RE: [Full-Disclosure] Re: Windows Registry Analzyer
>> No, it would be completely useless. In case you didn't realise, the
>> registry is not an ASCII text file, it's megabytes of unintelligible
>> binary gibberish.

> Since Windows 2000 regedit exports the registry in a Unicode LE
> text file. Not ASCII but quite intelligible text ;)

Yes, but win2k / winxp regedit can export both ASCII as well as UNICODE.

- aditya

Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] Re: Windows Registry Analzyer
Hello, Dave Korn!

> No, it would be completely useless. In case you didn't realise, the
> registry is not an ASCII text file, it's megabytes of unintelligible
> binary gibberish.

Since Windows 2000 regedit exports the registry in a Unicode LE text file. Not ASCII but quite intelligible text ;)

--
Best regards,
Raoul Nakhmanson-Kulish
Elfor Soft Ltd., IT Department
http://www.elforsoft.ru/
RE: [Full-Disclosure] Re: Windows Registry Analzyer
Does not Symantec have a tool in the SystemWorks package that does exactly what he asks, as well as the ability to roll back the reg?

Thanks,

Ron DuFresne

On Thu, 3 Mar 2005, Handy, Mark (IT) wrote:

> Surely you can simply export before and after your action and use
> windiff on the two files.
>
> Mark Handy
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Windisch
> Sent: 03 March 2005 21:48
> To: Dave Korn
> Cc: [email protected]
> Subject: Re: [Full-Disclosure] Re: Windows Registry Analzyer
>
> On Thu, 2005-03-03 at 19:39 +, Dave Korn wrote:
> > No, it would be completely useless. In case you didn't realise, the
> > registry is not an ASCII text file, it's megabytes of unintelligible
> > binary gibberish.
>
> The registry can be exported to ASCII text, edited, and re-imported.
> Have you ever opened a .reg file?
>
> --
> Eric Windisch <[EMAIL PROTECTED]>

--
"Sometimes you get the blues because your baby leaves you. Sometimes you get 'em 'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
RE: [Full-Disclosure] Re: Windows Registry Analzyer
Surely you can simply export before and after your action and use windiff on the two files.

Mark Handy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Windisch
Sent: 03 March 2005 21:48
To: Dave Korn
Cc: [email protected]
Subject: Re: [Full-Disclosure] Re: Windows Registry Analzyer

On Thu, 2005-03-03 at 19:39 +, Dave Korn wrote:
> No, it would be completely useless. In case you didn't realise, the
> registry is not an ASCII text file, it's megabytes of unintelligible
> binary gibberish.

The registry can be exported to ASCII text, edited, and re-imported.
Have you ever opened a .reg file?

--
Eric Windisch <[EMAIL PROTECTED]>

NOTICE: If received in error, please destroy and notify sender. Sender does not waive confidentiality or privilege, and use is prohibited.
Re: [Full-Disclosure] Re: Windows Registry Analzyer
On Thu, 2005-03-03 at 19:39 +, Dave Korn wrote:
> No, it would be completely useless. In case you didn't realise, the
> registry is not an ASCII text file, it's megabytes of unintelligible binary
> gibberish.

The registry can be exported to ASCII text, edited, and re-imported. Have you ever opened a .reg file?

--
Eric Windisch <[EMAIL PROTECTED]>
Re: [Full-Disclosure] Re: Windows Registry Analzyer
> No, it would be completely useless. In case you didn't realise, the
> registry is not an ASCII text file, it's megabytes of unintelligible
> binary gibberish.

True, but there are many programs (the Linux Registry Editor, for example) that can open it.

http://developer.berlios.de/projects/tlr-regedit

~Mike.
Re: [Full-Disclosure] Re: Windows Registry Analzyer
> Yes, absolutely. It's called "InCtrl5" and it is *exactly* what you both want.

Found it: http://publicdata.home.comcast.net/inctrl5.zip

Also note: this is Plugin #56 on BartPE (which would be quite useful for forensics -- you could boot the undisturbed system under BART, grab a snapshot, do (x), and grab a comparison snapshot again under BART -- thus avoiding all the other volatile crud that changes between Windows reboots).

~Mike.
[Full-Disclosure] Re: Windows Registry Analzyer
"Cassidy Macfarlane" wrote in message news:[EMAIL PROTECTED]
> You can, of course, use regmon (sysinternals.com) to monitor the
> registry 'live' while changes are being made, however it sounds like you
> want a product that would analyse the reg, then re-analyse after
> installation, and report on changes.
>
> This would indeed be a handy tool. Anyone know of anything better than
> regmon for this purpose?

Yes, absolutely. It's called "InCtrl5" and it is *exactly* what you both want.

You run it once, it snapshots the state of the registry, the entire contents of your HD, and the content of all the various text files such as autoexec.bat / win.ini / boot.ini / autoexec.nt (etc). Then it exits. You install whatever it is you wanted to install, then run it again; it takes another snapshot, then compares the two and makes you a nice report showing *every* change to your system - registry keys and values added, deleted or modified; files and directories added, deleted or modified; and any changes to those startup-script text files.

It needn't be an install. It'll tell you whatever differences there are between the before and after snapshots. What you do in between those two times is up to you. For instance it's quite interesting to take a snapshot, do a reboot, and run the comparison when the machine boots up again, to see how much volatile stuff gets changed every time you reboot windows. Or you can *un*install something, and by checking against the original installation report (or by snapshotting, installing, running, then uninstalling the app straight away before finally getting the comparison report) see if it's left any traces behind.

It's incredibly useful. You'll have to google for it though. It was originally given away by some PC magazine or other, but they've restricted access to their archives now. See what you can find.

cheers,
DaveK
--
Can't think of a witty .sigline today
[Full-Disclosure] Re: Windows Registry Analzyer
"Eric Windisch" wrote in message news:[EMAIL PROTECTED]
> Perhaps this is just the Unix user in me, but I ask:
> How about just making a copy of the registry on boot (or at intervals)
> and compare it to the last copy?
>
> Note that the following example is untested, but should be mostly
> accurate.

No, it would be completely useless. In case you didn't realise, the registry is not an ASCII text file, it's megabytes of unintelligible binary gibberish.

cheers,
DaveK
--
Can't think of a witty .sigline today
