PSInfo v1.78
52 views
Skip to first unread message
OmenScan
Dec 9, 2017, 12:00:05 PM12/9/17
to Forensic Utilities Artifacts
Source:
https://download.sysinternals.com/files/PSTools.zip
Hash:
PSInfo Hash MD5 - 624adb0f45cbb9cadad83c264df98891
PSInfo Hash Sha1 - e839ce1e0446d8da889935f411f0fb7ad54d4b3e
https://download.sysinternals.com/files/PSTools.zip
Hash:
PSInfo Hash MD5 - 624adb0f45cbb9cadad83c264df98891
PSInfo Hash Sha1 - e839ce1e0446d8da889935f411f0fb7ad54d4b3e
Command line:
PSInfo.exe /accepteula -s > D:\Info.dat
Process:
- Login To VM
- Start Windows Explorer
- Copy program to Root of D:
- Start Elevated Command Prompt
- Select D: drive by typing in: D:
- Start Regshot-x64-ANSI
- Set Max Data to Show 0
- Set Output Directory to D:\
- Do First Shot and Save
- Run Utility program from Command Prompt
- PSInfo.exe /accepteula -s > D:\Info.dat
- Run Second Shot And Save
- Compare And Output
- Notate Differences from Baseline.
Unique Changes Results:
Unique Registry Key Additions (Not in snapshot baseline)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\UAS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\RebootWatch
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\WHCIconStartup
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Sysinternals
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Sysinternals\PsInfo
Unique Registry Values Added (Not in snapshot baseline)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\UAS\UpdateCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\Security\000c07e1-0006-0002-1100-04001500b601
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security\000c07e1-0006-0002-1100-04001500b601
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Sysinternals\PsInfo\EulaAccepted
Unique registry Value Modifications (Not in snapshot Baseline)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\RAC\WmiLastTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\RAC\WmiLastCrimDataTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\WSqmConsLastRunTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\NextSqmReportTime
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0\CheckSetting
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.104\CheckSetting
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr
Unique File Folder Additions (Not in snapshot baseline)
None
Unique File Deletions (Not in snapshot baseline)
None
Unique File Additions (Not in snapshot baseline)
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx
Unique File Attribute Modifications (Not in snapshot baseline)
C:\ProgramData\Microsoft\RAC\StateData\RacWmiEventData.dat
C:\Users\All Users\Microsoft\RAC\StateData\RacWmiEventData.dat
C:\Windows\AppCompat\Programs\RecentFileCache.bcf
Non-Unique Changes Results:
Non-Unique Registry Key Additions (Generated by the snapshot process)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\BITS Writer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Diag\BITS Writer
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hiv\OpenWithList
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.hiv
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\CIDSave
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\CIDSave\Modules
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\CIDSave\Modules\GlobalSettings
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\CIDSave\Modules\GlobalSettings\ProperTreeModuleInner
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\hiv
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017120220171203
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Non-Unique Registry Value Additions (Generated by the snapshot process)
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\0
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\1
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.hiv\0
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\0
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\CIDSave\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInner
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU\0
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder\0
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU\0
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*\0
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\hiv\0
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017120220171203\CachePrefix
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017120220171203\CachePath
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017120220171203\CacheOptions
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017120220171203\CacheRepair
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017120220171203\CacheLimit
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{FF393560-C2A7-11CF-BFF4-444553540000} {000214E6-0000-0000-C000-000000000046} 0xFFFF
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection
Non-Unique Registry Value Modifications (Generated by the snapshot process)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\cval
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance\Performance Data
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\ServiceSessionId
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VolSnap\Volume{4ffd83c1-d26b-11e7-9862-806e6f6e6963}DeleteProcess (Enter)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VolSnap\Volume{4ffd83c1-d26b-11e7-9862-806e6f6e6963}DeleteProcess (Leave)
HKEY_LOCAL_MACHINE\SYSTEM\RNG\Seed
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Diag\VolSnap\Volume{4ffd83c1-d26b-11e7-9862-806e6f6e6963}DeleteProcess (Enter)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Diag\VolSnap\Volume{4ffd83c1-d26b-11e7-9862-806e6f6e6963}DeleteProcess (Leave)
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}.check.101\CheckSetting
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.100\CheckSetting
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.101\CheckSetting
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.100\CheckSetting
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.101\CheckSetting
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.102\CheckSetting
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.103\CheckSetting
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.106\CheckSetting
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA
HKEY_USERS\S-1-5-21-1543496532-2964303708-3078955209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Q
Non-Unique Folder Addition (Generated by the snapshot process)
C:\Users\4n6Test\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017120220171203
Non-Unique File Deletion (Generated by the snapshot process)
C:\Windows\System32\wbem\Performance\WmiApRpl_new.h
Non-Unique File Addition (Generated by the snapshot process)
C:\Users\4n6Test\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017120220171203\container.dat
C:\Users\4n6Test\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.tmp
C:\Users\4n6Test\AppData\Roaming\Microsoft\Windows\Recent\Baseline1.hiv.lnk
C:\Users\4n6Test\AppData\Roaming\Microsoft\Windows\Recent\Data Volume (D).lnk
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb
Non-Unique File Attribute Modification (Generated by the snapshot process)
C:\Users\4n6Test\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms
Reply all
Reply to author
Forward
0 new messages