I think those listed in Autoruns: http://www.microsoft.com/technet/sysinternals/utilities/autoruns.mspx
are quite complete.

Rgds.
Martin

Michael Starks wrote:
> This should get you started (watch for wrapping):
>
> Null Sessions: System\CurrentControlSet\Services\LanmanServer\Parameters\NullSession
> LSA: System\CurrentControlSet\Control\Lsa
> Run: Software\Microsoft\Windows\CurrentVersion\Run
> RunOnce: Software\Microsoft\Windows\CurrentVersion\RunOnce
> RunOnceEx: Software\Microsoft\Windows\CurrentVersion\RunOnceEx
> RunServices: Software\Microsoft\Windows\CurrentVersion\RunServices
> Services: System\CurrentControlSet\Services
> Known DLLs: System\CurrentControlSet\Control\Session Manager\KnownDLLs
> Remote Access: System\CurrentControlSet\Control\SecurePipeServers\winreg
> SessionManager-BootExecute: System\CurrentControlSet\Control\SessionManager\BootExecute
> Windows Appinit_DLLs: Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
> Winlogon AutoAdminLogon: Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon
> Winlogon DefaultPassword: Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword
> Winlogon-Shell: Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
>
> There are some locations for Windows Certificate Server stuff I have
> somewhere. I'll try to get those to you, as well.
>
> Disclaimer: Most of the items on this list were taken from the config of
> a popular commercial HID. It's just registry locations, so I can't see
> how this would be a violation of any copyrights.
>
> Daniel Cid wrote:
>>
>> Hello everyone,
>>
>> I just completed adding support for monitoring the Windows registry on
>> ossec. It seems to be fairly stable right now and hopefully a beta
>> version will be available soon (lots of tests will be required).
>>
>> The configuration will have the following options available (inside
>> the syscheck area):
>>
>> <windows_registry>HKEY_LOCAL_MACHINE,HKEY_LOCAL_MACHINE\Software,HKEY_USERS\Example</windows_registry>
>> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft</registry_ignore>
>>
>> Where the first option is a list (comma separated) of registry entries
>> to monitor and the second is a list of entries to ignore.
>>
>> A question now for you guys (Windows users):
>>
>> - Which registry entries should we monitor by default?
>>
>> I was thinking of everything at HKEY_LOCAL_MACHINE\SYSTEM,
>> HKEY_LOCAL_MACHINE\SECURITY and HKEY_LOCAL_MACHINE\SAM.
>>
>> Is there anything else worth checking too? Please let me know your
>> comments...
>>
>> *btw, next version (1.0) is coming soon...
>>
>> Thanks,
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
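Putting the two halves of the thread together, here is an added example of what the syscheck section could look like once Daniel's `windows_registry` / `registry_ignore` options are combined with Michael's list of persistence keys. This is illustrative configuration written for this thread, not a fragment shipped with OSSEC. It assumes that Michael's paths (given without a hive) live under HKEY_LOCAL_MACHINE, and that the element may be repeated to keep related keys grouped; the `registry_ignore` entry is a constructed example of a key that changes routinely (DHCP lease data), chosen so that the ignore list does not swallow any of the keys being watched.

```xml
<ossec_config>
  <syscheck>
    <!-- Added example for the OSSEC registry-monitoring thread; not project code. -->

    <!-- Daniel's proposed defaults: the SYSTEM, SECURITY and SAM hives. -->
    <windows_registry>HKEY_LOCAL_MACHINE\SYSTEM,HKEY_LOCAL_MACHINE\SECURITY,HKEY_LOCAL_MACHINE\SAM</windows_registry>

    <!-- Startup and autorun keys from Michael's list (hive prefix assumed). -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce,HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx,HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices</windows_registry>

    <!-- Winlogon and AppInit_DLLs: code loaded or credentials used at logon. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon,HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs</windows_registry>

    <!-- Remote registry access and null-session policy (already inside the
         SYSTEM hive above; listed again only so the intent is explicit). -->
    <windows_registry>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSession</windows_registry>

    <!-- Constructed ignore entry: a subtree that changes on every DHCP renewal.
         Note that Daniel's example ignore (HKEY_LOCAL_MACHINE\Software\Microsoft)
         would also hide every Run/Winlogon key above, so ignores must be narrower
         than the keys you want reported. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces</registry_ignore>
  </syscheck>
</ossec_config>
```

The point of grouping the keys this way is that an ignore entry is matched as a prefix of the key path, so the check to make before deploying is that no `registry_ignore` value is a prefix of any `windows_registry` value you actually care about.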