File Information
- Submitted: Aug 08 2012 10:01 PM
- Last Updated: Aug 29 2012 11:01 PM
- File Size: 2.21MB
- Views: 8615
- Downloads: 3697
- Approved by: amalux
- Approved on: 08 August 2012 - 11:03 PM
Download SetRegTime v1.0.0.5
Tags: registry, timestamp, forensic
This is a small utility providing only one feature: manipulating a registry key's timestamp (LastWriteTime). I could not find much information about this, and in some places it is claimed to not be possible. So I decided to make a Proof of Concept.
The LastWriteTime timestamps that every registry key has are similar to NTFS timestamps. They are 64-bit values in UTC, counted in 100-nanosecond intervals since 01 January 1601. No such timestamp exists for registry values, only for keys. The tool will let you set any timestamp within the whole 64-bit range. It takes immediate effect, as the key is flushed to disk instantly. Since it uses the native NT APIs in ntdll.dll, it does not work with user-friendly registry names like HKEY_LOCAL_MACHINE, HKCU etc. It will only take the Windows internal registry names, those starting with \Registry\...
Below is a listing of the most important translations:
- HKEY_LOCAL_MACHINE -> \registry\machine
- HKEY_USERS -> \registry\user
- HKEY_CURRENT_USER -> \registry\user\user_sid
- HKEY_CLASSES_ROOT -> \registry\machine\software\classes
- HKEY_CURRENT_CONFIG -> \Registry\Machine\System\CurrentControlSet\Hardware Profiles\Current
The user SID is the one that looks similar to this: S-1-5-21-2895024241-3518395705-1366494917-288
Syntax is:
SetRegTime.exe RegPath timestamp switch
- RegPath is a path similar to the ones listed above.
- Timestamp is in the format YYYY:MM:DD:HH:MM:SS:MSMSMS:NSNSNSNS
- Switch can be "-s" for recursive mode, or "-n" for a single key
Some real world command examples:
Reading a timestamp:
SetRegTime_x64.exe "\Registry\Machine\Software\test"
Writing a timestamp recursively:
SetRegTime_x64.exe "\Registry\Machine\Software" "1743:04:01:00:00:00:000:0000" -s
Writing timestamps on single keys:
SetRegTime_x64.exe "\Registry\Machine\System\mounteddevices" "1976:04:01:00:00:00:000:0000" -n
SetRegTime_x64.exe "\Registry\Machine\Security\policy\polacdms" "1944:12:24:00:00:00:000:0000" -n
Some screenshots (not reproduced here) lighten up this dry material. Notice how the modifications look in the output from RegRipper.
Now, usually you will not get access to the Security hive just like that, so instead we launch a process from the local SYSTEM account, which gives full access. A sample program for launching cmd from the SYSTEM account is included in the download for this app. Not very surprisingly, we can do almost anything when we are SYSTEM. Many keys are additionally protected by TrustedInstaller, which requires a little workaround: for instance, you can run the process with the privileges/token of TrustedInstaller. Have a look at my RunFromToken utility.
Setting timestamps way off, for instance outside the range of Unix time, may prevent certain tools from decoding the true timestamp. Other tools only decode timestamps correctly when they fall within a certain range, because they were written that way. In these cases, extreme timestamps like 1766 or 2387 may not be decoded or displayed.
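To make the timestamp representation and the decoding problem above concrete, here is an added example (my own code, not part of SetRegTime or this page). It decodes 64-bit FILETIME values (100 ns ticks since 1601-01-01 UTC, as described above), converts the SetRegTime string format YYYY:MM:DD:HH:MM:SS:MSMSMS:NSNSNSNS in both directions, translates user-friendly hive names to the \Registry\... form from the translation table, and flags LastWriteTime values that a triage analyst would want to look at twice (before the Unix epoch, before the install date, in the future, or beyond what a datetime can hold). The function names, the flag labels and the reading of the last string field as 100 ns ticks within the millisecond are my assumptions.

```python
"""
Added example, not part of SetRegTime or its download page.
Decode, plausibility-check and format registry key LastWriteTime values
(64-bit FILETIME, 100 ns ticks since 1601-01-01 UTC) and translate hive
names to \\Registry\\... paths. Names and flag labels are my own.
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000   # one FILETIME tick is 100 ns
TICKS_PER_MS = 10_000

# Hive prefixes from the page's translation table; HKCU needs the user's SID.
HIVE_TO_NT = {
    "HKEY_LOCAL_MACHINE": r"\Registry\Machine",
    "HKLM": r"\Registry\Machine",
    "HKEY_USERS": r"\Registry\User",
    "HKU": r"\Registry\User",
    "HKEY_CLASSES_ROOT": r"\Registry\Machine\Software\Classes",
    "HKCR": r"\Registry\Machine\Software\Classes",
    "HKEY_CURRENT_CONFIG": r"\Registry\Machine\System\CurrentControlSet\Hardware Profiles\Current",
    "HKCC": r"\Registry\Machine\System\CurrentControlSet\Hardware Profiles\Current",
}


def to_nt_path(path, user_sid=None):
    """Translate an HKLM\\... or HKCU\\... style path to the \\Registry\\... form."""
    if path.lower().startswith("\\registry\\"):
        return path                                   # already an NT path
    head, _, tail = path.partition("\\")
    hive = head.upper()
    if hive in ("HKEY_CURRENT_USER", "HKCU"):
        if not user_sid:
            raise ValueError("HKCU needs the user's SID (S-1-5-21-...)")
        root = r"\Registry\User" + "\\" + user_sid
    elif hive in HIVE_TO_NT:
        root = HIVE_TO_NT[hive]
    else:
        raise ValueError("unknown hive: " + head)
    return root + ("\\" + tail if tail else "")


def datetime_to_filetime(dt):
    """UTC datetime -> FILETIME tick count; dates before 1601 are not representable."""
    delta = dt - EPOCH_1601
    if delta < timedelta(0):
        raise ValueError("FILETIME cannot represent dates before 1601-01-01")
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ft):
    """FILETIME -> UTC datetime, or None when the value lies beyond year 9999."""
    if not 0 <= ft < 2 ** 63:
        raise ValueError("FILETIME must be a non-negative 63-bit value")
    try:
        return EPOCH_1601 + timedelta(microseconds=ft // 10)  # sub-microsecond part dropped
    except OverflowError:
        return None


def parse_setregtime(text):
    """'YYYY:MM:DD:HH:MM:SS:MSMSMS:NSNSNSNS' -> FILETIME (assumed: last field = 100 ns ticks)."""
    fields = text.split(":")
    if len(fields) != 8:
        raise ValueError("expected 8 colon-separated fields")
    year, month, day, hour, minute, second, ms, ticks = (int(f) for f in fields)
    if not (0 <= ms < 1000 and 0 <= ticks < TICKS_PER_MS):
        raise ValueError("millisecond or tick field out of range")
    base = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    return datetime_to_filetime(base) + ms * TICKS_PER_MS + ticks


def format_setregtime(ft):
    """FILETIME -> SetRegTime string; round-trips parse_setregtime()."""
    dt = filetime_to_datetime(ft)
    if dt is None:
        raise ValueError("timestamp beyond year 9999 cannot be formatted")
    sub = ft % TICKS_PER_SECOND
    return "%04d:%02d:%02d:%02d:%02d:%02d:%03d:%04d" % (
        dt.year, dt.month, dt.day, dt.hour, dt.minute, dt.second,
        sub // TICKS_PER_MS, sub % TICKS_PER_MS)


UNIX_EPOCH_FT = datetime_to_filetime(datetime(1970, 1, 1, tzinfo=timezone.utc))


def plausibility_flags(ft, install_time, reference_time):
    """Flags that make a LastWriteTime worth a second look in triage.
    install_time: when the OS/hive was installed (no key should predate it).
    reference_time: when the hive was collected (no key should postdate it).
    Extreme values that some tools refuse to decode are decoded and flagged here."""
    flags = []
    if ft == 0:
        flags.append("zero")
    dt = filetime_to_datetime(ft)
    if dt is None:
        return flags + ["beyond_year_9999"]
    if ft < UNIX_EPOCH_FT:
        flags.append("before_unix_epoch")
    if dt < install_time:
        flags.append("before_install")
    if dt > reference_time:
        flags.append("in_future")
    return flags


if __name__ == "__main__":
    # Constructed triage input using the timestamps from the page's own command examples.
    install = datetime(2012, 1, 1, tzinfo=timezone.utc)
    collected = datetime(2012, 8, 8, tzinfo=timezone.utc)
    sample = [
        ("\\Registry\\Machine\\Software", "1743:04:01:00:00:00:000:0000"),
        ("\\Registry\\Machine\\System\\mounteddevices", "1976:04:01:00:00:00:000:0000"),
        (to_nt_path("HKLM\\Software\\test"), "2012:03:15:10:30:00:250:1234"),
    ]
    for key, stamp in sample:
        ft = parse_setregtime(stamp)
        print(key, hex(ft), plausibility_flags(ft, install, collected) or "plausible")
```

The plausibility check is deliberately driven by two reference points the analyst supplies (install date and collection date) rather than by the tool's own clock, so that a key whose LastWriteTime was pushed to 1743 or into the far future shows up even when a viewer that only handles the Unix range would have displayed nothing.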
Which important native APIs (from ntdll.dll) are used?
- NtCreateKey
- NtOpenKey
- NtSetInformationKey
- NtFlushKey
- NtQueryKey
- NtEnumerateKey
Note:
When querying the current timestamp, the name of the key that is returned may be confusing in certain cases. Don't worry, it is just the system-internal name of the key as given by the configuration manager. That means that for \Registry\Machine\software you may get a name like this: CMI-CreateHive{199DAFC2-6F16-4946-BF90-5A3FC3A60902}
What's New in Version v1.0.0.5
- v1.0.0.5: Swapped NtCreateKey with NtOpenKey, plus some minor stuff.
- v1.0.0.4: Added recursive option.
- v1.0.0.3: Added support for querying existing timestamp.