Windows.Registry.BackupRestore

This artifact will return BackupRestore configuration.

Applications that request or perform backup and restore operations can use these keys to communicate with each other or with features such as the Volume Shadow Copy Service (VSS) and Windows Backup.


name: Windows.Registry.BackupRestore
author: Matt Green - @mgreen27
description: |
    This artifact will return BackupRestore configuration.

    Applications that request or perform backup and restore operations can use
    these keys to communicate with each other or with features such as the
    Volume Shadow Copy Service (VSS) and Windows Backup.

reference:
  - https://andreafortuna.org/2017/10/02/volume-shadow-copies-in-forensic-analysis/
  - https://docs.microsoft.com/en-us/windows/win32/backup/registry-keys-for-backup-and-restore

parameters:
 - name: KeyGlob
   default: HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\BackupRestore\**

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
      -- output rows and dedup on unique values for each
      SELECT ModTime,OSPath,
        Name as KeyName,
        Data.value as KeyValue,
        Data.type as KeyType
      FROM glob(globs=KeyGlob, accessor="registry")
      WHERE NOT KeyType ='key'
      GROUP BY ModTime, KeyName,KeyValue,KeyType