Starting with Windows 8, users of the operating system may notice the following message in the system event log:
"The access history in hive [...] was cleared updating [...] keys and creating [...] modified pages."
What is behind this message?
Anyone tracking changes to the registry structures in the debugging symbols could notice that in Windows 8 a numeric field named Access bits appeared in the structure that describes a registry key. The corresponding memory area has been reserved since Windows NT 3.5 and was previously used in Windows NT 3.1 to store the numeric value "Title index". In the structure description below, the reserved field, named "Spare", is at offset +0x00c; in Windows 8 it is named "AccessBits".
```
+0x000 Signature        : Uint2B
+0x002 Flags            : Uint2B
+0x004 LastWriteTime    : _LARGE_INTEGER
+0x00c Spare            : Uint4B
+0x010 Parent           : Uint4B
+0x014 SubKeyCounts     : [2] Uint4B
+0x01c SubKeyLists      : [2] Uint4B
+0x024 ValueList        : _CHILD_LIST
+0x01c ChildHiveReference : _CM_KEY_REFERENCE
+0x02c Security         : Uint4B
+0x030 Class            : Uint4B
+0x034 MaxNameLen       : Pos 0, 16 Bits
+0x034 UserFlags        : Pos 16, 4 Bits
+0x034 VirtControlFlags : Pos 20, 4 Bits
+0x034 Debug            : Pos 24, 8 Bits
+0x038 MaxClassLen      : Uint4B
+0x03c MaxValueNameLen  : Uint4B
+0x040 MaxValueDataLen  : Uint4B
+0x044 WorkVar          : Uint4B
+0x048 NameLength       : Uint2B
+0x04a ClassLength      : Uint2B
+0x04c Name             : [1] Wchar
```
The nt!_CM_KEY_NODE structure in Windows 7 (in Windows 8, the "Spare" field became the "AccessBits" field)
A study of the Windows kernel established that this field is updated each time a registry key is opened or changed, in most registry hives, and that the log message quoted at the beginning of the article indicates that the field is cleared (set to zero) for all registry keys of a particular hive. The access bits are cleared when the registry hive is loaded, provided that seven days have passed since the previous clearing of that hive's access bits.
The "Access bits" field is updated by writing values to it in accordance with the following bit masks:
Bit mask | Description
---|---
0x1 | The registry key was accessed before the registry was initialized by calling the NtInitializeRegistry() function at boot time.
0x2 | The registry key was accessed after the registry was initialized by calling the NtInitializeRegistry() function at boot time.
Supported bit masks
The call to NtInitializeRegistry(), which switches the current bit mask (from 0x1 to 0x2) written to registry keys when they are opened or changed, occurs once the operating system considers the boot process successful. Consequently, registry keys opened, for example, by services as they start during operating system boot will have access bits with the 0x1 mask set. If a registry key has not been opened at all since the access bits were cleared, the field holds zero.
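To make the structure layout and the bit masks concrete, here is an added example (not the article author's code, and not part of any registry tool) that parses the fixed part of an nt!_CM_KEY_NODE ("nk") cell at the offsets quoted above, reads the AccessBits dword at +0x00c, and sorts keys the way the article suggests: unused keys to screen out, keys touched during boot, and keys touched only at runtime. The hive data is constructed inline; the cell-walking rules (signed 32-bit cell size, negative when allocated, 8-byte alignment) and the KEY_COMP_NAME flag (0x0020, name stored as 8-bit characters) are assumptions about the standard hive format, not something the article states.

```python
"""Parse nt!_CM_KEY_NODE ("nk") cells and decode the Windows 8+ AccessBits field."""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Bit masks from the table above.
ACCESS_PRE_INIT = 0x1   # key opened or changed before NtInitializeRegistry() ran at boot
ACCESS_POST_INIT = 0x2  # key opened or changed after NtInitializeRegistry() ran

# Fixed part of _CM_KEY_NODE (offsets 0x000..0x04b in the structure dump):
# Signature, Flags, LastWriteTime, AccessBits (Spare before Windows 8), Parent,
# SubKeyCounts[2], SubKeyLists[2] (union with ChildHiveReference), ValueList
# {Count, List}, Security, Class, the MaxNameLen/UserFlags/VirtControlFlags/Debug
# bitfield dword, MaxClassLen, MaxValueNameLen, MaxValueDataLen, WorkVar,
# NameLength, ClassLength. Name starts at 0x04c.
_NK = struct.Struct("<2sHQ15IHH")
NK_NAME_OFFSET = 0x4C
KEY_COMP_NAME = 0x0020  # assumed Flags bit: name stored as 8-bit chars, not UTF-16LE
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch


@dataclass
class KeyNode:
    name: str
    last_write: datetime
    access_bits: int
    flags: int


def parse_key_node(node: bytes) -> KeyNode:
    """Decode one nk node; `node` starts at Signature, i.e. just after the
    4-byte cell size that precedes every cell in a hive."""
    if len(node) < NK_NAME_OFFSET:
        raise ValueError("node too short for _CM_KEY_NODE")
    fields = _NK.unpack_from(node, 0)
    sig, flags, filetime, access_bits = fields[0], fields[1], fields[2], fields[3]
    name_len = fields[18]  # NameLength, in bytes
    if sig != b"nk":
        raise ValueError(f"not an nk cell: {sig!r}")
    raw = node[NK_NAME_OFFSET:NK_NAME_OFFSET + name_len]
    name = raw.decode("latin-1") if flags & KEY_COMP_NAME else raw.decode("utf-16-le")
    # FILETIME counts 100 ns intervals since 1601-01-01 UTC.
    last_write = EPOCH_1601 + timedelta(microseconds=filetime // 10)
    return KeyNode(name, last_write, access_bits, flags)


def classify_access(access_bits: int) -> str:
    """Translate an AccessBits value into the meaning given by the table above."""
    pre = bool(access_bits & ACCESS_PRE_INIT)
    post = bool(access_bits & ACCESS_POST_INIT)
    if pre and post:
        return "opened both before and after registry initialization"
    if pre:
        return "opened only before NtInitializeRegistry() (boot-time access, e.g. a starting service)"
    if post:
        return "opened only after NtInitializeRegistry() (runtime access)"
    return "not opened since the access bits were last cleared"


def iter_key_nodes(cells: bytes):
    """Walk a run of hive cells (int32 size first, negative when allocated) and
    yield (offset, KeyNode) for every allocated nk cell."""
    off = 0
    while off + 4 <= len(cells):
        (size,) = struct.unpack_from("<i", cells, off)
        if size == 0:
            break
        length = abs(size)
        body = cells[off + 4:off + length]
        if size < 0 and body[:2] == b"nk":
            yield off, parse_key_node(body)
        off += length


def triage(cells: bytes) -> dict:
    """Group key names as the article suggests: unused keys to screen out, keys
    touched during boot (candidate service keys), and keys used only at runtime."""
    groups = {"unused": [], "boot_time": [], "runtime_only": []}
    for _, node in iter_key_nodes(cells):
        if node.access_bits == 0:
            groups["unused"].append(node.name)
        elif node.access_bits & ACCESS_PRE_INIT:
            groups["boot_time"].append(node.name)
        else:
            groups["runtime_only"].append(node.name)
    return groups


def build_nk_cell(name: str, access_bits: int,
                  last_write: datetime = datetime(2014, 1, 1, tzinfo=timezone.utc)) -> bytes:
    """Constructed test data (not from a real hive): one allocated, 8-byte aligned
    nk cell with the given name and AccessBits; all link fields are zero."""
    raw = name.encode("latin-1")
    delta = last_write - EPOCH_1601
    filetime = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    body = _NK.pack(b"nk", KEY_COMP_NAME, filetime, access_bits, *([0] * 14), len(raw), 0) + raw
    total = 4 + len(body)
    padded = (total + 7) & ~7
    return struct.pack("<i", -padded) + body + b"\0" * (padded - total)


# Constructed sample: three allocated keys and one free cell. The first key
# carries the value 3 (0x1 | 0x2) that the demonstration section observes.
SAMPLE_CELLS = b"".join([
    build_nk_cell("RServer3", ACCESS_PRE_INIT | ACCESS_POST_INIT),
    build_nk_cell("StaleKey", 0),
    build_nk_cell("UserApp", ACCESS_POST_INIT),
    struct.pack("<i", 16) + b"\0" * 12,  # free cell: positive size, skipped
])

if __name__ == "__main__":
    for off, node in iter_key_nodes(SAMPLE_CELLS):
        print(f"{off:#06x} {node.name:<10} AccessBits={node.access_bits:#x}: "
              f"{classify_access(node.access_bits)}")
    print(triage(SAMPLE_CELLS))
```

On a real hive the same parser is applied to each nk cell found in the hive bins; the grouping only makes sense when the hive has been loaded on Windows 8 or later, because earlier versions leave the dword at +0x00c as the reserved "Spare" value.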
This information can be used to select registry keys that may have been opened by a malicious (or any other) program running as a service, or keys that have been opened at all in recent times, and also to screen out unused registry keys.
It should be noted that the Windows kernel has no function at all that returns the current value of the access bits for a given registry key, which suggests that the access bits are a debugging feature.
Demonstration
As an example, we examine in a hexadecimal editor the registry structure that describes the key "\ControlSet001\Services\RServer3" (registry hive "SYSTEM") immediately after installing the Radmin software, before rebooting, and after rebooting the operating system.
Registry key structure (before reboot)
Registry key structure (after reboot)
In the illustrations above, the bytes of the "Access bits" field that changed when the operating system was restarted are underlined in red (the value 3 indicates that both the 0x1 and 0x2 masks are set).
Findings
The access bits are a small piece of undocumented Windows functionality, most likely created for debugging purposes, that can be used to track unused registry keys and registry keys opened while the operating system was booting.
Unfortunately, most programs for viewing an inactive (offline) registry currently do not support parsing and displaying access bit values.