Understanding the Windows registry. This follows on from the previous post, Software Assessment 1. What we did there was install the software under InstallWatch, which gave us a listing of every registry key and file that was added, deleted or modified. Now it is time to process that information. First, a word about the Windows registry. Basically the registry is a hierarchical database that holds settings for the operating system and the software installed on it. The five root keys shown in Regedit are:
- HKEY_CLASSES_ROOT
- HKEY_CURRENT_USER
- HKEY_LOCAL_MACHINE
- HKEY_USERS
- HKEY_CURRENT_CONFIG
I don't have a link for HKEY_USERS, but basically it holds one subkey per loaded user profile (named by the user's SID), plus .DEFAULT for the profile used before anyone logs on. So this information is nice and good, but how does it help? A typical software installation might produce about 10,000 registry changes. The proper thing would be to go through each one and confirm that the change does not affect the security of our machine, but in the real world there is not enough time. So I have broken the task down as follows:
HKEY_CLASSES_ROOT is not a separate store: it is a merged view of HKEY_LOCAL_MACHINE\Software\Classes and the current user's HKEY_USERS\<SID>\Software\Classes, and a change made through it actually lands in one of those two keys. Because we review HKLM\Software\Classes and HKEY_USERS separately anyway, we can drop every HKEY_CLASSES_ROOT entry from the InstallWatch output without losing anything. - So we will ignore all HKEY_CLASSES_ROOT changes.
Then I like to focus on these keys:
HKEY_LOCAL_MACHINE\HARDWARE\ - hardware detected at boot (this subtree is volatile and rebuilt at every start-up, so a change here does not persist, but it still tells you the installer touched hardware-level state)
HKEY_LOCAL_MACHINE\SAM\ - the local account database
HKEY_LOCAL_MACHINE\SECURITY\ - local security policy and secrets
HKEY_LOCAL_MACHINE\SYSTEM\ - system and service configuration (control sets, services, drivers, network parameters)
Changes in these keys can render the system inoperable or change its security posture, so every change made in the above areas should be reviewed. Note that SAM and SECURITY are not readable by administrators by default (only SYSTEM), so a snapshot tool running as an ordinary administrator will usually show nothing under them; an empty diff there is not proof that nothing changed.
The key to look out for is:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (and RunOnce) - programs listed here are started automatically at logon for every user. The per-user equivalent lives inside each profile as HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce, and a new subkey under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services means a new service or driver, which is another way to get code started at boot.
HKEY_CURRENT_CONFIG is basically the active hardware profile. I usually review these changes to see what is going on. An example of something to look for is HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ - this changes the TCP/IP parameters (see the reference on CurrentControlSet). CurrentControlSet is itself a link: it points at whichever ControlSet00N the HKLM\SYSTEM\Select key marks as current, so the same change can show up under both names in a diff.
It should be noted that the information in HKEY_CURRENT_CONFIG is the same as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current.
Our last two are HKEY_USERS and HKEY_CURRENT_USER. HKEY_CURRENT_USER is not separate data: it is a link to the logged-on user's own subkey in HKEY_USERS, that is HKEY_USERS\<SID>. To make things easier I would just review the changes made to HKEY_USERS to see if anything seems out of place, since that covers every loaded profile, the current user's included.
So basically you can now sort the information into two categories:
- HKEY_LOCAL_MACHINE\Software\Classes
- Everything else (except the HKEY_CLASSES_ROOT).
The HKLM\Software\Classes keys contain the file associations, COM classes and related information for the software you are installing. They usually do not affect the security of the machine, although they can affect compatibility, so I keep a log of them as a reference if a question arises.
If you want an in-depth analysis, check each key to make sure this program is not affecting another already-installed program. I find that by splitting the keys into these two categories we go from about 10,000 to review down to 30-40. Usually just by looking at a key it is easy to determine what it is doing, or use Google!
So how do we parse the big list? With the power of Excel, of course. I have an automated script that imports the output from InstallWatch and performs the following:
1. Ignore all HKEY_CLASSES_ROOT entries.
2. Log every HKEY_LOCAL_MACHINE\Software\Classes\*\*\ key truncated to 5 places (its first five path components); if another key change has the same 5-place prefix we ignore it.
3. Log anything else truncated to 5 places, *\*\*\*\*\, with the same rule: a later key with the same 5-place prefix is ignored.
4. Separate the entries from steps 2 and 3 into two different spreadsheets.
5. Review only the entries from step 3 to see whether any key changes affect the security of the system.
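The five steps above, plus the "keys to look out for" from earlier in the post (SAM, SECURITY, SYSTEM, HKEY_CURRENT_CONFIG, Run/RunOnce, Tcpip\Parameters, Services), as an added Python example that is not the author's Excel script and is not from InstallWatch. The input layout (one change per line, "action<TAB>key path") and the sample entries are constructed for the example, and the vendor names and the SID in them are placeholders. One detail the step list glosses over is handled here on purpose: the sensitive-key check runs on the full path before the 5-place truncation, because a prefix such as HKLM\Software\Microsoft\Windows\CurrentVersion would otherwise hide that the change was to ...\CurrentVersion\Run.

```python
"""Triage an InstallWatch-style list of registry changes into the post's two groups.

Added example; the input format below is an assumption, not InstallWatch's real export.
Steps: drop HKCR, collapse HKLM\\Software\\Classes to 5 places, collapse everything
else to 5 places, keep the two groups apart, flag the second group for manual review.
"""
import re

# Constructed sample in an assumed "<action><TAB><key path>" layout (not real tool output).
SAMPLE = "\n".join([
    "Added\tHKEY_CLASSES_ROOT\\.foo",
    "Added\tHKEY_CLASSES_ROOT\\foofile\\shell\\open\\command",
    "Added\tHKEY_LOCAL_MACHINE\\Software\\Classes\\.foo",
    "Added\tHKEY_LOCAL_MACHINE\\Software\\Classes\\foofile\\shell\\open\\command",
    "Added\tHKEY_LOCAL_MACHINE\\Software\\Classes\\foofile\\shell\\open",
    "Added\tHKEY_LOCAL_MACHINE\\Software\\Classes\\foofile\\DefaultIcon",
    "Added\tHKEY_LOCAL_MACHINE\\Software\\Vendor\\App\\Settings\\Paths",
    "Modified\tHKEY_LOCAL_MACHINE\\Software\\Vendor\\App\\Settings\\Window",
    "Modified\tHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "Modified\tHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters",
    "Added\tHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VendorSvc\\Parameters",
    "Added\tHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VendorSvc\\Security",
    "Added\tHKEY_USERS\\S-1-5-21-1000\\Software\\Vendor\\App",
    "Modified\tHKEY_USERS\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
])

PREFIX_DEPTH = 5  # the post's "5 places"
CLASSES_PREFIX = "hkey_local_machine\\software\\classes"

# Subtrees the post says to review in full (matched case-insensitively on the full path).
SENSITIVE_PREFIXES = [
    ("hkey_local_machine\\hardware", "hardware"),
    ("hkey_local_machine\\sam", "accounts (SAM)"),
    ("hkey_local_machine\\security", "security policy"),
    ("hkey_local_machine\\system", "system configuration"),
    ("hkey_current_config", "hardware profile"),
]
# Patterns that matter wherever they appear, under HKLM or inside a user hive in HKEY_USERS.
SENSITIVE_PATTERNS = [
    (re.compile(r"\\currentversion\\run(once)?(\\|$)"), "autostart (Run/RunOnce)"),
    (re.compile(r"\\services\\tcpip\\parameters(\\|$)"), "TCP/IP parameters"),
    (re.compile(r"\\currentcontrolset\\services\\"), "service configuration"),
]


def split_key(path):
    """Split a registry path into components, dropping empty parts from trailing slashes."""
    return [p for p in path.strip().split("\\") if p]


def prefix(path, depth=PREFIX_DEPTH):
    """Truncate a key path to its first `depth` components (the "5 places" rule)."""
    return "\\".join(split_key(path)[:depth])


def classify(path):
    """'ignore' for HKCR, 'classes' for HKLM\\Software\\Classes, 'other' for the rest."""
    low = path.lower()
    if low.startswith("hkey_classes_root"):
        return "ignore"
    if low == CLASSES_PREFIX or low.startswith(CLASSES_PREFIX + "\\"):
        return "classes"
    return "other"


def flags_for(path):
    """Reasons a change to the FULL path deserves a manual look (empty list if none)."""
    low = path.lower()
    reasons = [why for pre, why in SENSITIVE_PREFIXES if low == pre or low.startswith(pre + "\\")]
    reasons += [why for pat, why in SENSITIVE_PATTERNS if pat.search(low)]
    return reasons


def parse(text):
    """Yield (action, key_path) pairs from the assumed tab-separated export."""
    for line in text.splitlines():
        if line.strip():
            action, _, key = line.partition("\t")
            yield action.strip(), key.strip()


def triage(text):
    """Run the five steps; returns counts plus {5-place prefix: sorted flags} per group."""
    result = {"ignored": 0, "classes": {}, "other": {}}
    seen = {"classes": {}, "other": {}}  # lowercase prefix -> first spelling seen
    for _action, key in parse(text):
        group = classify(key)
        if group == "ignore":
            result["ignored"] += 1
            continue
        pre = prefix(key)
        display = seen[group].setdefault(pre.lower(), pre)  # key names are case-insensitive
        result[group].setdefault(display, set()).update(flags_for(key))
    for group in ("classes", "other"):
        result[group] = {k: sorted(v) for k, v in result[group].items()}
    return result


if __name__ == "__main__":
    report = triage(SAMPLE)
    print(f"ignored HKCR entries: {report['ignored']}")
    print(f"Software\\Classes prefixes (log only): {len(report['classes'])}")
    print("review list:")
    for pre, reasons in report["other"].items():
        print(f"  {pre}" + (" <-- " + ", ".join(reasons) if reasons else ""))
```

On the constructed sample the fourteen changes collapse to two ignored HKCR lines, three Software\Classes prefixes for the log, and six prefixes for review, of which the CurrentVersion, Tcpip, VendorSvc and per-user Run entries carry flags. Flags are merged per prefix, so a prefix that swallowed several sensitive changes still shows every reason.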
Is this perfect? Not always, but it lets us assess the software in a relatively short time frame when we just need an understanding of how it will affect our secure system. We also end up with log files we can go back and review if a problem arises.
Two good books on this subject are:
Mastering Windows XP Registry by Peter Hipson
Professional Windows Desktop and Server Hardening by Roger A. Grimes - this book has a companion website with downloadable files; one file to look at is the MasterTable file. Happy registry analyzing!