Overclock.net › Forums › Software, Programming and Coding › Operating Systems › Windows › Cleaning the registry.

Cleaning the registry. - Page 5

post #41 of 42
... [eerrrrr] Ops, I was going to re-edit this instead but forgot. My bad.
Edited by mushroomboy - 7/24/11 at 7:13pm
post #42 of 42
Quote:
Originally Posted by Spooony
dunno what explorer is doing here
What your images tell me is that you had explorer.exe go through a period where it sent QueryValue for a registry key and got NOT FOUND.

http://www.eptuners.com/forensics/co...tm#UserAssist:
Code:
UserAssist:

The UserAssist key, HCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist, contains two or more subkeys which have long hexadecimal names that appear as globally unique identifiers (GUIDs). Each subkey records values that pertain to specific objects the user has accessed on the system, such as Control Panel applets, shortcut files, programs, etc. These values however, are encoded using a ROT-13 encryption algorithm, sometimes known as a Caesar cipher. This particular encryption technique is quite easy to decipher, as each character is substituted with the character 13 spaces away from it in the ASCII table. A much faster and easier method to decipher this code is with the use of an online ROT-13 decoder, such as http://www.edoceo.com/utilis/rot13.php.

Figure 3 – UserAssist Key

Figure 3a – ROT-13 cipher decoded

With the UserAssist key, a forensic examiner can gain a better understanding of what types of files or applications have been accessed on a particular system. Even though these entries are not definitive, for they cannot be associated with a specific date and time, it may still indicate a specific action by the user.

For instance, in the example of Figures 3 and 3a the decoded value can show a potential amount of information. First, it tells the name of the user profile – “Cpt. Krunch” – from which the .exe was executed. Cpt. Krunch could also indicate a handle or an alias of some sort. Second, by researching “p2ktools.exe”, it tells that it is a program used for editing and managing Motorola cell phones. Finally, it shows the user has the p2ktools folder in a parent directory called “Razor programs”, which is located on their desktop. Not only does this give the location of where similar programs may reside, but the name of this directory is a good indicator that the suspect has a Motorola Razor cell phone. If so, that too should be seized for further analysis.
It also seems the data you have is from an intentional feature to record data on MS? It seems that it's logging data? So essentially you can't stop that unless you figure out why it's logging. So you're not really cleaning up bad data there; while it seems nice that it might have been something "left behind", it wasn't.

[edit] After more research I've found that UserAssist seems to log user activity. For whatever reason, I don't particularly care. Either way it's a bad example as you don't ever get 400 lines by standard use.
Edited by mushroomboy - 7/27/11 at 8:44am
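The ROT-13 decoding the quoted forensics article describes is simple enough to do offline, and doing it yourself makes clear why "cleaning" UserAssist removes an activity record rather than junk. The following Python is an added example, not code from this thread or from the eptuners article. It decodes UserAssist value names from a constructed in-memory copy of the key (the subkey GUIDs are placeholders, not the real UserAssist GUIDs) and splits each decoded name into its type prefix and path. The `UEME_RUNPATH` / `UEME_RUNPIDL` / `UEME_CTLSESSION` prefixes and the `<prefix>:<path>` layout are assumed from the Windows XP-era key format, and the sample entries are built from the "Cpt. Krunch" / p2ktools / "Razor programs" example in the article; ROT-13 here rotates only the 26 ASCII letters, so digits, punctuation and backslashes pass through unchanged.

```python
"""Decode Windows UserAssist value names (ROT-13) into readable paths.

Added example, not the thread's or the quoted article's own code.
"""
import string
from collections import Counter

# Constructed sample of a UserAssist\{GUID}\Count subkey. The GUID is a
# placeholder; the value data is left as a dummy byte because its layout
# differs between Windows versions and is not needed to decode the names.
SAMPLE_USERASSIST = {
    "{PLACEHOLDER-GUID-0001}": {
        r"HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Pcg. Xehapu\Qrfxgbc\Enmbe cebtenzf\c2xgbbyf\c2xgbbyf.rkr": b"\x00",
        r"HRZR_EHACVQY:%pfvqy2%\Npprffbevrf\Abgrcnq.yax": b"\x00",
        "HRZR_PGYFRFFVBA": b"\x00",
    },
}

# ROT-13 rotates only A-Z and a-z; everything else maps to itself, which is
# why "p2ktools" keeps its "2" and path separators survive decoding.
_UPPER = string.ascii_uppercase
_LOWER = string.ascii_lowercase
_ROT13 = str.maketrans(
    _UPPER + _LOWER,
    _UPPER[13:] + _UPPER[:13] + _LOWER[13:] + _LOWER[:13],
)


def rot13(text: str) -> str:
    """Apply ROT-13. Rotating by 13 twice is a full 26, so the same function
    both encodes and decodes (codecs.decode(text, "rot_13") is equivalent)."""
    return text.translate(_ROT13)


def decode_entry(encoded_name: str) -> dict:
    """Decode one value name into its type prefix and path.

    Assumption: decoded names look like "<UEME_TYPE>:<path>" (XP-era layout);
    a name without a colon, such as UEME_CTLSESSION, carries no path.
    """
    decoded = rot13(encoded_name)
    prefix, sep, path = decoded.partition(":")
    return {"prefix": prefix, "path": path if sep else ""}


def decode_userassist(tree: dict) -> list:
    """Walk a {guid: {encoded_name: raw_data}} structure and decode each name."""
    entries = []
    for guid, values in tree.items():
        for encoded_name in values:
            entry = decode_entry(encoded_name)
            entry["guid"] = guid
            entry["encoded"] = encoded_name
            entries.append(entry)
    return entries


def summarize_by_prefix(entries: list) -> Counter:
    """Count entries per type prefix, e.g. how many RUNPATH (executed program)
    records versus RUNPIDL (shortcut) records the key holds."""
    return Counter(e["prefix"] for e in entries)


if __name__ == "__main__":
    decoded = decode_userassist(SAMPLE_USERASSIST)
    for e in decoded:
        print(f"{e['guid']}  {e['prefix']:<16} {e['path']}")
    print(dict(summarize_by_prefix(decoded)))
```

To run this against a live key instead of the constructed sample, the `tree` argument would be built by enumerating the GUID subkeys and their `Count` values with `winreg`; the decoding logic is unchanged. The per-prefix summary is the quick sanity check for the "400 lines" question raised in the thread: a key dominated by RUNPATH entries is an ordinary record of programs the user launched, not leftover data.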