
[or-cvs] r15978: Note that Windows stores a ROT-13 "encrypted" list of execut (torbrowser/trunk/docs)



Author: sjm217
Date: 2008-07-16 07:37:33 -0400 (Wed, 16 Jul 2008)
New Revision: 15978

Modified:
   torbrowser/trunk/docs/traces.txt
Log:
Note that Windows stores a ROT-13 "encrypted" list of executables and path names in the registry (!)

Modified: torbrowser/trunk/docs/traces.txt
===================================================================
--- torbrowser/trunk/docs/traces.txt	2008-07-16 11:36:47 UTC (rev 15977)
+++ torbrowser/trunk/docs/traces.txt	2008-07-16 11:37:33 UTC (rev 15978)
@@ -60,10 +60,21 @@
 modified: HKLM\Software\Microsoft\Cryptography\RNG\Seed (by vidalia.exe,
 tor.exe, FirefoxPortable.exe, firefox.exe, polipo.exe)
 
+Without Firefox installed, there appears to be no difference, although
+it is difficult to be certain since Windows makes changes to a large
+number of binary objects stored in the registry on each boot.
+
 This key is also modifed by a large number of other applications (including
 calc.exe, mspaint.exe, notpad.exe, etc...) Therefore the modification of this
 does not indicate that Tor Browser Bundle was run.
 
+Windows explorer also logs the ROT-13 encoded names of executables run in:
+ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
+
+FirefoxPortable will sometimes create a new entry, containing the path
+ to Vidalia in:
+ (HK_CURRENT_USER|HKEY_USER)Software\Microsoft\Windows\ShellNoRoam\MUICache
+
 Other traces
 ============
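
Review bot: The MUICache path in the last added block is not a usable registry path as written: `(HK_CURRENT_USER|HKEY_USER)Software\Microsoft\Windows\ShellNoRoam\MUICache` lacks the backslash between the hive and `Software`, and neither `HK_CURRENT_USER` nor `HKEY_USER` matches the hive naming used elsewhere in this hunk (`HKEY_CURRENT_USER`, `HKLM`). Suggest spelling it `HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache`, with `HKEY_USERS\<SID>\...` given separately if the per-user hive view is meant, so a reader can paste the path into a registry tool. Two smaller points: the new "Without Firefox installed" paragraph sits between the `RNG\Seed` entry and the existing "This key is also modifed by..." sentence, which makes the antecedent of "This key" less obvious, so placing the new paragraph after that sentence would keep the reference adjacent; and the UserAssist note states only that Explorer logs there, so it would help to say whether entries for the bundle's executables were actually observed under that key and whether they persist after the bundle is removed.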