File Information

  • Submitted: Aug 08 2012 10:01 PM
  • Last Updated: Aug 29 2012 11:01 PM
  • File Size: 2.21MB
  • Views: 8615
  • Downloads: 3666
  • Approved by: amalux
  • Approved on: 08 August 2012 - 11:03 PM

Download SetRegTime v1.0.0.5

Tags: registry, timestamp, forensic

This is a small utility providing only one feature: manipulating a registry key's timestamp (LastWriteTime). I could not find much information about this, and in some places it is claimed not to be possible, so I decided to make a proof of concept.

The LastWriteTime timestamp that every registry key has is similar to NTFS timestamps: a 64-bit value in UTC, counted in 100-nanosecond intervals since 01 January 1601. No such timestamp exists for registry values, only for keys. The tool lets you set any timestamp within the whole 64-bit range. It takes effect immediately, as the key is flushed to disk instantly. Since it uses the native NT APIs in ntdll.dll, it does not work with the user-friendly registry names like HKEY_LOCAL_MACHINE, HKCU etc. It will only accept the Windows internal registry names, those starting with \Registry\...

Below is a listing of the most important translations:
HKEY_LOCAL_MACHINE     \registry\machine
HKEY_USERS             \registry\user
HKEY_CURRENT_USER      \registry\user\user_sid
HKEY_CLASSES_ROOT      \registry\machine\software\classes
HKEY_CURRENT_CONFIG    \Registry\Machine\System\CurrentControlSet\Hardware Profiles\Current

The user SID is one similar to this: S-1-5-21-2895024241-3518395705-1366494917-288

Syntax is:
SetRegTime.exe RegPath timestamp switch
- RegPath is a path similar to the ones listed above.
- Timestamp is in the format YYYY:MM:DD:HH:MM:SS:MSMSMS:NSNSNSNS
- Switch can be "-s" for recursive mode, or "-n" for a single key

Some real world command examples:
Reading timestamp:
SetRegTime_x64.exe "\Registry\Machine\Software\test"

Writing timestamp recursively:
SetRegTime_x64.exe "\Registry\Machine\Software" "1743:04:01:00:00:00:000:0000" -s

Writing timestamps on single keys:
SetRegTime_x64.exe "\Registry\Machine\System\mounteddevices" "1976:04:01:00:00:00:000:0000" -n
SetRegTime_x64.exe "\Registry\Machine\Security\policy\polacdms" "1944:12:24:00:00:00:000:0000" -n

Some images to lighten up this dry material:
[Screenshots: the tool's output and the corresponding RegRipper output; images not preserved]

Notice how the modifications appear in the output from RegRipper.


Usually you will not get access to the Security hive just like that, so instead we launch a process from the Local System account, which then has full access. A sample program for launching cmd from the SYSTEM account is included in the download for this app. Not very surprising that we can do almost anything when we are SYSTEM. Many keys are also protected by TrustedInstaller, which requires a little workaround: for instance, run the process with the privileges/token of TrustedInstaller. Have a look at my RunFromToken utility.

Setting the timestamps way off, for instance outside the range of Unix time, may prevent certain tools from decoding the true timestamp. Other tools may only decode timestamps correctly when they fall within a certain range, because they were coded that way. In these cases, extreme timestamps like 1766 or 2387 may not be decoded or displayed.
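For the analyst on the receiving end, here is an added Python example (not part of SetRegTime or this post) that decodes a raw LastWriteTime across the full 64-bit range instead of failing on extreme values, and flags the cases described above: values that predate the install date, lie after the acquisition time, or fall outside the 32-bit Unix time window some tools assume. The install date and acquisition time are assumed inputs the analyst supplies.

```python
from datetime import datetime, timedelta, timezone

# LastWriteTime as described above: an unsigned 64-bit count of 100 ns
# intervals since 01 January 1601 UTC (same layout as NTFS timestamps).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# Signed 32-bit Unix time window; some decoders only handle values inside it.
UNIX32_MIN = datetime(1970, 1, 1, tzinfo=timezone.utc)
UNIX32_MAX = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    """Decode a raw LastWriteTime. Returns None instead of raising when the
    value lies beyond year 9999 (Python's datetime limit), so a deliberately
    extreme timestamp cannot abort the parse."""
    if not 0 <= ticks < 2 ** 64:
        raise ValueError("LastWriteTime must be an unsigned 64-bit value")
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        return None

def datetime_to_filetime(dt):
    """Encode a UTC datetime as 100 ns ticks since 1601-01-01."""
    delta = dt - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10

def assess_last_write(ticks, install_time, acquired_at):
    """Triage one key's LastWriteTime and return a list of findings.

    install_time: earliest write the hive could legitimately hold (e.g. the
    OS install date); acquired_at: when the hive was collected. Both are
    assumed to be supplied by the analyst as UTC datetimes."""
    dt = filetime_to_datetime(ticks)
    if dt is None:
        return ["undecodable: beyond year 9999, expect parsers to fail or mis-render"]
    findings = []
    if dt < install_time:
        findings.append("predates installation")
    if dt > acquired_at:
        findings.append("later than acquisition time")
    if not UNIX32_MIN <= dt <= UNIX32_MAX:
        findings.append("outside 32-bit Unix range; some tools will not decode it")
    return findings
```

Feed it the raw 64-bit value read from the hive (for example the one NtQueryKey returns) together with the system's install date and imaging time; an empty list means the timestamp is at least plausible.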

Which important native APIs are used?
  • NtCreateKey
  • NtOpenKey
  • NtSetInformationKey
  • NtFlushKey
  • NtQueryKey
  • NtEnumerateKey
This was tested on Windows 7 SP1 x64, but I really don't see any reason why it should not work on earlier Windows versions.

Note:
When querying the current timestamp, you may in certain cases be confused by the name of the key returned. Don't worry: it is just the system-internal name of the key, as given by the configuration manager. That means for \Registry\Machine\software you may get a name like this: CMI-CreateHive{199DAFC2-6F16-4946-BF90-5A3FC3A60902}

What's New in Version v1.0.0.5

  • v1.0.0.5: Swapped NtCreateKey with NtOpenKey, plus some minor stuff.
  • v1.0.0.4: Added recursive option.
  • v1.0.0.3: Added support for querying existing timestamp.