Figure 5.14 Portion of keys at the Software hive root, via WRR.

As you can see from Figure 5.14, the system in question has the 7-Zip archive utility installed, as well as some Broadcom, Dell, and Intel applications. This information can provide the analyst with some indication of which applications are installed.

Applications that are simply executable files copied to a directory do not generally create installation or uninstall keys, although some will leave traces in the Registry once they have actually been executed. One such example is the Microsoft SysInternals utilities; these tools have an end-user license agreement (“EULA”) that must be accepted before the tool will run, and running the tool will create an entry in the Registry for that tool.

Next, the Uninstall key (the key path is “\Microsoft\Windows\CurrentVersion\Uninstall” within the Software hive) should also be examined. As with the keys at the root of the Software hive, the Uninstall subkeys are most often the result of applications that are installed via an installation package, such as the Microsoft Installer. The subkeys beneath the Uninstall key may appear as GUIDs or as readable names, and many contain values that provide the installation date, the install path and source, and the string used to uninstall the application. On 64-bit systems, 32-bit applications register beneath “\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall” as well, so that path should be checked alongside the native one.

The plugin processes information from the Software hive in a manner similar to running the “assoc” and “ftype” commands mentioned above. I had installed the Google Chrome browser on my Windows 7 system, and the “Default” value for the “https\shell\open\command” key appears as follows:

[Figure: the Default value of https\shell\open\command after installing Chrome; not reproduced here]

You will also want to check the keys at the root of the user’s USRCLASS.DAT hive file, as well.
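The Uninstall subkeys and the SysInternals EULA entries described above are the kind of evidence an analyst pulls out of the Software hive. As an added example, not code from the book or from the RegRipper and WRR tools it discusses, the following stdlib-only Python parses a `reg export`-style text dump and produces one record per Uninstall subkey (name, install date, location, source, uninstall string, and whether the subkey name is a GUID), plus any SysInternals `EulaAccepted` traces. The sample export embedded in it is constructed for the example, the `admin` user and the MSI product in it are made up, and the `Software\Sysinternals\<Tool>\EulaAccepted` location is the one the SysInternals tools write on first run. The REG_EXPAND_SZ entry is deliberately included because `reg.exe` exports it as wrapped `hex(2):` UTF-16LE bytes, which trips up naive line-oriented scripts.

```python
# Added example (not code from the book, RegRipper or WRR): a stdlib-only parser
# for 'reg export' text that pulls out the installed-application evidence the
# chapter describes. The sample export below is constructed, not a real system.
import re
from datetime import datetime

# The second entry stores UninstallString as REG_EXPAND_SZ, which reg.exe
# writes as hex(2): UTF-16LE bytes wrapped with a trailing backslash.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip]
"DisplayName"="7-Zip 9.20"
"UninstallString"="\"C:\\Program Files\\7-Zip\\Uninstall.exe\""
"InstallLocation"="C:\\Program Files\\7-Zip\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AA0000000001}]
"DisplayName"="Example MSI Product"
"InstallDate"="20110315"
"InstallSource"="C:\\Users\\admin\\Downloads\\"
"UninstallString"=hex(2):4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,78,00,65,00,20,\
  00,2f,00,58,00,7b,00,41,00,43,00,37,00,36,00,42,00,41,00,38,00,36,00,7d,00,00,00

[HKEY_CURRENT_USER\Software\Sysinternals\PsExec]
"EulaAccepted"=dword:00000001
'''

UNINSTALL = '\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\'
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def _join_continuations(text):
    # a line ending in a backslash continues on the next, indented, line
    lines, pending = [], ''
    for line in text.splitlines():
        line = pending + line.strip() if pending else line.rstrip()
        pending = line[:-1] if line.endswith('\\') else ''
        if not pending:
            lines.append(line)
    return lines


def _decode_value(raw):
    """Return (type, value) for the right-hand side of a .reg value line."""
    if raw.startswith('"') and raw.endswith('"'):
        return 'REG_SZ', _unescape(raw[1:-1])
    if raw.startswith('dword:'):
        return 'REG_DWORD', int(raw[6:], 16)
    m = re.match(r'^hex(?:\((\d+)\))?:(.*)$', raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b)
        if m.group(1) == '2':  # REG_EXPAND_SZ: NUL-terminated UTF-16LE
            return 'REG_EXPAND_SZ', data.decode('utf-16-le').rstrip('\x00')
        return 'REG_BINARY', data  # other hex() types kept as raw bytes
    return 'UNKNOWN', raw


def parse_reg(text):
    """Map each key path to {value name: (type, value)}."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith(('Windows Registry Editor', ';')):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = '(Default)' if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = _decode_value(m.group(2))
    return keys


def installed_applications(keys):
    """One record per direct Uninstall subkey (Wow6432Node paths match too)."""
    apps = []
    for path, values in keys.items():
        idx = path.lower().rfind(UNINSTALL.lower())
        sub = path[idx + len(UNINSTALL):] if idx >= 0 else ''
        if not sub or '\\' in sub:
            continue
        get = lambda n: values.get(n, (None, None))[1]
        date = get('InstallDate')
        try:  # InstallDate is a YYYYMMDD string; keep it raw if malformed
            date = datetime.strptime(date, '%Y%m%d').date().isoformat()
        except (TypeError, ValueError):
            pass
        apps.append({'subkey': sub, 'subkey_is_guid': bool(GUID_RE.match(sub)),
                     'display_name': get('DisplayName'), 'install_date': date,
                     'install_location': get('InstallLocation'),
                     'install_source': get('InstallSource'),
                     'uninstall_string': get('UninstallString')})
    return apps


def sysinternals_eula_traces(keys):
    """SysInternals tools write EulaAccepted under Software\\Sysinternals\\<Tool>."""
    found = []
    for path, values in keys.items():
        parts = path.split('\\')
        if len(parts) >= 2 and parts[-2].lower() == 'sysinternals':
            kind, val = values.get('EulaAccepted', (None, None))
            found.append((parts[-1], kind == 'REG_DWORD' and val == 1))
    return found
```

Run `installed_applications(parse_reg(open('uninstall.reg', encoding='utf-16').read()))` against a real export (reg.exe writes .reg files as UTF-16). The script works on the text export rather than the binary hive, so for an offline SOFTWARE or USRCLASS.DAT file you would first load the hive (for example with `reg load` on an analysis workstation) and export the keys of interest, or swap the front end for a hive-parsing library; the record extraction itself is unchanged.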