[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] r15978: Note that Windows stores a ROT-13 "encrypted" list of execut (torbrowser/trunk/docs)
Author: sjm217
Date: 2008-07-16 07:37:33 -0400 (Wed, 16 Jul 2008)
New Revision: 15978
Modified:
torbrowser/trunk/docs/traces.txt
Log:
Note that Windows stores a ROT-13 "encrypted" list of executables and path names in the registry (!)
Modified: torbrowser/trunk/docs/traces.txt
===================================================================
--- torbrowser/trunk/docs/traces.txt 2008-07-16 11:36:47 UTC (rev 15977)
+++ torbrowser/trunk/docs/traces.txt 2008-07-16 11:37:33 UTC (rev 15978)
@@ -60,10 +60,21 @@
modified: HKLM\Software\Microsoft\Cryptography\RNG\Seed (by vidalia.exe,
tor.exe, FirefoxPortable.exe, firefox.exe, polipo.exe)
+Without Firefox installed, there appears to be no difference, although
+it is difficult to be certain since Windows makes changes to a large
+number of binary objects stored in the registry on each boot.
+
This key is also modifed by a large number of other applications (including
calc.exe, mspaint.exe, notpad.exe, etc...) Therefore the modification of this
does not indicate that Tor Browser Bundle was run.
+Windows explorer also logs the ROT-13 encoded names of executables run in:
+ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
+
+FirefoxPortable will sometimes create a new entry, containing the path
+ to Vidalia in:
+ (HK_CURRENT_USER|HKEY_USER)Software\Microsoft\Windows\ShellNoRoam\MUICache
+
Other traces
============