One Article Review

Source: Google Project Zero
ID: 8484832
Published: 2024-04-18 09:46:51 (seen: 2024-04-18 17:06:42)
Title: The Windows Registry Adventure #2: A brief history of the feature
Posted by Mateusz Jurczyk, Google Project Zero

Before diving into the low-level security aspects of the registry, it is important to understand its role in the operating system and a bit of history behind it. In essence, the registry is a hierarchical database made of named "keys" and "values", used by Windows and applications to store a variety of settings and configuration data. It is represented by a tree structure, in which keys may have one or more subkeys, and every subkey is associated with exactly one parent key. Furthermore, every key may also contain one or more values, which have a type (integer, string, binary blob, etc.) and are used to store actual data in the registry. Every key can be uniquely identified by its name and the names of all of its ascendants separated by the special backslash character ('\'), and starting with the name of one of the top-level keys (HKEY_LOCAL_MACHINE, HKEY_USERS, etc.). For example, a full registry path may look like this: HKEY_CURRENT_USER\Software\Microsoft\Windows.

At a high level, this closely resembles the structure of a file system, where the top-level key is equivalent to the root of a mounted disk partition (e.g. C:\), keys are equivalent to directories, and values are equivalent to files. One important distinction, however, is that keys are the only type of securable objects in the registry, and values play a much lesser role in the database than files do in the file system. Furthermore, specific subtrees of the registry are stored on disk in binary files called registry hives, and the hive mount points don't necessarily correspond one-to-one to the top-level keys (e.g. the C:\Windows\system32\config\SOFTWARE hive is mounted under HKEY_LOCAL_MACHINE\Software, a one-level nested key).

Fundamentally, there are only a few basic operations that can be performed in the registry. These operations are summarized in the table below:

Hives: Load hive, Unload hive, Flush hive to disk
Keys: Open key, Create key, Delete key
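The key/value tree and the hive mount mapping described above, modelled in an added Python example that is not part of the Project Zero post: the SOFTWARE hive location comes from the excerpt, while the SYSTEM hive entry, the NTUSER.DAT entry and the profile-directory placeholder are assumptions added for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Top-level keys named in the excerpt (HKEY_CURRENT_USER appears in its example path).
ROOT_KEYS = {"HKEY_LOCAL_MACHINE", "HKEY_USERS", "HKEY_CURRENT_USER"}


@dataclass
class Key:
    """A registry key: one parent, any number of subkeys and typed values."""
    name: str
    parent: Optional["Key"] = None
    subkeys: dict = field(default_factory=dict)
    values: dict = field(default_factory=dict)  # value name -> (type, data)

    def path(self) -> str:
        """Full path: own name plus all ascendants, joined by backslashes."""
        parts, k = [], self
        while k is not None:
            parts.append(k.name)
            k = k.parent
        return "\\".join(reversed(parts))


def create_key(root: Key, relative_path: str) -> Key:
    """Walk the tree below root, creating each missing component (Create key)."""
    k = root
    for part in relative_path.split("\\"):
        k = k.subkeys.setdefault(part, Key(part, k))
    return k


# Mount points are not one-to-one with top-level keys: SOFTWARE (from the excerpt)
# is mounted one level down. SYSTEM and NTUSER.DAT entries are assumptions here.
HIVE_MOUNTS = {
    r"HKEY_LOCAL_MACHINE\Software": r"C:\Windows\system32\config\SOFTWARE",
    r"HKEY_LOCAL_MACHINE\System": r"C:\Windows\system32\config\SYSTEM",
    "HKEY_CURRENT_USER": r"<profile dir>\NTUSER.DAT",
}


def resolve_hive(full_path: str) -> Optional[str]:
    """Find the hive backing a path: longest case-insensitive match on whole components."""
    comps = [c.lower() for c in full_path.split("\\")]
    if comps[0].upper() not in ROOT_KEYS:
        raise ValueError(f"not a top-level key: {full_path.split(chr(92))[0]}")
    best = None
    for mount, hive in HIVE_MOUNTS.items():
        mcomps = [c.lower() for c in mount.split("\\")]
        if comps[: len(mcomps)] == mcomps and (best is None or len(mcomps) > best[0]):
            best = (len(mcomps), hive)
    return best[1] if best else None
```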
Tags: Tool, Prediction, Technical