Registry, Types of Hives , Tweaks in Windows using Registry

1. Registry Forensics Prepared By : SOMESH SAWHNEY MOMENTUM INFOCARE PVT. LTD.

6. How It Looks Like ? Top tier items are folders known as keys which, when expanded, display various second tier items, also known as keys. Additional third-tier keys may also be contained within second tier keys, etc In other words, just as Windows has folders and subfolders, the registry has keys and subkeys. Within those keys are values. To see the values a particular key contains, you first select (highlight) the key in the left pane, and the value(s) will appear in the right pane.

8. Backing up the Windows registry Microsoft Windows includes a new feature known as system restore . This great new feature enables a user to backup and restore their important system files from an earlier day. By default this feature automatically creates a backup of the system each day. If you wish to create a restore point of your system follow the below steps. Click Start, Programs, Accessories, System Tools, System Restore Select the option to Create a restore point Click next and follow the remainder steps.

9. Five primary data types in a Registry. Here are the five primary data types in a Registry. REG_SZ (string value) -- numbers and text REG_MULTI_SZ (string array value) -- numbers and text you can edit but not create REG_EXPAND_SZ (expanded string value) -- usually points to the location of files REG_BINARY (binary values) -- binary data REG_DWORD (DWORD values) -- a hexadecimal data type

10. How to disable USB storage devices from a computers in the network. Go to -: HKEY_LOCAL_MACHINEYSTEMurrentControlSetervicessbStortart And set its value to 3-(Enable) , 4 (Disable) It only works if the USB storage driver is already installed. If it has not yet been installed, Windows' plug & play subsystem automatically resets the Start value to 3 (Manual) when it installs USBSTOR after a USB storage device is plugged in for the first time.

11. Disable Internet Access (All Windows) Open your registry and find the key below. [HKEY_CURRENT_USERoftwareicrosoftindowsurrentVersionnternet Settings] Change the value of "ProxyEnable" and set it to "1". Change the value of "ProxyServer" and set it to an IP address and port that is invalid on your network such as "10.0.0.1:5555" (i.e. "IP:Port"). By changing these settings Internet access will be disabled for any applications that rely of the Microsoft proxy server information such as Internet Explorer, Microsoft Office, Opera browser. To stop users from modifying the proxy settings add these restrictions to disable changes to the Internet configuration. Find or create the key below: [HKEY_CURRENT_USERoftwareoliciesicrosoftnternet Explorerontrol Panel] Create two DWORD values named "Connection Settings" and "Connwiz Admin Lock" and set them both to "1". To remove the restriction, set the proxy settings back to their original values and delete the policy values.

12. Restrict Applications Users Can Run (All Windows) Open your registry and find the key [HKEY_CURRENT_USERoftwareicrosoftindowsurrentVersion oliciesxplorer] Create a new DWORD value and name it "RestrictRun" set the value to "1" to enable application restrictions or "0" to allow all applications to run. Then create a new sub-key called [HKEY_CURRENT_USERoftwareicrosoftindowsurrentVersion oliciesxplorerestrictRun] and define the applications that are allowed. Creating a new string value for each application, named as consecutive numbers, and setting the value to the filename to be allowed (e.g. "regedit.exe"). Restart Windows for the changes to take effect.

13. THANKS A LOT FOR YOUR CO-OPERATION