Registry Keys To Remove
I am asked all the time, "Which keys should I remeve" when creating applications for mass distribution. This question is usually raised when creating applications with ZENworks Snapshot utility.It amazed me how easy it was to find information regarding the registry keys that are captured. Common, how hard can it be to use Google. Sure, there are WAY TO MANY "OOOOOO"s in the name. But still, bookmark it.profentially.
During a really boring day of creating application objects for a customer, I decided to find the answers. So with ever snapshot I created, I researched the registry keys that were captured. Soon I had this really nice list. I then realized that I had another need for a application. Sigh, now I have to decide which language I will write the application in.
Sure, I could write it with perl, ruby, etc. But right now I am working a lot with C# and want to get a good grasp of the language.
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICach
From reading through these entries, my understanding of this issue is that the values that you see under the MUICache key are not placed there by the executable, but by the shell (ie, Explorer.exe). Therefore, when a technical description of malware states that the executable "creates an entry under the MUICache key", this isn't technically correct. In fact, what's happening is that the shell is creating the entry when the malware is run.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed is a seed for a cryptographic random number.
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRUHKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags
This is where MS Windows stores "window" positions.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams
Windows saves size and location information for up to 28 different windows. Each window's size and location parameters are stored in a subkey of the Streams key. The subkeys are assigned sequentially on a per-user basis. For example, when a new user logs on, the first window's parameters are stored in the subkey named 0. The second window's parameters are stored in a subkey named 1. After 28 subkeys have been created and a new window is opened, the parameters for the twenty-ninth window overwrite the parameters for one of the first 28 windows. When a window for which the parameters were overwritten is opened, the window opens with the default parameters for that window.
Windows stores the association for the Streams subkeys with a particular window in the following location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Explorer\UserAssist
MRU's (Most Recently Used) and MFU's (Most Frequently Used) information for the current user.