The Windows Registry is like an underground maze: whenever we feel we have learned something about it, we find that it hides yet another maze. We have plenty of tools for modifying the registry, but they only come into play after software has already changed it. How can we find out when the registry is being changed? Many anti-virus programs ignore registry protection, and the registry is therefore a frequent breeding ground for Trojans.
The registry is a huge database, and most of us understand it only statically. It is far more useful to understand how its data changes dynamically, because almost all software modifies the registry during installation and operation, and some of those changes can be harmful, for example the auto-start entries added by a Trojan. By monitoring the registry you can observe these changes as they happen, and by analyzing them you can learn more of the registry's secrets. The following three registry-monitoring examples show how.
The secret of Super Rabbit
Many people like to use Super Rabbit to tweak system options, and it is genuinely convenient. But those who like to get to the bottom of things may wonder: which registry data does Super Rabbit actually modify, and how did the software's authors find it? These are Super Rabbit's secrets. Ordinarily they would be hard to discover, but by monitoring the registry with Regmon you can find them very easily.
Regmon
Step 1: Run Regmon and open "Options → Filter/Highlight" from the menu. Set filter conditions so that Regmon only displays the registry data modified by Super Rabbit: enter the file name of the Super Rabbit Magic Settings executable, srms.exe, in the Include box (see figure 1), and tick only "Log Writes" and "Log Successes". Clearing all other monitoring options greatly reduces useless monitoring data and improves analysis efficiency.
Step 2: Click "OK". Regmon asks "Do you want to apply the updated filtering settings to the current output?"; click "Yes" to return to the main window, then press the "Ctrl + X" shortcut to clear the monitoring data currently displayed.
Step 3: Run Super Rabbit and open "Desktop and Icons → Icon Options".
Example: analyzing "Do not use thumbnail acceleration"
Here we analyze how the "Do not use thumbnail acceleration" option modifies the registry. Tick this option, click "Apply", and switch to Regmon. 13 records appear in the window. This is a design quirk of Super Rabbit: even if you change only one option on a page, it rewrites the registry data for every option on that page, so a lot of data is generated.
How do we determine which record corresponds to our option? Simply untick "Do not use thumbnail acceleration", click "Apply" once more, and return to Regmon. 13 more records appear. Carefully comparing the "Other" column of the first 13 records with that of the last 13, we find that only two records differ in their data (see figure 2).
The "Path" column of those two records points to the same registry value: "DisableThumbnailCache" under the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. From this we can conclude that a value of "1" disables thumbnail acceleration and a value of "0" allows it.
Tips
Using Regmon's dynamic registry monitoring, you can also monitor time-limited shareware to find the registry value that records its usage time, and modify that value to extend its service life.
What have they done?
The size of the registry is closely related to system speed, so you may not want software to write data into the registry during installation. How can we know exactly which changes a piece of software has made to the registry? Either of the following two methods will do.
1. FC command
This requires two exports of the registry, taken before and after the installation and saved as plain text files (for example Before.txt and After.txt; do not use the REG extension). Open the MS-DOS command window, change to the directory containing the two text files, and run:
FC Before.txt After.txt > Diff.txt
Close the DOS window and open Diff.txt in Notepad. Every difference found between the two registry exports is listed there.
2. RegShot
Regshot makes this information easy to obtain. It takes two snapshots of the registry, one before and one after the software installation, analyzes them to find the registry data that changed, and outputs the comparison as a readable report file.
Software note: Regshot is a multi-language program. After starting it, select "Chinese GB" in the language drop-down box in the lower right corner to switch to the simplified Chinese interface.
Example: capturing everything UltraISO does to the registry
Step 1: Run Regshot and set the report output format and path. The software offers two formats, "TXT document" and "HTML document". Click the first "Shot" button and choose "Shot" from its drop-down menu. Regshot then automatically takes a snapshot of the system registry (see figure 3). When the scan is complete, the first "Shot" button turns gray.
Step 2: Install the software to be analyzed, here UltraISO. After the installation, switch back to the Regshot window, click the second "Shot" button and choose "Shot" to take the second registry snapshot. When the scan is complete, click "Compare". Regshot compares the two snapshots and automatically opens the generated report file.
Step 3: The report lists the changes made to the registry during the UltraISO installation: the keys added, the values added, and the values modified.
Tips
Some uninstallers cannot completely remove all the data their software added to the registry. In that case you can manually clear the leftover registry data based on the report generated by Regshot, slimming down the registry.
Catching "moles" in the registry
Some software silently adds auto-start entries after installation without telling the user, and Trojan programs secretly plant their own auto-start entries in the system. Such "actions" are hard to see directly. However, the well-known Trojan scanner The Cleaner ships with a separate real-time registry monitoring tool, TCMonitor. With it we can make sure the registry is not modified illegitimately.
TCMonitor
Software note: The Cleaner itself is shareware, but its component TCMonitor is completely free. You do, however, have to extract it by hand: copy only tcm.exe and the alarm sound file siren.wav out of the C:\Program Files\The Cleaner directory.
Step 1: Run tcm.exe. A prompt box first asks whether to fix file-association data and disable script execution. Select both options, tick "Please do not ask me again" so that the prompt does not appear next time, and click "OK". TCMonitor then minimizes itself to the system tray and runs in the background.
Step 2: Double-click the tray icon to open the main window. The list shows the registry keys TCMonitor is monitoring. These hold important system data and are also the places viruses and Trojans most readily intrude on and modify. Once you have looked them over, close the window and let TCMonitor keep working in the background.
Step 3: When a program, virus or Trojan modifies a monitored value, TCMonitor immediately sounds an alarm and displays a prompt dialog showing the modified key (see figure 4). If you are sure the modification is harmless, click "Ignore this alarm and accept the changes" to dismiss the alarm and accept the change.
If you are not sure, click "Examine or edit the changed data". In a new window TCMonitor shows the data before the modification (Expected data) and after it (Actual data) (see figure 5), so you can easily judge whether the change is legitimate. Click "Reset Alarm" to cancel the alarm, or "Launch Editor" to open the modified key directly in the Registry Editor, where you can correct the changed data by hand.
Tips
In TCMonitor you can manually edit the list of registry data to be monitored. For example, by adding the IE-related data you get an immediate warning whenever a malicious web page tries to modify IE. In the TCMonitor main window, click "Edit → Edit Watch Data", select the "Registry Watch" option, choose the root key "HKLM" to be monitored on the right, fill in the key "\SOFTWARE\Microsoft\Internet Explorer\Main", click "Add" to add it to the list, and click "Save" to save it to disk. TCMonitor can also monitor files and folders, but those functions are not covered here.
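The two ideas behind the tools above, snapshotting a registry subtree and diffing the snapshots (Regshot and the FC command) and watching a key in real time and showing expected versus actual data (TCMonitor), can be reproduced with a short PowerShell script. The following is an added example written for this article; it is not code from Regshot, The Cleaner or the original author. It assumes Windows PowerShell 5.1 or later on Windows. The before/after snapshots used in the demonstration at the end are constructed sample data, and the HKLM Run key is used only as the demonstration path for the watcher.

```powershell
# Added example (not from the original article): registry snapshot diff in the
# style of Regshot/FC, plus a change watcher in the style of TCMonitor.
# Assumes Windows PowerShell 5.1+ on Windows.

# Read every value under a key (optionally including subkeys) into a flat table
# of "HKEY_...\Key\ValueName" -> data. Values are read unexpanded so REG_EXPAND_SZ
# data is compared as stored, not as resolved on this machine.
function Get-RegistrySnapshot {
    param([Parameter(Mandatory)][string]$Path, [switch]$Recurse)
    $snapshot = @{}
    $keys = @(Get-Item -Path $Path -ErrorAction Stop)
    if ($Recurse) { $keys += Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue }
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $label = if ($name -eq '') { '(Default)' } else { $name }
            $snapshot["$($key.Name)\$label"] = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        }
    }
    return $snapshot
}

# Normalize data for comparison: REG_MULTI_SZ and REG_BINARY come back as arrays.
function Format-RegistryValue($Value) {
    if ($null -eq $Value) { return '<missing>' }
    if ($Value -is [System.Array]) { return ($Value -join ',') }
    return [string]$Value
}

# Diff two snapshots: added, removed and modified values, with the old data as
# "Expected" and the new data as "Actual", like TCMonitor's examine window.
function Compare-RegistrySnapshot {
    param([Parameter(Mandatory)][hashtable]$Before, [Parameter(Mandatory)][hashtable]$After)
    $changes = @()
    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Change = 'Added'; Path = $k; Expected = $null; Actual = $After[$k] }
        } elseif ((Format-RegistryValue $Before[$k]) -ne (Format-RegistryValue $After[$k])) {
            $changes += [pscustomobject]@{ Change = 'Modified'; Path = $k; Expected = $Before[$k]; Actual = $After[$k] }
        }
    }
    foreach ($k in $Before.Keys) {
        if (-not $After.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Change = 'Removed'; Path = $k; Expected = $Before[$k]; Actual = $null }
        }
    }
    return $changes | Sort-Object Change, Path
}

# Watch one key with the WMI registry event provider (root/default namespace) and
# report each change as expected vs. actual data. The provider supports HKLM, HKU,
# HKCR and HKCC but not HKEY_CURRENT_USER; use HKEY_USERS\<SID> for a user hive.
# Runs until Ctrl+C; each reported change is then "accepted" as the new baseline.
function Start-RegistryKeyWatch {
    param([string]$Hive = 'HKEY_LOCAL_MACHINE',
          [string]$KeyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    $psPath   = "Registry::$Hive\$KeyPath"
    $expected = Get-RegistrySnapshot -Path $psPath
    # WQL needs backslashes doubled; String.Replace is literal, unlike -replace.
    $wql = "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='$Hive' AND KeyPath='$($KeyPath.Replace('\','\\'))'"
    Register-CimIndicationEvent -Namespace 'root/default' -Query $wql -SourceIdentifier 'RegWatch'
    try {
        Write-Host "Watching $Hive\$KeyPath (Ctrl+C to stop)"
        while ($true) {
            $evt = Wait-Event -SourceIdentifier 'RegWatch' -Timeout 5
            if ($null -eq $evt) { continue }
            Remove-Event -EventIdentifier $evt.EventIdentifier
            $actual = Get-RegistrySnapshot -Path $psPath
            foreach ($c in (Compare-RegistrySnapshot -Before $expected -After $actual)) {
                Write-Host ("[{0}] {1} {2}`n  Expected: {3}`n  Actual:   {4}" -f (Get-Date -Format s), $c.Change, $c.Path,
                    (Format-RegistryValue $c.Expected), (Format-RegistryValue $c.Actual))
            }
            $expected = $actual
        }
    } finally {
        Unregister-Event -SourceIdentifier 'RegWatch' -ErrorAction SilentlyContinue
    }
}

# Demonstration on constructed sample snapshots (no live registry access needed):
# one value flipped, as in the Super Rabbit analysis, and one auto-start entry added.
$before = @{
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DisableThumbnailCache' = 0
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive' = '"C:\Users\Demo\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'
}
$after = $before.Clone()
$after['HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DisableThumbnailCache'] = 1
$after['HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Updater'] = 'C:\Users\Public\updater.exe'   # constructed sample entry
Compare-RegistrySnapshot -Before $before -After $after | Format-Table -AutoSize -Wrap

# Live use: Get-RegistrySnapshot -Path 'HKLM:\SOFTWARE' -Recurse before and after an
# installation, then Compare-RegistrySnapshot; or Start-RegistryKeyWatch for the Run key.
```

For the Regshot-style workflow, take one snapshot with Get-RegistrySnapshot -Recurse before installing the software and one after, and feed both to Compare-RegistrySnapshot; exporting the two hashtables with Export-Clixml lets you keep them like Regshot's saved shots. The watcher re-reads the key on every event rather than trusting the event payload, because RegistryKeyChangeEvent only reports that the key changed, not which value did.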