows GUI to start programs or commands on the machine by going to Start→Run…, and then typing the name of the programs to run. Windows records the most recent 26 commands executed in this fashion by the current user in the registry. To pull out this information, an investigator could run:

C:\ reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Mercifully, the reg command is case insensitive when referring to registry keys, so an investigator doesn't have to memorise where the cap letters belong in registry key names. I frequently use all lowercase in my invocation of the reg command, because typing is faster that way and I simply can't memorise where the capital letters need to go. The output of the above command, whether used with or without caps, may show that the attacker ran sol.exe (the Windows Solitaire game), followed by a cmd.exe command shell. The attacker may then have launched the lusrmgr.msc GUI to add or remove users, or the services.msc control panel to alter service configuration. I've been involved in cases where the attacker used Start→Run... to mount file shares by typing the syntax "net use * \\[machine]\[share] [password] /u:[user]." The information in this registry key was instrumental in our investigation to find out which other systems the attacker targeted. Please note that the history information in this portion of the registry stores only those items typed into Start→Run…, and does not store the history of programs invoked via some other place in the Start >menu. Further, the command shell history of a cmd.exe is not stored in the registry either, and the commands aren't stored in chronological order. Still, the Start→Run... history can be quite helpful to investigators if the attacker controlled the machine's GUI.

Another nearby setting in the registry that is immensely useful to investigators is the RecentDocs value (stored at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs), which shows the names of recent documents opened by the user currently logged onto the system. These documents are sorted by extension type, such as .doc for Word files or .ppt for PowerPoint files. Unfortunately, the file paths and document names are stored in raw binary values, not in plain ASCII form. Thus, the reg command-line tool will spit out a bunch of hex values without showing their translation into human-readable text. Instead of using the reg command, the regedit GUI will convert these binary values by double-clicking on a specific setting. For example, an investigator could use regedit to navigate to:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.doc

There, the system will show the last ten .doc files the currently logged-on user accessed. By double-clicking on any of the values there, the investigator can cause regedit to display the document paths and names in readable ASCII form.

Additional droppings from user activity stored in the registry are associated with Internet Explorer. In particular, the following command will show all of the URLs the user typed into IE to make it surf to given websites:

C:\> reg query "hkcu\software\microsoft\internet explorer\typedurls"

Note the need to put quotation marks around that registry name because of the space between "internet" and "explorer." Also, note that I've reverted to my "normal" practice of using all lower case with the reg command. With the output of this command, an investigator can glean significant information about where the user made the machine surf by typing in a URL, possibly making the system access pornography or other nefarious sites.

It's important to note the limitations of the values stored under this portion of the registry. The TypedURLs value will not show full browser history, such as search engine queries, links clicked inside a page, or places that malware made the system surf to without typing a URL. However, the TypedURLs output is highly useful for investigators trying to determine the motivation of a suspect. It's a good sign that a user desired to make a system access a given site if he or she deliberately typed the URL into the browser. @52299

Another spot in the registry that is useful for investigators is associated with WinVNC viewer, a tool used for remotely controlling the GUI of other systems. When a user invokes the VNC Viewer to connect to and control another machine, WinVNC stores the system name or IP address (and port number if a port other than the VNC default port of TCP 5900 is used). Thus, investigators can have a history of machines that an attacker accessed to control their GUIs viewable with the command:

C:\> reg query hkcu\software\realvnc\vncviewer4\mru

Again, I've participated in investigations in which the output of this command really helped to gain an in-depth understanding of what an attacker did as he pounced through a target environment.

As we've seen, the registry, in effect, acts like a log for a lot of actions taken by the currently logged-on user of a machine. In these brief tips, we cover some of the most useful areas to analyse, but I'd like to encourage readers to perform their own explorations of the registry to find items useful to investigators. Pop open regedit.exe and look around inside of HKCU\Software, digging for gold that might help unravel a forensics investigation mystery. In next month's tip, we'll look into the HKLM portion of the registry to find useful information about what the overall system has been up to, instead of just the currently logged on user.

About the author:
Ed Skoudis is a SANS instructor and a founder and senior security consultant with Intelguardians.

Read more on Hackers and cybercrime prevention