fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft PowerShell Lets you Track Windows Registry Changes

Microsoft PowerShell Lets you Track Windows Registry Changes

A handy tip was shared online this week, showing how you can use PowerShell to monitor changes to the Windows Registry over time.

As Windows updates, application installs, setting changes, and malware constantly makes changes to the Windows registry, this mode would allow you to quickly spot what was changed, allowing you to diagnose issues, remove malicious entries, and see what settings have been changed.

This week, popular security and technology Twitter account SwiftOnSecurity, tweeted how they would love to see a Windows Registry Editor mode that would display all registry entries that were not created by default.

In response to Swift’s tweet, Microsoft’s Principal Security Architect in Azure Security, Lee Holmes, tweeted an example of how you could do something similar in PowerShell.

Also Read: Top 3 Simple Data Backup Singapore and Recovery Methods

Holmes’ example shows how you can use PowerShell to list all existing Windows Registry keys and store them in a $snapshot variable. Then, at a later point in time, you create a snapshot of the current Registry keys and store them in the $current variable.

The example then compares the contents of these variables to determine what Registry keys were added since you took the first snapshot.

While this is not precisely what Swift was looking for, it points us in the right direction on how you can monitor Registry changes starting with a new install of Windows, or at least a point of time in your existing Windows installation.

Furthermore, as Holmes’ example uses variables that will be removed when a device reboots, it is better to store your Registry snapshots in files to compare them later, which we describe how to do below.

Comparing Registry snapshots using PowerShell

Using Holmes’ example, BleepingComputer played around with other ways of saving Windows Registry snapshots and found that modifying Holmes’ example to save snapshots to a file provides the greatest versatility.

By using files, you can create snapshots at various points in time to be compared with later snapshots. With files, you can also compare them to Registry snapshots created on other devices.

Also Read: What is Pseudonymisation: 5 Techniques and Its Best Practices

To start, you need to create a base snapshot of the current HKLM and HKCU Registry keys that you will compare to future snapshots. Ideally, but not necessary, you would generate these base snapshots right after you install Windows.

To create the base Windows Registry snapshots, you would execute the following PowerShell commands in a Windows PowerShell (Admin) prompt to make sure you can access all of the registry keys:

dir -rec -erroraction ignore HKLM:\ | % name > Base-HKLM.txt
dir -rec -erroraction ignore HKCU:\ | % name > Base-HKCU.txt

These commands will make the Base-HKLM.txt and Base-HKCU.txt snapshot files in the current folder.

In BleepingComputer’s tests on freshly installed versions of Windows 11 and Windows 10, these snapshots have the following sizes:

Windows 11 Registry snapshots:

HKEY_LOCAL_MACHINE (HKLM):82 MB
HKEY_CURRENT_USER (HKCU):2.4 MB

Windows 10 Registry snapshots:

HKEY_LOCAL_MACHINE (HKLM):81 MB
HKEY_CURRENT_USER (HKCU):1.45 MB

Once you have created your base snapshots, you can now install programs or use your computer as usual.

After some time, if you wish to compare the current Windows registry with your base snapshots, you can create new snapshots using these commands in an admin PowerShell prompt:

dir -rec -erroraction ignore HKLM:\ | % name > Current-HKLM-$(get-date -f yyyy-MM-dd).txt
dir -rec -erroraction ignore HKCU:\ | % name > Current-HKCU-$(get-date -f yyyy-MM-dd).txt

Note: the above commands will insert the date into the Current snapshot filenames so you can determine when the snapshot was created.

Now that you have both base snapshots and current snapshots created, you can compare them using the following PowerShell command:

Compare-Object (Get-Content -Path .\Base-HKCU.txt) (Get-Content -Path .\[current_snapshot_file_name])

The Compare-Object command will compare the base snapshot with the current snapshot, and display what has been changed, as can be seen below. The SideIndicator column indicates which file contains the change.

Comparing the base and current Registry snapshots
Comparing the base and current Registry snapshots
Source: BleepingComputer

It should be noted that this method only compares Windows Registry keys and does not compare its values, which are commonly changed by Windows settings and malware.

Exporting values would also dramatically increase the size of your snapshots and require a more complicated script to compare them properly. For example, the base HKCU snapshot with Registry values on a new Windows 10 install increases from 1.45 MB to 11.6 MB, an 8x times change.

However, comparing the Registry keys is still a helpful tool that admins can automate to better troubleshoot problems on devices they manage.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us