16 Nov 2012

List of "safe" values.

I have been studying the values that remain unchanged over time in a typical registry hive in order to populate the list of "safe" values to use with Regkeval.

When I reviewed the timestamps of the registry keys in Windows 7 and Windows XP I found basically the same behaviour, but with one significant difference. In Windows 7 there are between 60 and 70 thousand keys that keep the compilation date, 2009-07-14, as their timestamp for years.

I assume this must be the date of my localized version, as Wikipedia states (http://en.wikipedia.org/wiki/Windows_7 ):
Windows 7 RTM is build 7600.16385.090713-1255, which was compiled on July 13, 2009...

In Windows XP there are also between 60 and 70 thousand keys that remain unchanged over the years, but in this case the oldest timestamp is the moment of installation.

Only a few keys get a new timestamp each month; the only big jump occurs when the Microsoft Office suite is installed or updated, which re-timestamps 30 to 40 thousand keys.
I can say this because, once again, those keys remain unchanged over the following months.

What I have included in the list as trusted or safe values are all the values under these keys that remain unchanged from the initial installation. Furthermore, in the latest version of the tool, any value in this list that does not match the expected data is marked as suspicious.

In my experience there are around four hundred of these suspicious keys in the output, but they are caused by differences in version numbers. Because the expected value is shown in the timestamp column between square brackets, it is very easy to discard these warnings.

All this said, using the list provided you can expect about 33% of the output to be classified as "safe".
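To make the classification concrete, here is an added example (my own code, not Regkeval's) that applies the approach described above to a constructed registry snapshot: values present in the safe list with matching data are "safe", values in the list whose data differs are "suspicious" with the expected data shown in brackets next to the timestamp, and everything else is "unknown". It also derives safe-list candidates from keys whose last-write date is still the baseline date. All key paths, value names and data are made up for illustration.

```python
from datetime import date

# Constructed sample snapshot, as a hive export might list it:
# (key path, value name, data, key last-write date). Not real hive data.
REGISTRY_SNAPSHOT = [
    (r"HKLM\SOFTWARE\Example\App", "Version", "1.2.0", date(2009, 7, 14)),
    (r"HKLM\SOFTWARE\Example\App", "InstallDir", r"C:\Program Files\Example", date(2009, 7, 14)),
    (r"HKLM\SOFTWARE\Example\Updater", "Path", r"C:\Users\x\AppData\upd.exe", date(2012, 11, 2)),
    (r"HKLM\SOFTWARE\Example\Shell", "Handler", "handler.dll", date(2009, 7, 14)),
]

# Constructed "safe list": (key path, value name) -> expected data.
# The Version entry is deliberately stale so a version-number mismatch shows up.
SAFE_LIST = {
    (r"HKLM\SOFTWARE\Example\App", "Version"): "1.1.0",
    (r"HKLM\SOFTWARE\Example\App", "InstallDir"): r"C:\Program Files\Example",
    (r"HKLM\SOFTWARE\Example\Shell", "Handler"): "handler.dll",
}

BASELINE_DATE = date(2009, 7, 14)  # Windows 7 RTM compile date quoted in the post


def classify(entries, safe_list):
    """Return rows of (path, name, data, timestamp column, verdict)."""
    rows = []
    for path, name, data, ts in entries:
        expected = safe_list.get((path, name))
        if expected is None:
            rows.append((path, name, data, ts.isoformat(), "unknown"))
        elif expected == data:
            rows.append((path, name, data, ts.isoformat(), "safe"))
        else:
            # Mismatch: put the expected data in brackets beside the timestamp
            # so the analyst can discard version-number drift at a glance.
            rows.append((path, name, data, f"{ts.isoformat()} [{expected}]", "suspicious"))
    return rows


def safe_ratio(rows):
    """Fraction of the output classified as safe (the post reports about 33%)."""
    return sum(1 for r in rows if r[4] == "safe") / len(rows)


def safe_list_candidates(entries, baseline=BASELINE_DATE):
    """Values under keys still carrying the baseline date: candidates for the safe list."""
    return {(p, n): d for p, n, d, ts in entries if ts == baseline}
```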

Now it is up to you to add more values, based on the configuration of your environment or simply from well-known software installations, until you have a list that saves you time.

And remember that this evaluation, based only on the names of the values, is intended as no more than a very first impression of what might be happening on the system.

If you want to give it a try: http://code.google.com/p/regkeval/
