Sysinternals Forum: Sysinternals Utilities > Process Monitor

Remote Registry Access
sys (Newbie, joined 06 February 2009), posted 06 February 2009 at 4:09pm:
Is there any way to use the Process Monitor to track who is trying to access registry info from another machine?
 
I know which machine is trying to access the registry on another machine, I just can't figure out which application it is...

molotov (Moderator Group, joined 04 October 2006), posted 06 February 2009 at 5:06pm:
Hi sys,

Process Monitor running on machine x will be able to see registry activity on machine x.  It will not see registry activity initiated by machine x to machine y (for example, using regedit to connect to another system's registry).  Process Monitor running on machine y will see activity related to the request made by machine x, but it will be in the context of the process servicing that request.

A few thoughts include selectively stopping processes on the remote machine to see when the registry activity of concern stops, stopping the Remote Registry service on the machine with the "target" registry (to see if any application on the remote machine complains), or changing permissions on the parts of the registry that are being accessed remotely, to see if some application on the remote machine complains.  I don't suppose the parts of the registry being accessed give any indication what the process on the remote machine may be...?
Daily affirmation:
net helpmsg 4006

sys, posted 08 February 2009 at 10:37pm:

The background story is this: customer A is receiving hourly intrusion detection alerts complaining that Machine X is trying to read and/or write registry entries on Server Y.

Both of these computers are running software from my company, however this software - which I know pretty well, although not 100% - does not contain any explicit code to access any Windows registry entries remotely. In fact, the only registry access that I know of is strictly local (a check which is done for licensing purposes, and only once on startup of the application).
 
Customer A is asking me for an explanation of these IDS alerts. The implication is that our software is somehow responsible, because "nothing else" is running on these machines. It's kind of a "guilty - until proven innocent" scenario.
 
Now, I am a developer, not an IT specialist. I would have expected that they would have the skills within their own IT group to track this issue down. Sadly, that doesn't seem to be the case. I am just trying to find some tool or procedure that will adequately explain what is happening.
 
Here are some samples of the messages they are seeing:
 
TESTMODE: The process '<remote application>' (as user XXXCSE\XXXTXP) attempted to access the registry key '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG' and value 'Seed'. The attempted access was a write (operation = WRITE/VALUE). The operation would have been denied.
 
TESTMODE: The process '<remote application>' (as user XXXCSE\XXXNH3) attempted to access the registry key '\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters' and value ''. The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.
 
TESTMODE: The process '<remote application>' (as user XXXCSE\XXXNH3) attempted to access the registry key '\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters' and value ''. The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.
 
I'm no expert, but these messages look pretty normal; that is, if they had been associated with local registry access. It looks like the stuff you might see when processes start up. It is the fact that it is being done remotely that is odd.
 
So, if I understand you correctly, I will have to get them to run Process Monitor on the Machine X which is the source of the remote registry access requests. Presumably, I can get them to save the recorded registry activity to a file, and then arrange to have someone filter through it looking for the activities that match the IDS alerts.
 
SYS
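A worked example of the filtering step described in the post above, added here and not taken from the thread. Following molotov's earlier point, the Process Monitor trace has to come from Server Y, where the remote requests are serviced: there the events appear under the process hosting the Remote Registry service, svchost.exe, rather than under the client application. The script parses IDS alert lines of the format quoted above, converts their native \REGISTRY\MACHINE\... paths to the HKLM\... form Process Monitor displays, and matches them against a CSV export of the trace on key, value name and operation. The alert lines and trace rows are constructed samples; the mapping of IDS operation names to Process Monitor operations covers only the two names seen in the thread and is an assumption, as is treating CurrentControlSet and ControlSet001 as the same key.

```python
"""Match IDS registry alerts against a Process Monitor CSV export.

Added example, not code from the thread. Assumes the alerts use the TESTMODE
format quoted above and that the trace was captured on the server whose
registry is opened remotely (File > Save..., CSV format). The sample alert
lines and trace rows below are constructed.
"""
import csv
import io
import re

# Constructed sample alerts, in the format quoted in the thread.
IDS_ALERTS = r"""
TESTMODE: The process '<remote application>' (as user XXXCSE\XXXTXP) attempted to access the registry key '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG' and value 'Seed'. The attempted access was a write (operation = WRITE/VALUE). The operation would have been denied.
TESTMODE: The process '<remote application>' (as user XXXCSE\XXXNH3) attempted to access the registry key '\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters' and value ''. The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.
"""

# Constructed sample export. Remote registry requests are serviced by the
# Remote Registry service, hosted in svchost.exe, so that is the process the
# trace attributes them to; the third row is unrelated local activity.
PROCMON_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"4:09:01.1234567 PM","svchost.exe","1044","RegSetValue","HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed","SUCCESS","Type: REG_BINARY, Length: 80"
"4:09:01.2345678 PM","svchost.exe","1044","RegOpenKey","HKLM\System\CurrentControlSet\Services\Dnscache\Parameters","SUCCESS","Desired Access: Read"
"4:09:02.3456789 PM","explorer.exe","2288","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"""

ALERT_RE = re.compile(
    r"The process '(?P<proc>[^']*)' \(as user (?P<user>[^)]*)\) attempted to access "
    r"the registry key '(?P<key>[^']*)' and value '(?P<value>[^']*)'\. "
    r"The attempted access was an? \w+ \(operation = (?P<op>[^)]*)\)"
)

# IDS operation -> Process Monitor operations that would produce it. Only the
# two names seen in the thread are mapped (assumption); others match on path only.
IDS_OP_TO_PROCMON = {
    "WRITE/VALUE": {"RegSetValue"},
    "OPEN/KEY": {"RegOpenKey", "RegCreateKey"},
}
# Process Monitor appends the value name to the path for these operations.
VALUE_OPS = {"RegSetValue", "RegQueryValue", "RegDeleteValue"}
# Native NT hive names used by the IDS -> abbreviations Process Monitor displays.
HIVE_PREFIXES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}
# CurrentControlSet is a link to the ControlSetNNN named in HKLM\SYSTEM\Select\Current;
# treating both spellings as one key is an assumption to verify on the server.
CCS_RE = re.compile(r"^(HKLM\\SYSTEM\\)(CURRENTCONTROLSET|CONTROLSET\d{3})(\\|$)")


def parse_ids_alert(line):
    """Return the fields of one alert line, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def normalize_key(key):
    """Canonical upper-case key path comparable across both sources."""
    p = key.strip().rstrip("\\").upper()
    for prefix, hive in HIVE_PREFIXES.items():
        if p.startswith(prefix):
            p = hive + p[len(prefix):]
            break
    return CCS_RE.sub(r"\1<CCS>\3", p)


def split_procmon_path(operation, path):
    """Split a trace path into (normalized key, upper-case value name)."""
    if operation in VALUE_OPS:
        key, _, value = path.rpartition("\\")
        if value == "(Default)":  # how Process Monitor shows the unnamed value
            value = ""
        return normalize_key(key), value.upper()
    return normalize_key(path), ""


def correlate(ids_text, procmon_csv):
    """For each alert, list trace events on the same key, value and operation."""
    # For a real export use open(path, encoding="utf-8-sig") so a byte-order
    # mark does not end up inside the first column name.
    rows = list(csv.DictReader(io.StringIO(procmon_csv.strip())))
    results = []
    for line in ids_text.strip().splitlines():
        alert = parse_ids_alert(line)
        if alert is None:
            continue
        want = (normalize_key(alert["key"]), alert["value"].upper())
        allowed_ops = IDS_OP_TO_PROCMON.get(alert["op"])
        matches = [
            {"time": r["Time of Day"], "process": r["Process Name"], "pid": int(r["PID"]),
             "operation": r["Operation"], "result": r["Result"]}
            for r in rows
            if split_procmon_path(r["Operation"], r["Path"]) == want
            and (allowed_ops is None or r["Operation"] in allowed_ops)
        ]
        results.append({"alert": alert, "matches": matches})
    return results


if __name__ == "__main__":
    for item in correlate(IDS_ALERTS, PROCMON_CSV):
        a = item["alert"]
        print(f"{a['op']:<12} {a['key']} value={a['value']!r} user={a['user']}")
        for m in item["matches"]:
            print(f"    {m['time']} {m['process']} (PID {m['pid']}) {m['operation']} {m['result']}")
        if not item["matches"]:
            print("    no matching trace event")
```

To use it on a real trace, replace the embedded sample with the contents of the saved CSV (opened with encoding utf-8-sig) and the alert text with the lines the IDS produced. A match attributed to svchost.exe confirms the access is arriving through the Remote Registry service and gives a timestamp to line up with activity on Machine X; an alert with no matching event means the server never saw the access the IDS describes, which is worth establishing before any application is blamed.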

sys, posted 08 February 2009 at 10:43pm:
Shoot.

I just re-read your reply and I can see that Process Monitor will not give me what I want on either machine. I think I will suggest disabling the Remote Registry access and we'll see what happens.
 
SYS

Doomster1961 (Newbie, joined 04 February 2009, Canada), posted 09 February 2009 at 4:06pm:
I had a similar problem with Microsoft checking to see if my Windows OS was legit, which it is. I had the Remote Registry Service running and Microsoft changed my User Name access control from Admin to Limited. I have gained access back but only after I performed registry scans and then turned off the Remote Registry service.
My Remote Registry service was controlled by a different username and I didn't know the password to change it. So I used mine (Admin) and deleted the other username. I am the only one who uses this computer and I am not on a local network. Everything is working properly and there were no further problems with my account.
Nobody else should be accessing the registry unless you give them permission, especially Microsoft. sys, try this link, it talks about your problem. It may help.
http://www.derkeiler.com/Newsgroups/sci.crypt/2004-06/0126.html


Edited by Doomster1961 - 09 February 2009 at 4:27pm

molotov, posted 10 February 2009 at 2:47am:
Quote: <remote application>
Is the actual app name given by the IDS?

Quote: Process Monitor will not give me what I want on either machine
Correct - at least, not directly.

Since you know the actual keys in question, it may be interesting to monitor those keys for activities to determine which processes are involved. Is it possible the IDS is misreporting the process? Perhaps the stacks of the events may hold some clue as to the nature of the activity.

molotov, posted 10 February 2009 at 2:58am:
Quote (Doomster1961): I had a similar problem
I honestly don't think the items are related. What you describe seems to be standard Windows configuration.


Edited by molotov - 10 February 2009 at 2:59am

sys, posted 10 February 2009 at 3:56am:
Yes, sadly "<remote application>" is exactly what the IDS is reporting. If only it had been a process ID, then I might be able to get somewhere.
 
Can I ask your opinion of the particular keys being noted by the IDS? I read up on them and they seem to be pretty normal kinds of things to access in the registry - for local accesses, anyway. It's the fact that they're being accessed remotely that's weird. Are they indeed normal-ish? As opposed to the traces of some malware?
 
It's almost as if the remote machine was originally cloned from the server, and then tweaked a bit to make it look different (to give it a different hostname, for example). But at some deep level, the remote machine still thinks it has the same name as the server, and the registry access is being re-routed inadvertently. I suppose that's not possible though. Bah. It's just a thought.
 
Anyway, after being hot to trot for an answer yesterday, the customer is dragging their feet today. That buys me some time to think of more options.

molotov, posted 10 February 2009 at 4:09am:
Quote: they seem to be pretty normal kinds of things to access in the registry
I agree. The Dnscache\Parameters and Tcpip\Parameters are only opened for reading, and Cryptography\RNG is opened for writing to Seed. This seems to be a commonly updated value (try launching IE...)...

Is a sniffer / traffic monitor an option?

sys, posted 10 February 2009 at 4:34am:
A sniffer is a possibility, as I believe that at the moment the two machines are part of a test system that is not yet in production. It would be up to the customer I guess. Some of them are indifferent, but others are hostile to the idea of sniffers. I'm not sure which one this is.
 
I've used netmon and WireShark before, but there are other people here with more expertise than I (with WireShark, mostly). There would be a fair amount of "normal" traffic between the two machines (mostly WCF and ODBC, with a sprinkling of proprietary stuff). Any ideas on suitable filters to prune out all but the registry-related traffic? A particular port number to watch, for example?