How can I find out what uses a registry key?

How can I find out what uses a registry key?

Posted on Wed May 09, 2012 5:42 pm

[HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing]

DWORD "State" under that. It seems that it's related to .NET certificate junk but also at least one setting in IE Advanced Settings messes with it. It's a bitmask with the following values...

.NET settings:
Code:
 1) Trust the Test Root........................... TRUE  0xA0
 2) Use expiration date on certificates........... TRUE -0x100
 3) Check the revocation list..................... TRUE -0x200
 4) Offline revocation server OK (Individual)..... TRUE  0x400
 5) Offline revocation server OK (Commercial)..... TRUE  0x800
 6) Java offline revocation server OK (Individual) TRUE  0x1000
 7) Java offline revocation server OK (Commercial) TRUE  0x2000
 8) Invalidate version 1 signed objects........... TRUE  0x10000
 9) Check the revocation list on Time Stamp Signer TRUE -0x20000
10) Only trust items found in the Trust DB........ TRUE  0x40000


IE Advanced Settings:
Code:
Check for publisher's certificate revocation TRUE -0x200


Possible setting defined in WinTrust.h:
Code:
#define WTPF_TRUSTTEST              0x00000020  // trust any "TEST" certificate
#define WTPF_TESTCANBEVALID         0x00000080  // Check any test certificate for validity


I think there are some values that are low, like 0x08 and 0x01, but I'm not sure where to look or what GPOs or settings might be affecting this registry key. Any suggestions?
Last edited by Scrotos on Thu May 10, 2012 3:38 pm, edited 2 times in total.
Scrotos
Graphmaster Gerbil
Posts: 1028
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: How can I find out what uses a registry key?

Posted on Wed May 09, 2012 6:33 pm

regmon?
Think for yourself, schmuck!
i5-2500K@4.3|Asus P8P67-LE|8GB DDR3-1600|Powercolor R7850 2G|1.5TB 7200.11|1988 Model M|Saitek X-45 & P880|Logitech MX 518|Dell 2209WA|Sennheiser PC151|Asus Xonar DX
bthylafh
Grand Gerbil Poohbah
Posts: 3129
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: How can I find out what uses a registry key?

Posted on Wed May 09, 2012 7:19 pm

Process monitor from Sysinternals suite. It's a free Microsoft backed software suite that is a must have for any software developer.
Core 2 Duo E6300, MSI P45 NEO-F, Club 3D GTX 260, 4Gb DDR2-800Mhz, Audigy X-Fi Fatal1ty Champ1on ed., 0.5Tb+1Tb Seagate Barracuda 7200.12, 630W AXP, Samsung SyncMaster BX2450, ViewSonic VP171b
Madman
Minister of Gerbil Affairs
Posts: 2317
Joined: Tue Apr 01, 2003 4:55 am
Location: Latvia

Re: How can I find out what uses a registry key?

Posted on Wed May 09, 2012 10:49 pm

Madman wrote: Process monitor from Sysinternals suite. It's a free Microsoft backed software suite that is a must have for any software developer.

Slight nitpick here. Mark Russinovich and Bryce Cogswell (Damn you, Spacely!!) wrote all of the Sysinternals stuff long before they were assimilated by Microsoft. Essentially, MS realized that the Sysinternals applets fixed so many of the geeky nags inherent in NT-based Windows that they paid off the Sysinternals crew and brought it in-house. MS had no part in the development of these tools.

That said, the Sysinternals stuff is pure gold for those who need to delve into the nitty-gritty of Windows issues. My personal favorites are Autoruns and ProcMon. I do wish they'd update Rootkit Revealer.
It is one of the blessings of old friends that you can afford to be stupid with them. Ralph Waldo Emerson.
Captain Ned
Global Moderator
Gold subscriber
Posts: 20107
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: How can I find out what uses a registry key?

Posted on Thu May 10, 2012 7:16 am

Captain Ned wrote:
Madman wrote: Process monitor from Sysinternals suite. It's a free Microsoft backed software suite that is a must have for any software developer.

Slight nitpick here. Mark Russinovich and Bryce Cogswell (Damn you, Spacely!!) wrote all of the Sysinternals stuff long before they were assimilated by Microsoft. Essentially, MS realized that the Sysinternals applets fixed so many of the geeky nags inherent in NT-based Windows that they paid off the Sysinternals crew and brought it in-house. MS had no part in the development of these tools.

Nitpick of your nitpick. Since Microsoft effectively assimilated Sysinternals lock, stock and barrel and now hosts the Sysinternals content and tools, saying that it is "Microsoft backed" is in fact technically correct, in the same way that it is correct to say that Hotmail, Skype, etc. are Microsoft products even though they were originally developed by third parties.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
Posts: 37495
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: How can I find out what uses a registry key?

Posted on Thu May 10, 2012 12:52 pm

Well, procmon is neat but doesn't help. I put in some filters for:

HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State

Many iexplore.exe hits when I mess with Advanced settings, but the gist is that it reads the key and sets it to the current setting and then closes the key. Only one setting I've found so far actually sets a different value but I already knew about it. I can see when the GPO gets applied periodically but that just writes a value, doesn't really tell me what value goes with what. The other values I think might be related like these:

Allow software to run or install even if the signature is invalid
Check for server certificate revocation
Check for signatures on downloaded programs

...all check the key and don't write a new value to it and then go and toggle a specific key in a different place that's particular to that function. So possibly some of the lower value bitmasks were legacy for IE 3.x and earlier? I'd buy that but I haven't yet found something that shows a deprecated listing or somethin' of that sort.

So it's a handy tool but I don't think it's going to help me divine the values that I don't already know.
Scrotos
Graphmaster Gerbil
Posts: 1028
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: How can I find out what uses a registry key?

Posted on Thu May 10, 2012 3:37 pm

I dunno how to do that. As in, how do I export my current GPO in .adm or .admx format? All I see are ways to write your own and add/remove them.

A bit more info but not much: http://social.technet.microsoft.com/wik ... ogged.aspx

WTPF_TRUSTTEST - Trust any test certificate. 0x00000020
WTPF_TESTCANBEVALID - Check any test certificate for validity. 0x00000080

I'll edit the first post with the "Check any test certificate for validity" bit, I guess.
Scrotos
Graphmaster Gerbil
Posts: 1028
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: How can I find out what uses a registry key?

Posted on Thu May 10, 2012 4:29 pm

So this is kind of where I'm at: http://social.technet.microsoft.com/For ... c9161396a1

Relevant bit:

The point is we are trying to set the following advanced options in IE7 to disabled:

• Check for publisher's certificate revocation
• Check for server certificate revocation
Creating this gpo supposedly should set the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

• default setting (both settings enabled): 0x00023c00 (166432)
• after manually setting both disabled: 0x23e00 (146944)
• after applying the GP preference settings: 0x002c9 (713)


So we do have those two settings set via GPO. I already know that "Check for publisher's certificate revocation" is responsible for the 0x200 difference there. And "Check for server certificate revocation" doesn't affect it. But pushing those out via GPO somehow corrupts the rest of the settings? You end up with 0x2C9?

Is this a MS bug? My solution would be to get rid of those settings via GPO and instead push out the proper registry keys for them, I guess. But it still bugs me that it's setting that funky value.
Scrotos
Graphmaster Gerbil
Posts: 1028
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.
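Added example, not code from the thread or from Microsoft: a small Python decoder for the "State" DWORD that turns the bit table from the first post (plus the two WTPF_* values from WinTrust.h) into per-option TRUE/FALSE, flags any set bits the table does not cover, and diffs two values. It is fed the three values quoted from the TechNet thread above (0x23C00, 0x23E00, 0x2C9) as constructed inputs. Assumptions: the "-0x..." entries in the first post are read as "the option is TRUE when the bit is clear", which is consistent with the quoted 0x23C00 to 0x23E00 change when the publisher revocation check is disabled; the dictionary keys are the option names as written in the thread; and `read_state()` is this example's own helper, which only does anything on Windows.

```python
"""Decode and diff the WinTrust "Software Publishing" State DWORD.

Constructed example: the bit table is the one listed in the first post,
the "-0x..." rows are treated (assumption) as "option TRUE when bit CLEAR",
and the sample values are the three quoted from the TechNet thread.
"""
import sys

# Relative to HKEY_CURRENT_USER; the path named in the thread.
KEY_PATH = (r"Software\Microsoft\Windows\CurrentVersion\WinTrust"
            r"\Trust Providers\Software Publishing")

# mask -> (option name from the thread, option is TRUE when the bit is CLEAR)
FLAGS = {
    0x00020: ("WTPF_TRUSTTEST", False),            # WinTrust.h: trust any "TEST" certificate
    0x00080: ("WTPF_TESTCANBEVALID", False),       # WinTrust.h: check test certificate validity
    0x00100: ("Use expiration date on certificates", True),
    0x00200: ("Check the revocation list", True),  # IE: "Check for publisher's certificate revocation"
    0x00400: ("Offline revocation server OK (Individual)", False),
    0x00800: ("Offline revocation server OK (Commercial)", False),
    0x01000: ("Java offline revocation server OK (Individual)", False),
    0x02000: ("Java offline revocation server OK (Commercial)", False),
    0x10000: ("Invalidate version 1 signed objects", False),
    0x20000: ("Check the revocation list on Time Stamp Signer", True),
    0x40000: ("Only trust items found in the Trust DB", False),
}
KNOWN_MASK = 0
for _mask in FLAGS:
    KNOWN_MASK |= _mask

# Values quoted in the thread (constructed test inputs, not read from a live machine)
DEFAULT_STATE = 0x23C00   # both IE revocation options enabled
BOTH_DISABLED = 0x23E00   # after manually disabling both options
AFTER_GPP = 0x2C9         # after the Group Policy preference was applied


def decode(state: int) -> dict:
    """Map every documented option to its effective TRUE/FALSE for this State value."""
    result = {}
    for mask, (name, true_when_clear) in FLAGS.items():
        bit_set = bool(state & mask)
        result[name] = (not bit_set) if true_when_clear else bit_set
    # The first post lists "Trust the Test Root" as 0xA0, i.e. 0x20 | 0x80 together.
    result["Trust the Test Root"] = (state & 0xA0) == 0xA0
    return result


def unknown_bits(state: int) -> int:
    """Set bits that are not in the documented table (the 'low values' the OP asks about)."""
    return state & ~KNOWN_MASK


def diff(old: int, new: int) -> list:
    """Return (mask, name, old_bit_set, new_bit_set) for every bit that changed."""
    changed = old ^ new
    out = []
    bit = 1
    while bit <= changed:
        if changed & bit:
            name = FLAGS.get(bit, ("<undocumented>", False))[0]
            out.append((bit, name, bool(old & bit), bool(new & bit)))
        bit <<= 1
    return out


def read_state():
    """Read the live value under HKCU on Windows; return None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # hypothetical use here; standard library on Windows
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, KEY_PATH) as key:
        value, _ = winreg.QueryValueEx(key, "State")
        return value


def report(state: int) -> str:
    """Human-readable decode of one State value, including undocumented bits."""
    lines = [f"State = 0x{state:X} ({state})"]
    for name, value in decode(state).items():
        lines.append(f"  {name:<50} {value}")
    if unknown_bits(state):
        lines.append(f"  undocumented bits set: 0x{unknown_bits(state):X}")
    return "\n".join(lines)


if __name__ == "__main__":
    samples = [DEFAULT_STATE, BOTH_DISABLED, AFTER_GPP]
    live = read_state()
    if live is not None:
        samples.append(live)
    for s in samples:
        print(report(s))
    print("default -> both disabled:", diff(DEFAULT_STATE, BOTH_DISABLED))
    print("default -> after GPP:", diff(DEFAULT_STATE, AFTER_GPP))
```

Run against the thread's values, the diff between 0x23C00 and 0x23E00 is exactly the 0x200 bit, as Scrotos observed, while 0x2C9 sets 0x200 and 0x80 plus three bits (0x40, 0x08, 0x01) that none of the posted tables name; the decoder reports those as undocumented rather than guessing at them.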
