9. System Boot autostart programs:
NTUSER.DAT:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
Software hive:
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Software\Microsoft\Windows\CurrentVersion\Run
System Hive:
SYSTEM\CurrentControlSet\Services (each service's Start value has one of the following meanings)
0x0 (Hexadecimal) or 0 (Decimal): Boot start - The service starts during the system boot process.
0x1 (Hexadecimal) or 1 (Decimal): System start - The service starts during the system initialization.
0x2 (Hexadecimal) or 2 (Decimal): Automatic start - The service starts automatically when the system starts.
0x3 (Hexadecimal) or 3 (Decimal): Manual start - The service must be started manually by the user or another program.
0x4 (Hexadecimal) or 4 (Decimal): Disabled - The service is disabled and cannot be started.
Key usefulness:
Determine programs that will start automatically
Useful to find malware on a machine that installs on boot such as a rootkit
Look at the key's last-write time; generally this corresponds to the last boot time of the system
10. Shutdown information:
Discover when the system was last shut down
Discover how many successful times the system was shut down
System hive:
SYSTEM\CurrentControlSet\Control\Windows (Shutdown Time)
SYSTEM\CurrentControlSet\Control\Watchdog\Display (Shutdown Count)
CMD:
reg query HKLM\SYSTEM\CurrentControlSet\Control\Windows
Notice that the shutdown time is displayed in hex. It is stored as a Windows 64-bit timestamp. Luckily, we can use Decode Date on the desktop: enter the hex value and press Decode, and it will tell us the date that is stored at that location.
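To decode these values offline instead of pasting them into a desktop tool, here is an added Python example (not from the original post) that parses `reg query` output: it decodes the REG_BINARY ShutdownTime as a little-endian 64-bit FILETIME and maps a service's Start value to the meanings listed in section 9. The `reg query` text and the service name ExampleSvc are constructed samples, not a real capture.

```python
"""Decode ShutdownTime (64-bit FILETIME) and service Start values from `reg query` output."""
import re
from datetime import datetime, timedelta, timezone

# A FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Meanings of SYSTEM\CurrentControlSet\Services\<name>\Start (see section 9).
START_TYPES = {0: "Boot start", 1: "System start", 2: "Automatic start",
               3: "Manual start", 4: "Disabled"}

# Constructed sample of `reg query` output (not a real capture). REG_BINARY is
# printed byte by byte, and the FILETIME is little-endian, so the bytes are
# reversed before being read as an integer.
SAMPLE_REG_QUERY = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Windows
    ShutdownTime    REG_BINARY    00C41952CC28D901

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    C:\\Example\\svc.exe
"""

def filetime_to_datetime(hex_value: str) -> datetime:
    """Convert 16 hex digits (little-endian FILETIME, as reg query prints it) to a UTC datetime."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    ticks = int.from_bytes(raw, "little")
    # timedelta has microsecond resolution, so the 100 ns remainder is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_shutdown_time(reg_output: str) -> datetime:
    """Find the ShutdownTime value in reg query output and decode it."""
    m = re.search(r"ShutdownTime\s+REG_BINARY\s+([0-9A-Fa-f]{16})", reg_output)
    if m is None:
        raise ValueError("ShutdownTime not found in reg query output")
    return filetime_to_datetime(m.group(1))

def parse_service_starts(reg_output: str) -> dict:
    """Map each service key in reg query output to the meaning of its Start value."""
    result, current = {}, None
    for line in reg_output.splitlines():
        key = re.match(r"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\(\S+)", line)
        if key:
            current = key.group(1)
            continue
        val = re.match(r"\s+Start\s+REG_DWORD\s+0x([0-9A-Fa-f]+)", line)
        if val and current:
            code = int(val.group(1), 16)
            result[current] = START_TYPES.get(code, f"Unknown ({code})")
    return result

if __name__ == "__main__":
    print("Last shutdown (UTC):", parse_shutdown_time(SAMPLE_REG_QUERY))
    print("Service start types:", parse_service_starts(SAMPLE_REG_QUERY))
```

On a live system, feed it the output of `reg query HKLM\SYSTEM\CurrentControlSet\Control\Windows` and `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` instead of the sample.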
Akash Patel