RegistryMonitor


RegMon, shown in Figure A-2, is a real-time registry monitor that displays the names of the applications accessing the registry, the keys that are being accessed, and the data that is being read and written.

image from book
Figure A-2

RegMon catches all registry activity taking place on a host machine. On Windows NT, 2000, and XP, RegMon loads a device driver that uses kernel system call table hooking to intercept and augment registry system services.

On a Windows .NET Server, RegMon takes advantage of the newer operating system registry callback mechanism to register for and receive information about registry accesses as they occur.

When RegMon sees an open, create, or close call, it updates an internal hash table that serves as the mapping between key handles and registry path names. Whenever it sees handle-based calls, it looks up the handle in the hash table to obtain the full name for display. If a handle-based access references a key that was opened before RegMon was started, RegMon will fail to find the mapping and will simply present the key’s value instead.

All monitored registry information is dumped into an ASCII buffer and periodically transferred to the main Registry Monitor window. Simply execute the Registry Monitor program file (regmon.exe) and RegMon will immediately begin capturing registry traffic.

Menu items and toolbar buttons can be used to toggle on and off monitoring, disable event capturing, control the scrolling of the main window, and save the contents of the main window to an ASCII file.

Use the Filter dialog, which is accessed through a toolbar button or the Options image from book Filter/Highlight menu selection, to select what data will be displayed. The ‘*’ wildcard matches arbitrary strings, and the filters are case insensitive. Only matches that are shown in the include filter, but not excluded with the exclude filter, are displayed. Use ‘;’ to separate multiple strings in a filter (e.g., “regmon;software”).

For example, if the include filter is “HKLM” and the exclude filter is “HKLM\Software” all references to keys and values under HKLM, except to those under HKLM\Software, will be monitored.

Wildcards allow for complex pattern matching, making it possible, for example, to match specific registry accesses by specific applications. The include filter “Winword*Windows” would have RegMon only show accesses by Microsoft Word to keys and values that include the word “Windows.”

Use the Highlight Filter option to specify the output that you want highlighted. Select highlighting colors with Options image from book Highlight Colors.

RegMon can either timestamp events or show the time elapsed from the last time you cleared the output window (or since you started RegMon). The Options menu and the clock toolbar button enable you to toggle between the two modes. The button on the toolbar shows the current mode with a clock or a stopwatch. When showing duration, the Time field in the output shows the number of seconds it took for the underlying file system to service particular requests.

To edit a registry key or value shown in RegMon’s output, simply double-click the key or value (or use the Regedit toolbar button or the Edit image from book Regedit Jump menu option) and RegMon will open the registry editor and index that specific key or value.

If you stop scrolling, select an entry from the process of interest, right-click the entry, and select Include Process, RegMon will only show registry traffic initiated by that process. This is a great way to find out what your process, or a process under investigation, is doing.




Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net